permissions-20181225-23.12.1 >  A a/Yp9|'7y5BI,( U5\vt[<Ϗ8֨7.W}A.gZ Tq} _!Df얒P2UQ\Iml ,hr'Ui}ÙNGHXZ.R@qW@l5X'req43@=ݝ%w.X)}>Fu酈ᡅGdҘ|$]~b+(GNPKzCJpjg 6 0^IܶLB|fk*GIF.tR \~B{ZRdk1wp\e?h1؞/ 8e/A+yl~4kcv!? .oJL+O5 * B_e,wf)hd+l.0>p@=?=d  > )JS iL p           0 ]   $ h ( 8 69 6:6>8F8G8 H8 I8 X9Y9\9H ]9l ^9b:Sc:d;e;f;l;u; v;w< x= y=4z=L=\=`=f=Cpermissions2018122523.12.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.a/s390zp37lSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_uX9;@큤a/a/a/a/a/a/a/a/a/cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb067422c5ff5d9dd9db4fff1a3dfd8d40a1a3c85bf2ad31959ddfe48b84a4d64199254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b8629bab725bee1b07bba39312965005baffab12b82936e17c0c60977e8d2c744bd3caf537d7c7e867e361902d1981a4a3a7afb33da299c259b1a439ceddabdea35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.12.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.12.13.0.4-14.6.0-14.0-15.2-14.14.1aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@jsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zp37 1642409969 20181225-23.12.120181225-23.12.120181225-23.12.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:22415/SUSE_SLE-15-SP2_Update/24af69c0eeaebf90c0649074940a8198-permissions.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=9eeb7686c75c1ac0e6a15ef3b81365dbb73222ed, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R REVt[ utf-850f8499d36ee7830927d01f44e78c0a567736b5467c853db68d837923d266109?7zXZ !t/U] crv(vX0T(L&B'#m3 PSsj): ÚbSiy (ߩ;V1b])7 ]4, l椀o)7rbLy8"R#ڛYF4[q^@VI1Oc2ؖ;holĀ͂ 'a~Q1 \RCJ 3OklY_7 v|"zJ k,bX=FWzk6wb#x $DQhECڄ&-.pvm=NgÛ"@|4otHtM`u !W>zyCN Į<:9/)(fH-C@A1-1y)&\$󬌏#rRl` Nt2&X&07&j@m7i,HJHy QL -4h&zXT.""