libsamba-errors0-32bit-4.13.10+git.236.0517d0e6bdf-3.7.12 >  A aynp9|>6z~eY-~hȭ?L2#ds ʼk`3kPk2|V" J7F]59p.tUK-λ; )Gn?n ģ͉qn D GFt:[ K챣 &V 8eCVs4B~weo^!#H|a 4ZPi*NcVܗ"T< "Uʼn(kheKh{/ v5s#gi247e4bb27c35766904478d19c543faa41ac783bcc5ba15ae41c1fcf2f4b16e21387eb15859b24d061a073b409e4f4d58332810e6haynp9|Ng[Z^NYdqe_+\gc_ {B9Ohe%>=\1/b~1dM|^VUOr#֭Pe\NrmLGSYll.tv[tD{-Tr1pA;- [+2Ҋgsd q^rAŻxl^h.j m/r0#ҾƊU.2q;jrP"H(ʈp>t?dd5 < Z *AGN`d f h l  d   (89H:v>dGlHpItXxY߈\]^bcd1e6f9l;uPvTwxy `Clibsamba-errors0-32bit4.13.10+git.236.0517d0e6bdf3.7.12Samba errors handling libraryThis subpackage contains libraries to handle and translate NT error codes.ayngoat18SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64/sbin/ldconfigayn08df7ac056ca029cc3d47d1d42b401a535023aaaf16458687580b3f21a141c59rootrootsamba-4.13.10+git.236.0517d0e6bdf-3.7.12.src.rpmlibsamba-errors.so.1libsamba-errors.so.1(SAMBA_ERRORS_1)libsamba-errors0-32bitlibsamba-errors0-32bit(x86-32)@@@@@@@    /bin/shlibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libtalloc.so.2libtalloc.so.2(TALLOC_2.0.2)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.10+git.236.0517d0e6bdf-3.7.124.13.10+git.236.0517d0e6bdf-3.7.12libsamba-errors.so.1/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21237/SUSE_SLE-15-SP3_Update/d2f98d8ef4313516f89dded66bd0b145-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=e1ab57ae5c207a1444166ef05587b528688ea4ae, stripped PPRRRRRRRutf-88a8cc482d1100ab457b102188a586ff32a59326a3dd255ec98bb5e2ee79fa3af? 7zXZ !t/a] crv9w&Fy'򹺳8yk_n[I_:vNF% .Lw팿PB ukCK[!؄ߧ_SUf17g 6`BU(7dGVdf2߷" ][O'~Yf >LtnA&?J|z tFR^ =uQE-;ͱq+,ᤋ[ױPƧ`w=3 !EoE#+SHtj`b_QX< mKw6Zͩ`/3EtsѠA)Gr%kT}a!(5hحC_5OKmgylqXeԴnKO5:UtOذ0ٺE\'egͼ xE ? yH<,9~D9R3 8N5ɍkL`&a^̠0Aox)wx1-eWt1g'hVUBRO[B%Χ G.򑝤5FXt4u58FTJdUIN9q;]\ [ :P v0Ag4"&h@ ٿ;{ < ByŕW X<<]m!$L&v8IԌj 5R"ڲ&0P2$25yjǡ$A_:%$^c5쭁qeFJBw&CѽDJ%M-:~@abJb٦?.'C>kV*8OW pbh@莣Nn|Ց1sOrx5}yz7D=,B4Զ NuJέ9o+8!K}6Xλ-+C̜HA81~9\.$Cbҝ:kU]Lrsa XP /Ƚ]'{(h "mNjؒyLdKGx(#)M\ACMk,;RӼ͏R$_;~Jy V[n#hS2!&>Lf}rR_h |m%7m1m]"OzDf;Os:;xa>lT݆Qm-K6H@.\ۊp#,,3Pܛϫ|< 9l}&Eh; r?lo[ͷTfg/}(Fa.} &|b؆큠q K<%PjE 92tBܮߒ@M#PaɆ$ {MU*$E!UdIos8Sg')́pIdcڔvkSC)v$tbjf٧&hxt٘':9iJ~Yr 3@=|Q˅ÉKZiH*#`XR4&,)F_-U&[kS^/PuDmˮqCp]/I]XR&L)311FR^>oGS !nX)Z}Y ak:X|fR EMbQm[yD_d5LC*_j&]usWn$jFcL5w+ې5~nw뮎7{;a%/.Ÿ8pS?éəJ{)<Ľ|S %3g`8P~BN`Yn).FʅL3얥 1FSN#9%L`ؿE)mH+Ŧ'-`0j1uZH92naive7</w-2_e9r=WyltnsR]X2*jRŸs1v%0SJ"[' ~;czAU} j&a?,&C *Ӷj_oS4 Q2_R yO2Ze~?D_Rwdt167m~Јyn5i1 -p,8Tu ?bCJ/vPE/;?H_Y7MFOoKx􈟣/PA߼m8/UYh\RH 9C2 "(|S.C.eBLiyX5t"27QvGm:B$=Ӝ oTa>0jFhmN)+ Wh[`#&Ǵ]uqH$vC`BC뼇Tq1 ~s7^ t]: ?dơwUS+$ sefz!PHTY^SMOOBQOluI;ei_']u)yka~ݯKiq;b^[e+t3~$") "TVsʊ]ZpyZudfv_A}ґxoۼCKi\nMx}Kh8 s..pK?"族s]P=h|Y'qL.U[D&/%rRs. M1,gdh޷ݜ!r"L=~8w9,)U7j>A"~(&U\IP|)BA6GKܶ$K ȇ0O񠙭wk嬞il@+ [D_ÆTTY(F`묲T0Go?[| d`z*<.+ < 7M`rXq떲V [8 -e ۪!S4dOx͔|q_%2f1Y[Mua,xMՁ/JyNgCl("JW4HY$k8>f-oZ\e5y6Tavԩ9L)P"-ǮMA%t XBH?I&Cؾiw,W]=FÌƊ9Cn;v"9ںSDB\oxsG❆xk@+x5"b۴ )N۬ZX-5ԣݧyKwerO@_V݇m½/KF7v٠:[2O%puh(_{> oO&R8%_I,tRHs5;p4YÔXiz`}x^2S]2vOK5-kq P M@A{Hs0#|!:K4ah7M0 `aMo;pvf.ʆVNH0ŻзE_\ͅ ioGVCQDUʆ ш'5;bN:?T>kqU`wU?xq/"ZMgyOu ͨJ?gPG'(tΆK2qEG}Iŵ׉^0QÕT}i[sx #ㄉY,} ?lCА}fݼmjeBuWBdnOmYލ-(WH\zJڛ##<ۣ1}U_@>Ч F=cݸrj޸\4`e_,P }Nn*|0FK;> íA,xFU4mX`,]cЌ'Uv/]"wa25d>Z3&֊;1s$W=NrDu1AUut`{X $/Mjoc6$7s"ks^}׍{Q@^U>rnr 3s.BbvYIo˃-AN6ݦ!<:XRFU/K|JʚLO.>W=+5fX ?S1 K0QBN4ڷ&3I{a@]-`kG1}cSv0?,$jyJ(PuU=W"N"}>{a!Y=>)pB'CK>:ŽS8ۢ .B긪==A4&C 9jrUVM*J}Dv) R͂&ѱY17sSRZgRƿ5hrJr~I%\#Sřܚ랺(ndcP 9s2lѤ 'tr2++><ͥi:d1[;c0~y,rĖX@?A%}VvҠx^<p.JxoʋnyrVCd|LpkFX35~oyle\hj˺tW7ㄍ(/X7a|YQ>2wFh :aD^!j|z~$ZOOEtJU`4oWN"nX]30yy8îRq["$f= UyUy=>DBiuIBX5Լ_GP)Eg3Qu#QEK3rx+vf(?|dG>HN)D^ RLOD,i1rW zniMF0$v[[yӭΚ 1:o2=Hr*Ӆ%yu@Q5)@|K{ iJ#;ME+,z,3]<|NBȋfmjjᅃjr١G7A$*Z :&''WpyD14o3c[8<#D@{!@qQ{vyCW2&.ͫlP951g4Ԗ&y#ZxV {th +04`'Wc1rc8 Kx@C.;[0db{LQEk^dMLW;vp@?%>B:n@X Vҝ ĵ=дHw1}O9 HoI$ ^qžSs7QMk1,@dj㨭<ѐC* gZg2OI͠$"oJC)-M?FYG;+ P{3e-ByY,/S#egn#@k8oЗ -TU朷S/}u\ =`x,zS[wfư8IK*g`lHEXV[o2CA.l%  ZgBrN giؼNR DhRr_wuV]6 "J'#ri)NL5{l/BTyJh)MqKwNZ`' Wp[ L +5tf&>ygFw-J ΅!wU撶{qpaA> O1~9#toHB/W퍂ކ# lY/g o쎩@=pxa$݀=rSk4@2w{qO<B먶9 :23"݂P[cw9?o(npY,3qEoQ1v ;SqQF$'{:(3'=Dolln,!Cswu\]dj-js*QL9{u7 ̬ߦeo%9 Y۽T3ux]DCIXb\L}YL c>{:ő9)FumWԏk&(i?)oˇodP|f(,OY0!fB;z7/Y<jp|ꢒej9%ݶdpX1z b8޽J,8& LzE4h\pklG.9%ᡴXN;3A̴:Ӑ C q0SSSN5R&=X3_6rruphG7x"bSGD/?&2wN2X$5}=2u-ų=ܫXS@^bG9>lb_ԺE5@zK-2b -; 4[ϖ͔2؃ي`(ʺ2]L/]@|C3:G6lp3$Fu -  + A$ " 8m]}Z?1s`O+@upn)8d~:XAY8PMs^_96‚Dmkw>:[hfkߑ\;6~wAaU,9S^0gE5BI|qo`T3# !JR)QH)tp[ԚIŻ_WlV3UzsE I2ߑ P hcDmSUA(@,dT(qQ8;ys h)GB!&~k) ~j0PׇZASs`k;xK*g#=Aڥ'B(_pNlPU7Y³2\̛۰'= J]k&f 4xqR EwXj8mqC!Y+3C]rS T#+⼾$## l ҐyQѺ yECsA>JQy2ђlZ m~MaP0#0_8lI~jqI~In(kRV[җt'DO,j-z+"Yν;tasIp_|.nv ^b#Aqʈڕ%>KyH%(۩+ }K > v&f`D&+;x(7泂pǨ앙YPy-V]rIsoz̨MkYq៘2`p%w%了rEoUq [LbxaS$\1;ldmAz'RA?г.jp*Hd ]0c |^is|lL ẂWЕe)ŸWQFѨSM2:AAo-V [^ApUCO 9~ސ۩q&>G5d$ˎ4.{3&dE\g'7ᨿ|ݘf9HbveawUJ ȣJưPYIQpY!jd>9D$wi iLmw}P^]&)qͨۄzvYm\`ikG(0MDViOb۠Hj_sFZCZ,Mt>|"Z=\v!*]BiY>gd쿫ua ;@U & 8[<m[q2T8pר &bg~=TS)?#gيե(z|c ½kJQ۸߅Gc 6qad΀zl1cpl [VPA]}QVB3VLOش]+4˾lyAjQS1vr(V #}xrDZNf-OSqqCSѭ ĿޞVɏ+˕J?xB$ ü@\"G/A3Fn{њh)`!m%>~6/SWCD |A*k8`,Bo]!~L';SVO 0.j åa#֙Y):([$]ʣ l{l Foc~(=Fjج7#.)jZ@k^^ FMZ^2(6 }!%[eTS!s舝Y:q\l[bGKU\%0_-OA{Jg!: Qwz M}u\ BדݵO 9a48?- / wG9wbz9^<> ߛr߄ٞ(!&b3W|>5yUCx*@CI&(H%>?2Bn'm:OPF3r?.Dm>ss({,sԈI\/u醪rۢlcN0+߸o)h e(d. tR^K" 6#_7I/B/vR@/[B %SunE,DQ6IpٕReQmFCBw(_W*זg?tsZl5 ߁/-krpkX5#@:ҵz֤h )y!?c&Koح'cy0/rf0)xF.`^f} 'X̛f`SI9<H?R6[]kQ*{cW8KFVْJy} [ΡF=IOж*._:>F́!=2TW Wie}nFE1cj+?uj[T#H3:Otm{N ҃pRI\+GK g/ax"s "gQ8ne RCk%nR(T G*Kbԩ8bmW̊XQJЈQ`M,18QByYC)0n 6r~(6o~%ߪ%4}ƕ8K4z].H;7,)3 ʭzivҿ9 '㑜)%x3ιKٰ襈^&N[ZaU0uM+`$•з vJ7?l܄%5o!W1A$sg/`^Y$uwځt,!nTlv"߇7e1bѕYA;w%Q̤YS!xH^VKrCEJ~UJGH]m5Zi-|48RAگUօWA= Gt*B0ko7b* _BVFJz^LZͿ34}x.wf2`ʍy`,1rL 1Zf͠JuM z"D |7O[g۲v4LcZ~;t.3_FCE7|$Ռd$"w#PeRq4c-T]1w HY3g(Q>, ZkR?'PUiiAGi-m,ז{ ta!O M ̻!㠙3zNhߦ>+XFI]?L>fs7S"JU)\VvJA\*x'p.p6/ώN*Bh ~;Huv%f*wa59ޒ?mEWsn2-F~ΙC idنR!u"U έH;#Hf@w4KǒAa ԯ=4Y鳨ht8>ĀbkC@B@8`x5ӌv@6?qN3ٹec?|""b#'xDvGui#]4|7DY Qq?&HfY<曧[@2ˇЅB3G@>6$ E7t;ؘ %%2{pu1lQ7L=op xUFvn^w_\6 s'X<һ.֑Bi`tl]_u$miN}8nllҦAyiW[hCO|1p\ȝ@;MU*Y5so$&jx|i~ޙPU EBtroAKߒ !_}^Y3&e·fu|{#cy}RoxY+L~KMwur 2&h -571/v}EMJr:p OPBXͶnV?+!rpb*I%;J+s怉Y՚7M*b Id|e[,zM٣nrDu7+x[k7nٶ晴&Fpz ,|=na DD afScqe_q !JS‹GLe@"n0;v*=w^(/g @X XeS܆9c&{:6U5XnՄ qb;fd{sU\ ruAӋk!4#i'G-\7\x $EffEC/ocSsi)+b2?&rpP̽Lh랑RFlYO@qb: qҰD 9V[Kd@FTmlruFh3(M^-kU *W;{U(0j/F] Y7co8d?'w'axBwV?IPđ:ge8j{x̴@عofQ~N qZʎ{u_YZP(m)8EhKEgLp8F怽3.Na8ېk7/эMH,(yfQ.U~g$P],%59Dey9g_t5J!D+ 7߅XӮiH*AX Ak\w^sǸ?bߤi %Ȝ>C@:m-Ŋ</-miw}eҹ ۝c 51bSG d~_X.k +"i7?{^BjD/b?|Y$enV!7S{٩&\S׉c_3yfcD3~ROB$:ogYHmAw\572A|ɥxR>'kȄR92گN6Hd6Bw[9qL >I|OeiscoO5s&g.슮si8>@z:)z0s]@Ɓj{KҠ#aҝWPPn|Ktj:?0C0% VvT/Tp|Jq{[ 4\|V?VZX{ wl ƺ,WIr_0DdIM؃eBV @݇lXUNQO=8K> ZťI˴Lx njǃ=%I YY \}]Q'pOőg^ A!;7ZA NN~@,U}(RB-(10Ox]AOX'ˏĒ{FfҮ<=2SNIk  ż1M_Ћz_Dhv-1FM( ΕJ} &$K?FpesvU%4{j~hGp7+›rD} 3^+W4zk}J7x-z1شј$lZ/ xaO;_g"nk}W\B07! 3ж6Smj =sMe3tGxwdy$YptRTӳ\ůkOSCRYedl%M/OCӣ. ]˅Il];[C/w13E48!/;pI:K(6'iĆ@:>PԸGqA~! x Y!/x vpRluԠn3VѺ@Ur5 k 8Sԁ[x8iH+PYr;l`xb8F1BQVI+Q&ՈޜzAYE'HZC?s)6oǶw6|"tVx#8Pta`X1s]Z/,Ֆ,@6Cd0m0)->%azr&uՑOY66n@޻r:!BKBb2@߉4cn] Ѱ`;"Ҝ:OR(5Ёh?bT<{6 EA9C[=*>߷}S[`B0@'(b$iZ`x;^ &s&vZN2cI:z@oar͆ *w}>bnNpO+Y,R $\C#=ݏ6{v}' h3km@A&\"7-g="URqO;HAe<>[!҄)J$rs't, %5*FMx4\(o!{S &dh#I[Wq)KD' +Җ0Yvpe.$l_G5ӟUGD6(G(w1-Q jgx Ȃp~Fgd-2Q,:X[$ H8 fƣm#UkxTknCe=Չ㚎Bц!nR=(5^jJCѱzC x'DWѲ_)]rMu|VwX7x Vt,=4-Y!XH⡠8`R ~DtZs'^}{1R <tbW۞ks"n}mIEQGeo P(ݸ 73반`=y᛭v[oE8/:?;eA>p:(|]Y/MhXG#mȃ!1"K2KqC7aqR"ɮx B]W˵~E6Dn.%YH}gs%ʨ%戤d)@>ob5HЯWG͠܃yؘbtN#;ﭻ}"_Rᘓt(#y\` Sxs^Qx#LkP3՚\6[4,eqWoo @7Sz>SMWsq# d(G=^`&XnGγ0FAZ$*Bc ;fKkȅok$1"'1F߷g$j>` P)0ʰmȥk2_ wh`[~Xa5HQ<$@h.