libsamba-errors0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 >  A a^p9|p_ik^ ,\U&/s I b éx|,q];H%6M?D@EQUnGio heT=X~nD-|Smf] ws;C˧'!5?=l~MU}P@a7D? fGܿ\B*v`%&)IVCn\ʶ <̚37x8/qj7݀L247c13d1a721e0c8af2711e365e29fc8ba30394f110a8f67a391bb336fc792850294eaaebfe8aa54d6fefb75a31c0357c7d90739la^p9|1GdPWAҥxНIL8@J6[ XfX3R_Īz^L:,8/a$xkLݙIO*`f^_V›lE۞f@u^!m]8]qSԗ'|̚0 U{3G/vXZ w*)//fo`VLw&TrDioOQM f,>p>?d5 < Z *AGN`d f h l  d   (89T:>GHIXY\ ]^%b/cdmerfulwuvw$x(y, PTZClibsamba-errors0-32bit4.13.13+git.528.140935f8d6a3.12.1Samba errors handling libraryThis subpackage contains libraries to handle and translate NT error codes.a^dsheep18SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64/sbin/ldconfiga^dea57c9ad64d59072b1edf56b42545ad13a8f12f435a8892308c06b98f1ae3732rootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsamba-errors.so.1libsamba-errors.so.1(SAMBA_ERRORS_1)libsamba-errors0-32bitlibsamba-errors0-32bit(x86-32)@@@@@@@    /bin/shlibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libtalloc.so.2libtalloc.so.2(TALLOC_2.0.2)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsamba-errors.so.1/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=55a8faa8bb366de66b42766c4a73d520acff3755, stripped PPRRRRRRRutf-8a44adc4eee6d6bbcb5ccb286eda32feae76c49c0be97c171c0c9ecc6c2b06c5e? 7zXZ !t/`z] crv9wTh;xNFnW~"Zee(glgS DhUx`*Qfؕy8oCfW|sx?ⷊ S{|6motyJ#r#aL _܁fEKD5㸡 rnzb)1h :u#j`DyмBqed Ne&Br{~ƖM/CUޗheѤD7F($ !3ˠC8 ༪`/q ۂ ֜fÂh.} /!_ܩc}b[jsRWS U@jfܷ'i? ;soWsO?aעOOQY`̎cI!Fx*t@uKS.Jg=iL0u:瞤5 顇=dT6dVbE5,y)fC\1HTZ>,q-(W</\ —M]i Hk[YyFr&a%M1]>qjWճ2vݽfLcItEtlOD5-_8:uפ򝎭Ez|Uiu &~qQ-bj߸t XRU;cA(;n31WB x]P&xwF+!x異U n[v\** ڳҀb0;j#uRRHK/@93ac O=%vU*wxI{JX])U)=uy\ QD,j>t%cz֦cuX': Y-3}WlMTZMDע|īǔ"@xyˆ F5v9@TeKV~ LZf.FT8=Cj ER_Yy6/iˊ6?@1,7C:sȮdNU>S=_P< &v1ag˴`f(:_`g5 ɃѨL|-(.1/)8^` TPVC! WDN87Oi¶`) A~dV\2^[(|#z` _fKH`'W38V)iE7N,rmЗ~3ћq2Qv@'To p(!dp;irBJ%2C0@۳ڸ&M({JR_I{^HP3/,ŔmoWy!s.wpÇ1,Xݣ6kZ4aqnMI$)#F9-sbzF&hg2R #<3y2+1p!GIAR8e}U*FL,gT KK?%ZjYE?IC d[f !oмXa,#aQ'f_]EP-Ob@8dɂ{ުP[M]cviGZ^tEy/cͤ6u~9&UifdMHdy֗ll\!ù$QtB*8K,b 8OvYP%p$^IĿcC^ru:Gz8Iot'9dUglL*x Q<AA1ɫ@_Br?g)ʍWpv?g< C )@̪}f+[z "o?; g0Ylܤh>[5.vqyI%f;QF>J5:I앫jQ)J=\',?=*{p(Inشl%PPW rge'!1m+ 0V1XXSislmBQבP=809(߷KW-Y'}ԥ\{P~ieV@C^Ž|xwkH#/Uӷe;6r)&Eky B"LjUѤT-r6?{uM}R(CrY?=icB/!Uqz?q^/V#.&U.nJDso,Q[2LKfCh;Ӆѿt#i?A&ŒMICGfh:M ,x|k 1ߤ&NL= h) r$jħESC3܀/JXj/x!q/=Tzxy4] @܋9'SGM[Ũm%U ]<8?34i\C_]vb"{.E~I IG4bCmTD0Lzo (5$1ɵh8¶rzsmpo,O5B)킪=2SZBk6n:u]6 HǍ`+1:ȝejOpL;ҥTk86 %COEnaԾ,G>(-C׾daסEσUJDy5bd$DǶ|9Ԛϸ--||D6y\Z,[jJY4hURYk@4$pF;;EtܝKfY'3r8Q4Y%kqǹKLΩ~TPή6 '%2>Yc옑9I 7a?w{}r:ΠZahYa'q[ 6OujI+jՇSiA!kBXUm xs&|#]08ijSX6@6+̺ -`@3lG\0{~ g;d&geFǤv iB#˛ {Jy H5A|Q?NQ>h|Yk{]%i7W2(6bf?y2 UXSH;d,!p rñ慇 'bq+4zbJ J+=ОWkR by4KРBF}j.> xw.0}ӲMBz7{P:FY:)q(3 <~/v -KEq^{0;qF +TLO\i [G3AM%W'c,64:yl;~g -p5 /_VoGJwl_{݇Å8v"x hAreLn{_׳]W%{2QT3>Y':X$EQ WD%VZnť.qN_e*y:Yi*c 9i` 7[$\ \J#BWe2/W;dK B#!R)d?9h\- 'O/m.(5͡*>4,6Ǥ*vV~'L1H/GTap:۞xtdKZ@woɖphoҙGnω3&$*z8HYǀFnt$}k؅'͓ ;CJqFSo֗  r]Ka މ F ? 0^`1 &xX(FԷaaj2dI۪88N-_x0ulS5t2/ꏬ(łi acgm|v&9C+6.NN47Pu,6Q5 Q'r J0C8H* J?^6rk*gڶ[YK nS4uev`BYzQ&ɲOdnpNՏ~{e jQs!Z8Tmx(_ \~!p7+L+*]G_{!j,&_lF.iN 0o)h20<'fO٫K]ɕ)5_mw:t0G`cFj,\G~{k [n+kpF{6:FRsՅ/ۧ@W˪"2/i lXc3Jbh:qLTSB:{:#]>&G.ꪢyJ&WǗtKad<e]t+NDIm }q{h{ IĶɪڇ ԁYƀ,*xEhcd,/CVd^ih-|z,L Q|sapQM @"6Q+]kmX +q/dA4:A3Ĥg"- :0L^\< ="dӬW((zӑJT2Dr ywx n- ~Qy159YBҖ=[ iߨ'siCzOZbc;⮓#lUګBrQSuQ2˯!6q-p!yy-SÈ߸_}\dZ:L$t:~1Q˶3+Ux1GeI0JOF휽6$6 80Yr(I[ VMfun(VҭaBZ[r(Jqa%lr`.: کa,PK1;noiX􅆬SXY,!I~\Nz2(CjPHsFqhnMLm Oaz*!<9`cǑ19]_;IRH+jn8a!w;VrmܑA\5pvykqs@RFxkyށLG ?|)IVѸҗ\n#>M,:$-6Q~o^aÚJ(YCp?.猦![G hffOEFٛ֜R+ޮqAjDf[Am ̾)<ׄ'ݠXҚW )-$eNJ=+5ʩnxj ~.xk&HL\1pJ}ˬrKV580NcOާ5 :9̾!_.F]-V3 "WGAj-X6­Y%,tC=Z)=sKsnʅ6|_ mB,RlU\ sW$BlSTjpL1 ŽS]#>S v?Fʤ #\v|5 R)^]"wQ:}S4K>NcLjc4xrwU0lw,nr-Xe'E{-uTh_x^F Ϙy sHY~9ԂPUf?7+N wA>(p[)In(hsaX3EX,a22+28s7 g-y<]'HGѶv|fi'yP+\ˑN0T4B*l P+PRw2vL6ځt5݉Qh&j{o6;G!`cw_/B3` s_Ɗ: /e-3A3r&EDz  ~aNp T3XbPVӘ1h(Qi&9wZb5|v5J^jkoVCn燢[ FG@⹶`g ejH%`DBkz#OPVK''*U -8fmST8f gDn+}ԩ{vRDvW+]0XTQl@N(b=8zXo3Xݠ\ʑW4RU"x8-(%+;tw `j5gz:Q;=Rߝ?ABc *(Q)J@UT`7(ݛA7mijrr)HR }-f8'(]AiqwGuiD'0ݎ6 C']B6Z\p~捺mVv])/..L]FupØ:5fI<)O$w ~w@HѲaF+ahˁkEET$:yU&}CyIDIy@K6035\@AlA `ض7ft^A:PxD(>9vwk].`nC.%Ag kr^PxW#30 <0 ODk$CZ!Ыhwvľs5*DB t3[͓n⏧LNG;Hqg z>$.st:K>MqVX#jnGGIaֱ?*NPφ։(SЈi*%xILXeEWB䞴0\|:5>d@ZGSH'KdPzv7.C-C%0}+S} ^Oy@|IxB>dz]l$wy8Y)É4̓BG0r(p/8=iܑw/HNzjrc\q,60{#\lO.{H4vWc / .*>:_Efo麆w޷?,{&@`4QF_Lsl͸i#DWGlKaߚ|Jd ?t]cO)U}8aN,?7+.rdS Rȵ{@ 6H*,Gl@A͌/&5 h̽쁋펏б/Wu C{2$tDTƅ8PCX8聼%Q8{;UQx:Ym$OưK;Q01B|AuD + ޵ 4~ crWz*ܞ^}+ ae$ӳb"ׁ|J@P+MYr"&ֵmIGߎ()> vo~n[V;f;O/!['[1n:spK0*+?{`7D]pڎ r;v[:@gc $!U 0tSeH/\ EaI~^y(t#|jg>;_>u䩾?]:ǫsIhi5иhm٫"<0eS1޷M-Oy;iCg6-`ap ƹ0u'US#6.v]qX3~L@W[ FldFb|W"I),9](]q5Y X&W 2\i(id=$̯ψ 0'ZC\f{Tizq㺭? k]*R !qL`Z=dd"cio~|r7DK)E7ZxNm.*S Ur^sn'?!c1< -# pJM &Lsd]@ 1`5X|NB~f]̙7 g|Y( ɲҽ"Yj7]\)%oV, ߤ-3h2+Y@z[&Z&D bUo01aΈ_a}4th $#@b ,;?yھh|u}k:NUJaMuZèiLRqvbI ^@AB|u\ Gk.vsdu3˴[4?%˂T'b!zٔ84СhL,<ʲkRF ,l~NqdqwxVb zhAT%OLyDIټyE"ZLMD+ I쐿&ĄwGlx:jjԒ00_[Sv;F ̸%'^тN5T`<^M:3!|uy( -^;Cob[ LLѢ/0y%/k,hm:yV |;![FF`a":"6Zcce.=ˈr—+>ʶ8D{@eg+^̀'80'WQ,@%ǕD2?76OmeDezSd2n OeT?=Ӭu8LX1hTQc!rk5dפ?GNl<ʻqK=e4I!5{ר^uԃ]a/eNnNFTC(lԩlP<>JbqCa@!$RmdC `?Wſ:HOc!]BkƋc+6}@ue2١.T"_Հz5,JMb;ȹ[. l= 24Gi3(.Oڝe&+(aA7M^dwBNɧ@^Ed^oI~ͪ͐g@Ѷp72B(*U9V%RXV\EvQkcdUv` 褀f?<$C΄ _a~ .HUrq5Z{s_kJZ.>['Q?)Q h~ո$%?*B >6k -vCI'*RYp-|tIx+jM[7߼M74CLĿlC:0Q# (|yi"Ӵ '6Ӣ D[629@Cz6?|"Q8^@*\jI/VgucNҦlZR M UpeNZUl7kY_bOnJt6nHC.b4]=[nf|+j/G1IoE QPZTݓ=~ '3Q;Ds 7"K(!Rpp`%3m h,XJ ]v#=78@J Ac䝂E!۵l׮;C#hk5 ZQs'Xx _Iͪwy7Z9@(j{r)(V~b*+5JM`Y;+P 7 oc4H8*hv~JDT̰ԽrE]ة֐ybd_H8021r?ҹ?s3s縒2Ms{4TUXz lfmws( 6EAe'dJVϴ;jěrV';Ċ_4jVb^L<6<qG(+8MCe=Y,$Uu8bY)4bth2v,\L96}cz3zl>ۮ]@pl7P1=ՖOYoEwV)K ^%M۲.32;\~M0R9g([qWܲ5{5u--?S[c9]F$BN3-.ev#m2R (E ȗS)\(;MQ?Q@7Xad.u1ٷlSoCQR0`Z0$) h:Q2~yG:.#{"* PVh,ZU=HRI ${jlͳZB)2"kMFcQҦ팈5#8;c5gKߧ,7.Cah``>lb7_MwZL ̷8C8CuL"0.3kob;b+AY'ŏd,D p'}k1z&iç?L[%8%/$1Bu{*:?ƓFc6G5J?{HqfqI9}\mpYA |" 9Y`0`н>8AytKH]lY 4u}zqOCl98^[HmsXDW<`|T\Q_eŚ F7e#d0tӽG)Ho7*##rGI2eC<eV8~;j{uhF7k %Gjt:nmtuEBXl cŎ+`;Sye_ob̥A+Dܺcw@;*o"m‰ ;7ZՕ6Bh4j[{oiP%ꠊ&!j 5&nBbn^YRAh9`9ec X~'ؘh.e'<̡\KR Rm $fC{uS\v541Ƃ COӓE1?@ d? 7dĵ [YV2sׄM Y?m0I} ̢1$0+AMuUhl6r=*Z/T~[m(uvONXZ5rIX#Ta.+) F9ڱf>mgQ;:ԹCD՛Ey~Bf^s8o/R/ fpcN )S4U(n~i_F5ݤ^Oq(8^&`ऩڠkDi Ś ΝaF!K (@ҚulmR|("|m!KC^hf^uѣ a%a1)م5[4)׬m^JH<`Bjق))n,5f"c%P((y ;{:PIK _ZlIDau9]tދn ͂|:7!hXN;.'̋] M"2UemZdZ11_@)~yEGRl*sAVjΆBb7of/)Lf-YSWo,u֥~jV=%X <֎6ad? T]@`/k ^P %nn3]/Z5Jct!c]AnLXc~2ž f6{һFt>,T,MA|\BMOjf< ߷sY,cڸN{o+uee,@,jPZAfR)o螨p~V|ZlSEr*#L3ee͹^XH8bu{ --z{.HKa+с l2U h($/%H6u" wY"$+;TEEZ&~H3ZCj-断Z2K]}fgsK7a@ĩ.WPc)!XnZ)Dh 6<ޓUõJ>#&[K+GXwDYq{sJ(uq;0q^|܎]L-_oݍ7# < ݘ0guWRO2D UgS/Nau .M("}Q2*ڻp%"[;ܓ#?aRe&H7Z$BT-B!/mӿJcgFQ{L3AN5RC\ުIOogܪim}hLE n }+0xC&NM4JEq۴@uzp"aɡ/8.؍T>!|2Ęܮhz}N~jzêm^k0ܰk/T#H"z.$%!Hd<Rp ? z&)(|ϿG S>*ڮK2H uO";.nm <S'X2?|+v-~T,DMwôCnʋQxucl}럞Y;Q9H BӲ{0/ Q25~Y.bη}Iu%r]mA(CSJbϲ-]nU>,ԅːTZOiT[3~ho$V9MLA@]uU8`e(g΁r 2>-R.>\"pa( P yJ-a%&$C]TM4M+@S t#Cb ge%yuM %An14똌 [ Q=o2pNXzv2˻3UZYd0=K%azB7NK)Q)?Q9y.ǫID4/ry~wql߅*6)(AIEg0`]Mp\V#~^+'%f*fşvdž@2")~2_hΗ@VW$ ^Yߦm&2 0/a-_\Zi~^b9M:`Ȫ?E}0";3@k-7dz'5/BɳAz`7NV [JTr˂k=Jz<0+SؠA@V(dE~lg㶑'0޺:O?ư~XξJjoV7-0aw~?K߫rc~5EoC:0r+kf=XŬƷ$> q)6 &7r#+yc#8@CzaI|[VwrH8!H9 >yGeqmCG֩ g [ŶP%Zs13qs'B+ɶ Rʐ\nB[o&J5C5DIVw&e6G-e=k=[0&}#O$z4uJğ)+Z /᳹af)(Yw =~cL$G|57tkU}zcJ07iBޏɲi,"͓'l-Μ}Ӟ^Tśr(VgT'@>[8']~G+xX3z2bU s|vj@=oy}}3P:f'IโW֯1n(jMdjE5wO˷jqQXj tOJ kа)fLx)rGf$]\rpR[\, |2x 8;NNס}$\.>@f(:ϵRp^y_Ew8 W6_#׺χ͇Q@){7\?1Svأ7 yݲ@޺R7D9)`6$ CCyεe-zAd}ja'4 _:2$.!\VxZ<;A ۇ[۠j;VБr4j- :>׽ yɫM?