|DVO@$i&ѳ n+Us\ljQ Yv%! etsHp+ef"1C94#݄tB*6rOÉ/ͅQ[f\а)@w 6R3I@bx{%/@P΁^c+`R^9˫75\=ʏ<M\5>߬! 偓!O }br"ʇFIRN>!q$ΨGn!{{](KNL b$64gH$-10ma}NL/l$tQ{VR2Z ו-cۺ 'n+to^l 8YxB8OH iZ!BUزCZKOX'Q}Sv+ ߬MrIA"+dW1x[5Ya3;ѯܞ1R(RIDm/ mگ~{;En G˴׬0CG=Xvbcts|69F0psŹط̼Br(NaU]F2Oϣ8=@Ni 1>Yq\!g%+̡5h/-腾y c FasZ8, j 8/4vӆdh DI>gQav' Ű9Q<3.9d^-[\G6%7Y ̹K`\v&HCC ;=He4PHd,a( `.f`̝NkvM-<_jFu#O%}/3`w,qzSI FwyiĺVKإ% g)[9Nn~ N/ d*Fj4E!]68L:  F-JغNr |gˤz@FN:DkZԇʩ;U[D8#`ᢥ8H3gk]ƥ/34MyLGfp25U8H(ch#~I8wț 2ޢItqhDpNKk{91Z5zىV@av I:BnJWWQr}i؜3VXK%J(if1җ+q/Ж঱鯅řž9 "bqP/R(K1d?EpT!(Q-&hV<<&^m>:?"<O]MCADgg:bsCG7 eCUEPov*O9Z UR.4g|G缓@Ti=<3vbkLCV0e#M0^anPIU_: r.s wR:/>܁."KQ*x0Syl!v.tl6Z  @e|i BV u>˃XQ|[9VF3&3D^^y;xPt'Szӛc{_Tj;yӆ2IT O+]A[[֣2FBg=oѸ~%{(.6j~,#T`i\ry19z "G⦮uoZc-z%~hشk/33N ʱaur; SYQ`UCՒ5͇B1ҤaOdxVzsivHJXXFSԕ|,_r4Nҝ=*IT4lu^cN|IN'i1?Pmbg-qNw!- "Ŝv0PYm$ʒCR| BY؏)u[PHv9Lt¸=5l{3o#VFuUNI=aC !-КPMxly %,p;X 8Q 8)bpTW4듥 (a"3G7i$rcWʒ4tpɢP: \؃tRI\)$ ju%Oa!YJo? Rʡ$4(|$+X o(W \Y!:Ӹ 8yQQ@qWy'x 6@Ma+/w= Ӎ|nIhU&%F6->?9۴h0]dcYrP8=Yzєg\ogIV9!;=ɦݷ`88R,ua!۪ PaB*(!& ;c+dQ3͘Mg2!g$Ua[✮-B(SC<Kf l+Ifp5 DޗBn?*F|b|ٖR-"Z)+Ou%k4^Ҥu>uN4m<,x#eZV\`Qݧc6,ǘܚM9+ٗD5`Z8$" lZϪ^GHOoqJbN)0.9BDǝ[a<;_~:cb͆T-@eZ B5P!*5+L*؟1仓X2rI}:y4[{+}C[FiYWrRDVY4aY$U7b"5IvAEiƼ.@tS?1mBG4pweޯpTd IUCAF"uq:%h9 S{'fdGqn՗޵ֽ>Ѧ/-SIҲ],ĒUgm4mw9 !w Hw{:t$>Pfb/*T$S2* IF.rD@ՔExiGj/~Nz9ߟ@+Ho;F(4;})}WgВVY }zKF1G$y@X1 p)*~Z!,Խ(= #r-(8 |wS􍯔M8*EУr) P8.OvbA![xtn Ҕ+Iz&IMW Ӓ˸@ O,?6`pYl@Ho&H=䍍 M)q!,{ҋe1Cܭ#[`W&I믫}`ۨ#g4fsd9-?:)i]tUiӤJp^YsO{?v`S!LcRɾ2;) j~C#(mYt^ß#Lu /<3Y딛 /4k<&_C ~ o2~Ӷ^!>2.EϾĩp6S5G$m15aP+* k$ى6gں-K睒Aj=^'ja!⤇7#hחNxJjI?Bt6Bʄu^LSt.y%[&E %9Pֺά)?,sDkHVuO.