{ǪX]|*LĠ8vфg_E=#=!yD-DB )Ϲc PƠ|`f (2z9ĩ`7kY̠lUΤ"D%$.n >F}l RIQ-RYUZ>nDLXվ,Sg%?aWP /d3%xyH?iyӕg(ɳfsq,3hZ5D(/raxHG]\P)IuLJq)||+W^/11!ch\2 #Գդ JUY<&~>%;SeJ1%br0 _;Nc¨{}tCE LjOE^X 1Sv܋Ÿ!_9s8虧Z;Kf%+)83r)ku v=3bJ~k^ 4&^7:ˀ'F`G|*,ݳ8WܗUgelw?rv0_XGK7 j AV".l19OHc+eCąʜK `G-# =dxE*>njYlyڟ#7ЌhF$l1QF6K[-Kjk2VM*oUď/#s98K9&tع؈@yvQ<˻1k0e,[V_p}B ^aepgglfmvYb~FHvGG7oyn5/*wϦJSn+9M%Āg%<9Ѡ:#F,84~:+6 x/ Ӝ`5lI=$U}~8 B\ %<GO7`4n ("DQc$ WIW4W{Ock.Șij8֎ruQB!fZ$co'6y>Et өًe-t:n'N/7@)x_͆Sso16 nJk}V7] jd6^R5K@>k9H;,suAc~,AӁW-?wf+ncykB+O5YX˨dC&,'pN0H,OIJ5rbetxx}ZT *C_F4=ȣZW! cp'H[ɐ_Zuc{ p(**4^kO<@hH^, %yjUT ;: Qf5M˻OͅAX̂* 1aTE:qt~ n;[Q#{*et) "0O^}uIȁm(=V3UGK b>K]s)^x@< !q낉hxjr}[KWT8p -ܕu|h^_$1צ$ 굴xt>0rs̈́PN [F8Cڊ:B-d,¡-M[,GrgUsd?NUwD.h,RuC%gss&ͭM1!6X֪2W|l?>-Q1sT!>>53]kgަ >) p=Ϻ{ziO83Qb<\Kbn}?I~ș}oNeޑ;I{Xq4Nkɱ_o!CZFcJU'+C^i}[hAהSㅥwC`>P`M-gB2zY4Ex};!Ӕ,0([;L5o]bee{)Jh,s8175058"wz"̚/G1|L}zsE5bX)gҍadž }W`B=J@ucv:vZbG/M0>ki.Qs4hWJ/hjt(἟\N>C#%NhLw [^4BW2:~A4 W3.$%<zZ#03&bnwo )-jB*V򧛪lfB>!1p9 '\4E7$DK/vo!b0=_#9CoqGϽOk&֓ Z _:(FA:y7Vt8,lJ*ϸs][՛.cQG24}*L'QZL}.:+MZa*Ct9GThSR*⮧8֐smۤٳvPJiM(ڞ`>4 ;J,. \n7#ȅVX[(֢[<*]ѻ!@H.?l񦩴Շ oSL i& *"mӐrJO `?4g7c,T"a{ԯzuDlo`o /HBhN-I;V٬% l[ϙ%v[On3~Xٿ$?$sM ZN&7Uy)6<3lјK&_ 9ez*} m+9B:a{-^;=4`+JS;-90hk d ȽR0 onnY!t،Y4E[Ȭ#T-&{z i$26AYve6FCY'6" %b$ 5V-Y[؏W=(>Qi:; Hd7V42v;$ős o/73@u}bd*ƉJ*_- /}P?gX",y[.Κ?q1M]!Lk:n(,gĥVPLxsfR:({"r*=!i&Zmm+ i9jNzaMe+9ڰ>oS}hFQ~^no44 u9z(MaFjX*,ubm˥/[9^Q~4:sg&#Nw1bήG7t|-ZaH1V#ᴑhBHn˪;* hX uD*G3$F#)tNT(*zσ%My.lCg57ՀY@keNbNc֪&@>akD/52"'2DI$vL+ӿS0h )J{dŧIhlo;+>޳=m{Ox1{m7)%FZrM-=UO@ BsF<)ވ2p(o,ncY#| 3ݘ;&WO)e4ڵ\{3סn ||UA6BJ'(] @W^ȜJpoW|]R{M$s j^"U|*c ډ{J6ׂ}um9,LDZڤ1} E]v-Hg k0RDl5ZŢ/ ?$AOν;fCiW[on|)k 36>;>N?oWœ1*$}펃ؒ&?dqQU-xyqBd)tY{\4u2}j:ou˫mꨥ^hDB߶ts nU-ﻨA@;?e=xsYPy ?Ac2)ci YexʷƕaOt moMp"S9R ˆܿ.lK7E4&?'\0FڈzW#{S-_)}8kb·m]3&3eޤg6 x'Pvܫ٦_ SŪ@2!y^e!/N8ȨJlot}ڢB$۝%f3P[ӣ2'-,C*bs[hQ_=-XUPɀ*t" p/kr']! ZG-_ܗGɽZ#49A @.I2.y[Q0Nc#wipwUn'}[UO#]Ygxnǃq P ׇ UV+Dau7]yU< e" :&N$HwNLpУB_ Byʒ}p9'ňnX-w?kVGE_va/,ɬv(8ͼim Y*p&~ P5 }ޓ mp?m׵i9``\xʧ*~`IVvg l{|PU`m6]P固J 0! !q&bLKݗ&#|׌ ::aPfݏRcN_E_>Vm>wBV6h#0nR$ A[ts+5@@ Nr4e12V>#zǼti~ǒ |W "v7t,_>$*'rsjfmqpe*HB\i n"N)=VGrfwax׹!}.!)h~P<\>Wy _[VDoΨnc@`zUduh[%M)'|`,a]w|.+yctD\7=Ah ňuA-Fm SS9-<|Xozz!6/btƌNeU)q̋*һBnT}K KDhQJ`7޸zV/GŇ3TʿeH %ڼ-{%ZN%&kx8L3m+|h0js.+Kx\o@3,*q>r#_oO0iZɠ3'#+_'(gY^IB>kS֑'OnҷqK5۟>Ȥ5 ͒>ER+`(H{9m.\l7(ў3YgYɍz ۼNEPN)@B8JX"4IKw)㧨a o7S-V# {yiG/įH-Q<`|56Xj@jӳP sPxH[=:bͿdREhN #1$Sq4t+xσX.%,l.+(8Zs ^-QiTtPm&ig=Зjj*~z&6׳k;9qbWE&E?jQd֢#\Ҏueͬ۾ Ub\G3zgCvsΠ;Jf a匶tm&X_bpˋ5ri`SF`4x1-.s~S)@ JΤK_O~_< 3,$jk&Yvk؋:U?\oɍ U.Uk^M|8t3%"}`. ǒݳ$nnn<(J L^3rQ(z>L<ۄrj3D^CG Q{Ji{"P '(j<1cE~󜠳HI }#.TH֜W Hlh tt46,  ᚍ*U謲٥qj7ᩓ(V+toQ1;!B6.&R-:redIwd3: "[^לzKTYw w#G789 yLѬ{x?`E=y}hC4'Dh/RQRkKJ6ezXDw=FJ|!Qc F!{Uz;T!=*CP:md㳱_pRr#F>I8j'>+Â㤔i`sZ:A~yt"2=Tέ.ag]!Ɠ 0?gQ<#tԺG((!pT7~ˤ;/S%W8kYP2Y*u+R1:N -qˑ]91n?i^ORJoحMОϺl4ڕ.7?V8g]ŏ<%<'e0_];2oAxJ2ےG8hb* Pn2)FZ'34"^Zp& e$_׺3CmIf>-=oRO)2v}OAֻwE`\X"HV<?NL+` !SCMc ~A-;0~-սJTg*Xֽ2YCL{EJki|cte񦰇7d#G~C!YX` era͚KfUߌV;kzDV/6 9?2e4MG@#6 Ж;uV&"DUYO~]mq$^DD@j*{2AP(y$ަ;ֈKAuF:?7b}GӫyC =9U4[p):s/D1((kU Vv"| _[8 ?U#"~ә[MOftfHU~2zwזs:&"6Y1})W/$ #ͯ!@KEaWdձ9uÞe6m 6Ym123Frqs;*T7)c(,M`%*(kY߅d~vNԽ6) w`XжKm̐")QDv)0(wfM snԖ)Fy1-@K7΁澢Q~ۍMW(Gt-.RKtMF[x DQ0)GȼպA%j⠰s|!+ ?` ]ʀo`(f%7rk6փ >*x CI 6 9p;7oo˪ /h)l ndm> pK |ȤiTV ~Ur-rWO񿬢B*FYV#+tʩǵ{$d rҙ0:V2!a:v'g% hqB'#j5lecUkү tSrbbeZDj\a$]DyC^i"JqYGu.3O1AlsKsmWϞk. 7€IR mLzuMI_X`}sD[?c*2+HKn2&LC AM*$awaih* L)Â|FF Av xy,F&RaN} !Te!Lw{v #QN9/45* Oۯ`%7I#2՛BubŲӚ{IorO*m-iP%T$q͙$ V[T x8\x]Xڙe0YN-|]0N-ec4Qȵ7?!H,RR'@3߭6r d>qERyj_WiHJ~\ xs*~=c[,([/A98/-RMk+;(sG)\-}'5@] 1taK  yT- g(9ښ^6Y[Jbfl>˷kcc)"`m+5`ã 'a!9 '>el[3l,(Lc Kl5gd].JG =-3I{gr5zAgVxhywzv8)6Sx1C}Цg.'b rװPQdT5%R]d~!c!˸|DJf1X\rգS l gITـ-3:WV_c#!S&O\'xo'PͤᬇH{ىE}(<ߓ$!cz VnXzS^s õzIx[$ƠsaefAs_$$vk"iadžէ|!GG!q+79E_G,)4boƌkpgqHԀ%$1&48뭱C#_zj2pj6NJvybT)GMdtmq!z67Ҙǜ.lj^h ҵQvr澙Zfphyn?wSîFx- דL5L0M8lB&}/=P}kӮe Hwok{Xk#mҔ_>o| +6.KƢ\"zp<5ސdIצfR&'eӑ]T>`PD BU<׮EP~t8p!kCoJvFn~JÔ*p J|hx|!f~-/'_@SM4Tɏ Oxz];Kn&X,h fXmT25s 7 5I5H"F;l6 `Jgިy|jْX"mXy1q ,( :}-iF_r\c0PdCz `QnS<Y\&=̖w}oxy8Z%>Ui#tq?XgLM%&XDX%c"BHh@l0g! TJ]6Ri7Gif]Ѓ\"C4VQ{yfNn=_qv62׿x_)b> Vj-Y?tvoVXl6kZnb,fi?hH2.fl)Z͗"R{@D7օOllز خ"=6Vk i2;|ЙQ9Ǎ8݂jY>H Hu7<mguFcpп@&31>&h}(hdkd3[`P+#TP$9TWWwֽO*.`f .kjV> 5U"MhPEr`+YLELC?jMpoR#+($Ȏ2dZ)N jge2;V`Y(1g!zLeƷ/2XE|99k J_\೯0[_;CcZ;(*uë69'L =-<X<0 8L &)R] `HFl Sѥ=/ˇ#b mDq!Xoh3ڦN2seEl2| 1k eyW<Ժ_)M{R$rU_SQȇL}r3j1pw'D !cf문1knPbUv$ŻijYhސo@?EI>lP^@gjPj.au<੷Wb)e+xl_.)*Uic,)UGlIF&w2p{߲9_U M)fVpG񘿰7?S^;Buj'?0a i yf/Q (6 ;$cc-l跧a_YЯ냴X`/ VYB0?b=J[kI8n ^EEw &ҋpRA :HFp'vK J:(Y^zNt_S´c<C*eDiXK`HnZ,<>]P@ K]qRd ghoi)i)L]-ɠ 4nkc쩷 nDq4,8 H^t"~1ro]1˧@{ڥj]}Vʭyo霠OY7Y{|. P%;zaR9= [)juKg8JcBӆz.k-_tcSk< T `}LD BQ.$6V! s{G v"n\^j6(9ҬG#ܚdr>Km(om,Ty}x#1Cl MU;zɤ"ˎSɉ=bh>|xpWf༏v9(ʔ"$av͂0V:^Ay &tP[| q3y{Z6{{[)t_މ}ͯSF@ânh ¿ y9'O.`+΅fdyt/fhٹQ(ߘ@%v=R`O6cbL-n$Fc|vg<3)m=ږVSZ3YjҢ &O8«:SJqolyaXxZMa9~O|OO _ݞJ{*@ٔc@C:gʼnA{IueϤmT!\_gU?[rZޛ`z>U No:F#1sA@"ђm6 'HnTa >ըE?3sZ{8έR5nQ-Ooԙ>]9pMZllz'o,,BBZ>)'&,J0Ro܉s``- Qǀm{pl eQ=Jcqz/Fqt?wkV>eҍGÞT؏*k _>ͪ9D.]G ~R/W3 %HҾ *n.>L&O 0/hP\ қ l`-c qMJ=&Xᰞ>{vM:q)Ey1Q-)[gxWZ:kqVGVD){q%Ȫ22N.쾟pӿOul2 #UkQ-tJ,9e4q8eK:sn (WE;n LNG2/YEGomDrm4T?J7Ed$ebCTu5!mSFy䔮HcUD P^{d/ycriD"lçBf7: e)P,C7ƀZW:L6/|6 =&J-k[UM'|i2wS0FyL"~`}\]nS=y1}8#DkSM Q@!E_"d:8 4`'b Q҆3R m;NE˵-PBkdgz32th(Re@Xctc7őBD><3;L,Cyxc6U= ľo ѡ$.dt",٭(\'m9? zA6beB|9pk=LsuuZ Zo _{K|^Wyv_`h7K*D"i"!:94_2K=+L\ 𬹂? ΄'yq2@ A_N&TZCT~"L[C2 M~j/Ϸs1,b}WoŦ[z-( FOQqU;#\QZKc#!ŋ0A8Ոk.)B[c6$ss+)glN p#DNRUgЦk_C|rnv48\h蜀"nA*EYV4n{cx$xwkǐ CJ?Wiz͇|t5tZ|w4Zn֌7̛{V24Gϟ2'(?p4|F<5?Jʩe\m68 \(C3*&:}tE@Xt, Xĉ2I\M8`y[#xEO65u 7]t E/CsT1:,nókifW=ޤ{7a0Xb99Tl?خ(|䋠VVv"Fofe1ZVxq_VI.s3f=6zpyC@¨0 >6]J75h21iGRCE6ϬP0ƈWeΫUF(L00Mb9!rb<9COUz4+Z,M=W}Ak2vQ'}Z`Jx=$Y&M:f#j킟WbrA^;cPecqRTr-%3ʮģS2@(=b"xET9wy;ǛSV6}$,dXR«յ|C^o.]xǃl!BInf| KЇk7}> 5ry*x@Bb%oH?3!.oHęN{/mkইU¹d QwT~v=|lGNW -x,bڊ~=|d=iESR`xMwY rmq3٥\}*jۋ:c(Rf$5,T@t%j739X/翑c@B848һ!B'Kѿv J#${3U }b'4LnK|R/h\uϮYcGw~J2G޵ݍ@!7Y(.,.Q @.z-S% r2@e QP j# ^=]%{ct7" 1ۢC%bHЭ-$RbHGd98qbh@R$U!8$m^VL %ܱLE`oÁ0fqT<1 .?򕿎/Y1dk"&hΌ`E'Ojvn_./0hw[a/Jpb߷l|3A=#C ÄYBjj:yN4ʏR5]Jߨ[Vz-ڏ/Y)"r4w(#TX+^n5Y>DU<1`6^ rij֑< .5LMvW܃FlVux9fkm#K7[gNVem˾hoZ*;cFVQ0$paVu RmY4 eI|?rU.DRbB4Pk@"S4ţևqcs-އZѩ '"CG"\w%6@z|B j ݏW[x[ AL!`"9%]s)HBشGn ҄csUoy ĘizDjM]j]?v(f:d( 2⡄-u/*UDpjǍ' ZVF[2E-bKo?P#pj%qf){@b˹b4UЌAd [@Y~Mmhh42KN=n.8L䑂wkM>3X^w:ɍAW~"M$}!@=9O~o-6sVR=ɀPԶ҅5+\iKHtߩuJ PPs. ݯ6UznO" =P%.N_vxúEx@{OE#6<":S~73ִRO՞z4돳ȚR vyڿ>|*ѿ B3j=Bpk~đ/1"Uu6 ~*jB-MB{.02k"kl N\6u"1E@\su: dcsII-0_t7Ǣ(ގf3ŷ< SMMۭM ?>LȰBatm6zb|3> ܇ϓ=:p耣ϴ(5Jʜ7%ڍAW]Gũ%tݩOֱrLJm!&m47B\P9m&q/!}3W?&sX..B;Gl`V]mJ6έHdci`E$ "vi*Q"]K^\$4pՈz\kƖQLJ vCzmtD} /Q%F+k -͏qpءMNZBμʚ@Jt}|i9Ə{E >-fL`m/wv{Tw '%,KBLx_R@A329o&iI 6Įd~ف.d߶*6mC H\ϔ?E">UZ;;-d$/C hRcC/$^Yi}/Z*j;Ǹ*HER<X+|l`HD kVة7mo85͍eh):W>ޱX&[IdbmuaBr.c׬geS7w uˡFA F2K;o_\o FHNuF-x],*ҾC G܈s1;d,ƇF4nܻH/p[5n$,Jw|y)i1h MX3H<߲kCm|^?,uBn .6>`-ԟ'kP@WGp.峐8d-_T%|6xЉIq|h緤CޓPwWc Z+M0b cݔ̍Vume.m6v`RoXHvJr. U;ƒBhֹTS?Ux?&=!٦P=s@xX?:}_۱xm/dvnp LPh&03WkqoF ZM>28_c^# dvxjNkuug!<(]lP؅/`7' 0unhp&-)8``k"6ZI(U37}(^}[D(GnKo,JwZ:`e~!b{bZ@וĠ-v> 3+(~T+h ꗶIHBxl5$:*xwKi6sB5"c^&Q.}mBkExە9f)[JZH0h%46~'c./]/fVK^1goJ "m+ kXآa]*F:YZdqM{]mjnro"#.hi Q1Jzl7遛h*R_&WH3\7#4+߮7@%2:9}ؼ~(H%&yvɚ1=x ι#o%Gv&,!NiFY̽%gK!b'Itn L@@+VCSDE `m~A̾BH?,Wuˇ9:w{= { 6 YR2OCީ#O?le=YLg5+|e/цÁܡ"˖=؋:F Lͮg@%T:5ω ehd19f̙ 1^ |S (&;z۫XY~Ukxs!'tH~NIC>L%c!͸-}1w6UI-gA40.?2 S$x`\'IOk4|BJc`IRL穒%-,T}Z_^&n(H2Qӏ-d*)M՛F T}A#*; I}#C9(nZ"<\TuK $-B/RDLm\n hIq2,9yzw6"ƺܮԕkw;]5ztJAM?/o),e-fEõg2ۮQw*+"?gT]I@ihz:]b(: V 6rg5 8X)ua+f ~I#r?