^&jëzF;#=v0NMД)ҩ,k)_bѧ?ORBm DUl* z2!?j,eJ\"ƜȞ7,F0,@bGRg[haa WEmx>\ q/^ث7 םEb45p`yѳ46K\%-؅' JzˡX*y{F`HL6V: S9X022swY㵈n@5ג 6 B, K*oQ~]5n#L@@41#l=+ ~a*[KyiwE It<>f}! y;èY:BП. ѲlRh|{#fv.r94h:\c3VP{ƾ䜑9k:-ٜ- d1|y]B _M"*i8NISe e"_6!q[!(⤣ m,.4utᶖN/= &.t?;ŒQ,ĪB? 3nI~ tHluCZ0tK:BMd8/\5ScBoW͌ Ҍep1ZOx@WFDy|bJ3q=e8DC;yf;VvJIi{"rt(]2/8 (CT2nV)S"y(/l$zz}Сٜ}; UUgnRo_)x ^)?#68T)["(^ҙ' |t#_ JTW?9u7C%m Ghb."XI#yd%icQHp6lH uu~.و2*|(TեՁ߆^s~b vnjU ˤza˔ŜZ?`E$`/TVtQ֠F^^/? 7D**Y̌;gbhy3rQi)anӬ]CI8?#SߌńʡQNoXT7xi&ܵG,vڤ[*8֬4A&.6K@TT(:(n wAx>kc9g.}c${>6<_w9A bj7!l{V;O b삟y6z^ s`yёL5ܔ:܎t>C 9 5QսldPy: Y#ȎvQІ^I 2P,ޏ1GJ8J[+ڷ9tJ` O!_fu$مŸn=GQ_>cq1,`sD'G6,T!:%HCh|[sZTP:o;zE3nFbsiuIm\.Nsl8f%f"n6)YU&(#49 j;yeĵG1 12_u'Eu~= H@|-bjuӯ*jt?{ On-ˉ%L (L/Z |B79W.XpħP LkvyIQs]F5WBC۩t푡?;9+g ;|!9+yT@Kv+8M\X] `"9̢TH h 8 x<8>b(+X@x*YH $2C=Ly}c^nii5-O˅onf qE=G+S݌UZ&Mܷt[NT„w ރ T#<&{IJϢ jLׯM@2/"wS$\ljl-+Olym ~{Lkݔ[ky/T\2Ȋ}dž!8 }T6Yn QY ͌g˭ϡ ێskP=}\o2q$֏:qy%l)Q5mRtYE NvQ.A#'=@gqmaS3"Ň)_vtWtsXW񠲁 ?A:xwA&_ ^G't0͹U@=j#JV'5ەJVdb_я"}P mu$-#l߶K!2"qdVNt8渤~c`݉id՚.x8 ~؍ԘeRʮ |:LlJ{sŽxX*͡Ҩ28ާ`<GNk6H$#$Ik*$- ׹9b{b)^%erW</FoUU9~;%@Q8w`kwbQ"6v̸oJh/y4xGXL/"dh,15}K%UW> lW.PssIA2ܗEݭӫ7[wy2̛M}\6,݈V \ḑтg*LaP#BL5@`9G6өVtP9 렠XDGeg Mv c]R5AҧBqMCj8ͺ9I2cWK HX,2!3NSrAxߌ>Qkڕ뻕%h4tO~<9:7B/Lo `^8mn݆Fp1t4X4] Kː'M/!fw dJ\I2,䜲 Um;% IdԴ Qu_ol$Hb$6x@rf 2_A]@ƽ%,޼wUgNQl81 =#0j'!NBNA]s./1j:PI9deXImϕ/v\[KW'C*=\2drIPþ%GRb=Olf,W ?g_Ei;b{.yߎ:['o+y? 5MZ>'A d3X}3PdSGOb T)WDv{Hlî;'h aDޖZI$=F6!6]olD{Mx͓f$---Cb:7W4r1_j;5^&?d=k$lT0V;VȀ=+Ro)!<)_ N J-̥*cTdwM(abT!aQhJlwz'HTZsҺ`,~bME:6\$8ΛGtÏ] Yzo9k<ޓbcf&-j9_~!K731&6-h<851LXhu\N.Rv G~_{rjI *GsT>rO6RO`䥹/ 1=td{0 )̠>ݫ;l;7QR2LhE3tfy0m ۵/{z:x SFV~`_¡MG~QnluԁG(Hײ0]0Y'c |~./MӘ|G4ђ\{HkFG抑"sT{t"钧Ư,KU Xe>ۋ7jU_aǝm)lӲ$r_K&O˷+*%ᗓ $Ҫ&>8t^k֜lS&)RF7X8c2FJb6BE-N`PC7e*Msr*SoH(+iq2=p 9!,i*q5sŗ B…Vq<,~UK+NAPq iéR0CNɳԴѿSX[#_be`!ߩ9;m{РBiG[7Qr%~\uuojF<&bQrnyG.UƺZ߼C]G?8z0PފVDEa&"sD {&1tgse}:*ߗܡަДL1 R[ gH^*j^Zmq` (%< ekW{t5F`CB4k?Q{*'aؓ~4Uʥ8=*n,7/Ν f& Li!gNwg۷ʗN`V7{2r:=`).*W\Bg g/Mlt+KKX5rd:m(˫Q e=r8}#vq"}@N;oyBIWq9/V vt cel6X <޸BgB2G,ZgbPAcM `(xnDz~' s[?U59 cPLT_n6ST#?Owr|D͟4_8H,i`1QfXO@z^ʮ![mq8"S@B=d\ӧ0ve+ףE ҹg25AvsK#mWgST񏾒mq_˷"GIɫ@GݴpGͣOXzI.CF)TxFKFGL> Bh,S=;̍m4^lNbT&WRAFg'Q#srM5$}F x0lK #h$TU 1_?JzĈMSsӁ`27M- C. kc<@ ˱ j]n0 Yk`&S-_HƇ|M祚D|9ޒMx(=l(|?`to0=?{7[I\[TјsGི'>^lj(LWz!}u!#ST-k%Jm)HV#? t0.dpH #IC 8{Uƕs[9Jn^UZ%\f,7hB)]" Ę<мC:2DY"lIN@kz,T;շj1@>h[[\|'R#EGQ}]KgmK>jaCGzF y ] &9RAM:ȚM5HBҭ+e1pv"\\f\1;6ޏ fB_ɸvF~x.;f5-M3M4\Td.d "v" |JHBk Ύ${/gLJT  δC@L':^t[ȯX! 5lN383*=H Җ"N9oq Zq\efD( )(}Z oЪvZhLjѴ+ZcBpc?;̖xB9xQvp\maM3Am7 :JHb+TBOtrhMޘ(+:3._E0i<<` uhD -=e̵6N)fÕ4߳OFgc&akC_'*Lhfvd~zm:bftC|ZVcgZvИCoP %pILaׅÊ?[%O-ðnV>B)}ufË#bX,}P+,k_-Km$]A!) n0L #.Dɨ*]۞qƙN>aF=: nq{8f`:sIw;TxREߺڜfza!\ Vs^Åx.Gi/$즿v(Ћ\ U1}1,)z%!A,;ާ:Bim:ߓ>߆AN (=̭p>%uHz3.W)61-m G:3Rx˃_D-\!D0@|\W+[w=0A,6ANҏs!.x&1%Ӌ*Vǥw#cc W?sp;h9 U/mJ{. X|mf;PRa`HAA$ n"v=rF|iYqxQ'wI<۝[gv:F&, K7xk#ۦU ۗdžZiڂV=n*UOsd {](],3!{&ܒtdC@g,dQZ]7(~ѭVk~>_;3r;(~?ZulbT>3 &g'WL}F7_|d N$)-9e?US,TeXSjdWl^$^)?DF;Q4qJT^^=9F` .<ۋ: <̝ꊥ>a6HTFgf.O(lH.X_Y:.xX+{2KcP;]"¸٘&EpVOZhŒ.tC~Q OޔsGV$RSF 2Tϴ 6TNSɸS1v[]Y ww9cj*)c+jKoHRTH[Ξ=4y Bi<1FHJ:Mzĵ xe"6ovϮF16N\5xZӼĚ)w;rŒg60ID.5IIDb@.Sin^vIexWeKf]oGT?ӑ?݋tM `@Lڋx>C=RN}X;TP&#Ϥ~//r\`$,N7 ܙ yȒ$ĚN5"aϧ]2U?a >¨]Bs{Pt;p^8;SdO{R7j9L>#ha 9V8֗b M꡽_ۚ{v1/EUosj T>V@6ޥ HۥFPIKQ;cOlmN4gj"Ќs]12Z=-!¡,Qi1L $J 05JzTq6qSIfӴfQ Z,#j3_93**z !R%J͡Ϫ)箶 [#ue1M`7#Ng ْڠ@WJߜG\TÉ6+Õ홼+UoJ A+1ܯ QqIt`m!Y/}g#ܴ{j&Sh-ȹpС/w cY@`*6S,?4ÃW o3O*l_@Ug7jZJ`*~FPՅ5hK2{1v' %ʹ*_s/fh_]0Ctݛ*8Պnp$#?Ser6jIk xh%-+`OEZ6x+JI-k/(y(;UUfC3VM"ImTn@- {2=[ ר$v'怢%SbѶW,( A{=+T}댏?s׊2Vb(.{U;{TY"X24SvHO ntԌ- CiDdzvJCHiӦ=oRu۟׵6d]LBNu)v@H,Ο; BrP5wcN5~a i~8lL."Ed< NH?rj~F0B+WYճͨn59)g^~ʩl 8䚷AsP ([ʥ EX Ze˗O-faHMkG$PW_x˰2J]ѡ}Q# /,㗄aA9< 86`X%k[ϑq݁n)-߰QP$r M~@^O!`#Ckџ[K/xB[ҵ(7q%:sr_MNjy M)*,Tv3H[G&)Mo*4 RGW&YB|z/F1NKT~7G8Mȫ%eEm2,E+/wEpi=_ssZ& %{T.TdLJu0\45d؃gf}aR&7.adPCS/5^B^nH|xL)9E,ҽS:Gs HgY 5"=ŽZ+ɁH7b[^Y5OoZ!a3(zN,L<}r^($[s2Yk_mCfzpyV~vsK;b: c-M!ѥ]ד t ,vnrMU8x:ڷquXZ w:T`rq7ˆDXNC 0|:J&-kEܕ[9|lF @ .) c&--ʌh&s̥ےeF'XrA4d7ޒsR4Wf KϜq.$~LNYӍ^c}GhفltʇYWm^|>$c#AM,JT"rupPqt(鼸3*y7 {\V:L`5^,^hB;bֆŔ)zMM`t o*X *h;C:0 0.XBc՘2X4]k gftݴJ22b;#GG<<%t3>㩦#^Q:%ؚ/T_ v='%U˸ wcO1}BaqX(W30O'lcW}3吼+{:w; {%ОXs!dn2*0FdϏ`a ENö2}P+ֿA, ɯY ŭ;5 t-3dNF׆r@ܿki(cw%0`VwX7Y;ozIde[Wj!+qu K7q\|M х \q>2l,*!ƵSvFs9P1`yac EW_-s Y]FqXJ3,m:XȔ_$24m3da+ww}LTf9xR;mxbuݙ] pwOHwݢ xGi>2IvgF[ `F?u@ܮsLa Ze˜|yWFэ"n"0oYY&x-T7Y떦ڎLey5&vh%_Էfgr22)5BZJuPS0Ɖ$BaAyBpvϟR_=9:qǞbB?%Myw"a^]uFAY,p?3ӭg/&uw2XC /,ic oV@;A+ ]{xݒrRzXhTVpÞ΂m&(eh=OhU \aGȘ'nfcrIFX@8_̶"|e Wr_+:dlB-G5\_`1!, Ji]x#U!?P= V6ܷ! t`ٜGNFp:n!Xsr]CbN>wJVY{ckFȓ݉65؃$ )pT \Z 6N G(sDJuZ;0#{=5zl #5ާ@ G:\!/͖dJQ$w٧?{";GyΜU]ZƢ:5a$A\b?wEv ZL@O7TDYbB3,,j3ɳ'!RCCyrX؆+V] 2\ADp`ݶsV1VEf|P <{/+a9f_py~AۂT0I䘃8FW8'S y. $?^YNeޓo ʇRվ֐cyw) mI"BE臕Mm}ʓq܃ŌpmrNVWLE4AH*Cܶ2"ȺEέUۻUd?:X5[voö{Xݘr#ɴrzhш׻F4$ɞ",r7P8hNʩp6]Û>T:ONߪs,֏4[1FMHKL=g0:rE7|K9|FWt1Flw=ѣD  k|u:W_`g_E^Bpyd 3+AA;Kk%9y%Nu@.^ne3Κ9u6Ab⌻aH8/'Wݸ`c]H^D%Ie:(Y\[$q2ؗ.aԜxf' rjVOo<VJvNig +88*f]=r%Tc d&VeJTUtcmڰysד_YMq+&Jh' K/gl>#ɀ;+bloWFgaE5`dTfo4VCŀO`eOcH~AH f 0Ŕ}wSn5!‰uuz ug͹Υ1` =k=+v,?1 y0( uԁ.DyGdf*%_ڜAX&w)==ZnS*q7zm$\-(\J2oh%U jz fxQRp s~^HA)B@5hK||ZL\ڸbƻ b1% Z`/- <0IC`W2Q[F$^)mG[14V8e(#4Dv˶6ϳJ8kyԋu7RG.?zkOKj' e~@g};7LʂƎch)G;o)Y$Eb+ޏi! <7O_KO:.7:s]2QJڸ>7n}:ZmKi*)ⴛTs 4WnM6Mq><nXi9q3,ɤ$YLaT1n$FmEm5>:ռ'H؝})k%bY$"IIh6p(X2\,W' ︢~ `9l| l"l>)l|?q0B 6R QR=g9iha{A1pm\ m=jgey8(D!QAA.yM! 5t_Y砓¥H0ml.rl%4553zUiˢ#Y.a3n4W6dwУԾһ_&O6®d"OA*X6ԯf(g,¥# F.< u?4R.JyHL2;njX̮ϩpFCw$gQUDm>z{zV =:?|LD={熧QW-*䖗:{g])<;fn*=wzY"q B"M~3+j%eQiF,t}in~]3&tezM$F:PLkwIq>Z0J672AĖxB"U yiߝ`J)A6|&P pv8K.lT%KGnCJ,n! $8ܣc _ \OD3bI~[8>un%4XvKF'ewk\w ,88%A@`#Wq`vITpX6nhёf7@},4mݫ '`gq=oe:05QどK@bt!ev>:GD呟]zR5oiUO_FTӞ$^ Pw NcƇ>Zx*q*:{KyH6%G6ؘ1^ܵܮJ,[Fow W UN`>+ L1*Z4Tk C`!m#kuFaܳܛl/7gtb o3+--@8_.J‰f!%Ǥ44h1OBQ39Cd4镟0(lfyOb#T (?rK-}S㑶\+E]n(~zYGID r"TObyg' Fp!Hh>Vh!%?|%˜sMH<>| K*1js8a;8È~ostBh{;4'dn1[֥k5/RS4i[Z?>iIT[hKUцew*!He r!=P:[WU 鸿vtH TD}c(w" o q«84}M9W+go!̫wÌ R٧۩7ZF,"3gh nYou_TXMS:M$m(؟yVud7Z;h^>kk>l1+P'̖zp\X7#rs;rԇY=yn3n{ HʏkcRVɆrL:'fѥ(EBQrD7\S> r&PR ׈mnʟ(Mc&ߵ5¿L>aSQW.Q+\26!eJ(S\N-FFvaTB5Hc1TpG*IqIvjkӉ!g}z`/Rugc:[qКq/'nUX("M-ˡsͿUnJ9qE&ġUc됀*JK]؋{.\NIǴ{O5 Vn(Tב8a4 unq1FEVt1!ի2g72*Z'%Qio^vɄ6Q?sr_gzƢ^dF:܎ӌeAS;|5MvYB[XgJ-mb]ip+MXw![@f+#ԌM\Cܺ4PD()]tci~}0j - G"?ec(#>a\,86/ڐT5σ,W+{LGyDFYfCvqj5?.؞)Mz拨_K 5NXm Sr[:Bɉ_v77 NC$ V?. Ԥy]dV!mBԽN7*&9+ $2ԍ)Z%^b#S1x xxM|4 o$ TeGPJ)\gk>/2;` Zؓdpo$2\+֥qo~48c;!.BAE4q8&%pZ~qukL%Wf!9h@JNk5,eX y- e|![T|*K5`_~Wz=(Q42bkhn)LD|Pef9 :Pl&C|D&k/OSM@?~(⠝x"$LOY'tRgPKskIV/{GKGf7%hM9O!(*[ک( 5#;\ ](Hϱ ]&`kkSYЌd=Z–{Gωhr"ʾ8p%{H5>y= ^ 1U.] Bw&dDUa'.m*,МCZڿ]\ F1>ء4N%/}Y)DkL=3xH!! 7Pz6 ʠ/zQJ3l'"d̶^^6#H,j[~7sN=!ᙲ;Қ?"^ˡLaCz{Y/0=APmE%bgr4YkýR3c1逪>/o?) 9[4H{82X*n I r"6:=^`+&e/s.HҤ=o%]mMA[F"z@{4շBx_|:B5SH#L+•: 2ToP/XRT}C΢lH:Nv9ӅVo<6MeJ-Cx@ GKDœrE0nRQM ) G!%.Gz;aB+,GNOlDfZq"W`zNb?*3[ϙUXLj:񱉐c>H 3%!xqщ0Zy?#i6EM%⻐ o˚$Q QАvG+z  {%Zԩ\xα36tdQ.&46`d)o6GV6R̀-yp=4:'_ f1ŒG3S]ryֽ>mz &YQun|ʨfMYZ3K&Μh6c}aѶu;b[$vՐ4V D"|%Nwk$G:㯴1C9fu JvV?0ȸ3Vmv^3 ÿawB:M %wic' U{JM9S?j[?Eu->wH0o<+(%ۀ@W6| ?lU3TUoPBm6EtD Le/RWaFl?U[^,>l %̫65- u.1К[/FԴ (,>݅MLM,b9G˫m nGN!){N8`Ύ*9|DɁb}+I8 h\pm?\ 82""pt$("^u.\P6I”:Bx| -]k6jqxURi%ډ%)̉f*1V-A ^,;mEF.f/?u:oï ЯT0V[-{^¥eA+Q/SFU';77({XX?߹RpyP9;xl喂_7ZQMf;)3* @i3SzX+S5j]' ;kġ߃v[4T"JuPZ+,G+QJUn"{x}2_0JBN&#$˴o}J3ԯ!`vWy(lM,!ޘnޟcv23\jiTTh,)_r;%O5 PL }ݯL{+lKg_>:oA%^ytsHX#zC9)ԥwzՊiRWr%PBJUF@Hwa_7LH8M;խ)VDĸPҿ[ ,]>2Yq]B* ëLt-=͐ל̮wpdTv>$r]~d"IoQaΒ,&nrdfٌ:cRd*:tמV3qXkv?