permissions-20181225-23.9.1

Name: permissions
Version: 20181225
Release: 23.9.1
Summary: SUSE Linux Default Permissions
Description: Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.
Build host: s390zp35
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: GPL-2.0+
Packager: https://www.suse.com/
Group: Productivity/Security
URL: http://github.com/openSUSE/permissions
OS: linux
Architecture: s390x

Post-install script:

    PNAME=security
    SUBPNAME=
    SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
    # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
    if [ ! -f $SYSC_TEMPLATE ] ; then
        TEMPLATE_DIR=/var/adm/fillup-templates
        SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
    fi
    SD_NAME=""
    if [ -x /bin/fillup ] ; then
        if [ -f $SYSC_TEMPLATE ] ; then
            echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
            mkdir -p /etc/sysconfig/$SD_NAME
            touch /etc/sysconfig/$SD_NAME$PNAME
            /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
        fi
    else
        echo "ERROR: fillup not found. This should not happen. Please compare"
        echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
        echo "update by hand."
    fi
    # apply all potentially changed permissions
    /usr/bin/chkstat --system

File owner and group: root:root
Source RPM: permissions-20181225-23.9.1.src.rpm

Provides:
    aaa_base:/etc/permissions
    config(permissions)
    permissions
    permissions(s390-64)

Requires:
    /bin/sh
    config(permissions) = 20181225-23.9.1
    coreutils
    diffutils
    fillup
    grep
    group(trusted)
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.17)(64bit)
    libc.so.6(GLIBC_2.2)(64bit)
    libc.so.6(GLIBC_2.3.4)(64bit)
    libc.so.6(GLIBC_2.4)(64bit)
    libcap.so.2()(64bit)
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(FileDigests) <= 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    rpmlib(PayloadIsXz) <= 5.2-1

RPM version: 4.14.1
Changelog:

matthias.gerstner@suse.com
- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

matthias.gerstner@suse.com
- Update to version 20181225:
  * etc/permissions: remove unnecessary entries (bsc#1182899)

matthias.gerstner@suse.com
- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

matthias.gerstner@suse.com
- Update to version 20181224:
  * profiles: add entries for enlightenment (bsc#1171686)

malte.kraus@suse.com
- whitelist texlive public binary (bsc#1171686)

jsegitz@suse.com
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)

jsegitz@suse.com
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)

jsegitz@suse.com
- whitelist s390-tools setgid bit on log directory (bsc#1167163)

malte.kraus@suse.com
- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat

malte.kraus@suse.com
- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * fix syntax of paranoid profile

matthias.gerstner@suse.com
- Update to version 20181224:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat: capability handling fixes (bsc#1161779)
  * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)

matthias.gerstner@suse.com
Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package.
Therefore remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch
- 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
- Update to version 20181117:
  * removed old entry for rmtab
  * Fixed typo in icinga2 whitelist entry

malte.kraus@suse.com
- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)

malte.kraus@suse.com
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

malte.kraus@suse.com
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)

malte.kraus@suse.com
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

jsegitz@suse.com
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)

malte.kraus@suse.com
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid

jsegitz@suse.com
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)

jsegitz@suse.com
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
  New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
  Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
  Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve

opensuse-packaging@opensuse.org
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.

matthias.gerstner@suse.com
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.

meissner@suse.com
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)

krahmer@suse.com
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)

kukuk@suse.com
- fillup is required for post, not pre installation

mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros

astieger@suse.com
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)

rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

krahmer@suse.com
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)

eeich@suse.com
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304

jsegitz@suse.com
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)

astieger@suse.com
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738

pgajdos@suse.com
- Update to version 20170927:
  * fix typos in manpages

astieger@suse.com
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304

astieger@suse.com
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)

opensuse-packaging@opensuse.org
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)

dimstar@opensuse.org
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.

meissner@suse.com
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)

meissner@suse.com
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used

meissner@suse.com
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling

meissner@suse.com
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap

krahmer@suse.com
- adding qemu-bridge-helper mode 04750 (bsc#988279)

dimstar@opensuse.org
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.

meissner@suse.com
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)

meissner@suse.com
- permissions: adding gstreamer ptp file caps (bsc#960173)

meissner@suse.com
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)

meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363

meissner@suse.com
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)

meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)

meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)

meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)

krahmer@suse.com
- Added iouyap capabilities (bnc#904060)

meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647

Post-install interpreter: /bin/sh
Build cookie: s390zp35 1640259050
Provides version: 20181225-23.9.1

Files:
    /etc/permissions
    /etc/permissions.easy
    /etc/permissions.local
    /etc/permissions.paranoid
    /etc/permissions.secure
    /usr/bin/chkstat
    /usr/share/fillup-templates/sysconfig.security
    /usr/share/man/man5/permissions.5.gz
    /usr/share/man/man8/chkstat.8.gz

Build flags: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Dist URL: obs://build.suse.de/SUSE:Maintenance:22267/SUSE_SLE-15-SP2_Update/4b3d058246c9eac4d680a0bb24fc1a4f-permissions.SUSE_SLE-15-SP2_Update
Payload format: cpio
Payload compressor: xz
Payload flags: 5
Platform: s390x-suse-linux

File types:
    ASCII text
    ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=2d35efe6ebb7d2f6ad1a40e2adc8527fc18c599c, for GNU/Linux 3.2.0, stripped
    troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

Encoding: utf-8
Payload digest: 712423a168cd2b5e0ad9ceb0f8f68cbb53ae4fbbe2ac000a0dfbde99b7c431ec