¿Y/Z0?G$E.}0t {Q3Q=Cak TOZ[z:YUJ4bqoq$*gs}-G[30 +=p𿖯m-}5gI`w'ol0iկʐf W;#khVJ@!Q|WG eHC#s{,.Ai9v 07@rtkڢ꧖{cxo!P:iB |'Q#F^m{OgYO6j {X%}]un|Aftl9-Au/:O;]?A OavQգ{s܀dvMSť<~qשbX$8n` Dgk/&FSfʟY!|H2 +OO=ҀIRUzHENV7B#@~mEʛ8bFP.Dj㣯[AiT;n7n/4Od5l+)fm%jk´^dAii8u};&~2SR\ڟx!37A.W$֙YDnGp!:VOTø02л%vi:ک0oHO۬깄"4&tGtrcek|A{YPbdh82~P@C{(P*5 dn)nhn{.?$,zҁ$F~tv2q=s+lT2ISljryfW3^Q # !&@,ob,1Ui}gk r̊3~Lo{nr((,0O%rZ7.~“׏mW2 {/tzR' AL^8$ `*~tWBPJX>(F v\nqf)1dqײV62WFMZ6LǢ`V{M)mZEbot֍E۰aZI4y%RrX-רh$H Ӹ?<{W6R3scT+?_ #PJf0]&wU&A|nyEEkUs]0S3Us:Cs-r"+y0dnr:J"H8^{qHhK~ `3o^uwyᐡA3abƞKN+hU.ئΫ#DsL*$8ñj |H.YCt'~zcXݘrG1,eXv8Y<͞_TĴf?2M01n H/y_A(eܕN]R?=qn4xv3 +Ehh*gT1 83)S?\F tAK?}CaV1R_tWx7ovng%v3G܏yBk0um`u6tZU$ϖ Be;|4-';rW"%a]`E4bY۸r}{f͢/fIbxJRg:ƒӈA.IߺgDt]&4,Y˖)닙]RNhɠE6sO+Vnv~ta =j׊EUUTs6?h;Grgz$sڄ(tj/eo_yK/5.0:f<y 'u!oh Ԝ~(Jd!1Rp/hgswӫWhs'ro(A&([>41D UHȸ??F?&oP?W:ߛ8AʉQq[.7+u1YT '/]}YT#_H;p}@UBBD-+s;e](!6ۘZmo;xНm۰}!J͛}AŃσ?-cSjmJԇe '*ϠIt 1sA@HW'p+OeȁYlpa:ץ'{C&ZcxDIjԓ{rD__, #S|h*V>E Ճ@'-b2Vy+ă-+d!)mu jHl--t~UQ= :IƊ=e0 }}tGb,Q'샍A-j}kV1e*IX#+37gpעr˼ErjGYf}8gsnU3&{0z gl-ɺ|w_hΏꓕa7Xv›aE %ȓJ+p(1j;.^~7`Yg=rܲFNzB['̚;۟pd=IBmO+G,excL˰3,%5pOr8H䜸B7i=o1Vʤ8Y%/1⋻ I}i[s)}rzG-Zz46(+} ΡJQ AгZL\ 95+eJ-0Hokx_ŗZkuu|Lt_ΫelQu}ZKf8.dmFf\ l.z,[@"T.VI濥W̋Ur$m}ՇhQ1̰VsǞ +Jf֛6wN^ \I(/y2(|?v ⽤l4c,DЌ2 ^{ۅG 64xN]Ub8W6diLZJ|; 3ڻ {Cl:Dmǀ@ JvfU۵*+ߒ$KgFZt )|v$p˯|j:?+nvv*h87Zᯅ[!ˉo]zVk]X$@{ F%nXtiaI3Ok*ukNl}CKCzz7w(}ӥ 6hJ31hVQžYB}ݢKKb߂y#k1#סQ #k'a99d- Gޘ F-.vx+ݰD=LBV 1t7|nU;P"ևFq?%uޗoz$90K+oRūՓm7:OC+'ֶS;t<ͱ$ho 12Ǵ'J+T.*XtmDAg &ܨ1Eedo T)8)]yːb4^V>޿y*W|9E2A1tцc6}*Ό^&0Ϙ-e^k'l,vfy8@f{bi@+{K뙡mSj|T[dz21g25i7+U%ȷ i¦Gڱ)eοWf +K׎_!ś!]*ք#ujlTh %#$)+hVk%mR/B]m]{܄۵&Ralzag1Bb4 ޘ\zD4!)KJ<_62XAo l.ŢmN&k: \H_9/ A,M ZD,r-:@ e:``aqNx8C6&c-m =2Uݙ3e}e?>6;<ϨɵBy!o҅Kۓs5 ] 9ݛ7#m+Y`u^TѮ{:M;ݟ32a Ka]s:gĘL!{}y=#{<_ !i3".Y;F^:gCn}]ǒL&/DmaUv>bSdwY"y4h(\?!wvˠ;16 :krkjdPV2xı%.a6d{xճ?=y98QyU7ʂ…뿏=]UJ/,xk*쎛}~14AfI8~R^ۚHo@Xs ,":I8"w(ZIڋOMХK*2ray:ïb@"w"'s1V'Eb;`2R< c;e2M5QC `Ex-y&U!V~V EAm{UOG&+K=sZ>Lx[߽or&LaĽ;Zt폨ޥk"J̨m V҈fMt"ΎT/匂Ypni{nƥ}>g {Ko!_cؿsbJHNT!\-lu)YM^:ݷFXՑI`MZ/4 \zkEtfZT34a*CauyFD˻UӱùXDU؞'8nLmk=M_B-- .^9`!Ke:kuIS6,@ ۙ|2[%n} b$)kClb[Z&Cs Viܓv _C pT$6C:C{6rf2f^)>S+Ey`TFԂm=E:O:+)PfSlk?|1=JӿčBӅv"rVw7Ђ*l_M>E @0RK4)`[479S)5n@ƖR4 n^(= f豏 זOgrx N '#dQp5K!Pk [˶IW#qZt`h$}i;NrHd%TU~(xNN'.iFǨ{ɋ$e4ZWTC߅ab+ZWoz5Q8'r䣐(aJM0Eg[?ԱQSo~6Fri> Er 6Tox{k[bm)Ry\0m=yեt1w`FZQ:`d4A3dI46Syָxݤl<qCY㵆HIKsjOF4B};ZϫxN7aFř&灃tZ*`L18ubՁl(ˏJh1C_FE@YQ/% ċ}=1]]+j>(խpϗ!rrHSU7ΊK :7K]`6wZrr}x.¢ȌoncT?%&jjtf( Q7Sk 9CO9nu#U4ۖY`Ed\h#8_Gޯlխ,8jVyw=t-d^8EsUx3[䦀RGzjyX"K;;$[#CZ\##Γlx="y|.h7+_Ju|tB7i8V9[,CH_jm(ASMh*?&A2v&Q E:y> fBQ5W/ϥF ٻ";Xa"0.$ˤJϺ3ڥס`Q+~nw1वv0lG*dzzTksG}Uɪ]O.e~A'<;ۺ_W <7vφ5衪6rз өwGZ/{1R%PxE% VW|`X!S2p+u7^2.|ɪ&dkpp@ՃO 0Ac&?(ԛ?$ˁ|ދGQZU8+icC&:VDyӔ3m_K+ۑEEf{&{Rv.DBׯXk{9MIAfCC*],URX$ 6{Ws*^b<39EوS|IyKn.ywX[#&5ݢ3xt4&z`oCMWw$FYLh iG;^ѵmF5zo01od쏆mg 9;/ʙJ"cCCWSIۤ៞sr-qQw򶙔zԏr=g K/6HqW>ryBhN\fLbzªN]'$!k旚gMr[_w\6]ŞA(of|xS~G:N^uB"Ǖm"?_#ܢ hZV{1SToY^_ʚ nBf ?y)ԵrռM,>qcpKt_q1,XDe] _:dx!FH{\deiʟGӧ*"h,>!w-av"FjZ`1me_9Hu%5PgŐ YiA JL7<Ayk* z~l:s2b.1&R xζ $e|Ş`4cR÷v>^\R*D:_ g-:3h:DX[$@0vTQ;9;AJs2TYZ[:pg}F3I1%NH,&߅[6<~V<^ǎ0i0ae}n'?_ RNLP8;Ty-?!t±91_vi0l{<.\ߙ[$-fiϙT->O5~i9A%.Ti٣g!GU%hI7>gýN5{mT>sO9no/*%z,A-wg;Q5wk>74k苉6FOM;0m[ b+cJ Lҟ@]cDb+\4:)-lRxĔCwXn7W^jeۃ4K{btG]M]g :I;2{bpS^j2C:^~Y6/=8?N ? VUO؈p+TLDG ") cβoy3#oT Oqa'[I*"LE.S 1l镸)0m7ܑlloc,{%%:xGuy v6U>0"krqA$L`:8Kև. ׌88蛧ti<>:t{Xcv b gO?Kh6@w̺ܯ_ }DXJLɠL3b4vuƨWLa`'g~OS?2x(\#A*n5o mA3Z6 mq h1y.-/w\=Ē ..Wy#7G^oYa /TM^'4Db,'u~6P.,EDG,NB*IoiA=%pQP6NW1=Q.Z3L4'(Ne_ip4,íBwbfh `L\m!H`Jl e9}@Pqk4c^BGf)e>AeLM/s=]֗7q<>Pyǩc'\ގ# dx2߸ɎF.`F7,3 2(o!~w9ځal _w]^b'%&r\DcľFA{6 [5kC칈1$*[ MLjE6JdZ(>8JcQ[>RQjt[d+#hR.g2 (`+SFTs2gJ_wɍjKveQrv$eE|G;rh;jN B GzVCtCb.؆]ϲOヱM)}`TBzФ)~!E!΍%H}ezWyzǨV/yv5N Ev# 䙞l闡hNߣ f,8`Sa&pV lkeفRs6  y GKg%?e<F&VOloSe+-x/{D-H)g71ݕiKвhTP}{Cfɯ-$Ck McRQ3;:u AW)Y d?fJb6aƽfZ\dbS8"EbS|eto=6 ۥ| 靀i:r 6l:'Ab0I! Ǒ ǧmn=tjTh9mB0;.o$* j/C tǢ^ mEAcJ1 $efOAR`jTA8R"S؆dN.wԡ?אA/T8oGoCuj|wp͢on}z|YH¿F! /[]!T>8[zF(kxX(~-?)Γqm-'7!;C%Ao)r{49\$r8isBX_ `[ܖ6k`)|V?[Twɧ# La־caKg̽|ˤZSWZh[c}_I'W6*.~khz^w 7(N_>ЉʭFٳ Hvfq|@>^B ^w$ u$ߔ?Ԁ-1\t,S0N >xL?>Nfj8%9eah6%My5FB%]:@)+ r2;|έr$'7vא۲&7CԹK94H0_[;|QM7 g;2RN'PwA≝͖VQCġ*IظDݨm(՚2wWYa`u1}8S:PusưbְgGXxxsN% ot# tRɪC]>d+- fO80q7wwH (J|VN3Ǔϸ]xCMد[} f 2KڈI cKT4uSڊL?mX8OϡJZ$9,UVȩv`J҄G"hp fB~ϒj$tUܒj/.F^OPf-7Rގ5m1BJi73| AǺ9M!)zDk" G=M71YڝfZAK:bLΛCc~vtqPa?÷?j߉pz9~pΛ/NJ\p(r.5'(W~ΰI DY<'k|dϛ }4eg )SH_/"ă- E%VNq< *a/<ВP-0(_-sbt1ٮ[~ ]sЬN{VR/9Q]j#}O_fo]UCk]36S cve7 &gջqdӤP14Sӹ l.C. 8PrG>VLu<:9>:&u3CIhvUuҾ]Ǹ*ᐪ15;IJRz5ii;*w>{3``CPZ 3Oj鏒 ,HرKrt{u qWӷGVCͦuXzr Rܥbu,г=(/ZK⼲bHKDZ!(ec ,` (Kn0K WQ>բyuT.a6DGb$j X~,]␍V`J#L%9}6>k&D; ?="zFDDi7Y}(CbzՇaT z&>a6d71"+NUPo<~.~D-S+wy=AJxn@[?y}_Ax34Ts؃"ے%P #6 cdN)ڳp:d}JhnrGC"=N@쿑3zGnbGʳF'\T~z?3A8N6KŌމ`:SB86QL0tÔIt"23n?% }D $_4:+iMoς$Й7.H6؅J4!l˜VP&˟r/cAP>8(: +=?_ 9`KN7;pC1:(.mm-(ũp]Vh6OzU.6>T?ogL *,"GWEy T cp?+Fx }pݖ;)=rJB߉'}ӎ%&V"j(f^#`9XWE7w*,25BotsPȿ|S n%hɫG Fȭ&ÝۊA,8%wu1g:( F"=$+vQ 57] }I\2_-|NeYV %FnSקR!H$:m\P`$ tQ cm5I-F@jpk օ&O~$HFJZm!BЇ |X:p^H_~XR1?'1/ aٴэӶdyI3jEҕ,~ O G˺Ꙧm]7?B8 @HcA'X_gro@%#(KP[>BΉ7*&|zx&}vbD &fwgI0"Kq3̓ݳnKWDBQoQ V5|OΧB˥M.<0NE4سr{ >@:ur`'9Mz, {'c}w;Pߓ Z"kTC`$1XHn q4OP?ī CJre;=mHwPU_$wWdPjnլ!3 7GS6qVE]HW&avN grʂo>7K} LɁ >3EUlРS[~SeY:TFTbgkyC$ZK'_ ?Z4}Ey"Q- bC3<͉d9{n#?o# A8M7Ќ 汰?l@H:+F12uVКu#ȮC`H{v0>@BKj׍iʕO5~\BB,:*R'v߷();3 GrB]yر)>ض+M (;I &uoM trh4w-[&۹0)nyF1eOU^h6ig2] 7s x^Ť*/R8-zxe(q{iFo?Or>e/g"Zu'(RZi*P/S&5Rj-l]0, -0 ;Mu͒٪zXݑu6һ(LCFȥ$](x`J<=tz^``3(Q+alмz9pTaXUsb>y.ېוmCg 6 %L-lfέIzK56AiX5L@rES JZ2"+0)(kSoRV!YHcDJ1=8O(D{6p3/Ԙ[{>.ay 4M4أf|q̩6 >3#8n>!<[h4ݙȀ;QjP`$#XSl/ޏfIqNRtJ ˱dqeGN8x1am,"ʫw=\W q@z*rkDΤ7x02x(9#P`S;K9He<51qTgCG(F& M\=a=0iwBˍ ?@i8!saG\VZa. Si[^8[Dg3H„5NyW?~,BU R- 8q_9z8Obwrз uBCYhȕ Ҙ{P.$XR/׺)9#<1g8.f@#O'R+(̓mtX$-8ptj*${yL8Q׹y} ~gJPoS,%&&Ȇf(Bbhؕl֌;v"jUSJ_JJU:#e<}sW0r<]/Nrs07,ohOaHcf!|nB^(R[La4X0툅a H_s| {_^]t1F/᷋gU C 6[!D5 |Bf[E8:A$diԋ J\!Ent{_^bTCw͡vwOxv7]W9fhDǥb53Wl hO 14ӎnJoi1FM^x 17E6)TM_8 er~CR!Ʊ-3)HOy#wpø֟/Z0_|Z4gj@+t5Vt{6 ٞCzWь0a+TMVp|68=]Y;ac02]yQYHfD[/oKd:VZ_@*Gqyyi 8zZ+r(DXǦ*, LQj"BAj;j)56{=MnrVLBE߷⋥@h"3/X %R?NizzĆ򋼨9`o\#KCYhZ"7㠖[9p pKDvNQ(Dˣ=-k)=DV$LD-(ݟDƺupJq 'ǻIkڞGw_KyqCҷˁ 1"`;DQwS)=z%]I1Gިg.I1)ԨfHS;n{4o}WSnYp#\/R762MtaNBP{vQ!Ol'DH"_Sf6yܺصbhrĕGZ -Q;vZՕZ>Z\ C9Bgޘo_ ՘J7Pe}@H1C 5{-ĩT8f 6Rn&3{Y XQ͓u| [ u.A\(:zr[LAOYA$c(/eÖ*3׾)Q<]K'\VN](Ns8е)DT!O|jfC:Fw805?U`?N]=uv.=z(OM&őTb;pSZbMu:*)Uw4i͈B}]l3: *1n.Kдd'DEA[TɁ߂R K-k2^7}}E]o0:`eӲا.bs'q`mf>ʆ6SmG43JQ'&E7Ucuњ揤KFl 2{C+[lƯ㲿M\! |M,/Vu)%/sa"]kj󘺺~~wv7aD{q?p)IDد҄,Gio$/1B|2[2~"m$S XR&wޱ\N_ }m.C^8CxYDs)wZA{aY|9?7Rٞ̈:H^Ư̻Y|X&ײ8 $|Iۓ |dyNp^bEk c-1-?悏?qw7 ]W0X$e^`z%IdeffM <ȱ >^P`z7z]ńsq- <ᖀO;MWKu8/LCptP@ԯ%ΧCT CBKH*I 8%{<ނ=QySuyggLLЮ'ό[ F'TE<D˲tQZ|Cc޵&ЄOJgre8^$1Dz*Ij]yI=f2ɒ>E{i?@M>4r=$!+?+ݼ2VuzxchǹoN(jE&/-\J2/@N `Ld4k;`W#P5ua BkkA2ci1S)F~`w̒$>) *_5`@P"+pя--n_VW2ݾCL,v3)&|=) g' bhN4jɇ@FqZ.-)s}6ܵnak9$]pTvQe30ԨhQB ́G7nl|F5x:a)D?א=^HCކCdiũvaЖs(/BUzhD[6AT%JU<$9(O]P !%]?kzҋfyӂ=y} …X鳜VsC0r3-u0Fǒ"vd3`8fhZ@]EX_RG=8CE%po}gr0.G6BOybG4Yr(嚔yT4FnxAr'b_8<Z (ぴdR/Wq ،eUUKFf_RX H}s0`&2{c4hֆ{BvJcZϣKA7&qsՃ`?*A>9['֩US(#OQ$~Ɣ0G)0i^ 4Ѣ4+ˈ%oaigLjpG9y1Q"؊c~\^/a,`:Ink{3Ώ%Է۔ȒnE0RşėX#Fe?X1`g;#MeTjCmT~#`(I$ k"-Ņ ^ڞ!ڍI3 H_;;4;7!;6Q)gzjfO:`y:/pʧHXzx/|n2\PPAw" @b(@ WK%"ZpOl$> VR:Ttc_+ \ҥ&=&~1+OgEbRG['g⃺PzsMD1zB;/} 8(kǁyQ} { ]Uy_ˡJ%;ϛ;sP!1ٝCg=UasL$2!^7ϮEyzT\\48KЉ+C359{TM֥T5~tY\ŶHg}2Sq;lNd!z ʉJp0+JR I9eӲځGu<.o?!Ci:=w ~e΍搝 :ؘZ{Wpq\A{r$$1Q̹=:n!Z ?Khg,l st}U=ɳG˅ĨW>룄}j¡=3u¯n2\o=9#"&y?CmfxjwrK 3>8r4wZ:;JN*Ή5E ^X >TB1<u1,3nY=ꄍT'VFW'p@s[k 4$Z`(Hs$>X/N"nU, 4T7suu9PpQj*,2$ zo9BЧ5RMb5V/ NR6$/ Nzwq(Cϐ] B́h3$ d&@({Ǽc35fZf+ͪ[~_ @D;!O_!q*ڹHp!j(G E`V1h|4L.7*=zh#1Q|D L2X㇃S&|Uc`^jkmtLV {ݔ"*چ&J@S"> 'u 5Ӊe76ݍlmyxE$j\ {tVM}P7S,BOድx׸{P] #62؆-W$v!9:؟