(~s. >c$\c[TV[ s 5 ߭>I[sW>yMF7"[i(ऴͶ+L\Z^<@Xh,>fFt"pr<;Q*xD􂤏Vj}`nk3F?z0 ]S:\^erMQ4Jo"D1Ƕ̦w)A_OѼ>횪Ť=G[*3JKt:a$fV<>A5V_ OC39Rr/hGk̝zǏ)x ڴnL+b}&j/S΋H^a~7ScyY6qOfq?`<?cd9R,]dc%}$h WPuL]7S8 .ꕏccU8#>Mm/lDX'Dg oË6g/Ufy 0Jڼ-/ 4B/(VG0"*X> krgkS |Hr]H$@,? 7\N]܆1[A?E|'_-օ2jlPO8b!"J6x97`q@H?+™lB:ԾmHINbhŎ©bu7#~aVў\sJ^'k{tkiݘ;cDL x|={}e~kņvZWʥ&*†*6AdpJ Mi΍!Bohw۪(? yVT؍,G4svyaٿ=sxm[\+~Q5"|ECLgg.R(cs^5c5Te')4㈺ʶ{/";s6\HpĩAc$ūO|_N|ìuxE/,UjB@hPΊ{mw:.`]%Ԯ)뚧jZk}*ԭv%N U'׸2pEנu۵EfBypYAMLI L_T!=Jc&Č S˙-? J#,#w clئx&2KS7LD %{]>] AFj/FE2(ӫ2EP)?6,K}%1MY Ȼ\YJbC?5,aOȹYUIKG2 s,m0mzD^qpx'mXܰ?Cxl?8P>Uh*-q }|O*&73.PQ,/ E7t~Kv)̿T?ᨊ. U Jex!W:\ˡFOYE&VS]A#~?]bKr;2v@p@8)aubSz{p/lfFxT*texI0KW23Ġ=AjD!msoy+}x Rij "-Yz[ҙp֟z+\m4$K#㲠䧤QE貞Dňڌ.W_oPLLF(}IN/FiM,\S[:/-U}*JM0Cƀ CR[a ՆhklS.އ\&`zJ8Te:"%ߘLOap;ShXĪ øSQa5Qs<.!ǧ:?O[_\=R#׎πh]bvrr6!Q$)a܇;"o-pT_VL #pkR`Qnv?aQzp|B^H`-ǹ"iӺ@_##yM!ca%LëgI=\l,G.ْ޼RrHPjM ʛ1^J4֛/(לҢG}a#}v$惂i7@K.P(_hȮ` = ZB+lΕ N6q5WWT& q;w"-ܠ{ ׮"jZGhF?ρ49;3 MRO,2f%$:oBV#J0V 7|G+/*>߼+] 3Yd:`Zfa*zwփNH) PmF$r %aROXՅ aڛY>H^ڋ3w)TW #b=Xy*s\zKCJ3@J]vUdg bP1M,]xY !y3@#y>"@+}g Ĥ) Umֳ"na|Re)KX}Dӫ=0hnpZ ԩy i+ Qj?hW[ż_wj7#х$ͷ YToN&qT+s$rquMP{ JM+]%(*D9/LuU Wh.)4Jپ$| #%agK!s͆b"}m@nIJ(+RfC!#U-+h:ֻ#""jp#z u$l4jvM'8xzz[U\1Κtع aqq2ܸ7{nSwXMvFւftRabws~&@")y~ǎ^GE]J<8,?U6v$CuIa_ϽxTC|{no o1ӯlH WkE#2NZg"hO4-P pi ZaԸ^2 6.{j3i{xZƟY~iEsio"2ܑkqe/NRLQ_ߨ?W9x}f>!-jO`CJқ!7' tC7a#]8liIP.iɵ3;S|NVK̟ 0J B,|s }cI"hG$`w2`L\wĕscjF$M<&^V1 LJٯ e -E牃 /LLƐC[Nyȍq^skHT-ɍ-=fx#ApU}N-Vj#PhQ' f{Isd)It*7𷬧;-^Hawh:׌xMӑc%'q-o"%;YZ:.[^0Ojڸ|ővS#^‚UQfEzcYL s2ӻRxaO;YӪ{ Wߩ[,fEQ^ ~DoI|"m$hkyFN<7px@kȔLPPD8[7Q@j|w^ Zx~Y|Oly)R7GJ sWg5jX=cE5 W%/7v)ߩrH4Jyb\lGu-7 ӚK|ö;oIh"FI"V.:OZN` )8T~F\nqsT-:$~G pHpax2;w0:K|C&v>Sl9e:#!Prm'@Uh/}EImjD6`w̃EVs x;5;k2]7˖X.DC5S/iJ7,g;pyv  nN}^܍[<,=F$ +;"ib? 4 m#7<8clUe GC G9IJCGb]+P?"$hVӭ(:5^1NUR抢1߁:i>0zFiTk5dLJg?0Lm(z5֘ /8 %fzA@xf D\4 J=~ڵmJx!=eubJr@rLKw RmE1qnKp~GU\1 _A7,sR*=RO`p&u^  X8HY!iV., vAD ctW9gCL+\?pCnfYKgL?y E`?u 2cMP@}wʸZM~ *$^Yb5uv"0 XJ 8*( L8 iqE +' @$]Kѡ+-ȇ9»m`,ڻ.lmOd$JI^U{~B&\E0s)ѫ-70z{G"ăa$?$'P]Ib<:o0V5c)֍I[[z}KO&FUe +MfJBxP){}hA#KhU"Ls焱!z(Lv fhq6pb(ch,+ۄslռX` ;bA\=[}6+2mSUݤhqWaB^UW i Ab|Ɓ lp̲$F:7}"9'ڻ }gwjіLdY\[k)w4K/{ټ}!~JoR k)IN)W,f-- O9ޢbiQEKE{ך UGTen]"(>!QMAP: -?mp},eK!xd(y@ҕ"ˎ07gd3b @SE_;  SZK<ptD"MYfYq'X?/o둒`*HAXosYR6c 5қ q+ kiPM\Sjd:Na5/oml HyG*rt X4'ↂE*[ÃZ]/W= Љ"D4LV-QiPc6-n]q"1:)|Yk1fQ3ޤ#he*x$/9anʳL °/ŗʀOzΪ:W \C<{Yp*WFyH娴+=2fMa8fټSX>)t3COuB}3}i^ K0I߿(Oޥ :6:UPg`qE v(?@Ql" 5qXZݹ8#Fڨ-ol !xtg]4r(fI*I&hZQDP'&.NlffG0g#@_C>PͦOFnE0GV. ݃tmZذ,wuB*C23C1Ww>m(31LŹx͹" }r{6?>NU%/& \d&Ǧ v@5UT U1瑾C~n ` Z÷bI/ NXs w*Zuk@%m(]7|HP}ոӳvjpgMu4PlY J^jz CNב F&ܤG/JiUN(4'Ȟz>mlBH[ _fb !dHR&~4L!t1I>`ӸI!DT͈7Z| Hu, Ys\7|j 3s?(2QVIpjN ʹjZt)Z K eU+Isq0jncmgW54H:7 )/3{70.*Ң,ò]óO^#~υ8/; 2؛YYS #HJ 8>j[L`ÚtC. =nYB bq[Frj))wyINNv&%&Y*xU4jH>ެF&I}4)VPΡc)٧܍JnͭW0K@|@!q)BvuLÙ׼Ę*.,c>.!2 JjDY{G(=t/_ISWp: *􃱼%΍?ELcdFJ7@,WҔxZz@&z݊q_DɁ,flݲӅodMX@Qy(ʓDJ >,ĞX!ZApU;F~w <TTyt :gݣTsS͍TzphB N)nO}y^7:q)&3qRV|^M }8~/?DkGtR\|eʐ;pn0hfY>0B澊wx7P7RE~seU:0Tl6bxַ Bq&U4jy8c0;hSRe@MӣDq%_tQg#xv<)CeA(AE޽}*Q\gZ&WTw| U5YQWHb d>zzaa< c{-v=ݺ2:{XqDPJ]L}?7K%N2Z%W-OX7ҀS3vB88\#e"$vGYV |ćsc)we|J$(DOqdx^Z7Ɋ76Z#q/w7mr&l$dq49:5PD!#C#xV_O8HS^=zI8"OT5ALsVkZgH[.F"̣A? sשa3hfwbAl/U~Ŷ5ǩq?4 <ՁRPBaee{+^0`ƌڑ-pU|/ w=JBºY$D%ۉjI\뤎%h!c'Uv~+r)_mA8vJ]o`#A D:Sr3s7Hht%N![ pU˩7i)ĥ C-VXR|0ؒJ>Rl k,(sHN%Yᖡq¢t2ϩ+)1;dAm;^Zx sPXvoT S/6fI yQ ]9e' %k&vE(mCn Y3d)E#IV!6S7AݭDg9HTr!_'ƕgab+L[͏V,?`$+Xu’W`tz*t8 lEt̿L X~#DZRbkdeF0rnYTW9zW-&GR6)0Z-m܇(o=VVlot~P }2r;C=i!mz].y-7P;Cb K5 ouA#$d͡7W4vTQKUtZ>V.+HThІwֽ_C6J([ D>i$hw\N{ #؉#|x%~~tc.|vg6O^S$3jCmSH~h z0^'iوdAg+-3EzkcS^s"%jKšm o9>K0x~ڼ@&P#x>֓3ȸ,g*43fɍ8is#IEDR2DlϕoݔԱ#^aq~7ADIqrS眭͠lƯ!) ,Q-KL;w>m/`G(\Qƫhk3M+˳'{HkomņOs P豛!#P}*1JؔȕI6 D~z\H֐#- UV\:=^6]dUvm7@: [Xq2Mabeh;,-3y. v ݰI_v[b Њ,2=]9J- Rd[〾& Z߰^Ky~T޺b_WǞ'pw8S韩iׁjr3v7tytZZCB芰V^'+跋dfeQ;-zYS/Ɔt΄؉~#a0MBF5n~?m?@&Ҿ3ޘ.")֖vp[ah{ DAX=@et F1Cn7/Xs%d3ƦrY/ߌH'\ڭqڜ!Zk}tu=&?'˅X,yV_\j0}Qw Eh&OnME2u@R}?sHh/n'"R;Zs\hUЧBnd[^N9`ʉГdW܀.Q$m2 '\"4]-~d;n0杻Gx=7 a Y_?D-1UàV!î/j(wܱ# dvB " ޔKY/AnD)[ʓ 1qq:!،vBd}\^uR-i9o<>B3O0Gl@'X++]G/p2}Yuir즫a8 %g/.^g9֌.6oN7.9<i@ΓS˞EB}]B yV O|9T)ký#!ӈ%*J%DT+NaQS#7 xK $gLPia4^pd&qeyH5hj]AXDx5_@wWjmXFd`AZ,^]M9IѺEF8 !Ë5-wgtt},,:ZESCL|J^`NEquZ fn[z\zA VI6I !C*$/ hosz nocQVi";q[ʘ"ˤ}.iK bUx4 Jhmz#jJw`Y~OY*ܩ|cB.yY>Fs 6>O`㦕xyy:´ zIo Л\=ZV*ZpfPl<\4|sӧ{W([23/,B 1)2;jD8b3Pnܷ 6[56noIW4@SHt5jr.0m;g C}\<–׳LnT]{\*ӓzAշq?GdO('b:Ŗ9tƇ4;m +YcD e h c:_5QѠ [@I&I~YP ɦrRPyyV(BRF擗  d>%D B} -0W"yWo!4Av)sݨXڦSQ1v"}oۜܲPp:$:3]GGƟ*`UըFPcz p/b׼<݅E+Q!f%_OZ]la恣Hj7C,N 1xpe?!E Y1_w3<_t('T7労6֚2^g<~п f(.@3F^*Bs#GL&U]Wn$Dæ|&,OF"~l q>w6~J3n\@l0Vw:5WAm zY'/ !j p-ɀk~UrYWOr4'`ྶ5ڪc@4tlxp Y4q]"bձ[0%d<2e0萿 .)0O+qD\&¡bX5.Ueˁ*o 1 ,)Wc$7g*ViE #Bߤ11rc|5 ؎]ߝTi((~j^]}w3E_AXru3^]-F},EC=wϜfJa]Pb+ƺTa]XYY,ߗGu;a }C3%Wi ~$q>~K*J޾#"]5tFUvGڵ#גWQ"4ҋ k}@ }mNpż<2ݚDWzm*0m B {my%C uqLTRw9JQHW?R{I6lOaUELdKe󵦇P^M}OjNܧ5K{O$#j9atu5:"@?,pI5 *-W}%>ݲ8c {D%>?f&9x.=|X\pWİ.DDU?surH=&ڠ4B,B q@yKP!l?ͱ_yEsDì7:!G5|PR>&Vq72U$lzrh\Yay/codQcڼLD?0.~ J@pNegd=f*|O]'7oj?}LrV^"*2حj0P^\Ry2%8e4EL>>'`|MephǕ=}}"aY Ԧ;ƒOX@ ˃"*A.w:f2xuYG?} 5\*Oف s@<ܷu#w#$ޒYueGW<lXoV9 oV !D)Z ">L ӋHvg=`.*Vj3x'6YM@ 5Gr_6' 7V-tr_* :TMb#@=.J?2!qg͡6D>,ys?T>gfD9_MB;~,8QF\.aZolԷh?(_ߺ%W_ 9^7](_E%PHg\VRT B`5LF=uOɾCZ:d.rX#/!R),ͦRjs h18D_peWÉkfl͠z @[`sQ:"{w0NDmS_-ɜnaad%GdPqc0^mzER%v)74:=7yN:pb)ѠO==u7ԂP@zj%X٬gnQKRDM5 q-ـAAhηaj`90+6Ȑ?VҚ .w& qO a鏖K/RA6Pf$t$ƮMaH:  XPCjX~{RVkgb]fDǴj9  MNp BE~ĜFӄC$ tX1_)V7?~Bd\j ϧwufVGJ9NR*:`X/U+}WTeB#9"غa԰ (--OΜԎ-؞9_\w<; \Z|Wgfg <}~B&#J#6)s|qLSed.&f|O&\/yI{LjnYCG]=DŽPBpF ZKFC'H4Iw'Qxn MܞJv ې(˵5xܾ|p4Up`;l;REA{uM/ P#,>2k DUp?f*vNd.MI- cM0j^\GQh&PleF> Q{ 8Z8X@k$Y>Pu5'p~5CJL̨KM Y)AFQ7ydS1̱'Enci&a!#e~*wC\3ZS52`i/H;JAZN|$P{1TK)G0h{X>BK_c:WVd~ l29!erK4tJ-Q\glcLJzghF1g ͬ9.9N >rsN, N{p_O+$.#$L>] SBU|)l(ȩH;lQ!SOwWqcݑ, J PQߑ+dbrI9[99.ؕ vo9@ ֚1"_^QLj ~ M,/#ma\X,hxm;FVi߿ 1l =E1ٳW{*A$f >C0dQh"_e"}=JsHBWN?c<')-4p=Pz)kލ HjR_L/v '7k)0j.IjXrz@Ǧ7ŢpXY.OȶjPId~HmlU /"#xRPqwx2ia1z+-(g"(RFyȎ9 Vp}{2;P&tg[ToַTb ߡ@'MGG@J¿8ȁ?1\o7h bjH:]YMÞMtEIgv)+_a27xЉXWqsSM9?MT+Ejb,і-`ճyQ?;4aR5:K~7Έ^eU93W[vX埢eh8k\چRÉE;/{w[tǫM*+¶$ݳ4jp;Y +tVkΑPvϳndnLRڍ9yBm7iCn5qhrP`Cu79OMNJ#a4DͿV̩ S6ti :*/vЩ#b~Pتtɡ&n΅$&;K71ylCR^i|~]% ! YR@ HA"Ew#<݁0@:B=!p15ڜ?~$T5dIfB Zbb>RJ883 /&h?+uzd!7DJ/iMPzs`]J\!*؉ԮV|*ޭ3eJIM2qp;yy (|SX%TaٺOm^ӆQ7/ WzpHk-?VOW/6[N!樐( aVR{[Ip9roA<Ԟ=\ t +G{M | ܕC۞2\bsD{:[yLojS 0 ACRC:4)NqSew#Gt ?v: Id"g n 8Kt{WCGse57?ﮖDr3&1+S@ܺGO\.1ee!lĭS BUEL#HwQL߀| cS#;d!@o|Kو$ Zo,Кs&w}bB%u(, M0Iɝ"Pi>26 $6j1ȖR0+-c>ڕK0ljt 4dΘʶEVat'U+"II|^# kw jX]oޏ0qORwRq@>fc@T=v9iW? L3 ɦ&P\v E zb$W HESHb S:p*'r}z0v8BM<x Z$I>p܀1s0)bC J!t՚{dZ@N,p霫hCv3'zHeJטo 70_j#NI]a7%7;7.ЗF1%WI! D/"s^xL68mlX!p(]@n7KK,xna|Ǹs)ʀG<21MBuU`_6峻P 87j0zGeQe) _# vgHD=jmVE֢۠\oߪV-7ee=E;889.28p8L')4Yh;~K&y=o8|$I\ئ2r9Nl<׫3 Z,Qmj/3:7N&]q+\7(Yٽ5W "jx Q]zo_p_x! >3aw jDe |;Wf ) ?I'$YTA2akMY^Ԕ/p;,#O三6\Ӿw:aAMTF^oyғaS"Ⱥ% 6NcJ!龘ٿ:o%s+Hv C[wcAy6.73ty߲4Ԭ[?:Ro* +Ag=QbwN"hu:M#bd\{9 _?3F㚯sE 6|q.>z晬%|{Bt:ja!$soX ƿ.ҼqN5E?xaWY/HO0߈NvD4Gp= B!f}Iԃeo) BaX>¹FULG'l"˛ &Q1+~2x_D I#<|n5;ox%7nǹPQ/K QNUL|$uXb+=OUfLo­cxV{e[~Ϋ4g㎮BZ3yX9Ŋy9XAiYO&2)}@1alz8cx5gIz{~MiJo3 Ç Dᜨ@7uI0=F\.Ƥj U {<hrzN^;y1AW  Ysm8Ao""7.X?wz"[H6XO7$ę2} D$M ^Mlьbmj^ do%a]DJ,0jחdbװEx_]7* k/V!ͣq:#*Ql` u?)Bl.Ϡtp4rab8d̈́ I_3nq— 6e#[2Ws+dO%RXzWr^ܮHDtC?tiEVHp IxTQ¿} &( I u+FэT/4Is-EX/R)KM U%H4J@~ mvt#Dr6.a~oDtaV>pK0_]T^El\UoB?,zU[c@8}IT%::%&')X8fm 5f4}2S͓yu2V+^q]-?G W1S5SWQ}Z.tA#BŸ;Д/ 7Py-h+" 1u}c}L XqhvoST;˨W?$_(8kIx"[:NrR~,#! }M@a{` we"~ ^P4e-?VN۔+Pߏ;bR@%C<rv傥gEjt0aVT9đ.'M )"dev* 0 1 8[Hm$qk,S!CXsBYu&ٻu!3;;߰$iz&Y²Kk{["XcJ2\4n;saaGٛx6rz׸ AZ޲ݥ:_=G޴iw L⹴IuZNOˉ+V]r$I@$IMܐc6xSy,ʝ'+a9!AN"IC&Ff|~}hQjݲ̀裟#ڼk VI+o?