ݜQפH#<:eciVrF hg/]ͻVѲ$y;tOny &)Q@!CZ/u W$KÄц.;]NΊ,|/B*gRPK}Z7m@ K j>+dU.`:Grߊi͎;oK')& #97}vR  _SSDqu'8 $Ǯ{ĵ4_40(hռ6F;/s4< 2BA)N-0Y<-{nVI1Q{Aw +K~#Bh% Cئ᝛ "޽4(:-?ulaq 놳ơ&H`.Ӿ/FQG5C"2{Gb!wd@.&Sp `f< %&yT^wl ;}̑"رs$.ZA9TA8"ْAR;lO=RlEMp`iˮ~/aيfodA|']/# Ecl,0g,S'n\Se |"]|fjQnFN?uIh}62+z,k&'?>|"rENG[~ۀHÀ됮`CW'oAh *Zݔ7.zI]ranC= `O1< ީZ!eC]++b8ODMo rrǢb"4s 4`w;//A|򮋞MBVEVk X+]b:^fҮR!Ǔ/w8d,6N ^IgUؕ:R [H#G_aCGC?LA':AYC܎<߻f|%"#q'L+uE',cT,s>nlhBp`m>iY ~i ?up]A&]UvjY$<:i 7#h_kxd0 mS- 'f-$оfiGh%i̱*,^?K=km$"{H}eEAiIn~̸'ʋS[jk /i&CF[P }`c#IjJvi e1_d^ʤ8L{6 |F$U@sXMʨÓy15A@u:D*ʷRwh/F)q;3tepܣꁩ; P'|VŐ311[⠛4b]9Fd~+Х=$uDSetS \\ܑUulλ L`$`S!P[I4#9| f-iͥ")5͹lZl@) &UPE[#k@ݎ,747D1tOTx #aw.gV.En" F8b^g2ȗWs7:~B͜lKZ% aWak$D nmۉH1J@ ɁƬ0!x;P؈L-ʼA{`oٴ ͅ楺TֳB~j =&M;0҆8Q]Y(9gR922;s wsH01\F`3NMYQAq%2Wx-gJRd%E# 'WtW'ҟ*ޒPJ3#Lu@t9 sݏ`aDr%Yŝf [{XǥSxkmp;?q!g7<ͅk;3mA\Q?_5R#MWey$hTK6`*}ԣ`"8wN*Cgb*v#s,MƢ^3$O kBFX]Šk^Pl#Η2D{#}޸lKoIWLWRʧ\/z>MS @Gd 2"& l,4+hQ!ڮւa7-<z5 Ҫ=sa׫/z AIUѡ5sP=EP vxB1?.]IJ" $#:|ŽcKSV-PմJ`7w#2)΃4rN-76ttܱ,$M 1Vf+Ci!m<6!K.CcN6DXs߳RzZ\pɢNpdHYY}-$쮣qQ6sAGQ'/BX9]_ &-cf'!*D耥K,aI=Mj_m6б'P*lzsΦߋtjNY" #h)7fd?Rޕ:"1pZ1ay`g#wKnttg#A}O& P<_˳`{?UiZJ!"33PVC䬅bT϶̥,"y+iSu)#iZFy~u=؟4$ӣQ5\d!& G!X@0?oF )Oد#m)K\E_mgoe)M4e_<3&u ~]6zGH;W։&. pځҽaW ~!.;Z.Q [ Dq%ǰNw+{ Xy{>ƨ#u6~4ٓUF^ټUev#13MZF/?X gڱ&_ jA)v^IJˑ;Q/؏v)kJ&Z ׭.nԨKfT{Pk: py|Iu$Td;Ecv4^,# j7k@n(=LDm`/*¿f:+nt .e6#o-=C`8aز+5⹍I~ `} w>u7Ϭr>zKk`w;Fw[?E/uȤ`HuՎ<1zjw qLyMxO\DUW֛ |QsITclEB:pd!5>LA' S`ŘYF_d !