g.__"a0qn:۠8Uho{f(YA쳥,KLhBL| UŨ]Tv⚄.2nܢZw ; )?ٖ30>.{ՂQR3eʺAJgdfh¯ᓉnMN#c,q60Ok!:;'B|'ooesx|o``XY ^({z,&+O"/ ʮs}:D j̓ʿu(ODŽ{G=wF4Cșt@u YJYa-ZdiХZ8 EWxg6H)Ofvw̭Rphb@S-|k`֝<)`w5'4+6!)&)77 Cf+ Tɢ4X"PjJ;KMtD_lpQnCAY9-Y2 Ji;L G]a͓Ea 0h/ RG6P?yhto!%VPygë{=0N$h CMJ)i`[N9֖VټfM f¡>%>Fk`\&';v<&Vfr7F,fTXX4q>xeI_xX kp4r'lQ>@ss8h2EngxTDYyYϲU3i_ [oY D}6 7A\#:H5۔׮ eQ1?rdE]tjλ$Q JH(5"P Jϴx^@c *ݤU2?ƻrT͢jS|kE#gȄ~1u kUBH C:wDUE/p!i\dO%lC:I^ t}z35j0YGgB&s,=bi;4#{?i K/$jcJdUHJuFV/Q%pityiD[%W'_7ZXM!OʶS`.#X朆8VS; rNƎhIBS|6E& q|R=UZV_Oi.=m8,f }sBU@gA5q'#zqq ]o;R.fG>Cpn#ZP(V7t`~߶‹QicZzF v=ʓXI&VRQK 1Kŵk_8r ̳r'GULjipo^xJ72zbP>,Z&*<̊]dsdLQ=|`1ߚ*As8Y{#|#Vd=גڹ֏&0=xv>u(yAt9fpb iҎEF{ K]L\tf;yow2DOXaH^7/Ò}k-:{wY&c,@!|YNEPH=ղ[;J "i`1[-~} SZ[$ҙG?1ϻ6L8"Z^OM!e搖p8sQtDT4p? ]g,'S:R)y7d|dC(?J)*cţx<}R/HB -,07R8@cvt"e Da\rwYT֑&2)̷cFQRֹu:9jWY! O>F@\8.]Lup[8V| rd*C!BW#T[.}x[( IH8a7V,f;eF4RŦ,JKpxl1Dlx,]3W2e V&b6}H팺veOTB׭;i!%NB1%?8lLc r"S IpJi~syTi&%3_—:X5`l2N)63A!} *A˔!TcG=0=*wDO,xNu{ <+b~JS5쀠x4wtW,"aWS%{K .7DŽÔ[m5?#V3G[j+)N'2Eo5cp{z tG0?uxxjwyE Uq̭?_]0zP!!9l9OaX@qę ܴ? V`]G p U.x;~Jސx`!"Q!.вR\} ="xU7ʹoDZwr&IB,UsmP}{lAѳVZk pdsh0EBq "+d;tS3IT5\;h`/E_/ B#{K g'ݿ.:'(1Ч% (׿ y_r> ~Ppr/lTiVM}`Љctu^c$;}.:;hHuGA*w'8UpKǦZt*)bju ,1'`4vhF?#R%rBAldh[ƷBQaJ&tT-9L!SN'oX2I?P̓|AϦ-yeI|^P f )Cb``԰Zoo:ڑYbCC}2/o>.~E`ݠ4SE& jg0ME:Ԉfk.pt\ z4(VCJB?sQ111ۄ҅RUR c`<}G @$s>M9 "mf7d r[zZ"B SIɒA{FF2?ʁ %'RvMkM$ROAC"77}4"Tz+m`%qu%84٥S&Qmv>PWfS(mZDE^sX1~S^ë/-$erk*e7wzhF?ԔJ JnZ33]IBWwSݵM2=#yw3ГBr+#/{YMԘI䇲gXV YDoQ8uNW1FclUvy6l@k0˴ѭW^VA^ j?Q;56T*ŹJYYpsT* yXjug-˜CIfABQlδ=ϔXqiuU wY\o{i&n%*) uΏR\lNwZ}|kEx:*|L{1}b{2Y aH,Cز;Zg˳cb&I- I;ix]Ƣ K܉v׋{ʐ[oE\w& #'Dݮb1^u?#7L1{ރL ]:P%&|1tVcQR=mri7Q `.9H5,u2FxPb8)DcaqB{v1xbHr@E;Mڛ|F47=`qSd6zJ[>&hNX(-t "q-=y[ӁeD{ަJMt;Ih ډOMu_ᩏUtH: 'Vkk6Kŋ)KVZ jzUPD`\#g_]jxU9jȋc/Mc9i-dLɶEג@W>K=\{˨d!X׳.]F.;N|;sDSBZW ocC. EF Y۟jy6l?-,Dwԯ$<5 4w!eeR TEPLAMJe:E^ ˺(BB\:') |a;=<ԝl n#kY (Ny@&S1dBXƐ&[I=6aĒ }6# S؛ %!`?r'F]&]siP-'|}BA6kTI* 4/,$ڠƑrMvHMx\&L/xtfcvE_4L޺1DgR/?ȯ4_B*cJ?:p Mm1vN0?5e'D\[~\adkY_kO(3E!)F'dک" GG g0c.>P8ٿÑ [7@}R찇rvxN&єn5t>6Lʗ#g Eg'fuBQ23{=ڢTFWg80r|y\rB[EAp[`toM"|M0faCǒ EߛY\A@XFs^@:mgQRy vYme:FoԇO )g[^;'y5ؠJ"ouOSԖv1b8P Ѡa1-1ǩj itOj$1NLX&8HJwM!Lv[<OIMqw2JO4[akx z{<g<.G@ǸZ?ݣĚ0q om21;a4L@w2Zٖ(x5f[Nj]smNQyG_qdr4?1ynDT"I3-pSƺ덳U ՃF4B(ݫw$-fW{lC)LX:Df ]bOxul# cHË3JnZ~wv0i|%3Ȳ4b&KeL),'FJp Sj/GY5;D4~}~GpjV[->lgs $r+17! ufˆÍu?uO5ԟ|GX[ M%`gs!x as6}Fj}/W$I*l{uQkȣöncFwoZϪG@NP'iO6Y 鸫3ort5EnerFBDhR."n3Eò nDVDe|Qz]{öԤ9LG:o3(WP32r/m,yBrQ2J8gaENp06*Zh$WwB(8`ȏͷ~gæISJF24]cJR'wc!EoVD 54$t1ÄXȄqjQ kOk!p$eD3I/D7r/kUfU3z򩐸 P15e4+DZM⧜Se?x^qC gqO=`W=ŵQͬ=ig)lE<c@ hxr)2MG5'QzU'};ۉx :٧" 9=!%YQ@^?:@LdR=z9~1zxgIG|_'A]~IMVcDjs3{}|pl#ve5eIWHÑ(E,;6KJz:wXL72wYp3%Z"9N aUhm Ha"{?1,/A>$=s=+xgOD *R6TSoU1X hu)ĩ]a-IhM45sE,ˏVy a,SD[E@'|Q4yk紤V3$鰝t#7VYʪy!vBC|~;eP>D4@$;{^/`s?r#EIB>$V ((\)\(W\ `ŰlGUl/^VZ@=dI[pXFZJ 7o+XE} ~!Lk1T[mmx#G1~]4EWrC`(7"ve$$ǚ| Q r{`|j䛅8zasGD.lդu*6^tac]3d%8@7*Vs\/jy0ՍUGIN501O彪?B 稠N;Tch$^)np,|m tpEAkwdbf>>VJ0)-x']ۓ$D<>:)W_N1ՌA?9ZnAkCjFvb^[M͏#G-RDe=e5a\ A)}>;m!,ށFi33Rw b|/>Hn _gEroGQSvLg)`tz vڕ#!H쐙5c6c~E2Nn0=wa̺ı0b.G{4{pf"8) ˚eq*WKu-1!xHF&*nUfY0GUP6]X}A't؏9h@?a\րyw2p PJAUDVȗ aKv}(xgk `W%MϘߤ뿸CB.]CjCYMX>B˂fcmR&E7GtӠ?wV 2_99VGfNsh=pl.K~7Ð;Rw m0udI[U/zQĒsgr,k7Xgs):eNw,(!945'E@%vR@8e!VG/g9NgtQPS),+kfk4Zk=b'c֟QH/$*m1RrfAP5]&yN$de2jף`F".'~/d$ob'tϒUUxRﱲ+&BLZÏ'JTPN6l~vRNE $ u9`j|[ y >l:MSFm!|}faT>ޥdMrfAd\~|6S5uOq?Ϧ.,Ct0zД@wt~?_hȫÉ$"smN[U)Yc4GϱOexozmN]Bp*h 8~;K":bR漰{"wZty 182'EǖdYW4g#^/&v GqYn KZ志BxY:,^vǪRA1zcm`Z<,i;c*ڕ>I5$Tawbx@M|tczGd")_\~ eZBRvPI/+A8ob'ZLˣڃHD(KB=M?yvE?`SZ5=‹51`<k/@gCZsg FZ325PB  Wa-i@[em !Uo{Ott)pMM70{$ ~."UŬy`ߒ1!cdgƇFӎAO$ׯdSѳ6sgc3T%.9oQg8[K^&= X#%[yJ2 Jbhm`fU) ]`qhxX@/2Ϡ5Agd/O{mQN-jIIh {mB|RZ؜#Ez2G:51& 'LClF_bKxq!Uf|Hؠ$R;; _W[-yj~-px%3|K~̀9[*ԅkg BaT}5b@jiKL*֦m[n-3|9șqMտRB]鿃 \D|7&5P3w%;K>YDA Q2_)Q]g9S{F1]bgwFC4$imoY¤WO,ǞBtxICY֒YЎ?Wp%s56Px+lP: X>ؔJf:9>*c2 upNѴȞOx(R!  @- $fCDKcMF{Ӵb#oxYm5ٖːP[OTIVTF2-/ b/p$+cUs܅g'F:M:  +:S)KtVBiR} sp"xyéUm:nm{0/Krnb #=07\hIxr~KfYC;D# Hb;aExro7! ѹIeGVt} 'XI/|jO 9WzU\BTp( 0aBoP]-Hl*ڤAg ~_n!D3Jw K{u_MUWu=Em>wNe9>ޚ+ B$qv\/xvO$t_0[\S5`1c*h_ (V:Ã`0/>1<ܴ6\@s<Ʃ1PƊ++z.Sq#Z~3TMf3>Q|ZqD}2W֝p{k.W^7XgFf5O^)N~ֺY %o+ё/yt7^` \?kt$yѯ3)Ȁ1Τ I1ʸӣ&Y5 ) 3yT A,;:t?7R_yXEFW ||WƻC\MCa;n%9nnD-`J3E[xNK-"5D!#h%h'u.@l3zDۄ4/Zr 8:zLZnVZOgԹFq^ԘbXn[m_`iK}wqJUf4 7)Z"S8+Jb5 {v&ዋG%yx5w{zg&[R.6Eו`jpy/0Qbfr%4~4:tzL"+tqmn8:$p!E+2YT 9zaS }n;ƻ;lGl> x(܋#FC*`Xf*}%[E\:P>yIB'މD|KJ]K: ~%T, ^鶎RDРl$D5RTgv9v톕-D+m|Z"0Y0z.;-(t кMWA_l 0IXLiUȁa@z9۬jjr(U&. +[rx;x:J2m~LPg\"`51hSūR[*J| c]$< ǐ+(,+cڐwBV+cU hbO迤+Q&++MMO/ e1:Iʫ,zS!l{[RWUslRUҧB]b3&G 8\|IS;X$mi$D.[]%1Jf \uW8uI_ ėRQjddDM7w,2 ;'0gre9h{1COLW`0"(o|B.[kH 6b]!@v+k4H:xei`IȒ6ŕ2zݿ aQjyٝ࿲Vǀhۃ$i x}3 yǕG]X9B9tSShy&!_luZFtO[)Ub0.WQ.S xf/'>oG$=.XǦo[/q}W Zy>6\j1;Euc BL'4Al Od eIF:zٯXh7.:KȚ;{*ϫI)}#…IV@9I w4|u)jZޮH69j٧Wfǵ`廉ZS4sq^Ý w{>8]+vOZ3mfF_(\P7V*+0K{0(iV%1؉ 2 ̗m~]7elLg3Ujb۩ t.#dtEpc-wIW܅D< UW ϵ'MuXN~rMHz/я^/K&GL" a $:wmOg9OLƖ4( <*1p-Ǘ֒rGA ^jWl-嵓(p$Q<.Ojfe##&G|'jl@8wՙYY.=h0v!Uh~{"kɵaLX}J4 #eÉז\RGchk6>2޲8d"Ƈ: א07*WI6ށ//IEĿ1^sE.,Ias:\< 6UGABPjy̱vqNFh`4A+*Uzh*,kK\Ԩ8"ibՎFG`b׮@hAH  : W P|#d>p\Q5_[aAiXdLx+5>y͠pm#j]pVTZ@t f O^Z=nBH"%h0ǧ2tKba|HYB=0g#|| (} =F[S 󫀎ῒ'j,|=[PNw[[3٘qmAPM `"y8[i*ؗʫeMPyq ;T >1qI˷[].'" aKh2Iq .cWx63}чn~OO*fS~KOs ).^y9`jBTrK(!ƻn7pG-y9g2 ͜Zor'fh 5E[ Z&vMn] F1ЏtXBfvO'_gf40t3:ӿ6ul<:afα@ݲ Ѯ(Tc$YF+gW.YY{ۈK8ׯR &퉌}"n) mbĭEBRjQ/=o1cmsBn/%V#J`pC%U*4\gygt\|PW ׋Q݈q7?<,UjpWEesxa6IJ|64g2p-e3=Ȇ>4s6*hv{ {p62 UB 1*D ջq |a&hU#6 ;EKvP_YGtFg岢8A:@ xk2QyoQ)0+gy;@;JM)EթAv y8/Mnl8 HX$(~ QR>?KҴù12 )0('Nh7n?4NL8WWl"˕k}9% ' ];!{k6~ Y/p2T54Ŷ`Oby_@+8NU51l-dI91$%WKn^8/ jqSE3wPKq;Cj6LmjٯcVҫMp"w#g P<ʰ+K9~:0| T砒UI4s4PY } W]qkoj/lIӸAHık{pƉGu+e: Ȭ!M31{5dJ|{/I$E-0|EMD0ؖ4%4S(}ŽY,-.YW4_2 Q dȇ1Lgtyy^Ty0s}Gwɲ-إ# F>X!cӟI1f8'=ŭ""Th3e|E~a1 )Ѐ $A-.^U`]pMtzL\+0{!uJ2Te'`fm\chNT:סYõoҙnoȹ8xsmMT|!8gToc^ K QH^ YM僻R$bڜ(N/:a$9Ś\̤uL$M| a>jFi ]v,d\ufZfq9л A6A𲘏ުN)*t=lhGl6STjAPh%S'+<(T7 @~i +\mqS]4dėttɝ=DI٪#g7Zht>w]:o0_{ķng>nG;uʍ+±5mU6u@k{Ȳ'X /{ـ]jvRZo5]u3"S%f37,g>-&<|§ g]xF]b'=f &@R4 E6V L{|>5!x LP'F'xy߸$pUT(C;#vצ/5o]`!81L&STM 87#h2>?*MywzZa];mNl!ÆGgx-u2MaѠƢSfJB󄵙K &46l(۔*בko5 J={ 9M{9%WCK%K LʓThUIDATPt6.# G'!/gdAՌ'(iHij4%N2 ʈI˂xyw',l%(Xߴ#WE P8ĩ<kEͦ/jVBp 5p 'nVnDSCm#y5ҧIoBZկ?p;XG2NJQ $Ċāklӯ9aEXr:k8+;Hz>20[l7ڬu~W1Go)voqb-a%"6lP8p9L^'JDjJRa"r]v3&(.? +AธOFݠͯ/t +P};Crd{6mܛMs[HŋeCmРo6 vug߃'fLfđ3A1otLzhẇIOog0M֌sq׶I%'߾10A+weծ Gy-9w8mit6*kBɅv |&x m'; .@FEuJ3"# ФooW͘EV`9=D7۸M|}5`Tj"l]fkNhyG(3~Ww=bu++u?]08A-@O_Zw&ܟEBPi;3C%_ 1'Ram \ X5 wrCNJ0@Tѭ~%ԳrchX j~Ō^D{2^g61V.l@Am'NJWQP¥tq^c]lc6 眙h6R}C6x3}]Y5<ƒHxxzQ($&@W'S|Z;oR|WFn߬˻ʱQy+V|u4$ 8LѰ"]O;↍w.K~ݱUq̓2Ϩ}8{~B84M+[hPяX(t]K+5?:Ұ7kEw^otbrYj ^Pd8,U<";=V7>qt%Tk/Gt&k,})Qk9y](Ea`ÇbDu/p94Yi#(VC .m겙Ĺ;drcSrZQ uz&ꚫ G<,^SmUۓ7ZiD$5XL4@Rh4 K~E(jއƐKqĘG ?ׄvP!/[ӏ/8ѳUg GjkcIׂ{-A*f='5 _Rc{ ]4~!y"@L8'#yB i|Imxh&vT)mDxvl!gIx{;I͜wn]i'RI^BYp`݅,m-[?VcLq:Q-wchKA.;UMsv1i>ҟZ%ڏ3xlxѕ |[ˣd>3IcSVm䛀5ib- o$t}"^_dqϸ!2*m_GE_[Cbͮf 5 Ң>dYѠm-t= |VX_ s[8뺸+hjB\d{lX]&V\=4.60#wZD*_E*V:ehYcYǐgCG2#z0 _Qd"K>b OCpLgF-^i݁_()9Um/+xl/Xjo4y^cCrƁX9"}1tqqǑ҃۩W9AqE~3C/*u,(R*`ӭu;^ws'D3vDyoqE玮ƍG5F#[OYQ-m2i‡7#c 'SۗUbtYp2~ j%(iXS߄($x DȌYUht6beRo CRhZlӃK##$UE_no|p]KBf.CdzcK-aـN;-2ZѶMN*)VNDe}(dfE0!M4)^2w>a73[!г$ihSRJσY0A`عQ\Ea` 0~i@eMH/*U'!\4bD6C_-. Q@p)z@D4Ugɰ>!y/ϛ NSYӵ\k FE+W하JriVy)@V[-芝+#d W.Cy*v/;%Ѻ^~YCmҥ>4WVˈS3-QTMl1Ѝ{/x G4"8R^rJZϮPaF!?x@CW2WyRJ\ Oɒ]鉛sz*t 8ܺYi\vnK?[x^@ e<CEN%USQhkWJH L,ix=:iKn`mFlGW희gj_^BoȮŪZWNA!IDPҶXޫ ؖP,[Qk܂ " VRj 41\XoA.J $p֪y?c:H#&ҧEB^X7;r\YHW}y_"tsQi[3DIV,X4J1tᘩ->xj!