&s6 nMb|8(<+)Rkf1"DS-'VElMfODy3xVYE8ϓyRe=Dpr+:I;2ILb[NM欿|Eݥk3iE?1z'2l &j?u&7!7b]m@x"Թa _e; k9jm'#jx֒j]>DBrw?Ҝ20h-eh_ys:s*Tp6鹼P>kG ^}e 4Z>.5I xs;WȨ1` TtV&U6JikYjiBGUNL)˼gqCI  '1DEלqBt~.:lZYo_x'b`"D%L0?ldתrT~#+Ff<gOWS8"f"o5/u|QD|oPQmCVLq(5+ cZV,|d$i/{K֚l &LjX(VJ)Hَ_&FЭf#f/R_61&{FZ03Ž1 S"iDgUz2L㧰16Ad=>q 8 4j4ސi/~DzwV~0cG6fChҋ[% B@ٓ gG `1\>|59d PwAlDs"2/lyG+JB- HJ ͳw%"oV@=;/H"~2Jt_M5k VN_UoyujU:b)ۿ o] ),C{gP, ΆN1I$wOsuH7O}ju[:r([x܏#S12Vғy#HݵCo;[mݰ$eAErN_Ǩ4 0G]i3`mH\P* !iMjEh|FȫQs-T_H:!w,zh nQd9 rAE(pgzY# !.BC' si{QQ?5-O786Ӭ #7)zܼ!<o)]Q 9^HZS63Pu~;Gx?Ȭ0,s9#HBP-'k[`JK6&dȄN;]׀hзoN.e3^iE&f^@,,PR5#Ng" vZ]*3q7JA""T~󠘯qIjfkZg}/&1* "?Jkrw4@8i ű{/*ཛྷ. uNsH'ISV tS %銿H$0+q/HSLe,+[p_-2ֽ_qɤRm~ f c1*AB-\? ñߏG&wGlVgdK) }^}zEZnm|#Ш3x. :Ne7)*dYǒСɏY6E7J͵-)~7֭E`[^gloGOX1 S(?| e\p!cJ`R'$/gCȊm9ߚCLAuSb Y:ZDEܴ$~ܵ0bYvQiI$2uyiϗf[V #BE6LQrx|~g}#`8I(BWAˁmȊdD 04 ^#4<6,AZ*HxOp'k=˦T*- dɫ)2oa\FxoJc)| 2NhKtOwEocsa~W :7%/7Қ%ND{-`7ſ]Եr|쥏vwЕz2 <[ʢ255ț ̼͓liO#i93όǣ9UѢZ51_H ]NYK;ksKqXmX_lͻl>'3 b]\6>Xœ>G%bjWa؉z Mg7\,=C.G>_,;1a&`=!d-1h%=a9 6*O !Qhyc?bDj۷\6wq:u;"`iѕ~ -!QBJE`ئxF9lUcT5Sg~ Ish$t/ݼ׶ӯ5%opN:p35Ÿ>"åi3 70 F 9}K]DT*gݾ3}OF瓝Y| ?-맯֢ص0Fy%hc 5k[wr9T@dz|*/Pà4#fycU,yDPb"-B9q7oɪjܞT&@}3m\>J\6p%rl?9ihK[sIS~_"AI%T[{n`\]/9zG![6+% Ⱦ5;T@!=4bVwh3 Pv;o;. XVG.%'iDa֜pȜΏT{Mk %A*8-D.Zf';pK6s%YY@#YJ5L%}".hP;/'nHt9F:0`Q]e QҨq>e¸EW:ѥx ,} HD_:)nCh/BI$IPv @VgNLZcNƖ梈sC4ARgGLa%@i.ol`F ן/fTo@i[Ajh1 OZ;smEIɬE3elUɥM SDYZs7e0WكTh(IU'yԹAA="<=paȩpKhre8`&= #8.:Z-|`nŴ~݌-M݉8 خ@Dz;1TR[c 5a?fv[ ОX+EzYC׊ Mnc."u*M"-qVrս%,tVg Y072£=6c90K"!wx_;O߁Wy4՘b] ct{d9Ax$[[+Y\(FᘠGd((u(qN.`pd24=PhSr:]&]"/r/sB?(jj, YFkGa}.d-hy<~Uӵ$2vW3}0RĮ`Q2su 檶= ]j7V`#o*)- enη3+z)}vn|T0qYX7Ƨл {ToK0r_*EZ1)㟆!nK^̀9a@KPEԫrg?E%Ln _0 RD[sefáWn𿿠s]kf-jC8D/Ov5 ō=[(Nљe)oaSfƳ:gفa5=撯S֭c@s/)[+[‚)W7,e03ӃR(66j|9Cָ`卝[~'yA>+"nڊ5B3ƈ-Y\[,pOSL(MEpr\sA LmqYaQY*V}\êXΎǔ|d7z`'hS80ĴY3IȤ`[pN\\@Ў/qE))cdE3M-9[\_jȢ[o Js3;&byI[&ZN]+nQ޻}C C$Nx!@e8>d 90(E9gb~ZaFɑfXtYlw wyD0tY)j aq CU4}/m jQqF ed0v{7+wʬ-eB 3o0x4 9jz`,6jTg$LxM;o!~à.$S~㼷@)]>hf~+Yw>KG@d 㦆Z>dLB@"_)ЀU%Xt H6r^Ǎ?0f]r2+D~62"ԑN(e~}~-O.1k{.k~A҃&A2OZWrUrZ_ "SCR`5 dNyʮQj@0/q1^ζ3쳂ddGDT%;g!l[η|a2+ۧybGtIt}+hw2Vhnʭ)vpԭyg.Dk^&e\[j1]UMΉ({ュnI_Ox}gJ~%5=LYκE\2;Jpk g2'#$ he̛fID% T|ן?ڛK1ޟ3-=!|0)I񹀍'-A);:wa[f$H2 ).o rv;6w.qmZ:h L:"0IJYހ^ `<9 f-z0m,IS<ߔ2keO:{fr93$#LfQ25b [t w[]Luj a\]`2* 0]A:%PHݐx@"%m R[g*nt<_ĢnBuH%~F%=W:c4'|jV#pA<-ueI~6eoRx*Qdۗ%ޙmH?;:=!>Y7x㔏bf.e-M> [~~材NT2g@A)F2L9L,NG%Aw4dמE,8JQ}re7UD:U %qg%Ɔ[7Xd.a7j_Cn7-f A׵ˈflٮauKM+ԋK`ͼŁF-vsٔ}6}24r:gO; 4} HvM|Z4pqi\c>ҍG^^xb^ ykG\2BJf(15- >믾5ޮ2f(S}dz*4O~^EDy '/QLs`Пm!O@O$Oba5!YsĪgF;sgYpx?h'Def܈5+g h֍̎"|@EG)*x'|AѕzlO` ,0v46$LxxV 02jv&{\jKe O@eΩ+[qAvl\<B c Yij)Jl=hYke B[þɂZ5aԆC@e[,Қ4gy{ .Bॺ`l%E9EVFՖ;=RM$8Lp$)Y 8d: tJh3cϼi{NnZ_D9 TuFĿ0ᴩe iY^ GM7Ӿ&ʉ6lI>fu934V\ifEJ` jzk @hv9>ك}ţa'ިPN)td4 .}h M-x_)XI:b@h7E."3Q=`8~f 'm2AxZ5rW% ?6ֺbڔwv=$mWA'+ Q Ն`xouJ~L3.t2q Te}Ck@ m2'.R=7S =K[D9[&i;nSxjfIv18}hLV'/ ɓ"x_uSɈ6ըaLQ?m\Xe^IThGR"rޅN:߬Vpr3L&>r~nË~>>ei+;8$c+z7!ќ1)lmWcd!olߗ\'da~*n35oW50ZxFi߻|0}'FzSohl#| K |GHw -6O1J:uvd܀SXrl81r[TVyL>׶\7+w1R$)i%Zfe80Aۏ%K5 @e[}):Z`6 1Ttx|AF>荍UIm$몬<']n\)5DԘ$ӚþC2mR3PXfb"\%P?],͈cs fh*lnvad\lTPhmQƢ'ZR9-egXl5, j~k+S^L8­&ԡӿN~ȩ٤jԦ}/=vѤT滐-YO\@.㽑q0D 7 h&P6(= yƤ&Aei]HY&%cnp.Be(n۔ pdС ^"5^O&<׼ s柂 kx% j,3G )0Uu+F霑;d xI;);ZőimCF&Dd ? V(_^3݋Oaygqh J/H]ϩkrp\덍  |MBoE H ]]={,нDDUps&dm܇"3֛fC\ HpN tMuU)P;:$:fݬtf;bw6sGlVE92kMtW팰j׵ȁk4atC9FWlI'r,jfFٴ{WMcBFOԆeX>OeٲrJmĽ2bhRL}xዢV5^qlDPo[铮P^Vvaheb-dت'$1~0('ϧ.]t X69]xWm\z#Pod%,RE!0s۰fl+Gه\zJzӛuy0:,C'!L[OwT [:󹶲[wCQP7gV8$IG-:Bwzr"92B$】%NCVi{p01t4?8#7zux3 %긾//l7=+*Ê&ؤ;HzcVd˧5'G̪5RF0`"n{GSY~uB^fwB|G+%7]e_1=)g'F'9;ٞfo6AO?%f҈'ڪm8?l!v)6GS06`ٶIZj9pYFD}<c[Z.@I8guQ4Ֆ[|f萾L@켊f`Ɇ6`72_)= |jOp!Ӿ߻)bcQSry;2YiaYi1LޥP ]*R`!&wȸeHEcшM؋N[:v@3h%5//=Nɗv'62sVMnWP2ȼ;{-?1_&zу)кفCHP]H\3Nj Fm|7͝lLDU.*)[qFUŎ9aʣНr\P4VaJF"1;#*:@ݦ`^N%/jEHlda(+쟑zkMctw~FڬuR#'#e8i^ΥHugEReR[c 䱖l0ΙJz$#G JKb]"b̽_Ξ~Co7v<";&zv#OOIc& 1*F6> fz=ƣݸeL9b;$ ;Z2'|n(ݥ'J8u9Q'{CTg\7;|O79 B~V)}P^BI&UqvZ7.HR'd̵2Tb<@tAU@BAGѹ[AA0{$$W`dߧ٦Ҷ]3-uPt CfQ,6I~ L54 ]hLChuto![R +˸thg2.!?,> d=ڽU9?!D-qE{FzJajE>>/ ߀,7Rt^S;A-tfci~OUc1¾,U2 Tjٕ<^Q5폆aYâQ 1$eeh?U8m9b @D MbjV>O*d&>ຢ[;8[ E9CTFB*{5?oxW;]|߄#9^c]O)00ʑJR˿|Iz@tuwx.f2W[%ENF4y{0`|G~4W ~!b Jn86! mv^  ]`Y@6}%N;rظObP5QX |N#FB,/- -,#f~{$߅VZFr{W5x ̯|sYu,{{޼ՙ2`RF|_ԬbsՔt03)7H]v (F["DbIZpn+-i{#x!-NbuEzZ7uĐO ]`-*obqtrhyeb [KgK,̠6-7೫2O$gD< 1Mh 1D% :3n'b&Y<ʎ pri=ddVibtm:Mz}cֶE ip!VܸtKt~3f;.*TܻbwRWFSR|"iHox.QjxB/r~@ Ega:o73BIB#.&ef=x@ 3B=xZI@yj`6 E㬷rm`Nv?<S@"Yj2.;.k qO>-aPNBέ-t0;Lu> YYH>E(7EY<uuJ̒͌{6r/obuW}F~V5pœە<-36yleHܒYoNl=/l1oF e`s8N]ť̻ջqDk!`V32DC=GΚa Ig'cL.!84-}`vinV/zR[ MlRb о~ݬ.IdTg3fHkc~lBB1YIWp87)H?hyZ}۬w9[N1XW( GHF=ъ' ~tx#BOK!,Ҟx$)&C#Ys_+f_$P`lVM*`ZYHѓʉ{CO-}x(zZ$t6`m37\*bng)8ߟ~6_y1*8J3+oLӒgyV蟐.[#j LԾ H09EжH[~N"}2+/z~,o.y^)7G㞝 Rjo|v`t-e|P66+H#"XRXaJoi;νB E[GT%@=˗7ږf2 1+CL. "(z=Q~61UJpٹ,q+-0̛?^](A^fv5vXZD0Pl((fbWJ̥u}_:BEeeΨz0!62F)PSaJVkfY̹0B4zAt`QK^ٽvC"SCԌuX? jL_M DET2kڤe 35rV'< g`MfX=:N_ ֆW:5uזYz$spqh*Bf46NWIw.k:6#"M9s'\dI[fb1F[|`phcʚ|<$@ݚ9~4  JJO^]*Ŵ΅k.J&0ע\𖗥4=qCcL.4  cpx¥c1? !$D~Bj(%FVB#@G(A,HcÚLN1IY8Of2 nkek .x" +J*`?Kq{-O1=g9[%"xi<;)nX=.-+g%7'GpQ hMDDT@D{ ag `K o9O58kNT+O,oF+'},^SQmL.Ư/3u&o0qU䴸*Oa#3Đek!eJM[AY"ڤOs8x*6!{k9󼕹GJ0S ,ov:E'tCD)#-4:ŌnVυo+% ;ʙ(- c?YAT1?KۉkGQqҡdP" >tNl;wgE0v]LVJ@ =~PHG VoX=H< PVp':(*w^k"]qLȲlR5A9E7w@DgP=y?ǂAO\+ge/5rb%8Q]Nɪ5\pޔ s%8h]Jp{XȹyO!'T^tǃ%>W\Ujao~'A+?M o5 4b7ڤ" : ʪfgГT<Ć(t;Ϊ U}! @`A}L =xÓ<|Т ?@l1IUQfEZ?*,KjF!/47!P*rWQ 8Ҹ-+B?_դ^1֊-[A1^|dϯ\`0hnV*m7jZϥc`vRk[KC] 0%hwDc7v8%p&`#)SJL.!SrufՔ>ϑxX{3HFܒ %[ǂ7Lmx>XZXOm^}̓m[1j *Br=LF#_63<:V?y,}&Jyǧcf}ˢ+QrxFY .jsFՈLد MU\pl7vF*ck>+,j!HUWD yktOmDt| 2ת Ī| ‡)N)J̸oyG q{0P#n"(ۓЄN/FrWWDc&M:Hm ~7~LRӯ+4F#tIwJH 9o{?) Cn׳cꦻN׿ljUe,m bu?8X%fHWYڊ(Zrs\ bkbЙjv_ghyBlgf@(`A>ѮJMDބ N>72\t:7nX!B'8+dmڱD[r^ 1WMي CbI޹(q]Y[ nAy^Q:xڠdM~U6 .';bn~3H.Ǵ_Ha$Z+@;j&4tz= )Y5 ̹[}7pd:y:_TgC*83VtV]b=Nl28OYHErdzQI7X %&Ł+ƝM1Ϯ8Bw.[xRFoyK{kFjN-Z2bS!\_H0RN7ZUn}=?hQv7)ٓCX4iaή+5ϕ_DhQ$^7ٛ*GQ} *%/E x8 d\"oإZ58 S,ʘ$ u[r^@P -c9-<ω0tB{TlKE!C1)\bf-qy! zY Uuo[Et7I9,HKOo<䷳1S7XO;V:r"u^`Jo5=kb'gu)⓪R hc.1<d#,/`z͗NF6f -oR[F?Ed 1 egdZ'l- &F)!IzZP/GriIg{?_KlPQ遦$8DuSY%hQDT[5 +JU7sm]o) I*灬¤Vyyɷ<\emӟR` "tYt*u5d0۾ 8+CN/ҏcʖ֫1RsX5g^2 h.Iir|:l Xo#?F<0rȹB7swC|P[:V9uU _hόcQS%db74sR /16:zcmzⵈģ.:`#v 1jƠ7+RrLlc.jqn_@NwP֨;k-%If[]ӽe7g7ۖYF2eCa]Jf2K'j['=f~1ϜDcS=}b^A!$\ @A!ƻ5܍~$;ۤiH|Vm\ @}0sSA.LKA1w YYtf:q剅4x!ys~JIsf 5M-|$1a`);/ I4g({VC hϝr8V 7oo#ӱ9jJQI_\jlĵ4yJTe΁ [ZjZ7OpƯ #!rǩ+VYWN|' ^$2Uwgyl1i*"ٵ_K<F/$߸ rӈk2S[GtUtZhxup'FZ,Ao#ghOCâRԾѾ my@ctVXI= ( K514hBv.yy[??5ބ)JQp'|򾐛~>:HHe?R:тr]w K厲ijUL6PSrnW1`L{*moh`?2@a z{2F^q, Ycn.-$ U-c 2NKu"-fޜ6=*L/. zO_ہ[*3Ӂ/BUގZ4"φ/#ޒHfeȩVq6!!(#}*VPn|'_iIU2`zznՆݽSC4:Z`[tig07"C*&ALZ *gz*\gn4Yv Ж0]ͷ iOMp8쏂%[XKxە!hp~qQতka+P)0ueq'/ x ,Fn/U֟Fbt1Ē+A*`C)uglf1в-\Ϋ%H*YB.-蒗ȩzYHFN.]f҃ZBK!+6SG.yˀOc?1*>M]qbKWٵ_X sS֛q3ۺmse%Z*難%jֺ"!~~GߛX/jr޼ :'1`7oz[}V.@6~" 1'SO ٔ웍 DƽM5uSyAA]5LdbڢVt:e!آ𰯆?|6EX)Z%HtA9{YέޒjRHfzMÔI lt|ZmAҊc/4CUflhe3p D3k"L.M VS2C7ᗬ%[!gtʐQD- NUv+w}K]dA NMv`e\Dib9#<>e;UKf܄Y&Ŧt31~& Dz1\y\:ÕCH>&4wA rw&ozzfӍfxO OuSãOfdTHT\r4,T@p쬠Pϵ|/>$>5d^ >- {O\W؂LҘ v6TE~*hCA3ЍpSvNW {秝Y3֨U lrU xV*eɼ#Eb ; 옽z@{02l0%]Z)SkEIGR>ި7>2@Ccp'e9~n`R3qQ*a %Eeǖ,@!-=ˤ8zKk(/ ]>o~XSZWB;D"-(Ҕ(熣cRv!8!C`]vˍ!:V ۧ:PurܵNf)_myq 7&cv|SQ7I`6RŚ袮{~,f,TQZQִnB}o8#Ib;Vxr0! 0*Z7L, RaCs&#$SG[,Ed?)}q^)Mb%܁<]+PNP֝װYs<>ɣ^P1 bk9z~i҃nk\6v.uEd8-5NՊcfEJyfUc8ɓI @$3sl6.×e=7IZӋ8JOÆaFMN^֓$!({ h0GWy2Pn8Ϸpfqf"`c+ 4qʨJpUOC,ٷ?׊ܗ@`P)L8y+ocT1?KAQeOG;N'=C]uiKu8IF- Gprš-=AȝPH)_<  ?Jwy$H'&rugT@jZzt.jO ǾXQ Ƴ7VZ:Ģe-1fpRԏHr,T1d= 5?_ȅ­9.<>btJ39D 45,OgC Crw MaLj L2B vB a=|gYynba3F=ءo}_iF?! RLhu!GvƵapC[^"=1&NJv<2pv^s2|ܓzC ?;.o@i]A3֜Ku#z.m}IEh`Ym}?NMƪЖˌ]ըAFQc{F!