€Z;!SޚAH뻣XtÂ*$h@A%g_R0- eȢDr~$AbNl#hkHTLBw7htJcyMjk_I-&phR9눚PR f%pZj鉗Y2jRO<T< >V@ 5/[:ͷndPhY4nTJ@| 3p)]tfH}uIb$6FlI#)v-?lո|(I iM] ިEwfo?7u@x- f4KA֞Z7LyZ +uw;pEp:3Q癤"9g싈zM8E2uo 7`0o6E*ǎR@Fx~K3U]LxT%eIL1~zɽ71 G?C a3uBv$zD)\dTiljU*s4N_',? LAz+F{szeR퓽54o>w/6v\eP^̆xgXG@cm+ ]-0O:·ӓ|1 \B=w5g΄Z̈́3 |QFnKސ%B ~m-4NY4V?Tm}(u;^`_ NI{AT{E$a*UmH"ګnz>ZLiPˣ1È6DʖZ$G%#'1z{9Bh\5B;;Z÷OLW?L|55ookՐp?n؜z~nNYELU݄}BU]iqX _@tz|p ʪh[5١# Qo&-S jz(zDtvuΈ:]@tAMbҰ u1Y[\Ϝ((reBJW66sYc kvg5o+ y%LMzTB_>DC}Oz}V?ܰ1KhKoǝ Yc&4Xya*/׺ohkiJ&~Q=4yxpTXws7QlM;ч~<-GaHj[C!uq@D.H [aZ*,7М?|CG+= ^?HF1q7Gxʄ14lοDeҜ EI@qdh`Ə\VRREv?{<ڶ*m,Lp d#k2N)0LO; 7-}QvF d,K Ff[66%ʞx]͖K6y@X;uJ)<B&[azs^8~t5n5PTc3pLeYs> -Ԡpǜĭg&];yzBDE` sD^soHi2 ^z1<%X|2jƶbXp`/ +9T*bJzb CQ (y-ptYP&q606;TD Ҡ#scc#/?2zJ q mI9ScB\Mi/ 7Z宦χILrLJxPIM֝~ Ӧ B^bg נCE{UNRi(6s,pڎ Ya&^W= `)N_Go:8 X:Omͮ4%5qt WY导;T0gR9>/SiT^OnvG"Rq(Mv57aN3LGQXH4yܑ@%K[B>C. Ҕ[2}Z(m0喡al;vA hbaCN'܉#'c KuLjRM %CF)sPCTMڿdӷS +bw]EGYq-Dmխ$k%n1DIKw um8. }?3`qܛ Z78JuzhMZ E fGuz\q{+%^ٮ:s2:E,28{}I%)?`olMUbu`4Z7 n{ƳѸ= 9b72˓9O"i.E< 2Th0;txuK-EY!g,dOLjnmCRJj^!sy .@8PFroIk\ko.rHD%*' $5$N=߄ fJaٱQ + ҂.ZʻIm&|*YQ(X'9tq#CQ }UEb# 9Bk>~ <<&0]g by:`?C3c ݶejY&3%VKlu: hA% l3v iq?-|\$uQ1 M m1Y>sy'x]g{bu77Y[)v'|-*ɎyϒY3N~/ 4 MsiFKe,Z>K`-"%R<%b;Nq/giѿ{ja7EZ(b||]тl8$;K/m%P$]B,i»9C}8ֲD$¢Í;I:Z8{z ?X`vw#! (CƤm!EF*+XWSH|\q_3QY>ҚT|nKߋѫN)ЫJNu5͕g-8[=y .[ps_fM%ڼf,U%.s^71⏁H-Ć+d;1A YXԽ-v?;.R?YCK0ff`{ 2Ԃ֕ڻyxePU$ ?hP37wkvQbNcȩ2ee01jۓ6BϢU {\Ʒ?PXqh>݀3th %Q:$뉰+R׳鰕se3<ZÈ+X@q1qfٕoebǾT 'e7zCeEۗCuLNu*N6Ը#]ʣyC2cD\~1P4^! xi{}c3̅NMp)m\XQoS%=Hctۥq sPCt<Zݘlbk\YxNmּSSޏ/z)!&__1$~qb²N!D] 0[OB*r5&zQ6Wm^R! Ts(i*\,hZ^["{KZgbDl}qBg`rM"{=gA<5'W%'js1Ow\I y.ZWL/'ti*Yta7!ؼGu2W?`c|rȡ@J3ی.LURj e!sH;pRe'$:HSvnHku`mN OF=vgn}!k5{l?~Ǯ3QAKƶX|$P\̮h7x6Wo?TJ/#o*MZ0췢 x `~>gp,;, )8T Jbd @уox Ay`/trD:20Sf)ڦ(Oi:mŭݝg[̃bBnx+Z f܈~(3/_%)V3pLLMqn>ju b#3Oױ%/VE ,}^PBVvIgz:@n6:n#y V~X"ʗ֗MMs\KAM뎳){u/ҨϖdOt]a ,M*iKus_@,H]6# (UW>C|vԟP#%wʎϭ(BHlU_2ʷF RSpJ]xЅ<` q .