<`qB(9lmP`9<*ܿz9 m`35G5<}'!Uv&$6UE4RUk\ ;eRe!96D7:{'zy=1N+ GU&+=W72[@gvH&wŃXs8 ԬY/&Cd* |؄~.(&?NOCHa,'T07Ԣ -C#XF@#.JwL 8.o`uԪQPxl cIv`J|Μlx]?}Jm(ݩك5QmtNOآ\5|jt!@Ʒ7lTvˀ- 1(Ye2lrg ml`Fl5 4  X~M1g[ QxgVMF]9 y&@X{L 7\ jփۯ6;[>^nrE VfbߴDяQC˶o֡pUDq;65M(LE;SaafUH~DvP!!.ΥtJ tQ3c4HqaJ#^DaE5-eL (1s-(1?p;AFƊ~LI-CW9<GzvIF,D1g+-%„9҂^AmBתec%394G8Ĕ&j}v˻0lan/R|KǺi` |tsm$,3Q1jw~}V/1Pyy$9 p۝moSbxe-KCV2B^:b=pk KJc|٩5'nyQ\t]IsP:0Mfv;ƸnzAWdBބ"> X*{75ql@& bL{~ C ~YMLx,:2Z ߥai0ݒsIe|goȣ 2/17 |^1W,).SP,M^, ERіf}+u4rTIHoӳcjVQ j06%A{,^|BXCK1WB@7\:b&nc ͵# RCYt9l1/,?-[mu' 8#+`Ʈ6z}:t&Wq" !2"5-~Tr棝q@6/74R`j}:6h#yEI#.A7qB$)M{Hv9vwG{k'/,p! huC\A{heu><)#aԯ"c4s MuL.^3e]=pIfE 1A+\NJ>嗀 2g'3xUX a73iQV<">vr%gTL04&w!AjpF]=5Be$M>'WCՀ I%hۦ^@˜U_Wfy8σR"1|L8N:}0䝗w6,j{ e4nh,0^ذaZ[>LArxO:n>np32ꋛJ1vsb6֐g-3 ?u @00H\Am"d';x2/O"g?%BИ0KlDւʵ8:'<}tp19dk}L\QgRwj$GɬGG; ׯ՟~ѧpT uxQ'c.+|^gYT32{J.{YY8SeGtƺ^ǎjǥFE+RI-JxYe|i,K=Xm֤x{U[6‹׫l\cWs̵_L@̭h`7! 3vA@T^ExoDPUd)H{Cc-OF{ Z>#SE"MDkZnOhda&ZL&#Pq^;da#T:=ilOpCٺݍ$Z JFF|mE8IqnQdjp'G;^JӅsWLq%ݴ՞q.PNA{dh$  ̒AC3^m _  Ո5;!8D=K^FJQY*HҞ.D$P\AvLކH?jfW't:kӚ0w~-Cz3Ah\ZQ}x$-`<5!4_)57r>w)qCGxN=h_h!LQs*we[cVpYѳŴoVINf =aY*P#xʑ#b!8N8cbXos C+gCEv#t$bҋ E`J{)h']"08- vi)^YCe˰%/TV5rMa.j)]Q+ Y+3:z+Vap ,GxS2pɉJZFvwAs}VMO7JO43ĦfUk U ~JR!96!m~3X44A~KfmEsLIg}GOXtѨ:9Y:ϝEn: Bt|Ho*#s=i\0@:G<0}/keS @‰%[;s|2 h g[$zco9Dpc?~T2NYPc$B,Y6C2O(0īҐg (McQr\ZG6"Mev䀊ۡ_;Qz,MVt'!u" %ڡzr[fp[ECcGr:f.[B'%'/wď y/+(*5CV@OjQQ;OG|iڸx(9_,vh#kd2xy'mSGkoJ긦 e5l;{%v_n{$>Xń3:M2|y4ߍwf*CM|0j+vYovh)CC!LmR䙔"h.fT ³HNнr} A@'c/r9YkQ2Ѝ^>xi֕iE/(9"^淏:״fI # Q:S>9 9)Kmgb0+&ecǎ8\_}D1^̖B6-f *a"#hV!. 6WD 2.AI`5^JLLJ}w0?.BEcH5HL7NA)ZFJœw/7X B9=Iw%r"blf+ J ^^ctks4a+tCm"}OX0^"kq[;j_"[GK.0+zD<2N JyiTFw} EPP_! F/nTބV۾Oq)`]P/{xjt;o-y <,-y׈˞2OEWų,N8os,%On))=_1MitP4AlPuQT+ѕ?>݁yQ*'>ThN+,FɚU5? Av-EU6}]WY kj*W#>->ٚ(g`V͂J2|Xej`IJրʆ#q߹ĈZ*Kf<v}/FnO `>rCѰ/KsZӃQQRwΣFl=p) ;jy0NK%>T0Vt*{8:6!hgѝHImi]#Wu#w g 5DZ%nNh15 ⌯@9;H`)JN+mw[9}b Qyv㠅tN>VO3) j[2(zjd&Wmη!bT 1dg3l%RvI b_ zAʓCC@[d|F|Q ?~y "_`-gԭ3ˁN|3:B6hoUĆKZeDyXd/igOdor G3h̆44؍:| T%rqAńp ݘlGa"Oe 尷/Y8[XkV|_XPaND~7DXi~G68Y[jA]tÕ>m ?24eKC"bnզg)uWUdUr6 rm|"+ ].ܠ6m#0`c~RGUTnTGq ViCQVzP׎S0C$u~>0OYK8$#Z_'A˰Lpm Idb2lsi?"(j |Xg1Q]҃1!޾&5D$ޘ@M ҟB.̣7&ZJ^-O m6 "L!e(% LvFi:/~*7$o;ի-*Gr1 D`vތ'١*T?t5,NG-Vm֒Tru/_R 49ߣZ& ?+ !%G#%0h ͘ɬp`2 ^!RLI(s!a mNx qˋ]#Ǣ8m2 3\4f {=![v<?nU dy1qt#5IJK~\Y:另Z OwfC\uɲǺ̈Cī0'>9)0DZ_TCѝyI}K);ؒ"W ?3 "Ћ qEP3욐wy>?DqRM Ƚj`E6DDT!T̾"2zCHfɯ^OU"!$V.1<= {q7/47s>`2r͈2PW7,qVk]S1%e/uPP”Rzq̆d8s`TyFc ^(6.DAfB0%r es[#ļWƞ7 IYa$0}D΍I2s"я0xV6|:6o jOj"+jlgr@ny*,Eun'qh $H\g0IsxNmdz49#5 b[gb}B[ݠ-'"4dטH~Pn`)}&lK/LYd,G;BE:%gN/]!ojo!IM&Zpel+n'#ՃEQ$Ӱ9V|d9?M):AFA~XL"XTlO8P+}Apg9!U\* ?Pa*2J5jHߗY%4I?D2QNi;SUޕ&`=\3KA✪M#hTԝ$R'ya]r 2FcK8BiezF!Nol2Ma aYH +kB%ǝkd@WM1 !zh%YbkS/WsBj֨ɐ٠4W2N΃ VgLDW޼XRxD*"3 El{PA5V^C5)U*0pEsT,PG/EF-*g2-31Z$–H;ubwq_d+}I_oX ,; ĵ)PsXna[ ֺA뻳^"2ppH%i(χ7].Ɂt Ky4h&E#GxH?j_`fenY!_&n,]Gme.$kiMA!$]ȫzHUѨ1^W[e3؍7vKHAզxX ?U#dR&j}0[6 %k0tËҟ)y㔠ݭSNR-ʖ10(aFWdTcRkAv\M"LՎ}OE{ehlTijr;~ 7b]-P':8Qd%g* wż[8{<^gEZ5;n6G*Bs7gH^YU޿oATTE0M =㟣LHҝc+Od 0i)A_q6U.%Cjrg`#z/)Е1&)*S`l`Tź6Ru&]_4@BUyYMLudZ|Et+^93Ʈgz=$S\%o\Ys+\r"FfVC+Zi0ˡW\g13ӱM*tKf]0Nո)ʩf?_|fH="d\>} Zˏ<#o@c?.5):2pUV湣AkzÇRt䎽ݎ~jYpeMN?cs`} w6m 3jwfغD)0 ^R7nt@FQ!'ֻqa\y-y˳;7af|[EgW:%|6t-:^Z&"z]80,2٧_"[.B8?.场%\IoC';s5ԣ';\O/uT8S?\SVWbzYu1-Bo2,b]WlEӍj.(vɤ'`\Y?Fu9!/:ALk͋:xu8b>rO6.kE:`5+~5'tKozVLj7cPFGQE%=-ή$+j3OK"ab/XV JgϷo:)6N3Gh۲|>ԀX)4/@kp dWEE>,F5EA[ YQ =wV-gK}*@n #J~iP@{2d'2>#<B%6)@`no&%\.T+V '@u5yZv%FDF&)죋Xl4VS~i2W\,=жtҫpORKU]H)$^cȌ@"oW!Yh;xy?5Мd$h\$lGs:Pg7,r5618 we]R Jx(`FRRP~܃I&/!TxgoTM0wٶW|kٳ IU? {fcas%/rNWVYLi>/Z4}7f"5hOzP\WPk|;9#AeFVr3 6S]-W/ ncq[+D#P) Ze'_>?tʳU'1e[ZJ>T!:ץއW_p{A}DQCwQ )5t)S~vP`Se[ޔ mۙ)I<`_+ Aw3u[ldU?88<*DP%@ }plClb,FfaO\t7` KOy?\'TԓM.WzfP !:$LH@YT诼szJdg9)ɗv-EBrx@Ns,<ؚ~]=Ebɸ7qaRsD2]4i 딬`o>{Y D_;c`e-Ra$LsoNNYhm?K"30 [FV&oP Yd_w: _=D\T5*k :9@jmX'\-TXuS"EY O0\d}$k8ێGox|26LHD|rT_-9_+-2vm!4Ry+6۷Y :5߬lUxo8q6Q`=;}{k}:ILN^OyS-@NkTD_BT{-@HAO;ehOth̙ӅvvYmRڂ; xTˉus |2V)A݁Yָ-yAGjՊ֒KbKL5K>)irxམjW NedsYh==n ?o=KMqhKDӹ+olMUu1UhJ%vApy~荭br|q5\rА ^7kv7drO95}E|qRNQO||($b goh%HKމ"w]]jw<?8{UG޴}+sWj=o.ڄ8`6.Yj'W.*y7h[[y0\@?of A;-nx jVq'>.bCEKQhqJ\3;`#30;!noӹS+1"\H93]Le 3/g;Iﴣ>m\>=)EO b&蟛]CLi;E c*ɊVri|d .Q3kj6u+wS.b4Eў^bA<[+&%u a59Ub3so'{JS(RVyVYv 2w$DPَ s[YCM!'o:#ϱ͔¢TEþɓs`N]ӟSˊB*`!0*jaAiŷ]*Tr^ <@:#XF#GK*(5@c As% AuhbۊL0Xu㓪|vD.,\tY!k*c۸O 4m1?tx=sR\T`_~;:9GrBr7zcw> }jœq$=nuVE[_.DQV"kPDo-ۥۍS&lĝFx6vcnՄzQct!$e)|>1Vž|n+;rP9lUT:r* Rm- >0a'['c@ӑyvBqG8Q C}(NL$ 8w,3:s \诳|0>`pc,0N{Yf׏]Um.RgdS燘qRe"tݨ@0ɆLe-ֽ0nρ -%&Iaӷ>eyF1-woocZ揞Vm}R;q"RoګBܠ4鎹 KơڢR\^1eJ ~+5M1rZ~͈kٙD p8V?c/\=XЖAa1A{% ٔYGxGDYş./SD5_&8FW;˟](x$! 2K=bm% ?@מ& T6+y'܄A"&f29w"Z<׭ʎ@0]܊Ѿdĉʁ.9s|y=RPG-nj5>m].̛=[^وZ] C8D5Abh4q~O]󎜏02qoh?8 ~H ?ͿG17y9ud/bz4р%d1}w45a+7-b5Run4 7fr Bpfl1s,ڏ\emKG#r;xsiUytBP]C1a.iO{3 E4reƟYA,du>%*)寃.wNR|ׅ@bV&XӓLA]uBfί3y,sƘZpΠMڑR 2e%'"ɑy;ٹĵ'[:qӗEWHD: _lɸumYKN؁_) "a2FrFx_Vn6-O=9X 8dum#\­ch BͤZ#j?~GHnU4q5ljR_^:+D ?-JQށd?>9h-BAMlѣbӊ\hl]p2>Lץ bI n@ ,dۛv@9"2ҵ0Bx׻amoC 9 aN?RrLjr5%nk#&wdd\pKS\PxWf1n0i@#oggqNEcIS!omV =QRx6 R\[* /{0sCO^3ogV駫ޙ c_؍ndin6zxҧ~0[kA?$JjҼY%Dl*c )J OyYcl)~A:QqS dVR)j6!ѧS 9p Ho"bW P#:^ئ1UM$m4w;JM1v4a'p+v 3ũo .=%sr*}}e,s}ӫYXBIdM 4C0tQ0bUfA!!F$zųKoy>>Wx/[yKzTHeIeA{_زM`=MA殄!Rʛ:8)]6=SL5]c+$V]j%4W=cr|+˭▄2q{A}t(<PI $:o6v|ڌ]S.9\)KKla\ij :C~ ˝rbdu^' i"f WPFV⟟Nt>7mxϳDUHFaH<-\K>rqWͶfL$Ly~bf_TMI#>MRs30BnO}Tx:.H[b ف9#|fbL\,9t{p,p1JZՠf  |9MOhF >Ӣ.tC;,`!WW;a> 2 FtFk>J]Q`?J1گ]"J!i آv\_k!tl4zGҴY  t; "^"|lf"5pƛ"v[omL׉e@~Ivi 뱬_cSZ0tZܮJ/DLGDbs} Vxg; i._@4%)a!~t3D:Yz2hK^)lOzZ`A͖;fp,Q$dN[t !6[+|(v*3rpq9˾eY~ASa"|ܦcGNg אRFhbP ud iVt 7#۷oQ sp,YjgJ/dF!-?6$f%ò# 4M?= pK"mϡ~bkDL8fhU͗4K=? 6OɳIJW5%d!o_ÀL 8O!.oA,c瑿 t)PM#O0N/}aigjD~g7z޸!Hǔ*AYI19gϢ{ۄFiH?_C!ͣK s*qQ<1!o4X 5oz#;9p{(FeG WyUH`ɯ6-42C J)#K$͵1*7b ©,hMp-0 yAL(z|Wp;w8WVݍ2= =1?e$})7 VP楊QШT"E0 fqMov |lG^J̓Jq1Ėf2rEܹ3Sy>삫rn6D,syJf|"Y)͸<x y)˺Xg< nVтhL%PѶ0ؠ,km+,o" w@il K4sE#UkF)#^g{iC.rHJ]iC} /lib5p@pѵ*k\8̂>G (~?7J{3 l+r/.ZJhѽH6îƕO2د5ϙDž;:u9D_ZDo{;6<8k|EA~QgΩ(NJ4,R:M$~v-? ]mpIIQ1Bȯ?\ ^ GW( V/pm@bǨGх[>PN6eF~BwR#;dA*&,?/x'.atrO8qu4&+GCP5MYy杕]|c_ S[N||Ө"@ #YHē%H?W"|cag0)xbHv $6B.*@Ns4TikٹhLawYCq암W߳Jěiuȩ "%o20=dItzO꺴~1\Z.7 (BCr&kdK}0ă;?u'`u 0AW<2i"b3(0e=ihh֊n7*?bwv;.vp+ e]9T+>h&Kf./Fnl#~1'M.obD< eD9U#|% ,?n:hdH2hU ju$V{P.rgz"G:.a;5Vp( >v6o9NӨr?F/1cܩ`/]G)c,;' 쉹^=Ԫi/7@\s]xNsR*=jg$?mx5T9KrgGi71T!2p 0H́Ԉp^Jo8::PhщFa?ܽ;OrזL?}/ѵ+8*tl ؒp [xW2lԹpP$`L# 3"yǣ0N>Ud-TToOEN/Q.#8Y}ԞO,+y= ䷒sY|8$ax<ᾱ7SbqbbH@F 0 f=m*9>kbB,ԸE.۔׊?@y3;հLWPEo֚G,d#3ɭ%x)xmÐֆ=3` BrkTGnƜ:14}T77ڵQhS\m螓+(9?^1m~1pcȻ2g%0NvlqPKX!ϩ¯{tӤH] r? 1Z[`GiPlD|R8cIa􌡉)ŕP -mj? >fjWh\ ?c_L0*RζV" ۳<UAۢ [H.NHr!2.n ȡ9%Ӂ)k=K{32BSP.4I)E}VF^\2c7wE0I~N@+'|OrM#ȫyz"ejӄoU&ߗgGrƉyE-sSb ɪmYx<|$_w/Db@tV|iǭ\۝ Tvt LnVD1 R ܙr^7Nq \Yr#]ש!p@uԞB۶+cBqבglǒ Fe{ uHߦdB?LnU`8Z_TBC]g`Ŧ#TW%fjMX0H,(lkþ?xl:oС&*qze ti>uKe!ك(%No){ QBtkXz~e{W9IʆFo0! +da6#+hV20;NL@ XxK!4v،Z(nςsK"hCՉYBb!˵bv?(qOK™FScVt8+b}Pr+~*ĖOhq=F(AC'"`e⥬^Ξ%;\QԥN\l Q[  ܗY-?ZМ/:>oq 6ۂJަ+ϑ  G s[!6!$m:3٪؋xۯ^*}FTD3ڲY6}p"t)M;Ӻi*xkݲ\)M_ZpBcLwFd b\bM>qL8~wVr8M3&UpO/Y*~Z$Y$R@@H^!$[' G&*/!, p],XCO\,.>["yn6mv}Oho%Sb.uʿavcj !AU'v)т%~G\0ؕ`LtǞظ'~[)m`iį mI7zʺoEN\R8rdk(@4#B1c՝Bpu1wćv]c6<3ӜV6)T'w?T|7$s+ЦJ:똪}IJ^#Z"G&?SQ )ຏAm?o4U|+Qw=4`Qp!59rHuht!k#w[nf2e~ W?Cb\A-O{YcETU!<˪\FĶNLW_AuD5FJDofi۫^[P-l8 2f9e5[F*sU9ݢBHA SM]6a^4RvmPrF0=:zDTx+jm->uϬ7o5NK"xs.&bY{'%E4a˫)N\=AAB\)׸Q̱-gu|#E+=G1{VZ:Yt maIjiDZkNLDtaFiLpl]B[,xAzU@s6*7`h~W6MI⤑'II-@=۞$Ko~!4 8=z[S9|giH8xǡ'Mr۵\'^7dQj@4`|X+ouE3` u̚t7l|bze߿=MUxv5~5.-vM4ׇnC/m" ~Fqn橗M_m08I;`'!l}D.Qxʆ%'bK\Vv',Iǿh]qZ.<DžcEoͱq r=D_<2*&yb"P(5c{V4勍p{wL 6˭R`)jcNR}jłA:j$z. X QLKAXnSa 1M"!6`X.NdI{%\6JdXl=FeK_O|(\@/,F8Ap4Tyo:8QT*ٴ|\H/C0煞1e752qxU4rQAXUg*l 7UBPAU,q/[gB8\]^{!)"