<3\NN*Ԅ.ot!FeR5GKjч mC[3aGqZ,bDrq"n`] i' MXߥ'c9&^фqq_ۡe ^0/8&|ҼYI<uo lq2n{Dz@Z ױ޷tHM,SX" BG5V=ՙypJc)p3;Ψ((-O>Lە 86T9&,1$McCH~2f}9=jwTHvw.e1l+^MeV ^ u{D@[9q#jlHi!>} ybU?hIأnT|΀&tA+hͿ'S1;>[;|bEuV8*lTnS Cͦ=ID1[, |-9A?cw\eRwTfwV|iX\mG9(gQ2>"X\ϲl7H&D9֍/V.ԕ~.Q8yv:4MKQ'—n ÝfE'74ăs_p/"_*hutQr@M[oscfK:R.^#h [>[$ u9=>XwT)Rյ=2ncsGXRaC= PAIxSP.O$RB4ʽ*\/g 2%?ks|"&A;j#$RTT5ŰMR*RN\5zMUs\CX|=A+CvX!mV[w@bn䍳;]iɑQuW$CIxVxԷS1{JQZ]]4^ hUAcD^-񢱼u@sZu}kתpq[=+@DYwQx [7G [= U}6QUp/\B]2!xE!T 68*_GPD^pU ~UDeY@(П"Bnխ.@r\Sc{1LAX!u#si$-B`Ylw1:G O TΞ7{"׉*;oq&Mo+UY(ʧ 1Ze5.׆of@H.bR4y,$q[эnړ2WG[:WFp{(@w>g}pdaQm:2mm8+{]-uRd*&($V^MJ`Oz듎LZk'uSn ͛ n&KeQ!3;jAV 6:ф͌.cDA/#fyz ]vϻRoe8N{~^ >:h.iQLW*̸iv☫<1^cF0(5M&Q@e~Y"1NP~o}-&5ui\sUq""nrsEԊ3fJk%ȈjhsZAkJF8G,7XTB AA=ԋރx"sꀒƃ Mz^8.{l.)tJqVYGmGU\] b!;'b$YqՆ+|/spఄE,h|±(3ܔr!2_쪈]g,m>B?WqUYO7ėdoÞZerN.å+4Vc♉^7aFs'VnFwss.`#f H47c-oJL,M 2/%y!v!_GssaG+y ;P~ fg}ƅ^bbwJ;_Ⲅؾ͊G ({H<$kCb@A)O`2qSHS)VGe6>iYbd~-C-;I&\Rw3ª7^KT@{w1WO& Ý7;4V("7GuS!ޙ"[\m^I h;5.X|OFٖmBAT #6dݧ[zh5Xp6Ͳ-υQuBtɝID.-"e^%14CG8DDvLJl{}/Qj1u|Ю8gk/1,\L+BqXӂ!W! 0ljPNr-ׄC<&otqax1 3^u* N4]2Fa 0ozGD|Ȃ{=No2SH`Ż zOի(fX&P?GZ:baJfpXkIϑKdVvQIk{#ˡM0 -W|=Lijv=^WwQtzc ?2/zH,Y:q{-?{vZU&SꢚIOn^S1{Y7鋴چRwo ؇kik?9 Tk\ den%Ia,޳4mM,I2i6Mļ <*F?GҦs9x5 g`Sp{'[wn`L dD)ft+ Rl:{N$ܭ$|l37 svqQkR6%ϻr{ta'mauJ]PEkLVX銸v[zS^aG;ز&xNz_vO\"mo]/0 # f=6$R%u@dg4J(uvA _ֿ杧Y èMvM:8I<|(EMJ5E/ra,bsb|łr ҈Ԗ+a3]$DZky@d 102 II)0'_G'jtKu&FGvd:GFtFX À/0? ;;OshrB* xz0qB)24- OY hAl+XxϷ*u]<솤]u[ۏ[6Ҍk?jΏRrŖGRtZPpLJyXZ3K*1ay[aTj{F]I{G~7KED{R4C*(n+Vtj帨vh4.̝ @[M ZrI6ekx ƶul7ICbY zcn՗h0V A>3^U勣tɕI4ZiE3ǩ9g*)6[mvuRsĹSap3Rː32'CƮx]Vf\E}y-̽Nea,SrTnW4xJT6@?MO(apqz3vQn Wb1p3T|KMkk g٨\ፊ٣L;jIQ_-~(]oOSepHlj;0?Gt߮zaj:tC.`A^wgDq(\H }mF:|CWs5(q l|%Ȋ_A 1z!J9HXF"kUX_t[ǐB! p Y3V7=]Cr-{}Lw~nZϏAnRa-zEXޙ(Į+ fMA]58a 'n_`o( Q>IJI PлHf1cIڗΤ$2LkH d)l/V&-<12 cyK:.RЗzhSxeɁE9c͍y V5d? 39$&h #Of0_IIŭ ozcܾs$[;1'efr8S*Hmy{$YIZƃ ak23XOWgC5ճ=ǦJ5ubHE;r(M%MhtFWHL-|DaUBC*ùU6DnoD `w^Q=qL* R k,g3%%@4]rfKݙdfے"N|'}'f N] :.eaK_1 dEp:.`75jn!~7~et|\Q%_V>,}9&SΘH_^Z9qDl1 4ԊrQ:6Ÿ͗DI|;w= H }6tN6nNx2fL7;F3 3Z/ٮ-d$P6+`;31zvTiAP-q *J=8rPsgyDC\( 6dWM~7YOWh1ƓߴRP=p3v. IfxU{Ov%(s裑IM0o |GMoeɽHtF&_ sh& f8bD*U* M ?PjNFy羳ˉ cR* ܑ^1. ŚV,ilR*! {AT&Yɱѥ1L.Gn}Lq>$_OX(3A*-xoߎ൬rFB&(tP-b*dUc^|PB+Voizrլ"L X{b PRpkY umx^QL;QhuEAJ3M07H9j]%|4cBқ_hf21bd@^7fFaA0Ot}nıh~6Vˑ^W XءD"R7\ gZxoS8ж[Oѥ-P9̠g[oz ]P9svGsEĥՠ-&zr $pV5׆#B79!.i[ꠡ'n*ĸw)W= { <bph[, )RQ$ʦ_<:/BT8$OM,ޅj;*-\]Νus\ئpV9dJs]/; #ڞ=¿\fG}X19a!N,<}OJsy[hRR.A Jpɾ5R[hILF]`Ì4͒}C˰wN"iV-L9B[긋)ڳ{"&7sclL.لf6L]W Wl7UZ7C<_ZZN]?aI.ؤr)c}5b*bA|c݄w%HNAaNɪ9|2/(䳙z/iuKhzM~|OmڷލMBlCn-X!i/^8Éq**o'6S͌˾ %-$Bj1-ANR3d $o\6*ar^;[^)[L0ʶ.U`Y|<|hM&NJ2Y*{Tg#~|)jɡVx[-}f.]?jm AhƜg G0ʥ0i#~!PP3S/]Z.IpL{VNMHow<݈]&#iDN\G\C/wl>xꗼmKL3?ZGwh5|u]_٭S_&xtili_M!\v9R2`KMH_ !$ƙ!`CmD飴+KF>x|C Gc(Tp0@ 6JSj=O,1r9a֟.YPuT;~WdeDd=/<۾ȑ#%_L7{'MA m0p)gj zy^O+b[eΠryhOs]S ?io'u\Ϯ1.wwزSL&`%b9NJ{eY|zq/4Zt\I6*Y"54)RqSEܪapyB!bB[9ҡLÍt-΃[9Z5D~גli+g7Po]ĕa*T8lhcզ]m31C{8E+*81 1 {>Uo=,@/ͻ=ì7c x|i[~re;ĊG!ŽuO-C*de M7'H/s]ȨbԆ1-cL+6뜹 :*Noa:kחʠpT$n~x;]O3`[(8mchl=K2`-.t} |h"+M a#i+k{h] u6B]T'|j8z(mUAᙇO\ a(3$O_$W a1=y^~)gCr*ZU{<#Oz4\<YĻu5' `F Uht Ǯ޲gQd=],#El*u)E PL?xvпdAT8p3,!H8Vx4mvJ"qʶ{Ũ̳7ɫe|*xohB  /Bn_3 (>/JŒN}NJcv=O <{Lw#T㐒m-c,T%7kZ &E*cLݽ ]h:^3ZX@Hhԫo_7<GOD#[qӪ#c$;ۚɵ7uwVd0# *&"0Uu@~ݹ8\&q%&pep͐=}Gii)nܙ~ B Wq %%rBcTIEp(+UV:)<ƺ|x>ıq@cj;SM@d)5VhLm;{dw9N†BS5aK^|wqN +m:З^*tٳ+0Hgdь ٸNw#dFV\c/}\1<n͍ q7}M}mH (v/ҎVu6ء0wpLFUiQJ[ttzp^%ݮJ&H/% ^x`6Dmݠv=#GhcU >,.\Z^äm9EOPp^t #'q7\Q:XL~b䫄P M>@I?3~DCi ( /yЪ{b.PWdav$$mū$<T;׻FtoR#qp4e+kTSǜ3b(^"Ka]ڙ4 \V~r)KW,?kqO8c4}2$<ՠ K X3;E7~FnZKNv D?{q2,?_gPԑX~j68`0W 'قMd0l{!#3k@~ O'%N њI=h?4_MYG\ { "tEo؈}$ FV6:+.R{I6 N(XB"l/0_uE' S }dľȓ˕&]Ci2ؔX2n~][@K{JOϻPU&ՃLHw*Cums=0SRA/~ Kn"+(4IKw i0%mW 5_M(|}( ~;.jOe y7 3?9 قVEnOSYYN _)Ҳ]6?)4Zv29>~muC=jYYa vm+ f[g0")?Qi~"UN%I["FY|ڗI~)p`yV̠[`ΆKW 5o ` ld|sM!b= 9'(gQI&,H< ;> V*ۺLΓB޼{j7BlVY1s?y+ax[n96 Ah)[Y!&f10p_zm0cy<|SBʐ/@ݬyX$beqʷ_,5Cj*XAǪL&H ff2BP._WFN>&emPB:LVgZ@ؼIw<|YZeO˰ѽ_D* `XVq#6IsȥKxaeN6͜ꦼ)JV uo5m,I%iAܱ~5L45CyH1 @Qsm$K~+ѬXDyB[ W@CD d1\"#d2ˆy{)%]w0#E6+] 9Ѕ~юƿT!UQc&MC6/ѿ4 e+L[p'/J3}[B7!ѓ-3<-Ix yN" ZX"%K@5j5h:u2ۏ['w{pAgyá@bDteDo2A 43uci&ݎZqY#.>]{\_F&QU܅h%TP  bHY[W0eYid8M)c昪ֈn⨲.WARZo0Iyaڵ`>˭,zKb x*8[g(]tO:Fp)}Jwk5u* Ο|y\ lz>"."R0%j Wx[ŏy&B5}ZzY}=wdJkL/sţR1/=O?dv$nϕ{n괮Pw/)sH3eS=_FuٯDhjz5K(";)/pmb@rsFR"=Iz{SݘqD~1$vC1댙G/٤ӳJ^C&Ge*]ee9lUa$%I]&>O\/{1gi=K&\=JsCMօ4V<>(\d^'qMrwJV0 ?s"d7$r4si~5֡$qd:2GL5Sy@d.NY-d^ƻߒTbxK 4r_S^*Yf ްU6j;H~M2 t_lLtz~ZWk+KNpsL[c&K,)*r{/l+Yj[\,PI~iJQ1p/.]Q/p F#<*U83 ;p]f^< WV :dmn-Y*s:Scۧ1 Rƺ(#fQLCdc?8Y^ɳB,L'B1JgEݩEni8)-R 4&A@3uɚFb 2]1SJC.5Ml]}v8]*|x$ꢓ1aB.elLtq7l s9p~(6FjfdLV7CыCG¥"8CcI-CKQJ6nz')Bg E$hV 1%Fٔx]cڽ|$qM7vi~ .j<ʐRj^/ƽ̎}@Q׻%o2}iԢۢUl1nUj(/c554W( ΥBF(΀5gEpc$ƂG h#fg1}sb!mӞ%B 7".քrQLSR*)c#y(*o~EzH KF%6 ~sYZ#|T؇5nWL9$H h!3g1c; xX'iDz]5*RъHX9GC,kV, ekP bIV-#@8f셯aY= xw圉Dh !\J;vYOk8\!'? uIu<:1A ia,UJN,)m_je^uվXY=xtڡv/ 4de#8C7+)cg ̮o%ր/%f:=]%paZZ[< t3^Z/ ([x<#FZ>Y ")B,F?d!I%^O8/_Yޭ$VDۭ^+ǧ9n <h񃿊V"9-I2"gt r⢅x0oenQptT ˫}'"=!#9wy,pr!P;[PGǁ?r;gx O6ﳴVt+X쟎\vAe kWIq춍q3}-\#N]W80ٚ[j(|4ij[JqxDiӍ”q0vK@׾"%[Z(7qUkRu*2<&TC7 qFbs}UffV-bk({ʇckvXl>SqiJ'c,܃劌7*\ &or!_28)ljT=Ogy@ڋ dq,=5dɦ7yԼlKGJ7Pө^O֣\E8賘L3m:n$$/7n35^,u%v'pJ<;;ij9仂D#zz拕N?[VJ~~U\$~{Ba=.*9]]8Iwf1Dc/+~!+G;P;4c(`dQZ`R:]r)mʧV){9=}AފC950Dš}9FpcCZk21iS/A|ݪ>=O3 |T(uuj%`2NpO血K&mԊLVےzwS^F{4PRK\aB.lUprAHei"XBaCW4#ݓ3ӓIRsKc}~4:hRcfk^ MM[ `}L2=זJ3A%psPpa"ßL5sI~"|-уs)Nq͊L&9&Úh)۶)Bw-X]%(ESX0NQHZLsY*{w֘3{ʋ.|fQ:bdkq~cжz.WR (1v;fD|q}PY!' C`WP,EA# ,Yl뉙T˯o(PQ:B*J&i(ȸ>AAkPU%[\#dCeVYy@p+LJtVvNq`6V%4e^RpKX[hNx`;ۥ 4gTT $v/LY )*(p Y3RQsU-OwJ!@(Z$̍ڸ9yorG KbX$KuEl{̳ !B_iA|AmmЁˈ E"ҵl K%=KU2iܜ|WNSwDth}FgX Y3~x5|u]BRxXۼOפoDXu,y 5|U&[˰d ng9jʑdDM>i `4?Q5} ƭH5jh%Vi#N@$*BRAR)Nڟ>B O<4tMrܻ)-8[ sD%Y'HfmW0̹"h P%|t~KL}2<-r9괋z,Z2=N_Np!~ X E>RuSbԊɴ wD'd7H5b7Q92ӵE&[73'D_7nJ{o*突F2GCqD%|4zex6Ì ȃ03zvbM! cyF=qmE2Eu -ko47=/ }s{b8*Qˇm5=ɜ[XԵӳ#퉛";E@Ԕ0#TxR}/z9I<1l^H; qD&ڀCNidoaG%oQ Uqܠү[PJHepwמ`Uqb`ggA$ˍ\ό?٫ ~>!I.,ƍ0G%ƽ Rz$ .U|FTZӶ1i;?3戴x.qoA-قb{!} E$LG`W^Kh+c#'1+ Kf+`zZᐍB{-ZQtN/Q&6 FE:isdGAqc%50coڼBF3s )mL@9Que6@~%BtE>6]%/rBiE:Z+C(Z+Z+-Fk껡Η`< TAxFaN&>j'1Ѥָ brK-$" aO!a!/׹dh.nT)I! ) pձCmSWlWUJʁ/  e "9x8 P3ZM-zMŨ5n%b3!rS\7IQnXaʃJje41o:EP]lɵkAzygDJn}C$/VEYAғ2EGRUgfU'[\̼gըE)3rWD0@XN*-17YOѽ > +W?)=sDgdn0ԣyPSNpըข2w_QyL$-Te6vO݉!Yk@,@hHvcH&3"]X7JntcB?ZBO'HgY Yf;hZ*tZ#о&C,]d:g`S |cf:(%u3@mKB-Rsz2X^0e:{AN]Kg\T`5qfJ7\/U_Tuim}"t7$1IJo\lZZ6hsn$/-!޼?_aq+ @|?K&?'yiT+qeB{"KLU {Yjq佭G?Ws/QoЏayٍIkI^d5xS EJ<s'd8 ]}A5'hvy_/l|U0vw$u 앸 L q£q`/m/fUn 2>';/J4+@ewog bp/v_Le9z+T,)-uj &ѸJ}P ts˥uyq.q4ɫÎ ò{1uN`$PN$G΋> &ieǨF^G$CɃaF)$3E.aC45tdnZ.q!ձm A9q 8-  Cu;⪵!;wJ-A遭*Ha$Be.Do$ NýRo\fS!?axN8Ժ' dWΔh 'ECLL2gm_ŢZҩtƼPkiŲNzwj{þ[\Cj'7]*0ҍ;*Ympr߻Z5fc^&-vO+yޚM1 Q=cg_e {@liJǼirgb_xJ %B|q~Ӹ^ucX! <ئ_\皳Khh>ŷB[zS pj_X4Ѽ2LEbU"14i_lϹ& *H{mʃ{$m]6C'BuX)| jw9FL eN=|ٵ[jQKaxD#4̦,T넥,SrY?|%\,SJU80‣N's`Mvvgt];`VCPv~"]V(5l_h >7q[ <Rv&=SV^,ۑ :/FJVwo 蟴An,f$I @"rF礯-<,]n2`)5:8mac3㏦6 Y 3`Bv 7j;Cb*?sD< zXF $±Iэzn<#+Ң`B0Uv?vP5}l̦P1\MpHC˙`GDDrӦ5BCS3w?iK5^;:3܆&"70m{"`fF㕜%,~\ȚLVWRys'>*uRv1ߐqӸǸ-HջOsx*CxIDA䧟(- Tp yZÛw E@sط4Z_CBȒ'W=ΛMHB_D1X(`1W#IyQȷZα]۲2խ]8<7SbhN$@UP_EQaNeF"~H7$fY6|9SR#MI `rWCT(cj1h Ł.?'tJ#-rpp(I3:Ȋ^ 3 7(dBES _s#[uӂlup, UM/ǃ@^-jWzza]TdUQ2K2*=NB1\$Yy~5S>JtݫKkQ歹֏/4Yx3WD4tu0X;p\{󻗾j P{<&X*1z* Ɋ7[f -QAωmueGaJ &F7\HlĶ\h㘭n[}J{*czЮ̋eϊ<_H(IOƖڕ23ߓUdN03g?XQQ!2k)ѱwU xOL6C۫~-;1műzUK$,1y'Tg{^ӀvV b7VC nr>h72ȼ*0VfGٛe.NN+3́S-I9nAމ6vY[~+<}`*"^lϛ=qlj'u%ȗL 0Q=?YR^c45J{ԥ>kjzYF~@VTb3hUED/N'8z%J*ߍT3k\s{9!KWUQiY-FdѨv 8ȧpExnu1@_Rrd52Q8—lYOLǍq\h Z Kָ^HkM@S4tUs}((uF.!TGL\kzO{Rp@u>7[t |o9kxAY?