+Np'79Zi<}|l{3d]1EO{T2K{.WP96%0$gOfgQtI8Gkx@0ۋwYz 驃¾ڌG%ҍmo:SK5ܱ@/M .!+]4M`DdR 4>S oˀN-(4jNnCP+f*`ʬM#69[?(cZǖ:!@ $5m wZn>o #ʌY D=e&Hyr1Teoٺ&Rv&do"o*v {C79:ї"4$.*Ȩ+XwkJvqbko )\S]Zux WNj##/'2ܺiLcMnzs4% =D<{&&p-d4%3HE fmhjG#>.<qT )Jtsޝ%HjBAq6ZMȦkV[^"a,:> 9\BtJ+,SMVv5zV^;Y#!*i˥~vm*کcVzpq&=UWf$GcNa0 Ҥ; %)n Rn78y!B݂ })tk:2 e ,md~g ֠ E0d‡ 2\g~>xCx`Èw-s Q\*p ,8>4 &B LoΔ>6.`ݺH*8uoYy|LV#Kcx%؁Ɗk0zk'0D0CC~-qٶx|!e`EV4Nߩq&`a|%cp(H\q.I^xHJi%(Ug4/Enȳ(WτFt9&IT-)ċ~ $W&<٩&كHxJ 9uO{| :^|lE看ǣ=m{!a%cEթWaT|lr؀b1+ HY S9(>+]6H+?QI|=ԶI`d/8؏U}\{B=6㯘["`queMهyA;}^G DUv9b>n9g 9(V8Ԅz&*TAPX9AsNsHӨI!>bGZa|J8 /Sr[K jUp|K M$?l g"q7uXI_]D SOB_ O:;go߶bp8kT$=/~*=5 _,q!̜x PLƧER.jƣE{Uo UN]A:6/##7T.Nc(2{ gFC4DȾl6It=ss2E$ʣ|5AR7ȺR* XӮM\gM)UR,B"\Ea*-s34 fgemޒ{R>h.# ҩn_( ,'삿 ߄&Ŋy鹎0ёzr vFh+fEfC65Ĥx̿y}'VK;#.s(Lb}c0HWyuR r-jlh7MF?!?pC!5ɜ{7<,xAqU#0} c)4zT C'E쀟.'1I Cq)ٽߐ /Ye97wkOyqT2B+FBД\D#vo'P'vD Z 9p~~rb hrq#dX4LhMC1 `˟"L"}RE3~d}VJ;}.GCx/VubA_<|S1 #Q}P `mT;Tnesc Mq{ )34tgLhrAX<%~jD(+@`V D̘m0P)M:"X0$0Mpӗϕ@`0w">W` BŨlFfYx4It? X%LtQ:ЁsGMEt|V'al[> L3"6)g1wh`AtsE8"s(RE[,l%&YWH+i28e v%t͋vKR Cވi۠tO0#EnVkhO*}Upf,Kgf m۰CO.`Y?=\/Ʈ'z-,;yJ#;9;x[qET>%@Y5rjfsƩ+|l,:;5_1uL]@!-?kΗƏl 0]S9N>k- !{N` TU|y 8uO")0Gez>a0/mS8.8H$~p]h|27^)oQx79)Z5Ily" &S.v37tj'{rm:IeoXkTmƂkwzZ2'L* `)x3_nn/INYKaGqV~F"3و9;/4F/fk?$;r,OuoNbceZi;cbޔynEI##غy?ECա\2q Jp wٙ1'T̐ywBȓH2Gr'߭y?>Wy!m.UwO) ׼HSd3\O g=A'H] [S19İ/ÝP BDadF&.h>g 24p̐I?J9 ,$<;hi Ѽt_Tv,H*_ej>}$I+ג1b ƚ[?<*c1SF|r9CY7\pn98!c:)„:a~8.iTObm&J}{%\ {$ôNw"e;#Lr3ҼwwS5V9D?5uT)tjmiݧUIXPw*yv޽¦65ýuLu/t\2U-ޞa[@L_6DTx<0hȑcEu0¥a:>1)~ U;%5;GsVIpaF9 pyG1u$RowrD=]{wAd 'gW&S7NY5rE} kp|]w I$ѥ1C-75yT\=^ s44XFp,j]QL@5 _yK&34 mWčW$3@$Z{X空gsR:"4M␇_Dr]5#|{ H dF} YZ