߱.j%g7jɰa~=Cx+tļ0)AVZ+i!=Z@4=6by$V#㵍:cs47Gg#FPXVDt^GP+C޿<Õ L?ۓdB>3qNs֝(Ι^z%}c 5IGc#!v}ɻfÒ+%:²Un6ixd׮#c7MrD ̺m}whh =am/AL?wRŏ~= Sb)6I=zq'(9iW b?4|HQlh('?$MMƧ*.#\>c0_=v^XIaʊ]чXW[}V$ P-/pg|g?dg*7y0co3Џf Hg`tT1[ؐ4t:}:@{7>!A[wU&V^QO'3PS 5nabb!6$3?Z`$ T.eGrsLLcRۖQ!,}@,#_rBs`GS`nLc,jE;v.a9QTs`Nn@MN3o5.[kZգ%Hۦ4Un?DQ:G,%cZyLڞr|G6Džk~QQbɉжau?ʏ6WƲ%ݔf;5WO$ ̷[D >▍k12ڻ҇xg3LZql'G&di~6hWѫ[z;Jh.>I%}j,0|dbXw7^tR^+܇\^\_(\"P]HdtՃ&Acᵎ▷JW(&zXIGg~`>Q [ D.8jЁJiG}V6 v ݵ/j)P8 Ns&$ UQF)Ѻ`b黍:MNvf-[֏])|ȘۥmUm7lZ6DP2g-B# w ytn_'sO\9' Fv :}*"qXd30̢ݞ0HLyrO}愕.=M?v3Z[кZD4X g{] lgF~d;mWzkk H c,VR$ygz 0e":gt'B [zdj8`V`2<{ C5O[vm#B̤UXc559' aG MY]$6\wu]$dw+61-c 7Ͳ֦~'Jr,jbj~D 2U wztpQ 5*Yh!,'+> N~X60pɸ$bg۳[4 k|r)9;u-Ej)eU:ֱܑf-d;2_{qm?~ \$en z;Eix!i#z߱Ɂ]JZ9JcYKks X92cS+Њeajݐ&Jb ^-|2p֠82cJJNDux)zW/iq"k2Wl$S\e**\Qr\δsxdgiwZj|HlL!½T\T c4(:RMd61LjīJt M뽌b/ a]ݛn6- -BIT6~@|YmPho &pݟUwUɞ E*)3V rs2W|C}zdp/dnAfx$%LM{: S^ 0DIZlO}ܥٗ1:7c/(9rF5겹9ՕYpO\N6អ+݌[ ε2^ )zCSσ7ds٘WŠ pHL% y+49|Dy}UBZJߪL[T*7U4-~'LBh[l~ZGWP}ߢɀHBsTbi.l@?-g^g. bu6t+Wr*Nٯ*_) -'Jߦ!r~_GuPグT?4Lc2˝1+Y- c+픫ȚT7xJ:hR8;]NT= Te廆f&fgJ%0Ag'5H$fޟ: {9mTj&4ɬ+l-JVP #C= j Iljۜ](' n=²iHuHu@?px:^sis\_G eQnd%nq).u8hj;krH <3Q4H{ -r)\uR1.sI.^Pfh<z`=]Ť?h|qð}܉+Mxߑ ^.=@.kShi}3?(t԰@gM'`*uxuN7i8 i@&P dGV6pŽ-51R|qNRmS ZGP&fEsYB.YTO h|tצIΈ.rJ4 ܭ"0HRߜ r+LA`+Jw"cSW~8Tn{TIK]5 * ?MXQ/gc"=sD_Dϝ (*4R]@atZhh!o2U3FH}lNEOjuO~ {+a72 ] \*P.XJK|//ryg'%_t; h VFm?#P{{80Ԋ"#I>G361ׄ]ϜK?)zYg xtfIl/fg墨-&xNWƢI>ިDe ={p }i:|g\S/H|CjMq\b_~-druM>5((~MQc3!kFKpde GM(U4w_C@TGaf=avIl/eT?| ",]ԥ4(؄t@*E'C1fQbL'Q;7ĮӼM$)t{gU p=RiMX*̹7{FEQΨeo之 &/aF osl 0`A~K ~K0_2 @ 9j9y+Trjd=WtQB F8=f3'Ѭ{+UѪ S5]?܁}g愣cYg rP8 M ֙~ɐg8mP .brujck}]HyڐKT80gm"0!o\QF_Z RZi:[:gFLօ^!KknkK SӊL5"?X~Kg\9+ sʟ~K!?]7!M\Mڧ@s“Qy/W"2~D>Xl .OGH(4|~E g"=m}#*7oʈ7:*JB4LE{= ZّYk آ})ymy{V %"'70bB"U75Ut@T<{> GK|+ `΢` r jgI3R6gpsiݓbVkC@*$-CYX &`?l{rxq;Z&\%m1uYl .voZ;A㳮rJ`7lWIqQx8jߝ2i PRSS`Wl[sxinFZ>>etՋ %_2%p:eTE $ݓ(4+HqCq@@L#xCGGv^cTJ{ &7H0ƀVq5yuU8)\'SW~t2g:ɺY~}baM`#z`лs|5N(vx.'^4RSdN^, eR7RQP ^:G!D 56"H>x|WjD]5]Libqga4l:D lPF<'bGsY gl =ߑE˦։sOrM4Q|:]%믱dc ^- {Μ۫ha.uUa;|A7%DƐ6_3h<(k mu]pDb׬d0q'>;] y`C.ǧ[-L33oP,z.fAPKu!sSml7Z/-EҺ(C3fsG6uiA a9dʤ| s$Nt5<~j˳!wIO9ٰ%dU&Y;XsQbRyA=IGHSԑ[jHkTGބ^c T)'Y4ϱäŘl\ӁՑDyџ~//VE5Gq!e+Ke׹,=AD+1:wk=% N4-4춡'eBe\U΀zԧzkЬg|9h-e͢,d/eoAh 1(Ah#3n>?AkH|KMMoPiv6#haI/)=ŵe->!q!gp؆ӶOhCT$Q1Ntx^Cl`X S9Ի6^JA/=AQ_0z;6dwKGM%4tC~I?\qK* 9gF*u{Dց7o2f_[bSi}f&sX sxJ\}C6up刋!}T0 tjw^-UC| Јa@*)z)b0br2Y"V Ԟ|ٚŨ_Xߦtix~ṶPF0&ht4"4:Xqq8bɶr6"#ۢsv0,mg+TAX`Xd8(%CHYztd:֢GWj2Ӥ.p%T/)ؽrn1"noݴR)p֍>_Nfv Bٸmv+RkD/謥#_)צ'jļF Zg&/ZZY?O <|kBk@)e@d?j8?A3 #t>:F-S;VVvQRxm{ lBULY4~F (ϫ9vl<>r&@̏ >4,F íwٙ乪j-C5rޓyZWpk]lCa/cH*+VX*" U ~~]56{\cg +:E^77C/}2n4@W.[8f_ۋIO\Oa]O CUK|F54ߺmեdz^+rPN T5&ferè֒]wFd%3w `b Oc6j4!y5:ЮPAzZ@3F G>(|4dE l'Lڏ{JF~1<Wp&dA'-y:~צ,U΃aRD%kF@ύ9鸸M-/_20 گʼi`DƑd>Dz7j@r௼v-s;}&{Xl%^</Ȓc&8b #Z^VV o]0v-0 [V׆ecoZd^%s7*@ޑ@;rfh\xObVR4w3R݅B7ikcC YWD~Klg6M%MXҠ*_+*[s[A9zĿ]ދ,󫼙 F6b=Apwr#f0ܲRe\ugnޱם2Ǻ Da@X GftH:@ M_DF+580%F=3:ۂg>XuS^UsIV'VljqR1%췠Чm)m?%4XQ 4QlY5M;Ӝcэb$&^f8xGؙ8f֎мwT Kz/ G))qtv - .qc u?AcQ@I[$"1Zϝ5^&L/n= 5l яoht / t_0۲.sז<.:-), ǚFSIt(ސK^i|YE\z {jZ/8Hi) qX w j8?u:&v&/ ( =1c\ƿKM)M=!h`[ې(!;+@=hI6_+I򽛌w]TfR65!f"b9i=[UC6eՂ 1m].L^ƙ{P='-ڣtOQؿg֠"$C5Ad"P+c1;($<uN t^<1&tV:2*D1SE_Xj4ߐs՚N= DNOf^j,D /~3qttkfX[\XQNDv"|96V|󈥽M/Tu-uzSFWS_*cN_IH()1攳F5D ߋj@Yop/|M)+񚝸+Ee{E4GTV&zŃI5, ƥg!47_x*"ejyPp6ztdzeصn?"Fe M^3q8 dդIW>;YJ zK辟tRMd饳}C'}:EnҙTNp4n &xxxWNmVW`_ȳ4"@j$'}0$Od*g% ;?uWzem=h]ɂԎa0|c1`hY]P]s]e# v@M&)C ⾥ ~Ga?9"|IX! Θ5OszfʾuB:ə_棔F1YZq W+TL)POo+՚HB31:q(Iں,w|^lJ]K%WhKE4F?Q\e8V"?g^;|TI%E`K;^KfgQ!RBHA`-vgkZN&cLe4 MK=d"t+SBR8 WÔ^Y oK=C^dTf%ȷK`m=<\6/_܈4/Y*y]woK.|j0OM*|BTp-*j1ktkt}( s g"[!oأMʃl`1ܱOO7 t<ì|~ji˹ ~K7<ȍ[C5PUV/[vq/ WMe,S^?A*@ftP| FW;oan,rr V(4"z(}fn6UEQ"ân|E_T(pMX} I_YH۵ۚOF+&AonЇErh!7tP!G&Q$NT}v.9^-nzL][4]υjPWF<?OHoDG̳F`fKق;1Ot_m_ȫm'P6[˷KO _Dk*<p:f#\zڎ]-O&!Mu H_)9T+vzW{9J'qTݯ5 l8/VC/+zao,='u;Eg 5f㛦U~').zjlr2Rc߈_AYӉYrwILPڇ AOrY,?ra=c/(7!7[߾3sZ3*A 1*#GbgowtȨw0ٹ!h-lၘ6S1} }aXM; khޙhʶ!ۣAԮ0 DH) !SW?K/vw"LW̮Չ*`P񒵎%Osx|jȍ+ G)I[,X;xhƀʅDe}0r>LZF_-x[|%"Gd"E7Gf:{ YK0D{Y-^7Q`pO]>y]0!nayD~tJn:!g.[DjLC~0r6 13Tx OAZ6JMSqcj=<:? */s1 ɶs`d&R֢N#M z %Po, ōp_a9)tDѶÓ`=@P'IIp)}ղUlɽ'H#69<ً %TiCżge}Avg{-#.f ѰeGߖNb[V&1w?ŵX(yy$w|Zka$ ~OH ;+YX= /b8cTQyaMv\΄y[IP>)PDL(g[;z\=WB01E%D/` 9H ,MvZ+fּ_ $5$4reK "مP. KsN[]kU 愇kǨ)qjBjb˒lIț"d~Dޯ$^ qt l^p|g\j UGf6-v0vvJ ,[ZfQ^ႁV]`b^Ȣ4$`NyD7R>Iw9ӑ(BD8Gostʼ=y}j vtH*UJt\h5֨Ւ@V(('&T}]MiQlTUy'c@;Ըѧs?1V=cUAbבnX:[v+o"O6+9w9}$"aco[ABz" _ސs?(֒M?Kk˙29?l Rx ֵ(IqA1@.*34dgLњ67@DkWʍع42Wxioƻ!-X\3Ilp܊{~V֫=]͋_5@{/@!rT<$fE.\u:v_kL$S`GtM],k 㝍 ϵ 2.R "W;lGEƲ 9ѥNI3NNk_39ڊބw-@M ۩WaѷUc@0~ >_,k3l$&N~Z% öt-hDJ-Z e T\'eyM:+_ lQ" BjY$U"׽޹5n7y|f4nͬ\k#`9yG~8&98M$y$S/#7T+_i2IvzhDhP!U{}Xk7p ķE5C|5,K w=clhOQJ__# {h["9?o%]3+k~(|{"5Yۢ!cBHe7n)N-Թ? //|ek8+Hq&i 8 T7޻ "Z»U_#)9 , `TnDbl6č ɒS܄M: 8h+KPDXG*̭3{Pu3ٝJkB }qvN`X%lb͘҈l__§Tޕy`!wmf X[`7V=ʺ%$O.aj ^5Qa a +;tۃzU\dJx q]Ƕ6qUeyO~1Vw?@Q仹 /#[٣P ߮aQ*SoLiF`fkLWY܆(K $_B}ΫtQMbbԍ9lLm#;fAl]^*>x HGO%r1\6*adŷ!crTuj `I a!Q"A,$%@n y )YBu=xrJ1ojve*U|\|D1x Ozjͫ&IE ٮBk4C@>C*ۋWe\lOK*͜B~nm9X#c.G/C۹qXj2Qi9c"Ke0#p[NNL)iF{+lc#; :neӇ[(csv_iGx5H\w8#ޭ;&!=A\Z#oX"ei[ұH[SG ]m|maxV $3{zi!pvyH8C$nBG)LK 4lyqB{fdV n7wٱFo"9S m3 u=6ܔݘ{Gn9fƕ`N)Z@ӮZȗ94t -cvID<?LPi8;-;*KqtV#.JBEнߦwYg0n٣.W §H{R[o)Ƚ?Cl^r'4ȸĭ\۵?I(zxWo(-B+9\-paİ8s1b59Pe`u:Zo* oi/W3p3SssΩ:9 Vq=\^^XZfم TśebS- j4 ne;/ ޒE׫1J9͚7ҋ7ClRcpV>f8"a6-%z끖|8ň*9`]û9Tk^2,,-za )<.M#A+wrlNsmYvJ͐u/'9)HxzkZ~{Ws VoV}tTT'ӵW}W+ĵtVyE&vU2^5"+iiUN"^eJ*t)ʏg|TjW꼻 ]L*z(l _q /Q skIG $>ⰸ5k9gYyiYJm0f 2`_KRL5|+rUuI!Ln@|>}Ehc#D(2lHdzՃtrEU"xq`ub%[2ԼÆx`=@gզLjc sGLK]%coݲ\ʙ'a_~?ՉŸMQxaZ2x<6R霪{*žG%YdX=1a)g$5K HB' #JfؿоYlR3"؜=x&i.+6v͊5'Čm8/ /9UrOLSw ( @5L^.zR@tz3c_hƯ?&XK+[8N=Ə9teQykѵeIx.ޟc$ш&J2֬w@ZN!baОhC}TKS!?y)Poxvs4LbS 4ue (coER+,_ úk$pЮARGD!Qf W@е{jTsY|'QE`Hr?>Gz%s NOv8ԧU3Kكңe=&m& 6-i9>yD +sU_:;&e\sE(b/$1 Y{[/y9/?@'{p kOK$%m[ޥ{盌LiQ-?fnj* w_ƉuaJN-cޟڙg X rdݠhCi,}Kq? 6uNHS GY+Nht̅?jOP!*>UbH@42;EV"$.3&2yv8 Hd @ۇrwqYkiIO|7=?yӈkS jO +Eb\Ěm!Ga[@?E+#IG 2h!O(1am&u ZJ8.n?j& `Wzf( G+Zة[tiߌ2ri$)[VhҤ3)4hf)@s~#r܋uͤA~hb)`Rc#3^W::Y9st l v]s+@8]$j0*ՙ ~߻*4"Mq%i)JѵHӅ5$Kؚ~Kg.[t,Wj9RV, eyV47ȥiSLDHFP+u躝 /#S#/D֖((#Xb%x6#HIMhD?igM7~Xs,Pβdi3gtד2}J8sU凚XLt*.Е:wq\S!;A\L }=qW/yb:ؑ $'y Blӥ=t>I&*}U\h.y5ƺyui^ۅd2& Kl]7m,3iSboS\7h8CSC`v3QsREa[cdg̿+J׀ Q4>`SkFX'ZގY̋q%rkBZ@J1%?p!1ԿcHϫU\ǰV^6N&o(rOzw Ď0q Ɗ~)Ws‹C[ČI57NrA1PB8 I wڢ<5#v&ظokiR様h'jgQy/R%vYq+ABĭ#=-E7,K&tzZ<5OYS-kRU, ǓRLd3+;9(l\ovkqdZ9CJ%pY NJ\_,Oˍ$U/:^+_a ZyFJs*&\UdDRGG3u^hUl:AO޷\52P.uel+A̠-SHc MOCV+QFb$Ҙee{E@1u QPUIfB@5w;K,2#~r27"?N 󹴊W3E5֞$"Ew9H)j G d%M ^WѼ&_lS'Mk&=Nܮ8- glc]323s$чLmSXc&</_X jCKL_.'mҸhIw(mV2ޓ=QL#HXo_ή\(dUa 8Gd]rt'4؈ldi+;iA |ߺUqn AWiH(TnB s.HR=BgeQs#&]"+*;FxPL[KښuIMfx"+@JǷ( X g}I#n}el,I}]EQsq"auN6BFr >3p;c1DOD1ȺiN-|Nirg+*I~jȤz7Qxn'&$ OgV_v =Qwj]>a "oiJ*C;bj|^K>8D/И^5006 /Ref(uTRcKy< c֒:o  vɂKq!SP|8îf|I&h13J#"Lap&uNY^ ckl\Q(/\J 9y)!kzM0עK6q1x3><ų~[ dϏ_@f6-=:~G"tk@wYH_Z=~bRUHQqueQPn~ /)u϶.(gQ1{jU7yu؁u1NqDK{j$D迚EPy%u|F]qd[؋ψ&Q3 Ѩ5i)q= >͡EƳϵ6Nu()Ag$[s@'(/lIo.5NqpU<7Zo_f*,ՑG׶O 䡎;8 &P= 1ֲ+@E}{bW%FI`p쾦L2x0iԬ /:6Յ5AؽOX>,3rwyhVx[>hXo*Tbt 5t8a%G_1˿j ; um3'U 3ǚZ8a+efI:Ȕ#%J @wVZ!eE Thαh?}Z<˿lQ'ܐXkKPo.Z=H=QVI͓!EUhT`O+S(.(3d|9T0MfxΔ&l-sA,X鏹h]o"iڑ CJ"#{OTsoDPfr}!G}*4!#ZC򦰞I>&qcg#i0%ny9zC@t ~5l2Czwx\ЃכdÂh}o\dMMFUimZԩwGP]}p(V,-?T!q!1U3Dk0G2BZ5٫a@Pv n6KijX5>7d' 5'BxlNS1 f Q: v`;Nb>(җ_f|fJ\|IBm̷:܄.xg~L ԧ}33Md(,mR6bsmZnez|Y.&mr}p{yI s0wAH8•J*@ !-'3_o @>J2۷+ ,}vr RpðTJi)XQ y ܬdJPB:ؤ0U}8 1dKXYAx3=5|ΚMaPV>CݶڗEcvԩϜ&vѐfh;˕ti CQT"Fsg+&ga;{k ~>wIX:bv/m,?OӬY܃!*M֋)::chL)h*jh|e:Y4`X}Ծ',`?