(q,^Wx}t l-ĞPt(q# $R`zV v Q+q-g7Ƹ/-Ѽ`gx;N 4$m@T,X|_JNSHuR/OLތj+;8UѺMxuil-FZ̶溺+0R@0dZ3.K?6rC"/YۂʯF-4$ňv]ƅ%: ɶ+gh6\1yRfr/' Om'+hdG&#|@(R4)ˊgx",j(k-Z،aU3oSc*EM^Ka9q s1_I"Va |)yy@-i~\tr_齟LI)xf"mէmJpweͷG6!o=~װ;ǒb榸_26O8P !"U ೴9\kW! ӐWm(JEg| w>.[J:zbNJȮ۫؅;<J6o[ #C D T;qB#yߒj"O/"!۔++ 2J(7w shLXki?^F1 zre'=dzN.qcB#T}sꁫtEcҹA%iRpљ7Vpb <#&2v_٣;.&Eeg:0_'LAZaڋkXjY֨#ϧ|m&N -ptZLz~ *Ի%ۇ{9}>*ѻ@\#ߊZ;gozi/|%dT~Y2MKg*l*FRّB &iB.ZhRBndANRʭ69›<G3|s^(܎a[Jp|Z /KS=bKz9W(yբ:(͍R w/Ӊgh>?uT< 20;c*\ XBV+3xmTD#AؙĮFog[r1܂nB.<;N}6b2Ұ%.ytsW*C$"SKecjp>.h[jq)\"IxU,%O:L[o `\}U'&Y*jj%s|>z?,wCB)RrZQ2TI<0!::%Xѕ;ߙXNlZx%dM))wо巐qs%8ߚ G']~ZG1wIkz](nIS>7Vſ_=9xkӒzzr߃>8dEZTé'aXń7H(9V`btb蠞^7wT 'h֑dQ3 *{YR~e(vה9S̕,pbM'[CG5 N|haZ#'K~/RK;%ͧyMDm%~p@ q&q[8MiIsюs]֛ٞD?h4zhAۂv0XhP">uwRegŗlqD:]B (mG'Gv6MH[ 8^B'~\=??"Ug&ž$D:P[?5= K.:%8/_9v6")Af/*ֻ`d*^vwW\J<?^mySO.!:s+NLx bԈ,rwVo='@}xqD/0- j|zvb`^*LEwu"CR'OqA@AɪKIBQJ, PWjv{M: utjŐRګ_w1b+Z% I]a÷ %\3XJM2y;@8AWX;Y2`oU+5Flug!UɠPEgfti9kInI7l[n~P6.J1 y]!C2ˋ CXhh΂zO\ vx 5[;z [8p2skw6/2H-&(v1@׳@ \v(|c#i)5,_8&?GF_vJݱE(ؖhDs 9|%{KH'S  }ji0zձKwj>~#ŢvDZMW;1-\!,K9%%/\@ckLF)GZS6@y={ND%UvAGkwC,By}*wUu,%lj0Vjc1,~ Angʤ4Of*2뗔Ė2LN6gvL0NH #j]Ήg<yP>#{A,yzwuml $lIiwMCST %X)كXҒ:pC]9΃ H%(bcY2Ա;1Q-4ʬy<`hO)@<71#~P_H\ёͥCF[Szרc/̄F,<.{n0d,YG6P-Z@=( ȲJW${RiYbE4nZHGhDz/2dd`!p͏'k06.Y԰a|®X}F3ZC˼eU;Qnymsw,2ӭK_20\UΒ3>)~m+ޣt3(*o-Ir nBHy{ߤG jRVCĈQ(@4̝ . ;ԱҲJ0j1y8SW}E+-"ex l?gAQ&^G@K.2L nmIOj .A-Trp~ҋLq5p!!4Apw2Q; DMR]om ^9 `Ly/xDߣى_եȧA,GMTײjC>Ⱦ[U-cif5ꄂlinc$(b`X4˨ޝ[G:G*}p*mA!`sDIqDjIYՊ>gqhfknw9\L$-&̘H ^9i]>=2B PyYpc pM ߽z^^3F,FdA5Ǘ+?,Ҽ\xL';j^xBrI=) $#W$RrWM2-Wg?,ꝉ'˼q!)b'_|T1KZeC$|Er܍7!0_9|fmw4 ǃvkq˕<{rO_;32GvA@e\[ax0 0o!dgUy/ 0,4X,%cZ2[˱YtŰM31yzRzXos{ӥk^ó?nټy6Ι6xYmCi\o{i`|.1kͰگ/d'9W)3,'&U=hhHe()GhX=BTtj(c`R%"hsB74Mґet &izZ wh)ФV=ow~GPvzz2 G. r SAEG:)| ˹lnz2:Fun\wlA*2<5p,]LBpQP1[W5O}0<60M0M|-WG`\RaqU&$x "k}ґ_U/NV.w5[̈́iZZQՕZ4UaR \GşvϾb|^J}~!<]$4Bs2>XE(n;6|/6_X@|1tn"03 wxcVn*^r ިP*3_$J4\y7F}'Z1L/8FJ};>עOo7OLI(PW5i tv9/K;:!#V|8]&2j0eFr\ʒ0;/ 6b[S`Rzse]DymqRH*KrZ3 s*Vp?;kYdI7m\7kRm7cI&v-V)/3󲅏8B$) ?)$_$0C{:rRSıDw=j{lp[Bg*1 GUs_BD,BeHV#u&,H@_5]%f/;F'th/'x>àpآ<ղj6H=~O_PI!cf֯}rK>3%A>ʇ- 7WUH9cxcL2Nw{'͕FVDA)ђC|60N(Io% &R_Gaݘ|;bJ)JBل#gJO@"[{(&Kʻ܉˺v5gHoQkp4-ʵd O kЬf̘|hT5SN,& k 9g O#McFaC\դ#0g CsG*ӔD 0F-J`s+27Nv7Yr\&T^g F(FDyAu8-Q|u@˕;0O-XEX՚eV!ji^Irc*ai3P\ڊ2+p6P4rC~CBFI7|$7- ̞֘#l i*'Ӆ1t7/%@d-8jBG ޖ&;!Vs2ٯ1 abkE'00cA+nK4~&Rc!![}#l-bbJm0,/ng*w*v U L[S cɋEѬyeqORx peGIxgkx"s(`K"րc)0Q!Bi}Au`"xV_n ,$EҔ-e!LҧcV+f";l=g:>D ֭8@dǤv1:t7Nlc(:풛E®* y275Ӱ01Yhqo:5ٲX [ qgC.J4R,xIu 5fM_cL ּqaI+fQ<xxϡ#5@m:?"i[,n㧺ŵC-gM;T{L67"4Q܃Ӝ04>YHlGӆֵ~J r~`fRD]A1fK .qoNZY1@~!-(o?m{Ĩjxs]6 3|7b/qfU"_AYW3 $S.N,@ifC;YO" ÿ8#>pk0El9hqbpT#>2S~ ߕ 3z m!!; e:1N7C-+IE Z7ޭm l_[2P.I)!kvG) Y) !@d:ǩgl+#nE >.z1o7J 6gCm+NDz=8Y^ڭǥf \r#H+Er %v}Ջ،"vU( Y/d%C-ٍ:D l̏x^ }Z)Hn  sq#3Y ZZ<[7,+6┏~g'wq ݘrԩxؤF9J !M0ѵ&PxMWT>r{Mj#}R! |82 iGTKUYz1caԇ2[~BTL<X^5Zy8)'TB ? } ι7LiA .YQN,H(c#N0auu3L@,> (-i>&)L5P:1f6Y`Lb8s,Y`Ww-_guNro) O x 1p)EF]넺)#ʴ /.yy)rҋ@pkݮ1Mp@§k]A1 3 4bB!9/ zF9Ȟ1 .7fЉ1X"FDƞ?D ;hMA<]F-|LX_\m)F ̼HYⷿ񫥅n­}E";:67b4׾rȤS|ZeS &!g,tlDaNţ*u.]5V$!= JTHN7]O%aҚ'ouqZ/Hm@tq}扲ĮzP'Ϗ4h \ R eol|XV33]%k/{PcҾ\oNCY=Žs{eOKד>H48ChֺۖHugSAlw"e;c}hJMy@]kU5q}!ӊ6WhnM tYm_D^k6߱+opGfʗgDnj|tD#''$-.g.sEKRިv,pL( YI)3@t:YyCe]Gnj6 xA,<[<)_7GrEvxOH~ 7fp J2Gh>9?-[]Zap3)5M^)spRr7$6d %w%>R¸ I'y`O<]/nT(p`5D;J;S-BGS+זB* |(2h·1CBJ0l{{{XȋhXԦ*Bn5W_>)\ʔP2fX2toam´O9elt&yK|"R#al!CP z(A (AhU @x}7ۏD O XSohc+Bjt)Ӟg")okRF9::4f .!$_[IDǟ$.# [w#BwwB%7w7- dfBgw-ysZyptnz%~3/oBԻ'lb:;ReĮIQ+Rύ\ }yXW,xl#J9O@;W(~PXhšV6ړ}UO0Y{eI7? zMG£L}'b4_3jtcMK-Ḩ(SDn:%t *֤ fF%lhE8Q@ؐS7]G~l'x FmҺ,}vts_g nZ/K{3&Sץ8_]Ǖy!irl"p} w? p&_0I-VN>7kl,w5ഁ0X%n9qvYX:@Y~xMn ,s_fV[%`+\VAybIdb%1K6$ם ̿˝Ǐ27LZ$I- $P]iɲ)As?}xKC-D?ScjFVK)0 x LemW=yTDS$('?bFR^O6> Z#l^ zSzxFΝrQXPŸPđxC qᨾES9qOJUЦ|k ?\W#!TDSPW97u|/r_UseһKQbm;O15˘r-+ĺZ pqާ(3WM@?񅋽&xhI!Xm|$[ L̕d+1=ZUə}OtHZ1L U` DـaXﯕQ!.B5B= HLє ڙK*(mQ U6n~/5fy:LA$ZP/n,ÐH !l?\_TԒ76? Zy; pmNܶ DɲeiQgHA2Knߙ0tWy _e3K>1@׷l>MJD> ˀ}]ݥ [L/ g4_<_E 6Fy7-Bov_zB; DaRs"zx7(fY&e?!joޤ%Nt'{+ݣJ⅐$K#1d7&Wo<]ʸ̊ C[O*)Q9ȣKI2&o-Es0eyf<N!agd6Z!m(zv+ɜmccLsLuUkQ;n]ZeG`j>kRNak\,/e)R|piG"^&אka=bi7M|ŴrMp+$ AD'h6c>29I7O!#ˈp4{o)֜wapQy,1;ZOp>b_,J3)jt М&gɈgJ[nc]ƬsKCQ4?\4ڐ9 YOS-#Oa)7Ӭ-H0:mi3~_2°ciXd/^A"'F iFTA-3<"LyuJaOkYtE1ǔSrC[wIԯgXh?rmjiSӥnla?~GOp\D15c:;t H|i^5!Q?AnQ NKF!Ve\EϯɕFF T烰˹>yM}'< KfڝJuȞYJ|їuVC}Pf꥚ .KK6=@ai~k!Ÿc; Qe~#ydyJ1?evLCy yC=,~8 /yWBZhYubohW=Գ{t+ }1MJ:wC 3jV'. A*Ϥ)\Ed[2fp=ca܆œ\DKЈ&\VH}-)t h?'*{x,Z_j)^s| Mp5ҸP/'\eHo,Kc8j79QUMc')rƛ ,YFT{-'~/ _ٵ"x~ŀķV Ӫ]jH<57ł*@(r`:%1sQ N'96OHӯ.CPBfN3DJ)M:MIcN2B/kF!L ԅ2? NvLJ$z6Ӄus0ؔ%R&àT@-o R`ƖWC52SY[WuOÓ―x_~ pt 3t0EـLCkv~eg E_R*Xٵ ZoTs HiA3hJ@C*ajJao F]5E[Fp/[f%^Pkf9"f9NcmCvïYm}NǑSٯh_Z捆"t+·mdD|#xYռ֩[I~'Z<ۜZ 5a;7 Z0S\ pHiⴻxK6p'v}1jCTA`E'E,^=_NdWMu |[71*lҷs F߳{3ޝ=xy߰p-{?wnl8k[ E #v.XctY1=|(f)H.atbi5 5Axt-SQ,wg>Gs'۩APGJƱY#y1Lcmxz=pQgd.)Mt Yz]팯,28BR#jx\Tq2`"mE6w ?x;xH{R˕?(yt& &cڗ ĜDEmS#~PhlL&T919`{Qm􍣋YJ~]0e[@C.`uc5TX#Au6lw0)ImɹeȔ$\ӽ1s)s^ޱ'2M1e6]^Hz C*3> 7% Aޣ!,FO5(jzSQ{8ri?i$NȖՕ->ʔ)QIŝG,>/K)<:M ^ *>gSnHaca $sh,6(X}.Hmm^9*i{i^Krn7`B.\z.r_7CMb&V0"zZX.\Ѿ㫧ӥIje8#:?Cd:Y$ r 84zヱ%%$-r8`X%9j> 3P<}zpBD|v]6%a9zbߨsX7wVDLCufj.=CRp+fPo ltt|~yz 藝gͿI--(8o-Wlsl>|WU&~xItg"9FIfu2RTՏz0УN7Op1F'`ޛ pH,p;V:ZXCPĕ`' s ɗ.$hd̮.P (=Oz9$aY&<"P,xJFHu d!>`QP"bJnn,oa y͌K쁺$ٝ_M4 7)!LNB 7Fi / 5'IJr1XQ"/y˷zWm3'D["'ẩt5fҰlRU) Ym}Lc^6 Ƃʊ#'M)^t11BCuwƷ-K:"NַKa0ą9!{b3c=Α\<}2B$'T0Q.Tlx.u ꊚ84:HF7!*|WӲ$U|E3.ݢTήizW"3oxaO +ʛ:*a-߸(& ZJ Y&nޝ]Këg;^.⊕K ɦf&%+QZ<+?"-p?Q!`AY-󅄁_l0t1n ߝl@pa*F;M;LQٔBC.E\<$Q&^a;9,Xl`T#&@NB{w6%B兝֒3{M5UmR5#CYXYR"kIQIΉżkdVE:`|#:2Y%93#pٮj~XYnFZ^E%.W2<]JD}|]e !̈́ a6= u- )!0ѹ'Ԁ68n2'W{U7nñ;gCzdzq&܉>ۤxd@R #6 1ȀZWHs:o3F_0qvrn{\x d7?Z!4O"e\oP/u"Ax3p!Yjrbq/eS|\,[W3/Xsb A<3om%Um p~_O4_#}+sJ?ͫF[Hɨa7֓A꼾8A"U Y;Ǫ kV6F?ODu v cy(+КxGu.(E__[mdXv_t,[C$qӄXk+4Se= m/s|jξ ` 8Rm 1!aLzƗΗ"qj׍V2|V/79Su^o@3-%R՘3bHHl7v"vfƲfrixMlF(-b : 9>f9MPψ{$IR^'/}^jM| ԩ,=wҰ8hU̐6pK \qmbX:8P$jndܳZTmw!>T=.x~o3~<{ԍ+0[$ߤp%M3ץս3Ed/p$ Ŕ%-5;{e}eӄjyEahJ(;aV ok9G1s+hX8QT('uɌv:zY?"Fz\B,,>=iki{Rz"ʔ'ohl%:]b>'3ZͤZ6qCRGPHB`sowc̹xi?b~R6bW,\%ț_*CX~l4Ĉ%a{3O/&:-N23\ xM BQMo5&M')k^R*~I%PFd^1V,G w1tnӊ:W_?:.[3?`$*nJZ&\8{4"N^( <9 @?s4{tlU5 }!ٔLFUC "!aK|&Ccv`w,,ˁlItw.eAE_#`D 'ej?]AE =,zM%ݷxDn7NY_`eT~r5@"N=QK <k/])| o'gp  }[޳ "ښfƸn?ʇ#M6V@,AC='2+{)khV%xۈVIKT.3=͢fҠNN3w]砜|(_U0$ O*'.AY>1 ЈhpҪ•Y1hnRD=}1}OW vCOK!om4ѧɄc 0֑hUQ9=p؅loNiQn h%@}RICȹ㚿2eTFd1Ur25B%ٔUKH]w#x.ĝ@1 qIY81֟5Bf/|+f$(wCjcSWHVهFd 7Z;Y(AF HBx "nd I$K7+;}ǞS%?]A0}1* u1Y#1ɥ+hˁr<#ҋ¨*M9e$-qg<3L3'O{״9vCbٚzw(tRbyT] Ӄم}Op_y2vte+?srsʋ\e"RH!/nf[v/qgK29^ Vݷg/svHwgZ6(xY֣ e3NC[_QMT$_(\3S py$TJBHtwMܗlTv  m ]"}k+1z}׃'슛{ ]~5UCsn6l"xuP6§Ң0ƹ!)21Z8K*Xd6F!=;g,mGԇ3g}( n Ѝlݪ: 7, q [z7 Zx>wKhA~ÔGw"U5']+,--._(H sֽE=Ô)"ŠTn(yCE>Txv(eNOrl| Z@ =ƚf+(W({-k8ɑSg]:JԽF0n& EyG$BHYe:Ş?Z.nչv'f[JH 0!6)kE/`l @%yE [|;E0?Y1r~cpE^lo<3ke&%@[m`ܼ\^/s WM#dǩદG̘H]/abFwdIĵPGcx\PPyYiiavagvg xOHOW4Ýv6$?.ўUfMo"o`uUNE Y==Na]Kfez@Gԏ$J)Way?Ng(a}HtK3wgd,>4# T.x:#XccNk udCA]ku cfEKVмL} #kD2zV6*ns6l2⮀q?.It>?'8a#4Y;v}=H'AYʼ+:8M Գpl7|6tvq1kIX?' =v'ܬL@;☵!&ٴ'CU;\X /_ Z,"#yuO#h2ۜ>;wj!@ibeu| *C=c.I ګKq<=j_LY D$O_jVVdt^|eH|=9f(5 =bQ?P5bNƃ40Xsե/r+Wwj_@'gi@'2&@ޚ)N+, /r0d!$-#/6/P+-q}g9O>#Ӳ& b'Z8 wjǀgL3uNmJDavSAڛ@v qf!U2律~dQ7vֲ G1%2?Vj~Fҭ;ɳ#UFXcUG6PX2זňWK:Aȩ}mh&WA93O5T!|]yc^[P#O (9r.ܩ36Z)coHqdQC?}$"`?ʐ5D{\=uȏqVK"%8۵u(+K~Ҷq´#AqQ!,n*ٴw.U9U]^B 4F*~f/:YZ(wGm](h;WDe_f`naw>kFhQPX uLuY#p &> = *+Njom@T^(̀B{{Q0O)Yb' ""M~FZR_RX4yt\:)\~;ƈM ^]X:!=%^%Fu[sْP(@3WzʭۨB*+@ LjJ/ (Ne6j5<ڦwMiS( gxD|Ftf'Sc~8`Z,?jo젰q d*GKޅB&% u[Tje_~RʼsUKmwݺVh}Vd~NVsDrV1n'\8,^miI.Ћ= 6 +ӋSJ?kDmk!