\gkJC.7SNm5:o)C2Rw/k Q/4yVhtcˬ"X qm89UƒXgg=eS2 n(tξޞ}ݣoq;-7Zu-Ф-ߕDo\Z:OI&}'ÏEeEdn\_sϦ{eg(_i}j%?P8lT"LVkB9-㈉Y-x @UٖԍXhSy b6u2+qhSΗAw |>|x D>JD\QR!KF&WAsI %4y ` Y߬Ĩ%HA #!icw#5J[AQӯ(a'b~Y8 f0D] kߟB,L& mV|%J-,@Rai_b n1":~n&g>Sqzcv1!zI0ǴU0~Ŕ TXq MqugW&ō Noғ H] &kkȝSRD_2V^aJ~AJxIln =Pcq7IUA_#$WAl$NUOaLJ U#MBPsD'l<{ ̶̈SB31udDY0`Bb`ko ,%'+b6z^ nP.Yea󿷜i"{r}H(Zos'Ԗ4(kmK"h{fIp@HĽ=gZ% 2?u x>G!u˴ٴaFmsf-uSܑ X#.jit:& }KYɷċg ƴrKz"鑂7o%vo4d=W۩`01F"WNO>&]D DAp\$k0[lF8 jʄ̯g:s <û᱕tיQct}Z~<3´` 'hj/1 H _D"ɩ8v5./QrtVOmk^UWOLz܄$P"1X/cHTP<\Z+ PKRU YFdpXXF\#?>,4ϳB:._sbj v,V8kÄ4O *c*0HM/7-3%v:#jYhQAjrU(dd#0ժ|K.<}xܚ}θ~>H#V|mE0ucdX8yNk`Oĭ̓3养H]hqP2?&=2C}94`bdfxfOZp5x O*"(7̝)s Ȕ6bQI|GҤ_\кazI}=@/v4z=/:OiA~,L1r.e/g"*C38m=N/\!A 2t0P]k#-*==_ $Y}T) _~LFϼ 6D熘,6DWK=DRy+7A%˹ cR5亙t8F9w @DZrQ(ɔ(0- Bq8ih+4qs\/1xD.WUM"3:YXmԉI=H㔨@c &F+%zA.4B?Pl=XCʇ% C 'qj0Jز2&UMr:`Jr[\s ,oi/uGa+.p y$O$uN @WI 7q7 " Ե*'b1[{+P@ GD$)LKtj8x_ -ȟp1i:+ ,c4l햒3Ҏ1 /QI،C$y_ nӐ:I;N%P/ 4dbϘ*v:,:2˩Q96۵ښGU<{˵;wh֗Ko*vdeG_ #EKXqZw}0Nɼ[Cw[g_?HeF466T Oj@.0\`(ԡĆջ$M;0,,l8?l33,~Aé.G6\Fϛ|QUܾVk!3s%B~=OU&e؋Ƚ s.'0N#qRN,nˤNԿDEx~\i9U8al8X0h0 ߛg%h#2hB/8'+l#t0s3<3}睩h.ר1i/";Q"a,\~Y ʳ67hM%2K-ߢw_ tY; Tvgh~DF] n$0NF-mfBMcӸj `OxB]Oll5G(-\r3Ih Ui b,ee-#$f<hX%ҡ`ط&Up#Z(3Ur 7„Fu LԘ7O9%Xz:)TNJ*V`12+竾M.Nd{eJl~  St]m0hى0nWOWqJT$SaQn)8/~|fejU2@&1<$@Xyzϴ!69yK\S֨C.iޥR&+jj8J5ޢ{,IjpR 2ȪR/$\[:/f\Ų,q0}ޖ"{5cEbX]zD1c;MG%: |lw d.V?*\D)ߵP}[0ȫ,5T׬MJ9ЈպӬthp,n5'U$C5rU֭" J.=D ;P85BO0ku"\ͬ'nyTɺ7:q`sd T!=\bb^}58|U֦LdGz ]csN7Yg).>{2OQm^h~.UgZ;#`ha7組շJE9}I蒦ƪBzgyz !z qB3~jߧ_@ *MͬvF(OXt!^6YvҫkI#vIkr!>8>2?UVUoo uYbwuD7cQźQL)oIˤ1Iy$0g|=56+1]RuK,C #]Js*S@ YH ӧ*ػ#ߴ`\D!M]E]i\8>YK~ajK!&c>ǁ7#X%`Dy@KR[@6:6yrQGe ejǢSellO02AæI/Vƍ!kKWBTΰxuY svgWāgIaroxfMCڒ94*_]`'H̘P8dVFse9}wњM ljt6AM"H,YR@ƠHt5jim ßT|q5 --/G Ŋ ϯQ;.šX4bRKP6x`$!ѻ:|?(.9?qs|ˍj7UGޠ̈2𭋂eMܛifKlleُSzh BgT9'.F{p?#w XamiÇuEc_>JtIt_jA1>B,fGQZ+" 7ew6@4QX$#G% B_!Ԅz(m5l"fMc1`C|A˔!SA^[L2> $#ryPa3E#v@52 ADF7jGNqH2⠩ert;?*>oq@yg Hus W awM Mfs>Yw2 I:(szw_۷qCWJh/>m3REٮ9[_DM"&OVv2'gL -SLJaN~4{|]&7(Qޛ*UUwͯiQ͗0J9_۾][gSŃdZ".ҪiCVS YmZabt%*?OlrUgy(Ood~3Ni.E(+%QT1%^ƾ0nMvDx]noz[t7}BCUO8#3ܯ qk^zAK2=ەZo!$wMxjaY=E&#~EYwu xk`us! fGxJ5GMMہ=gWTZ Q2$'S{^7IU{RPG1e྽-H,:v>& k`ŵ`\ rX.b^70Mo*yNN53 m_Yk3"N h!{nK?(&EkJ̦2cUW;*+|A/4PXO i%gWX݌]NH +bYv9iYX5=admӷ?r&QBd/Aio";щHj;R[w~[OcYvF銙 (2F#Tƃv~yyMϔ=7%,K>%k_;sܲx7ގ&w٭ wqM_~׌@{.G@:-u;Us 7Ktjr8:ilMORtt(W"jȅq=7@8R!Kj/": GwR/ꓽROi F&*ܫJgbAj(Yz#RO[V*jۇӻLEQÃg!L^2RhR)ǧNgpT!FB\"+| X'~ߎ*D=_,7L{ fvv=Ks,\{㓌fل- 岀z X,ߚ{ ySYU*yd@tG*WZJ " hDK1:38e}#krs T^]0Ef*$XGɘZ,bdy6qDh$ V"JW@ 8>{Cţt@NҚsy%P%KҤӂ =f\ELIm) STzx(1#Ѧr'BAiuWS3mF 8g8X!_?iJ5Xpa<}%)scق89d^umB!' ΀<%`u \_R.zQ jZt$r=2V0\rKId ٺ%|«7A^ Oam nZ8ͬc1uetyr] `ٮzۛ[ZG59}T7KXyQnxh> elٗ`L`FB+0A[ SۋP Ѓ'N,UlLXhDQisWӆ= |p6g,Fj|'mTNκG]nqxkY֓Ǜ MWx9gz51)*]Rӹz#DTQ̞0|;0֧@kH$p)_L8)/KXO#^#;!`CbLUX_)m0q-a=w?rGXqӞ#@v՟mڰ@4 ŽL׵x&2$R)҅;Hÿ.=_oZJn{'ɳ,ģ(_!g>֎AUBt/XyЙ"n/#t/f:6 ̖hΤ!Hڙ[UDJS4~9F hh,73!@nr8W(Yѿ<=viK^郼A__E!@I\`/>^dq wzN a$~׎V|s~ˡ.645Dud qD~stп.3lh6a{?Ic<+S6598 ~ ;ٔ9R@h>::fYٲLظ̶ٛIv¢+(jsÆnܶQ5_Vݭ# |٫slxJ"6~iH{{u݃;2S۲k w|[טߧs M߈(nNմi 1Fv}=y3Ҩ5*Gz"`jf<9ͤMD{z#񮻅YXreQ̙vK`3mW.I5Z#m;+5gh*ON'BU-1,"Į9{w~V,4r4Ǟ.mA-EF=U#foujHr_˓oསhyjWipl0 4ŀe*{d?pDYէIdK0W,+jGPn`64(J!V]#M߂-XdblP7)%HMA ۇqd5^;:=6w |\=\:0II1!@a FĦ:GZ~\`@Y{wѐћuUfEsƉL-w>@$\S8SΣ_Ol p*R5!JѨ7J2>F7-YqO i `XK+y6$-fְᓋ0C*plnE;;3}Y>ꝗt'x*]+7{mO._ =ջp$1nZ93wTh!\/bOEY+uZ92JT떆YvNb7}q6L8 -R~F-97o+oUM`HG R9O0 osA` |$*;]j_P1t?E(2S=ɓEtroj~ei̓Q>wB&i[~ϙɁMN!2'5 YD$*pCg{OzX1 ؝ChϹk+H`aDR#@h /QǩRŮE $V˾X&Uw#)kj*pC ޖ+;9Dc]| tDnS$kqS&VMsLyJ$nO3=Hм8!W Z˰\ρ, Ymo>.ע%0aJ tЕsVjwhsd~hۇ54VJ?+#KtsejѾgm ~/,)dF \Pᢗ/?!y1`[s_d>>,oQ`JՖJqS=H7W^5 7I)!v<ƻ @%MRMFp@7z~=Yv;OCD,>wd 8ը]0ak(uE\dӦ4:s^q{A;k/SRNu|*mK 9RH}?C%T c@(I6nJikӃPt݈=ˈt3VS(F d]v-·Q8EDVls^d_C44}b>wѮ0zr *}V*I9Tn^g&ev6:%)jӫۭ!%`H0yő+]lmNN70oJH=' `R..:8OazMe( "x,z~.[4BjGRL[{F}^ROsl}0GvA-X53|h"Kfw~k ko:9/+{ŊyB}lAzbGRS3˓vWH p߭`vwY?qFVhzǎI35W$[.Û@ɽqa= Jֲˠ%s޺MSmI Abǎnb/3^J`ɝY{]HqrW[ZToȏ9H;e澁yl N,G"ӆ"pjw6ZN7 ?v#{23q8˿t?ymc;:D _LP>J+do8 '1tDSKBK`@>|ĻQn夭IE6Fρ%>fG{;bkZMo NˮָiKM~`6tջ H"!9~goy#lu5,یY@Dg;NkQ}nrxa1>wR b D#y205Z0&4f i~7ҿƞ6?pB40eQ6 w7C+Ig$tN݉/^;y 7D IYJ[PߊYN'Nw@O t 6s"0\Bpp$%M5vI6L 36mu+;6ՅVUpǫr*gwmس.Ѹ>?>O)vZwT#Sdl#fGELy6ʳb&0V]KXHƴ@s0HSKi%͊w5?JFVqf<,s)A0nN}uǶ .++Vj*$MYcfm\2 <3 % @T3HЦ~fN^.%TD*lhtհx|TJl) Ӛ,w@ v|"ia US94]*;TA *WCT`@Ti}Ep3b"!Bu3xn|.-gMC">iy9Ujq޷q,]|ɷ)h-K.j2jgnZpByqm+YEZf7cD;~iY5um$)yoGƽyB4GDŽ;,0%ytLsqZNO>ڏ ښEZ=)U G}SQ,bS6٠J6(g`r/69XU47jP:R X%37dXJAaqŏzYu.؊m@ 7 fbطĽYLʳÙ+$nٷR+ pbjq9y0NJ}x7 KU$I$B mhλK1K)%[[8x{a{'ʊʚ{n$n9)a|F[sV2\nڅJ0=?zϝ!-Laiʯ^pWS2rꌿPO'ׁ/Δ)dZnhK#_nΞ< e#XY'j ^=;^(Zvrԟ.]QAm3ilBم cn_ˢK7Xڇ#eE݅648ň[)ΆRfO;Qx P$Qn5h~s~ё~k- UP].k '}&Yt]{",bfNlxudxH^D )õJ䤚, 6֘7 yM" @Y)#h!^ D ЙmB9g+FVE+> ɢӠo~!U!2ײț߳5MQ@~-7zIuQԚg.'+hpá5Xv\'b;N,[ -jަqhQ,@1+ 4QTlkў4 xZ@dǽ29YuTR-b+=Lr+gX\( tC{T+۝ '%IcF  }w"f BlSG o\O*YHDkQ`CzV hyFZȁ\fH/FnxSP4Þ}?PàL %0T[gT,SZAVqĕTdߩLנE@%Xla?<3G.~^b,5aVL}{8#f;0_bl~Ji"dԋ%Iv %kp ә0KDO/7v ~@kRj77CIc7v:d0ERuT:HJi>iSɄ]')C-\gwMё.?wrUFo54gwxTeՙ3+uȔ!7Q"oO/Gfa(C]#0d/%^^98Xgf%Hbvk 9Eϸ\ѾtٿF2x?wq jڿS} Cx'29ʰ ٫[nK{SdWSigW BN }wү!$vux6N \rCπ~hf#G`P!T!AN~N-BJt4g=;vic1^+X}HhP=޳G㒛--E+%9:5kEvvL-jIc/t0ܤv8D\7iU 7rYjņ ^f>vIfX[>؝ʍ=ʕhɉ)pX15"-̱.7Xɚ W e=s]m9 EFKPQkBBЉVV"`'0: =،iLLљ;-(a[Bz~2<.Fѯ6HeFi/ᆌ}XON[%UAyq}뫸v`)RWb!i @..fd4'/< 'o=&]/>LY/X''<ݜy4.~x[7? 1lB"#l:wV^Vf?TN%[TCҴBˁD&CQo̩mgB @Myzl|FWa/lb 1V)\+7(ٮ8X'yVě9B,eYt&3{-"?/u`ww&"fL}H5)Q]׿؏nKp1jIR5~0=>/'2ݢ䍘Ol*<ڔqr3#u{,WHnZ15ߴU 7D|S᳖\VAXIO3{d +ȊΎ` &Y<}nQ @;&Gd͠O7\^ -I&͆0H27/64H _;BމdU&Zi3Pw 2`ܷgRh"CErʬ Wh) &8N?P<ƟoJ9"P RNmwQ ڨV gɼ#&Rƍruŕ@B9pd6LBǀ qlP92JuC<` M_)g4?\.(HJd{tJ# =5sI ƙhP[^Y齶[A6-"'8;O'G:}e:/}0]/ڴThBc&l@wIc6RH9Bp jQ$nkm*pw*,[Lokj)A=USqi))?xr<v^L,%ٓbz}L S*hQu`5EÀѨ]3bж?OTjsk%MWގ N>T>E)8 '.ϙm8I]JcjtP݊()%.&#$˪W'־m1t$+\si es\iO3!by$gn쓐㍶ =#S=_ B~9TmyAsʴ^EAjB~vCR|vFJi**wY<"_HrI+D})fYgq{ԣ X4`jb6C..\%AxxZ(>[}aOV@42y3Vz莯M%+Wt_(jnR=EB}x.Uopu.>T V~ (dqѡ֎q7£7t Dmag-̳^?Tէ&m,Y_(<` !bgu_Y]~=S{}^*n$[-InR%(CH R׌uӒHՑ;߿*T|4n5Mkj;FN> v,TmQ̪~,@/qN 9Ik'l,Pu,8͗b"4r/0.4CRYbo|/'¿#xN2g >psqDڷҸ?o\-7Yni 5Pj9je)K/<]+@y sA~fZ~_C}⚲〲XI0MA>Hm  B`z= <^1qeuh +9u鱰%Ɍˆ)gCֶ[}jn- X`Pblk\aU1{ܒ ~q/FPQ;W/b\fhp~M~Ĵ̿` Ga'&V$5uBGS"OFP ]tv}|5g/j>cQ {ƕ2lNǿ4%EtM*J 0?]j#)ZB,mMY^ bjCX5T֙v;3(IWI;NZA݀j,:ftH%<7<4s-p R}SEcOC{_*P@a&oa4[ d;f,n* {y;9QWhܾ(' 5j# !8>ϭds)!rvE&[Rch#V7x7cJ5}iNj3z<B0c,N?[$^=DlxvCN7e#hH-\ڎc}~ȱB؀jB /ao`M)ASWhs37~۸gM@uAVy-E眦oyt(P='3i/'YD-X_'D՚rh7]EIb@ #d#_CX#aV.Ԯ .w ;~BZ*&90^S[3K?+]zLa7Āif~^LҕcTҌĊ'>$i7zYZ7ƓO*vbi ŽǃZD~600;oc`Q viM _9DK܈;ȢKeu_~}iO\2=YuU#DT·Oc#PFSSx( [-Aֶ){`p%k2 3~Ǽ wUw™xX9fW՝a!ۅ[["Ȧ|(ϠrT_?[DUV nPeUehbe.|kiRP_F)'hpy6u½:(Л>.HpYMR7Lx[Zv8R)ᐢ&pmG2x.7DAA36cBH I"aV}Ah*$pnq53&ȾM_GG5~'4ά 8"FWfZo&ZU(b{%ki+[5")ߪbWh_{m'k;>ҴK3H_z"_x__:FP(I?ɡ֟L; uD70B LY[8ykxKV; ێ.#&MBwZ)>->uNO8J>bBSBU3dV{]mTa4(yZvc)J+oU+NM0ǰIxDZ1iWGGV.qU7(.rk01QRB=jA+1&yu9]3q*s;֜ Q^jz;0pOn898r%=LN=5R3e!<vރSʥiڀ/ь e_@bDd&K%v<|wC&@88 h܃=}D~gZ6I:g͐7SB{ge(^42PeQ9N!eDaÑ3DJ&r>6x:1t0֏k6ܱ *!r:_mk^Ӏ?ەJPO~Id5h+QҴ31tX{A@kN y}r4ن4_P܀Km Jv ##*Y$P;T+][pCagi=syH/4vLlgMlfz. 1xuir8+ZʰKOr`Vs, 3ɡJjy-^gQŦ'W+'kiDDr+5 HQ-̽38W%b->D'_4|w7ҊR7H[ҷ@^`w# fucNh!_h ^LBo(owΆYfާK9PJњx:.:$ը8σF  e '?k4`9j`>1ԖphqP,J [vE/뵽"t2uGjs(O g,$aP*2?<ɕp04 BsFtYb*NP501iN2X,r^kqrᤡx؈G hPIZih+}GƕB>7_,냲) ݣjI`5OJ#dz+9bb.ʋ/%9 A q|euwCn62UHt鵁@#&~^ E'\_϶K)]æLgb:|ċJDu$n :w,}| i_\O(hOԊl2l3P7]'~N^å|S]5lLjSe2!xq BSޟywThj ' Mzv ap= ºꑬM>DḚձO+\na[?%6Q:I1 !KRȤTZ] Q;v8tet(F?9cqvd52{oo J^̗ KDKS>wY_P%ֆ"Hyp]*=YqeI"e'eQْ.g˸mVfKѻݿMcgM09TK]j1 OXu,C%K9We tl~#7ꂖK$2͞Ԓj*σK&|hsbknkv@A!_G8 0̤u#`aB)UKmmxJ5<[Ĵ(Gx?Fv] S7ڐFj;f-f&N@8/.2fs 4Sm%Ռ#}Ҏx+Խy-φCY U' _p0nmr"jPZw%>}|ɟpvASqdzCрD1|p_<=J)f3'2VHk%{ ݾƼr2QMcV«o쇐 B1. n"EP;([Ơ- #,@2*}c<]0$CR BdSl7 S<->ːe()kXU }<|p8ȟ9BֿVZ9v2i"70/}Ȟs >@. s KkK ۇ 2>A`KD>fN\ j/yOiCJ R(-aFr"4Ð(}8{v <3U|A>,8 Bk/]7hK$==KNԩ p"4Y CN7ˋ icjvya>w.QI*\_k$5ArOX'ʀ#%%K(v<ڤ c%uɻ}"%lFa&mpG ̿s\Pղo(\Oߔ+PcAH>nyN^Bh>/ZlɁhuiY^Ft"(^ ˡWPD~]#= .