ӡY:8?j}k`LJ*ƎTIsEܽuΒ8l=3cꕖu3 ;ȭ_*dHdžǔ>3"L1hֻRI GYƧ'r3l*x`CՁ=\r%L& :?qr7ѯi7u~gdC0ڷ5llvEWꅱ-gı7הVѧT17J@Jqm69V<8kT/R<,'h( ֆG# _ߧ'7Wh/l=jI)h@df0|x_Pa,gCL;Z8;hsI6y)6$0@8)JfHu [9[-[ TDz*p 9ǵaQq_ 皨9 US}臩@I6ETS&rīB]~fV| ~TIz)^ g W[nI[(I6jB_=DË\?q;ه0Y pNw6%mhm,,DǓB ޷Q2S|D1/.+.~DjAMq3LS C{X /V.^z>s=6k ;/)LFf :gR]S)26xha}Z&:YmqX\2*,УXG$2BKqf7hE]?FL]\_i߱q*9gQXʤUKI*=#BFUqu)Æ͆h񸥷dn[boT0FYieKIl62re{E~*ڠЮRL٦B9dMrq,~yJsQc%o6bXD#UD-L_K."d%q~L>0 ζ HeZU+I>ջ`Z<ך%]a'4ȸa/_1~=Hq]d^>~:9V5ә~lH $Qe,>oD%b_277I-Kzn 8uн)g#tn?K'LAX9RI $g j1.O }t%X3(\8Gjumd6CHA$BXŲ}rp&:)7kߔF|7аzFis AsE.2+ogS(xx(swE44K񑄞z JŴtDgI3m6>t+}l92ʚՒǻWqiN%?4Ri%Q`ꞥW3=ܫ9ȭs9}BkJLE qu;qX'"UB-P<ˊes\ð_傴ܑͧU2g{ #\|Y;i+O_ .O.Fw7e8(IYc1npLPK$(1P {?Uәp6 4oet2(?55;J<gYV9MetlNZ򴝷R0OGL"ٿ|b¼`bDzwhB dO5sjhUs`aHFP`:[s Jɘv]&DKZ0< ፦$T/ o_9P_=Iin۬r\0mO02=.xoId_nm(A"ku_`d8(#`'UqI~}|8 [$LDF@pL^ɴFZ FrxD,;P{a^A7C se!}S"ƤINlAzxEP/H@iIJw_frܠx~L8:ĔJĖB hU)_ Li-<42xd0HAqf/G'٬EeQͮv:A$; k))f^SQy~?wr}@$A2'P➕;qH KC:[E^AGåWm6)Ё)hq:()`BFЊ6F8c`6IqT( S `8\ ?j:, HՈuM/5%f$/[?iD'!ZYUE/Idtp7WqU2̩(~P*ͅo@/LLwv9QOۜÚe7ń5h"Fm!` طH/bֳ-2 naJxzrxqlR@ x1(LP3A#hN[E z-`~rF-Q> NBһ҆4U?ʭ 5k|#b\y@-ȽZ4hiYK6">+[Z'pDzV,Dpں'Ӎg~^|͐#JXZٚsJjEl`3"ue _|!0Jdt?}& eW{+RzPy==Gd&&yMM9xfAY]c Cςh u(<,a&’;+6lw\!MGB2PNҘ g@.KlKXq0J)kuG(re߁ œþ5v 3f $ă4Htf̱ ShfAtFAj׌u0Cjl* HlkKSŭBi^(dU{L+]tg=uQwǝ4V/ސIuSN3'!xԂF%ޮ7hU9 x` `,zߠg =^OM  ACܙqquo*r u0r>8`tFX%/P R=Dnms Hi ALΛILҏ|J n~OClXHÂsm&ăTg\]O#g>X^Fj|>Pi8melB@F< prq$;*ȽSITxn:<@5dTie'nΚu ZI -cJTm+)bƈH"60ʑ<o&dFc&82_¼Z06EdO"@n<4/r01{N;EΕ:M~9HkG-ʻ澜8S,0@[bB3D$3&lbNM },*0Ijdž>6Iޖp^5-0 _\t=,~>_]8!e@.M.GթqhBj2czsD7TTXU3QUaoK2=B# S`DdpgGžnmѤ͂l? &C`M4^U2q00Fȑ*MτµPl%OƮ}eق;  y f +bFx61Rd0d]@[@ /}k|m(~YZc Q_jOt qOry^ gTܣ{hfŖ6c}ǩ'*~6 =+]Frqaw Oqv4<kDё5vʿ\D~l/ 6q^?zl$*+oo&4KmeN1AHwozN`³sVL 2"g_5gQu|b CF)Gmjh>:h,pmZ20n2PЬэE\[NU6 $a$8֘h@'$,‡emJ#qrB~uJq~) WX%KȱGcYhouH1$ TxԷT!j-aokXln-if=\^*eE%*wÑ2C` ò9I sYuHm:u { &vY]w$,Y1.[t]җogco@@S5H^ S-}xw@o;1w[ca .k?,):J{v} E5)h4؝ᎊ 1)H6'zh+UUnq€>-pv!K<f,6V}IRޙmfGL18lKU BW۵?mdBt$'{aSIu@wNalLE/!xV62:ltejˤ˳Z `si8e=mg'Mrm6=+%N-Dca5_8:QGJK )7]yâ.-{>:K7_Q7N VGb3?wFh_"&pz=>j`3Pv"o5uҾZs( 8艝 r@!y~*UH%sw[ 1P?y,]ts5/$Z㠖!ߍ+ 6ctsNn aˉNYC|9OxE^k6|?pZ_|c1Rm*5qZ+n2;ԱyTV0c_ oM_w5I )efphR#Q"X;U#TB'goԓ5ݗ1,ςoDYԙiڰ6&͖Ռp)Jh N7}|ڐpHA7⠽&뱆UANQ9CGxk>C6C5 ^izR;`'\2q!4hthq|!-~p~;41qBsS/#s~`t /l-y? ȸ-;Z<>#]=ʙS[X8!P#8J b4Y'.@<5Z.ٖMGǝ=J "&g)Hg9I(H 3MᎡ^MH<<4)z7)=LFz `bMj籡aoė4 s;EtH\Թ ӼC;A\kwh2bi_HҮu½ܯ7x2͖J=O`.9 =D4dV8(gs ̟^B)i)*T>(VCS49%xA'{^}. 1.u<6-.7D~t)u@Ǿ z |#?S1ꄸȑ̥,Qh)^)i#5 =4qs*!ᖆ&=.Ԥ!?/*:z::ŧ+S:Y&G*TʂzH]\s׿?1bY{C .]'5СF@<9|=iP(\IBլ) oX@*ٝQ'f 8FPܫ)ÚsqCd:L\HTO aHR_*F.f8<@%3)s5,M_߸bW*!On!HP2 j0+ c'6(p!eW.Uι;ScM0O{({kq O qD#T !+D I4V=l本Hᣃgtv͜ sGc-,2މd[x10Wˍ)ht h,\ndoZ!U);@"O\H$^FbH<2_}{;{:CYMk ]*>S/\2!dVɧ8evx;{FEN,T%&>sр`!m}u??a^,L$b[` ya+J d> Ce*)Wyo!+;qǢ&/Ҟ\d<( 0}tnfvMᡏkUX:}5ѵuzO~.Q).U*HfHג46?Yo# mK &WKkif5,T Q_f']A*ɾuP('_P P؊&4NKYNT/H۪#h4 Fwao{3AkR@XeG[E De% :Z=PC6>>]kT.⚬"x:ZhڧuU %'oN6Ȝ9kH팵}Fh/td}{Zk|6m#F\! H%5M, g4<ujzZ9(ʁY:rma- $>g$^JSjN4YP{@]J2ɳ+kCJ&to`\>lʠgѦ\R-j7 !̝0fk9[N< hzWan G&&ȳ2YJ1]4-m[?-/Eh4Uzh9|1[w&ya^S%]MNF]|^iS7 g9ObY&ͤj:EC ~?8G'eyx -D`e vתҊ)DMǚyK VJRM wU1+$f(O9aװ-פ >SFdr$#]w`͏7*x݇zfWqh =+JET[>f҈ofidHoOSAH. Fg}._F6>L u޺CKȑ(’!xW< $,#" }6Ghh~YCbkӭ1{Kژr˟?)AE<=u Jȭ{\fc`}$nH9X݂aU51~$'2F_/imwTK?I'3ɪevgRXɡiWCk+LF!`8./|(dp87gglz. (94$Q=a8CĂaj0B;QWgWϠjUuؔZIFR/ o -wb~ٙ&.I{\œN< E1TPYvsw. prYj'bM>x"C57UGpT!G`P]VWiʼi]5=G @#k]:5Xy69$;!Hv`|ş6J!tԲFJ{ _(ԙ؟q)M&= uI܂|f<.6)x&Ny$>Hܭ̭4 MC;N I, @8x2<g?k J[맦 M߹,E$ Ev{O7^m)=mHU>^psg:(5Gwx\߼"|K?9x R?=a' V5G΢ז$){7#Heeo\7⟪p'XpڐWKhT=-, ~?jL_m̖ρ=K$/`o&ba(/##,6jgq[ia~zӓQX:簉좐iM̭u{-U:ީ;rЂ @tRv?W\e_c%rlШH؄#b?_gc3oԌ>鉨^$Rg9ZNE l m@(**s}NAJֲr2cL}f'qֽ{l&}dggt%-( x'9 E)(ry>:*2n3ϩCz#icΉ2=n=yZbWj_MK0Թ?i?aŌy0YC O;E-mŞzt*sJ!IL3(d[8f#4Q$;TLE!rL' Ԥ4Os4b ݚo*Rw%K徖T)߉֏ZAt`Vr%teb!v{,?t4iǨܧ̺cXcmz_zu~H7͆WB*Јef9fTu`u ͟6j0CJU#oxu^ȵ,!+< \83O[{~SY٬c@%b Ũ Ud?m>rZ13в ֆR, OrtAV{-Cp T*cǫ6$Jz4 xbx64e :bJ)(ɗWfTh A? lh|ACڄ|6lq +k׷VʭP89Ds/|7#?n΂߆>d]mE}S83KG{ }8yRm'Ǯ^>8]Vi6k^ɟeb[n+q5掬h,M%P:Wp]>%HVf9$MVlUNB(6.q FL~!.gNhɞ~yG#;CbV AhsD:t CO:;|C^ p%!Ih#6t/1-߅3W 44[V㑃:rU=,Z!%swUf6ٳ1HQQ?=*1X̺|]`uOQba ae i&v62ᢦzFmb@+tFo6JX:^c|WoA]A)R vLhh}PBE=cg8f`OAo]*RmSW$371F-7PپT;Hm {D|喠ZxxUZ V.;:욧,'t:v`~F@'5T3Q=TZ fj/]3-h;Mrn F(Y0]m*C4 5YSX;̍>Q-{f143GjP@ߎ4}QL7ƗN|SlA5q".xQ}5Zpx'Ovh[Uwe e@=W?DX *: H9dFe L5S9CS=R'JG A{e#FHyee6rYa)̔ y~g:3 '*'LFHݧA1LAGu;t1L&bOkҼ<ֆrOTsxFB]L|;j ֵcJB99#%hBurU58ɍxZ8k{EG8f֟-K,0o{OQ 9\x;2¤(vо FP0X-eOw;ȃ<_ KC,%fP| [oTE^rcnl˵;Y8- Jۘk?n8!W:Tg|Ơ} b.#<҃0>֘zdG]Pԛ܅4:=^Q?I#W<-@j8|1bލ71d8$MQ@O * H(:T݅.N䌣6AN2{ 1gN_#%'hj=Q G eSHƽI2c%i8!z/26]ș?Q l^"Rᔩ+{e?x^ޠu;<%AC43Q M8J ܙF^K>e,]0Ež \9 %=5)C|/19~dڂ j&C@(r&!ݟ'@ȝDBxMHݶ)sXgv_;sM_Pa%AQUT":< ]H3A<(Rtmg| A-3+ st,~_&K=Q5RœzZ]0A5$cIz x )ՠPG"U+fxH6f ud0®Z#0`pB*!Xm@TK1Oi%k 5Ån4ar)$v!|siq)@Q.yC#f/@ [%bpnk 獋<>'pn*!Q ]?o{ .)7ѪʁRw~j.4|?E;2,VO&V8́x;zfHnIo>hB<ˉ\=jUSE$֥ş@ZjOn9{8x& )|"zO=$ Un3j 龝¯?~I}2t$u %;؍ɪ~)|IWۀwl{sh+zȪJ3P9B h'sjK_۔F7L7$}ݬkD:H#3i ?0'bx3%/sQrKBEa:95D d5 nV|"ůL+x9nf'*^WQ ƫ Kv ;).!@X;ҏDC溰(fk_ 0}'@&g " 1eL`^iL5"*JX|/ēN9JzBȹC1w?U]L!Z W|YԾQ˗y+nW藁hAt{WI1>0ȜaRI׻?OUZ* ೾OcDxe q *i**zJg/3eR%&%NW1|9 ?t@3աY72mQ2[e=`&#,`l50ؗ4g/.^^rPܴňJ~^ϻb)Y\aPWq8n~jJ"`s'NE$ec,ܩ/@T#},Y9ן$6hk *BDpL /Cc$&i( Tzv4CXz4ۄ b}F_{SJo jlC3K}<46XĆei2bcjUL#j265Uͣ 7'I`0!^,F7r8wW(h {J%<> %V 8-A%䛷}8j@iWԓr7sZǕFZeb_mmv bfC9]zbG1ؗz2\PΝ[˹XNhT3q.u*|TpAbk>MpV~W(G;[~6JhQvy!d 7a[ѓp~NjJY6,"l6v`'iUXTNzhtZnU,ؗ蝒8XWGRt\@/x>< ySFk1blrX?u7レl tF*d b{µ[ 7;|bթڟyFgƈB,"9Z~$B GPp13OqBFE:CPU5Hs(d5ΒȀQQd-;_ )c&W,FKs/Ǖ \-W-(CD=nۭB:$PDFx>OMOwKfwYѽ@p0LB72ˠ "3Pw`]ς"ԽncmB;^pɨQMY[n%{a]x3&?ͱA9$$4 I+%ʨ*"1nDQT/g!.#C+JP tYFǐ[ ` ?NE=/6K1Mka,+Ȣ:NA(ͧʊ}MNa[GMCAiN4!K콅ַJ-,.1/:~fTґwa! it2-;g[W)[jmdICx$,fb xj eEδt^Y q38!;\Cho',ZQU>ԻJ^6aG2Rd/r̨Ȅ #v~VM`x?k}7f% + 덱FOcA4uKƆQ ~kW^#`c'ڙZD@#)&nf_S e.jK5 V{vxZG|dD?͌|+g'U+]@&0v4eʠBD+^!b"}Ղw$o*12&E:4_qpa{zuä4TA!(oS(P5ߛBj9P+#TBp+"OjP(Ԥk%U Cr>+=Swи8g %2cKxx󟁽[j^ե@)wr&*JJwaw F6rO[BTMгIbi,Uxv%d %=eL#AOO>(BO^DdrSwL܈XY=I9ZU7B/0sַ'BUG. c^ɿ֦[f( l]m\ݭh>Bg2w3)k;#OZ]F3 K៌;<+U J !f#?,4AZGɌd(iJxtwj%C/546ZvQW">OMo؏2hԅӹsH ^/.3: BÞ~q9/P߳DFXd?NnA6J?a! JdT=^m q&'dL \ ~*(k(p3uʭCvAN}GQǛlwn[ɥk_yp3T`ي_<~ΣѪ%0L-/!3S:vaO0ZpV}Volq4|՘\.Sw A!r x#|PPfS}Z}Is*=XoKї_Li1AE3j?5kQelnKRQ*>D<"Y\yٽ2Z,=2<9tMd  Rޡ絑[dX aK04P71"I˛KQ.%Eɞ3 $[uD?Ggw3W)ަ:Evc"Uϴ]#>emZ۪ ~J=l(9d 5☤tcI/"Q67(UU&&] ĺ%Piю0Q r,}HpqoH376"/j;dFjDLl'Vcq9S+)U<,aO ">`DVg%4suk^wM<8ӇYeN->%,L |_Lcbm,3y+y: ze$lex{mR=CiCjMa!E$J|3RpBy%i ōi Z'x˔=e{[w ܽ'\D:% cMaMXvMd=\G Fl9r̯̜UClI R\ Y> P DV%J9OmZgz4)0_`ya88솧ۯh/:"uH_D&/pfdЅ_*C㱗Vʣ<(w羒Z= ̷z, "kR`CKZŘ[O 05 :Mx[}z\}t<+%hoS?\t/} CL 0J=/Hյ%!æ>`hT(b=y3u$@|[4zsiKj\dK>܌ۀWՍF,#ވzh` -iD]i9KO=7ᆭ˃̧] op7e!߉ŧs2sf?$L*V#'m?[_b?Z)]^O'-S0ZUN%(|2XWP8zI@,I]& y$ݢ /x6 X ;8!f˚Y9]sMGg#Pӟ܅ك1q5QGsߋppd^i)[eM1t9Y ,E;Q6'>Gڋ71ƨ׿sPhh O̼49M&4[2 nm5Oor,N4zPEsI]ËKOvEڔY < DLjEv3y.(ܬ7_wJipܙi'qԷ\;Mu^}u#k 8ħ78<]y/ (QM^ᢡaS)^U0~-1i-NÕ}6r [uwP!qwn 񋮢{I6HcN T֐!!ax|@ KֽIy.[OvWqR-(UES "U]q5{k/}P,%ѕ^ml 63 )8~oh_$@kaI/C+~^D qF呲V05)=Nn/,q"/"}y/J`թ% ;fd7\Ö?:DIvym:j_2s|Щό"θ,H̹$&g &:Ed("o֌eJ+FʿL6ʡ!Q*/uD7g#A˺`BM VOAtD/. )OhpW`<1W쒪~c= RPN DѺƁ')O6` S1҃Wx8 ,;&r8(\G͚}:r<–Sov Auq6 GOi9uRCU3@R({/Wp":F5aSei&B;c#LIN[ӧg(SrYE~+Ԉ\: dNpWEvH3a1?HRGwFj识b–q'|䣩K#%務O{-H]5=QCF]3)ҍh! a{z@yE| 㯱AKBq=ĩSĠ{J<32e,Zy,p#Eѐ?rަnբfaU7WiQ `UxHE&" J#LC+0jv9}ga©p3X<}ZKމ<WNI'=`˾hHOK"Vg a 5D Uu]qOA:uR;Y6mCO-z5;zJ| ~MWtuE w#u/>W| rd;|(,ꋻvXp5G59}mOYB}jI&nZեKyP _:GNkh]}E*5ry PUjQK\s\Ԃ_؄Jdv@VME78SPC(`yC$>05v!C2t^Oۿ;E4X)Fc݈|= Uq:C~G3T+:J ,ȭuҖf; hoউgm{۠$'B%* E ;LDžU 2S!A*s%LQQ-i[`Yp>FKAOzoo[X/o!bcRp@*)f{b{ksBвm6{MM+kY[y3vvDIV˯alRA\bR$_M3dOlʄMSN7r"oN[Z"5ji^?cŝӘk~+ u z1˭8:& ɸ0$!7\,<<6,EQ}>Y8tJ^^&fC֭S<. y}C@}zv.5lD0aNgҮbHW]~*YdYڂ]\gcb0{p;gKXv ,&ReUnq9!kI]mrمSC!-,12]h1ijҁ.@,쬲k\pG7&Aemu+v |q`J߻9[*׆*v9KgSPX. 9qHL ,pIY2([5(ؾ5᩻Am2kՐ_sSS]wX­J/$&edS[>_!,*z=( Y Zt`orsMh:Eg%_h4sOjFc oGOV0ttҦg@dGJdƭ#Ю \3iU55D:KMli7 m\}P+\Lu,╝5?2P^+0wwՖKc^l?E j0_@RYo,io%ɦoX#R/Rz nbF3rFR+Rr8-"2[2#B#"[BbkJs)<'e< :a䈔oUr !4w2S㨳?=DHe l[4/ao Ylhv ;>xAnuf7Ώr"#8b8oOO?؈64AS!"j]sc;Orw"@Z(Pd80$bu 6m]1ߎf9sfOgڄb{`/AME{&~Ȱ&>,a2V=[iԂ1DM-1yU>[ً3=8etZZ7{xA.vdWdvt/GʣmsX~74="S"2bNiN"gI$OݸaQ:h}/ø&?O; St;\{KqM(`{d- M$UJkh!W2=+I#KZkb,vgD1K)?5P:/1^RJH{V3}Ǽߕ4Q"cB(ĵ1 I;Hz{; unp%2aqf/fK-4q.=+(9X*;ʀAeJd3S}GA _ $nw%k]4l LҌR'w(挚O[+6#"E1 4FPsڮO_Rù75oT݃b(2r28@Xʫ'O(􋈃Z'pdȭ=jS*!EqA/*̞ o{66b_t !d>ᦳ,SJ𯃟4|0xi\$հ+*YͰ:߄yǣfPW~ {*{yus ߙ;pޚjCI%W *epreLju:/to-|3]o^Oq ع%3&mIcx 9PP 1b*`#9ܖ[pBu)Wt\ȕd@ ƎE?,'^TģA_ ߧq͍ VUJ`ogmL1b|֜wB7"X glnTZO"롺(k$ۂ9O)x ŗT6D!g%@ijOLmi4]j'#/7A)˵F)'+1nF!垎2Zӱ_#~%WXnۏjE&X2q6p0-gYM3͠'T`] U3$EvSWwY;kKМ=]BaUbi¼؇hXjRCG>$BqMylh \e7 d>8ӆlNnKgeZ1+`?/W$ 8f-Sa#B?WY@[?ւD %o⁄HO+K$>"̒~*lP"<{mPebD2m}r8JMMQ ~dZt~K,$k efGqu#1p4B56XECQ$ o+>9@1^ ? $QO4qk2m-×/5!N͓^o| @X$k 5"by#z/~DUtf]nol&?X,FnQW UBi$X[ޛNaM%RvYEc,㘋9M쌂! PRlkeDak(&R%ՂP_9z0>L[L)-+u70{-4ߠ]bSٽY&"S2y_ @k|8DFwHv}NPVH]T,S, Fu<;82hovxԌ5!}b:# `ph|4qQ~jȚ?7qS].*IG,ˀ`aVyvɣ47nP杄w ]rt_NB%+Bt\HMa2MG WmUR~tj`Q_,\WAfQ6iZ,`͘F]4 HJj!C$5@wm6G[PGcuBIhT' ʹ+Y(g'IZB 6s4b 6-b{J }#뉿@u>j*yک[Y/hD) e/;Y,yφ6__t-`:j }P_?,e\(\tF8oߏE LX$oj5m,D :=S͇Vc7Ka낧48Uf=X}TDx|'ŠDM.F#@w|X `inqAAz{hҲv@6![~ASHWSG7kɵuxPvtSgߪWs`Xjp]hr]S8nhsH> Щ~j6r :VSaDYrloB#~V+?{`%:˿=Қk._D$\3o1{uxz{qԵp$iWqSC_^z蘤8؍Obr ">"[ f(Wǥ^7H3b>tM-@$қ#~~v1ECZ!z!dŕބ !QĐٟ%_AmƂ]3g̐J r[stz]!s,jd`1d[--֩^rMMT GPpXQ!r?QBMRd}eT9. 3Uf0}8Q[&VwƯn,- x{A[ <{ ؿhU!qV*:эoUm]e՘3nG ΍[%9Х|km_^hzs'ԋ$64?4s@O@V,20I7=(;o,{٪lt}Wmz[le,lwm LY7EmH}|{?ȷr,C=i:.@.Holi3X>(n,kL,9ȳH# { ˅00E qr< SH&q'Zgo ᝅpuIW cgq)f XYCE; 7^DWTG[:jLC(w]%1u10c1"jr D^aGVH֪KtkN| WD7gj[# Ed`) mn>!!{ɛKomϕR#tv0ҧ3籚 ui͢')%A* $JW;? ͟} C1K-sW@9>3DoH %olISVHb3Q'U!Y' gHHY`Ws#JzQև v1?ϝO`qi |0e|bHqc(s1~-J"Q^}pzۛb7v|8K:${klaAWA#%~ܬx):6sɘϝXE^ 7Aϫ 0`]Iq)oA"f^`BNDr5{:5ggd-X;C3cw3oDzل\T=׋8.N"*yccR~F4@ G*^ X*ʓͫ*لVզ]QTxY=0Zs6C@.Cw4V (:$(4Hhooj0c)΂/TZFug2sْhNL&[$}ѲYucM>1OG7\24/VO>Dׂ!q! l6b;>ZiʫTd*ea*Jnc.~t@IU _v숢\mR\E=]w&`N,<C9w[hr&\Z&<7/ǮS8l_A(:y[5fPJ"%}0ҲEf_\.5; Ê&0y2Nѫ#@H `nR;F.yc ÓȢq^/Ru#r֚R!" $I,;r` 4ڋtQ_;lT CGR8!)c=2.xWb Q&s(P`5!}ۙp4F*l1 d渀:*"UB"͔;rDxԏ54.rz[NE-:.B$#́d~Y28&ơJ(C9FiPB\wk΁2TmM4抐M_o܇]({*!`bETkf+76R7EHR$Q멈0+88M04NJQ͟,dr|Q{ax 9F \0zH b!gA܃J2r=K4L\@ ~{&@D{Goa|2ˉMl=d1D>Jj^ׂXO^:e0VT޴bkb,\%sMtB:@h\$O'zcbms-Iք#;Ŗ;t q<="u"nH h9-&q{@jcTCw5,U+HY!@s>TKC-ܘBUu `Y]f4d։I*.hqM8 NCZD/_~$u\#b$A~S-P3}+$ XqYŀ>o~Vcʠ@vs>oH{RY[$/0A"/!Ήx߾cg]Ϥy$R<4̌[rڇFRM g9:Z M$|FRpK[-ΥC`P%p}EgoZW45] ;v&q+aTrKZ_%;卾M2}_-`kܩĝ[ g u5! \tFQ`.p%,iO ˡEGAOsNK~ZBH-P4g Y7.ȋ"R8 vB?*txlݙi\&myg7ȵϞM˜ڗwBz$:^^ݣB/cwq[m%76j{A>uSm(M"UyfiStdԵ\۪o1}s]ʊЎL1`$fd(:Rg BT&|EMMVOnaj ?-{;%~bRQ}VPb49(7nkQ$?,P1x +h)@ǽy=Su;1F^NXlK3C:a;q +I͘<2))p ުnRT|kbq!2wBtJd)>A;It['lu81rN^T;Q ;$ٷjd.[qcIKpM0[Ox5\NR |e'%Q=/,=AT[LmM^u 3ؒ׷~:Tkþ\hE {H(fm\dk.uӫLRD]L)>bv\g M0Jq ?ΩҽF S=FN[iZA ͔'MYa_Z}iqrv>돿 jM_Ӎ8ԑ0+86MdXQ3AE_"- W<]5.tl{'H[U| 8MI@ğ BL;UkT=]25K.'j?Z>0%#d87BJeRHNEU `{4}V4t5x ܚ,a'+'U%P(pQujR. Zhi (ժY1Զ7epH~㌲B89Ε&\0Wj%c'3ֹfrLӉ)۝Q~C7`l˵ЛMƋץv4HDQ r L'F!T/e=*Qmypq3!a& &7(ƶ>VVW#QL9ZA Gp }UdĵdڰSة/IT~]D$G8~ټ1t:EvҵV3Q TDlTi'<RsUº_|D^+*uKci`‚(m+KuZj=:Rvڅ@0qa0xDͮ #"UhbB  K`8$4L9 ,Vc)d g0ZՎq ˫cC$y2B39sP,x1G.7!SSke9%iW*+/~Z2GÇ~Vig*ley%NՑh!eq` /M(R<vl* ?+ Tm&1ׄqaP̙3.DW}f(_}GmP#Zhjk0G4)nUAh? &ĎBL߅Qۋ3A!MgQ+ȣmL8t}v30bܧ*32yͪAgkې Nɵ\3FFQ6֥f_]k=ϓRynSIIP'D{`. x06ga[\Cᬁ [&vG.s뱲8*!wFLgHWUqŌWTns(PL . gO X[˼ǔ}Z' 'eH28b e~sXKxL}j(u;?2V]j r:fJ{0' dNt/bjE .؂2p05 "aDPaiܽu,%)#XlQG8][ ҹ0.cGފNJT8CERpNU؝Y.Jn-zLdN?Y7o7_w)+Uc,F^z zT }nOIY(QM yH^Iy yf HBt~'FGLǦ7;aTjAllU"G{\۪u61 7ok>H@#{,ǃf^}k0APOuKj[)]d5QZh_PzqUy]إ@;3 G_#)t)iFωp.QFAoU5po1) Vǂ& pn]_1exr2&}X+/Ŷ'+ZYi =Kď7)0 S/EJ}gjdc@=.~VQa8Oޡ,'2ݺrq') @Pt[t;WY^HGݤ{484 (,xqBVDBo|p*s&{etz$ZdG^1b+TkHE8kj @ofJM TϏ!0frxUdU)^plsO x0{q4B.T@cZ|)3:( l-4$IѲAp!={3&5Ȍ :S#;w1c]D]x % @?baGvy@;ΌxEز ڨrCS hZZ<=4ZbM2BݖX]ch` ze,nu6s:x^,<%D2:iV!v^" g:{p;ek=W_S~g'xH|^IqI=(f?$wiT6_($-RDŽaƢ}KqW_5BO^ʹO7}Szʌ:C2)>PU>,xǛ)я3vnW' wՂF" Mo=[AWϦߪ8d-[zNgD݃fS^3sg0Sgjw,1/׀/ïPٓ]&c\1e^uEꐌM]Ib!)JfU%,9R񝱳/TόE:;|Zn+oNĉ "E,g7_X̬@ʌK(a0: {["㎌zJ>/^+u%GaVY)tM8 @6Kfە\E;bԍ:T`o;+jx–]Ȗ|s9%!A8kpJ^󡋲vl2CVj|_Yɉ¨tdcdw/fN~.Rb(ezX쪣K!{ӣM5XDԖsfY+-L=1cg<Qr]gHix֎.XC.Y|^@;! QWw/$=nQt,".KB e*LO"[COʆٺ{^4O'֍ {64oOy̲'ÒRu5Iِcdߎ\fv -v0͑5*.gvB!=S+a5=S!a2oPӛ$WHG'iXawq6ȬK9kNm# ԗE=?8򯝍(:t/( CJhfMgT~!eJ3ajvu٪=Iϡ3d?5oH*+F7Ol;IȪa؎(gP6_Ot,Ƕtٟ=TGۃBfεR,f ,H;xͽRW 6ѡvz 0+&~C ,21:``#C,Y:E CF/9Z*_{|bCނDVQY=>|uc, r# ҤMxK43PռpscidAc}''E)8!.CA{Gj~Uٴc[oH  $X/B8SC!GfJNQTA7;=:crJ]&9#._QhB )̤d rgZnx0Rao: }ĎJyw?!I;t$op,?+td_Sht#G̅IR_/m ͨbFwwhBxNCp{'FгdHh-8$- ~m|? ?o#cnz5R3fw`\o޻YO[2U 7J E:\o;u9-x Ȥ6X?6jz+Kb^XN_JۆeB<@:&0P&89ˑ!^vՇȊO `ax8GtT Fn_YRr_ƥ R k@yEyz1*K*Њ2|#mbG{TL2s%1%E=J#y k=QMB''ln2xRb)嘅ڰf?"Zu^LK*&p2'"ח/2 @ 6Y';/KM$8d t`+֦}硕QنU>ڔj"Nj5e#mղp&g QMY^Fk*wn8mBc^`6b KG+5IYۊ q?Aʌ Wũn\SZ߉Pcz 4I~7~Dպ 5ꠄ&O  K$ج` crea]aw,-{dݕ6G[rxUB µkGmv~]icέ\BA&ôYbC7֨h$)荴LO%DQ`pA8F쇦ˀcBt$e&#B{AWYZx?9`":`0{gњc n)C^1}3)2 XZFy3ވrWU"'Eb^_Bf+FKO$@V4E:SyZю".YgT/C I\C6|JΨ'|xQIN)vm܇2/`5fvʔp*G\d#`CH[ j} lAꚘ Z)ˮ$6%2RsD~L6J vΗgb󰵪]R1٧ՒwXC>\X!ljbg3Gr҂sתp†@4S@q<8V+oex<9?՟>.` >~Sr #5Ϻp9??#uMkXȖ# 4],QŸ:i'KA֝vql튋H/Fֺ8O,t(\Bǀ.օv<{Ѯտiz:H`TL&A=f"@.N-y/!X"2BT,TIQg!fR,m{\2SUOEeMQql|\!eJUŀFlԲA7Gn k*t&|gP9V@4$ y<><*/I&[(,xU0Qdc"x>.hݜÉ_$G%FRQD,+|V*[z@?zkPKU;, v'(ץ>]8"b襵;rT5g ״ijB|.aL]@Eq[EG m ؟G3GPfXBU ΚPhD]QyݨB]@/A9pAd;p`PumSJKYyC\1nqG9uڬzDt &@k/`֤3 zc ˓s֮ ;ќ&k{Qa,X[Bɭ,hCGŤdշF^/^] g@1ΆN7 dμMK3lܵhIn,_eaמ~9s&ƚVܚ|%'Dfړ1#g6Ѩ,<2O6}i>~›D!&CdTLۆ=c0nF2Tf)YO܀y_@'͕W髆ĢȻʨWY zMI'w/(N4lTT7J mJD{毅o,q=~Lc ?Ӄxd%ۀ ͨ ܽ$k?3##T3VsشjG ׃63k*@ V*EGjQ3(hs4ti r9~?ָ:sNYrCL-]+UGLSg~bH$#F}/LO~ 36vPL:{'dm%ӹ. 8l{͉wDD喇nID`4(֜e;5j3O0E`a4vISO6yX"eI.ħ&̌'<4 @vh1:H A߈E"!37LZ@2m+OR^6^t][S佬*N7$VK;7wsHQOJ_'# oV12@!8N:32M[+yjLnq(Gw]_=_ub9p=!O*‡u8kRş PǗ eHpxnJ:/ӑBf`Qny"L k3 pRJ*Vg q`d>!H4AQOyBP #:!΋T3ibhТDz{=Lm IQ%׆8t1P6&rrn4Yb5g{WaEdNs 20F7bmk{Kvcm`I,nh%GXPF#IW[qC2'Sh31GD;$LEًmjs!{'9dltfQ-ҋs.|52G78Gm>O6!K{4sYaEs:{9MlMzٚGN3~Ńp"[ևIU ttG9k2.'M{Ak$+F uSBo<߁$Y!D9ڬW[cx5G$C=j_-XQ^TMRrcroF4[r~@%U*0+>Ly;{21;ЃXwnjOŪVR0EZCe[GJ'Hں O+R%Tuv,΅V;@zI$oA@)>r=h6z@jN9gm%Bݻ0m+ʞ![ӽ"UV+3#k0@p4RUb׏$+> RBT[_ʦFAak=ÜwA m@fkDA.߱5)m5,߮Al |k#5Զ9 +rqLSbBC:9ߞp& 0Br fi[c!z[Za ZHOc=Pxm߻:[,{~U(֗ -MK3Y;7M-]QEd窉Ukowܜ] 4 8 Ҧ)̞Z';X`cs2wB_:+NLB86V5I U$irУXf*$Di7QҀ@{~e^=Q%C #J()pr~aӉV~.eK`dfaUW+3Z705_b<iZ9R 𝏌7]5S$Qj|Y+>sKXj0`K җ"-I[9#tR?#6lG&pcZ29M0nB4kw2sqg$e =Ր@.ymvɉc:մ}ѦaӸy|LeX}@.&->yp{_(R&B*%RD9-$Yb0s 0E&N~LI=>[?? #tZ!`&OM<D'\Ր&dZ5s`WZ/}_YSbFv-kE %Fn c~VP6,AXP.WMk8o oÿ^;+9.@K}`~<#>ں+BS z :n4>нa+-b4&{Z@[W*MMO h!ɣ&-AJQvҴaпZTQ[^"G+LArY HTȶOF%{eXƀq(ʠ$1l\x|hG|wZXߨBj#u%-yM׎U-4܋-ؗfOx]D'1,XNk/8|: fG5Q POMH?kɡ7zv$4#jjp@Hݵ>ǕLBNHâڛ$_o:Q3}teCԹ_"R)SBG#aoJOi6Zՠ@Yo#C#&bDg$ n܅ؙ98Ë17Vr}^ N+9VR#Kb&t_ȻILG%ԀL LW,DdV g~Ӟ_~nsV^eQ!Km5[/BEi "[FXj徙Uz$"ul1 B,IANݼAťq+;'afY09`>H.h3ݪX}9B`8 6rAi1Tc.7xvW.k PW/i`q2qC&/5 ΫI^fi4z^7Dsu|oo宆-=^-,8| rlЇ9b7ď wQWaf`r`St8I#\eS̬P}ubyO(狹VNsS[ x9qN BI &6gG }8 w@*(eRrv 浧6< ]3+5;·Hf~1%HrQ/D1'<~9Է* 6:zhM0G_ \; d||N)16,3n7ƔY0EЦy*2 ?U=XzTca_"ا엫"ӆt̳Y[11=wY8è؃g6UhkքS'1FVpN1K9V+ODh/9pA&-Έ݅o#XI>N݈*0=Dgp!bt>|UOɅX9Kc^=\"8_a.1<ƉT}_#1xr1^_)40!B>I&Q6h~\`޺ rEC{U==+v@sqyYڤ@({JE7 B3/ ,X%bMY%u:sf!= 0޴,HҀ^ƀCql18jVG{/{P^7TZғT]/s\o) h&<c<<뗯7}}ײVbu&oZKnUe.5>&ʀ6tl,8X0KOτyqT&9ljfu]7Fg[,,龍0v-ld#>=D WH[;JCa GDNdSDD2ߨ9:97t\$WTG1?y$ū\4,gTlϣ{%wDV{-m#EiiE5.$ރXdw0317McToņ  }?ޡیRLW)-F8kFWHʡb'Xfo@" %K [+B#MvW eTH h%&Χ/~ {"y? RX=tR ڥLxrw({7HSɄ4 zkB (gvܹ| TZqR/[}gS="袂ph`7jz52 ;vo YZ