#ˆgviWz؝77*/9H aNMxAy). {3l[w+W*ё,*jA7.Nwp"F;SK~H7V4`F/מ睋LwLUNhB1gbMTZ;oV\U9Y"gm(X̛$OB%Y2Lv-X`mkQcϲ uLm| λ}mF-Yb -(sj|U[E_]d+A3 ɻۥIOutp,Wt&DĔ@DH(#&[\']V GՉ@ETiGrts)MPi ݭf1k僣>9(  )08N)MԍDchGC y-fomATD+7H%yh`p<& d8!UwOr' cm6mR`S!|K,퇲Lj,0KDGJ!W44:G yB!U~N×iv?v|S,O=χHBxN@|ZbI4kS"L#䇇&M^6UngY ஦|^bqC]Bk oqJ4r'Z^W ]5 ̗:M w8i/E^GhpޮcD+jp_LACkt?^'ZIr?!ٵLf]mS3*H37Y~MpY jiJ8~^PIc&?<NiLλ?,IX}5LVHo:5]\3G4g C2B89)Tӌ>lEdIu:BfqWaM=v}'؎c2 vF >ړ; aȒ+q|3d{eQx̋ Ɇ4Z5ojʨJUYޛ! Na䍼J]$a̡$SV>nPy阽ҋAwX Ԯ!X="JDIUy_6ߨ>qPKXrfR 5X%(q3On')A`ȄFd2^w282 hPMF@4*- ПJl* (baQ"977WOzZv蚾-XMG`+мu෵}1dmf\rPĮmYBΣҪ\2*wL1Px iByx5ŗF;N,uśD_٧E "5 i؄kXKw_# cxʋQH69l@vshJTeyt-A;xpB 348* jhtr"Y yz7RL#:"9hsT=oζK'>^^%"*@~,تF-SAao 43տ"+ׅejh@L~H vnfm%}A@$^gȑ?/r;k:uԦvxM|z#e_]CPf.I9=MBAP6',_NW :a] )#u@/ 6{ ޶S x5~Baۯ7Fu27kjkvMTl@ 83N9_ˎ4փ" ߺ1]R|pbџ (Fw%;݈4V-+ڹX?8 VMui75L@WJCn.#X߼ x S¢6}3Ns{,7է6]z!T׸2ֹJGWIUҲ;?4=o`+mUa#QoU=%Eۮ?y$%6wP; ̓y\F"*(&P=c{K(+]WCnB+-.bR5~_ܤy ǎ2 "-Xޭ&7ղ=#%5ٯmP z!WhOs` ɅghduG_WW-R]hrftA Z~-zi_`؆ ꠮: S&_nwCTLu8[': O޶.tYJ/".8G+ =b>p8ȳF`w?kd}<1mj*#JǑUHj,$1(U `ٽ ZK2;{H_!ΚESlz]h'Lkgu`%|;Pb_M9Vgd-!4 ZCsj/2$hMpƸ#lB6\IWVIeTlfG|gެmݽhdҋƖ/C5!KjceoN%A;wJq@~ ]N5h)ZϐIij=S6Bw"_` $ .Pi))Ƙ^s"Mji+ gmoabP۱Ϥ~*" }+㲿AfT#MZJE&\ OW}yuNE;n;u$(k9c6uopsè\m}6Gnmq}v7[y[Q 5i>>ԟO33kS5wJ) Ffq?O;>#-}@pcn,A-Qagfw)U1d[hTR̝39#%WT< K9;#Tx b$D\fC|# lT&~1:Rt?dy,8$7d8*[*79GOS9#]` fƾ 歸+o泓 Ў@e>'dnW<$A:YiRr '3%,*w%< ;:(7/jİkMP:6ڱ۝T)T:}f)2@P]J]6?&rUY$/k{x$]qWyG;ו؎u?:a 8UVb?oGE0 lf.-Cihul9.yghtK*r,(eѺQ%xAw8ut8ãhc)^kB/?3{, #O8\TQtLpGWW\z_*ŐХ _ؘfUa͎d%юW 7=*EU@}ZŏsP`%_H#dkfH$1" uԇh+]P)CGhYC%m6Yu,Lk:OIq}YY%۴qQMSUg u%󾃱C y'Y&R+\sߑAR2ћMH_8kR@M~V7Td*<kom5JNX=dy(/u9i-^% Ue~RF1H,,&cG FN/3~^fo;섥.84`/&sۃ#d1ޕgM_fn'cpNq F. [q yMӒg R~鐨z~N*uazo$K^`FN%c[%]ҹ-zvZ0uͨ̓d-K:+aD-oqz`a+G $ Qc{$30E/ ̬]WcqP52jQ`-Ƌ3nCTZUw. *-_Gi-#"o$B% cYĚqWOʰG  2O|! tՁ:e =|i3 R=o+; #PT(q8SA\L>{,ESE `DW~'% ymoz99hĦ(8}:dY7b/#+u( pgp\Vk|n;63]V3!n ͇}!$PF?,%'./oOt j-mk2zDPl3tdJVU* и?o5xx 0g2[Joϒ|uV Ke [h`L!AEw?n#l[Fj"#ElvRFКy'Io1!D玩6hиӻ&ŷ,w2K]W,(J4{Wcl+4G+դ>ZM~$~J>f|o{B ]Fט 5 pȺ]ыPgE,Phig&7ŤA:m^6X~2޾uX p 'Thaej[ K$ݬꊜ"MMi~"_I#tI5("vgMiT Z8L?0*7$RXv sTĭzp]0Bv ,{94k4'bP{yC\=~ՂDu{liQ9 ZwC-R n8x 聸f~%S_E$2K8).({#ba-фfm65|~p,_Wki'bAqz(EwLpvlgn4~Jb 7݂ .t~?Vz^4(1D^C$2ֿ xVŴ0V ^ (oCo;^3k:u:)ʐĭ? }.mZ;TtyeJ NbP3Fw?3cE55a5倵4Va!^߬567ߊX2:a(BI[Km`ArQͶ7zr9Gi;skLzT6RɔJrAL}zNv^9 [[lMlw*y(>@ثNDԐ%-[P.a~z6@V6eN$-M"3G&uӍc?SL)WFWxQV:p/݃_K`_wF`1%R;tzy{õlӎ)R1#cR涧XnSxm- $i*jUt}3f/E5Ġd*_ )DZ0 2~_`.H491DsF4X H]p{]^94R>W}K a)>ȕcW7s^v!}mWni'l~%QI*ב\n0rLX''n{hv#rw:3mW:R;ZrGS8f`T4V ڴå[Q:9@0Buz6ZA!Z(8ƆEJΚչ)Fxhr.'))Kw$_ڔҎ(L*O ViT7Sh]_?\kG\fz,)Zc֎ce%^eoiiFSOu!PK2eR:Wy;e! [H؆v[n.1Fma]yO eV5И;N%a]Jy}Ӝ?gy Φ}(7{I(bZX*/O7ԭQ*0jБI;36Aj_RqbyЅA/B ŞN#g뀰 zpH*%${j\#Ɨr@Viz\z.F4 ;[3GQ6c'3ػ9lOH]Z}(#>gUR9UP;P]»" _ɪhXJZVa=17v-BnbLN+DzysX6M.ݹaFR(M1_mX"U9ԟq(62&N֨ J@)KhNDb.pdLvIfi #Z^럨NW }=E=r=G}̡xⷘηU Zu,[7 .|̬4U8`.P4Q'qȇ=rt'.!En^1WӶ]|#+ۿClRZHRa񠬵ظo*6X7掱b[b8h6MXytϜ9(_zI"fg.bҒHX$rJb?ʢ3V\)KߦFY\r^r:E$ k~׾j;(qӅ!<$%SR C 2D#?%lQޫ0-0л+ 6~()Z.0/5nMJvhv[X -ZY&Tm@֬VG`܏0sq6Eu\ko]*_ (dy:F25m:L43{Z~{*@'_@þ+{fؔ31myncqBg7~z T*Tٛ& F@%~ Gtx׿!ƽ8,v‘p6}С7u]Ֆ8oRy4sl!p.7(LZrAfil%f2SoǦ"c]*%N"]}rg!Nj!((8NxF*{(-VZ+Wf&sn˶8_:|ٖ%'1l zB5J>,@L`[ -O\|i:JˢI8bIZsFC ~kᄫRcwXŖJ~H) Q+ C.2FӱD8|þƾ>^ѫ9-tw M&XK&ǰϽ7uƔ9ף;.:=%@z ~:#CRt m|Ǐ<'5k CE2N+Fpe9No"&%PHpk^ {k\=Kބѧ:ߏj쀜Ʌm-A|ǐSY> rޣh;*[zOB 呁+4(pU\O=@F!VwϘ0nrmDYS0/3Ph/S[X9a\*m()ld3UrVSjV>#_ VْWWq1s'iQ b-*rdp²w(9jnhbGAmڻ$:|VH}T[kd:]VDXugOyދIe!|%| To8n 5b>C(# \l,`;eI/JjtyԵeMID3_HctQG; gNsVd;vVve_vk kA@$vCC x,$bamB17JO p^[XoKA_>r|лԞoCKܞ/?q Vж3[9=$՞谮WU@,;+#T~jL"89;]%pc]SKt(ชz#պWT nA\ {Z-]FFV=^y?0}%n_n%&XRm4;gwD;eWWBC{d_5_ `7@u7EeE`>1 LCYnce{IahjdgS+eK仙A% 5oPS /v7Cth=+ύy+c_ⅼ` ̚\NBj4KzY TȂiܰ+_}Eûxkk c-i2`EsS*|/U kAVdظ_jz].""#ۃ}}!1z* - ܶY8<`\^nkb$"f) jM2r]qQpL;+ݪ|"+z`Ty Uh6zj^dltpخ KAGZ%XK˪' :0S]lk(?}Y|YÝX JT ; o!AIƓ = |҂=FJ:!%DQ e u ѱih?̏@-&B?we D:4x|ַ y'P$x,Xy"5  3nwkU5xS:BuPBʤ@rXwQ emVRdRC{ 7YX̮N`lb/o)97mJZ  E%gOtBx5?!Lb Yd('STw1ٗA{҅Thl(23όs]ƹ!GILrFI4}t Æ" - R0Eb$]$͏Wt@LTmW.*6~٩Q5x$zHg=+UDu5ox'[eh˖_2Uv~O.ܺ-L EP53|.=}tlGJjbm+?c 'A&iC2Í^Bk&nBڂ`!>0 R1uKe#~H{Y:M<qӇκ;) 9ԭnJoP$Ѵnwp~Qu=,`XNT) zHN M~eQff{1LkwAPw?n{.t,@sOtuXp\ \<5:$e2l/( ?3anb+4P:^9/-h Z.]y"P'}չfRI5K&$'ѡWPHZV- ׈{=U K1d?# E0o~ofñI(&)|uIWɉi,}}yf#rՙ=T)GF AF,`8IiSfxXvr4-^bbt{*][`ۭ4]%)nN'_ 2&={I !;6ڣߋL&tvO5\"9J%2dj^G@x m<2Io~H'[}ٵutsuN,Fʕ)ao%V2^]ոzeG?ZWkw3HB L2]x>鼡lۛ0H+zUY |Z)4LzNl8,Y%pEqUxx׈ 88N ,hBEA3jU䓋{獣IBt=-~,4HhF3D<;?ڢwpeOydOMQwHh̹.(cЃHm{8&"5?!#ק6%`2}֝V#r_6Xu>qM+ϐ?5L:l{i^K< wJJRQe`Pn4 wZ?Gޢ:+ܭ)8vS"$?(ndΨxJ)q'Z+j, pr(r=ؑfuЮw`%b퍖\:ֈII j͡ٲfyST"Un2z8SᩆD;KEdxW})uX?*#W'R$r#kvߩ-DQ-Ѻ_́{YTˈtPC]CFLG†^ Ww_n4rk'Wf1V;y )qqg| Y} .7~i"hl1M~ZtҚ:ݗjI)< >ZN|y)Y_ }F3)%I,Vf $@6b` z׳52onEȯĩQ~+y&%dEB .ʡvZiFIpά+n{֏pߊړ/q6;]UF+c64a%y~^nq Cד @I('w\w򼗓PϥvYu+ kqLdA ~tnCҲjSnA_u}7\}X+`%m9Hax݇fʟYu8 ?08©_k /p.p-);|fUK="hH:ⁿGeMY"-wk<ʷqEJcYɪM}iG~3ܟ4ݖ͵n4Y? G摃οKVȇ:j s)&t!Yj1C`+ڙ}ZI@>q7{R2ԟX.y72EDU#UWT!$i *JYFt鬽pd1)Pib^R<63꠰~:JKeg)/og \}(;J Z&P^ekLmE 3[F3,Ǡu9U9&aY?p\5:8ÜuMkAɒD7p<ڄK$Z-&DBuy.p^5{9'Q:s= 5O&V> . Idq62@H^ 2LOY.okouy[hi0XU?`s||5!`O*.q-4(9P⬚ vt,p)Xaha,~fF'v )$ 6L nNxq1:Jc aT~ -k11񊨩j.9~rrC{$ݫ~ O(7+cnԙ|q;y;.n#?ހ*騧GDAShJC8nGU<=He*U's9ѫ^VL@DfiAES Lp Ot{lAHku ̶U|alWgd0Þ@,$z<66 hkit:I2qV偧U?>0wm#Kt4z '`jtZMU95ZlP-fD"xuY`iȋX;j#}_wFJ1Z<ߐT˅}:2}bpFpQK*9Ӄs#>#'zcHE0PD4#8We0Y] ܘHzxcoJIu~ >3t%-|r*`}JgԎP.ri8hj@R5vr|ě |X=`E,FO]= au'er0ajX|ߎϽJK_̹C2'׾6 -{:jS܇ħ>&= D3A{+%3 ?|`OwivXΙXx>1X#UjA6SSp|}?a۶\ARDjO t!=Vc K#ͯbUW)IZ|MRx6'RL+"~_eN]IAb1Â37}_THVZds'k ayZZ!|kG9CQ~Z8'%t۝dzK wZ3=6UuvRy h"^pl eD9~Q`884݀ֈ߃IM&@9.ZVFl`kFzI -<5<`_eҰNK69:i?sA^\SvH#(j3Myf:'c&gGq,k^i6q=&tt*XvQ@{/k^4UŲ`Zvqq&꒗YD[<`fA|17[EOK]\KLa$fI9?4 O;t yzTv%Bջx 岌jSғ:uIڹIZk}m`scpyg]KL% 胖 {5}܂ư53,,-1yP召X|*Pl!焗w`F6mYMD8#W1k&6`2z#]Zqo鐃FN77g;{悵o;c/@H!)x)_?V\1{۟FhE[/!llo*z߹8R7zЉN_Z6pY2)6N<8ݝZ{I_' B&;^6g/oQfҫ:B E]V3ݖ3U`;ݦ|1|8|H;/O8Pc""Z3%:$Yx‡hq+Y Ev$F{FKn3gZxYe!Dj$֏("'qv1Xb>dbjE.Y}Roџ ^^AXJhzډ֌0!A<1b鳶ڌa-YsMrfq۝4~m:+SŢԈG S[՞vi#Oθt+!\dr= hq,r)\qxw&xwt ,+ @. v'JlQu}}u?xe̞{X1 ͋׎gAi G{1Aa[ʨ˫inzb˲aYju=uxgKL%Z$äUj7f /Î\~2MmOKi* 7@y1$+8j<@ԍ(T*3m;&>0|/{I{c!@39'wBeF =m8OF APM>Qp^`Gn{Cq1Jzgd~X칂ӁDGuĊK耋rQfxafyj2Rsӱ!Ϗy-ӥvB[4OMG) By|EDnP^We}$bae넉Юail!}}k~و%̣޹??:mlSye ז'ÜqH_^V d]o~&tOSY wDϧ4zрz\ob϶f=v?z8bV17u"gҩ򲶀 z0)C5eEt8lȴ1Sja=5߀^bq \L9QCʩanv- 5*""LW*=]a^AQM)1V&Yzoɟnq:WM%X6uz߈`4rS4`˪WC/-7g׷(- k<7Ѿ)Tvk ^6i_u\WOFo[2vY6Wv왻NUv3sG<] 1T?`bs{e1{B((rзP@u7 3)͂K Ff Gq%o%7ͼv'؞"NfXzi21PgyNKU?7Sl{ H@.%9Evy5vHS@)]wq"q 7r7'DZ@@T`?<>E.t*Ag܊mu :[hKGCSմxR1Ua  z7Cz8rs|=aw`i?="#O.ٴ2fYlڳRh&v|3-}=*eI]9VT3׽dpiU0i"R.1Dw{-9‹@ htnᎢ~&(0`6Wp?`"T Q6/R @v WL!%"3({PK-w6v"%G~9ӥ60 q^-1(i;Wfފ8 ~l5΋NY}rů)a2_⩢>MCf,hnAW#3GqRO(y \S?j:s†E ]c)WCm2s8~ł\~/zPdNw-St&rkfG 0+VʩMVϔŪp`յN4|O;ZϷe"eAu5!s'/$#`yDka }ԩ1yHϊfEUO A {El^(Dˢ@_һkxsGy BL}30I}rи64z}.T5pRcL-+BsRĮb,۠ifnAtheMs`wZOL4sm {.CӤxA4d䳺M3[<}w>} i*sB5d@PsMAw # r%gwzK.Y S i Mm(7ߑt@ ,bo,@!8 K/=iTIa!_}|'jp,;F'7Ɠn|6r\)ϔ@#QcCI 7+2"VbiļwF;( 8 :4}o}H ɵ%_Z 3u4:/oM9WPօH Gm!gH|jN|he9^U`@xtvoO/TA{S C!q@fT}j}<:Ip'Q;nKCɽi @jV\\k 3T<HG)g #a(mV] # pfH^e ![~)q:jHU <4UO椛S}cgܖƑB%Jn&SO;DaC-=j.DfُY_^@I!r@H,4`?bzgGչ\a S߭;434vK'#NynsyPn` -mBzi y+ᄑP⫯ oI]wY' ņ?q\Uh 8@FO#ED\O,Z7Xv rC]|c +8sT쌗bVڒɪbQOQ*ʺ_Z;Qƶxz mFc8 ?XUŇ'xFL3R_ɬj@j zj ۶!+-0sNaq=∛6pvlpN&&7uuz"FQM[އIQݾɣ!#tpNBk_Jvt!"x}ve6/zZbWm s}wܔZcpk~Wˈ=F: - GeB͋`&}#y2y;rS9TUhÜee" lZoVDvA|&ƽI :G}ޛ2ik}IsG׮3@W8z۷JFlyL A 킣c\Ȯ'A\s)unEHSZSQZRB*#i'W V\& g!#}= >_By@u&V/FYXBck K5WUsrR0^Svb0w36Ui (va-~~d=@Ԙo ;8 ;K