libsamba-errors0-32bit-4.13.13+git.531.903f5c0ccdc-3.17.1

Name: libsamba-errors0-32bit
Version: 4.13.13+git.531.903f5c0ccdc
Release: 3.17.1
Summary: Samba errors handling library
Description: This subpackage contains libraries to handle and translate NT error codes.
Build host: sheep72
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: GPL-3.0-or-later
Packager: https://www.suse.com/
Group: System/Libraries
URL: https://www.samba.org/
OS: linux
Architecture: x86_64
Post-install program: /sbin/ldconfig
File digest: 98778f1912a0fa52214cc6e2312812a110a6fa0fca6379add0d2d6c143e69d66 (owner root, group root)
Source RPM: samba-4.13.13+git.531.903f5c0ccdc-3.17.1.src.rpm
RPM version: 4.14.3

Provides:
  libsamba-errors.so.1
  libsamba-errors.so.1(SAMBA_ERRORS_1)
  libsamba-errors0-32bit
  libsamba-errors0-32bit(x86-32)

Requires:
  /bin/sh
  libc.so.6
  libc.so.6(GLIBC_2.0)
  libc.so.6(GLIBC_2.1.3)
  libc.so.6(GLIBC_2.3.4)
  libc.so.6(GLIBC_2.4)
  libtalloc.so.2
  libtalloc.so.2(TALLOC_2.0.2)
  rpmlib(CompressedFileNames) 3.0.4-1
  rpmlib(FileDigests) 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) 4.0-1
  rpmlib(PayloadIsXz) 5.2-1

Changelog:

- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);

- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556).
- CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564).
- CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246); (bso#14558).
- CVE-2020-25719: samba: AD DC Username based races when no PAC is given; (bsc#1192247); (bso#14561).
- CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues); (bsc#1192283); (bso#14564).
- CVE-2021-3738: samba: crash in dsdb stack; (bsc#1192215); (bso#14468).
- CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state; (bsc#1192214); (bso#14875).

- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).

- Update to 4.13.13
  * rodc_rwdc test flaps; (bso#14868).
  * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).
  * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642).
  * Python ldb.msg_diff() memory handling failure; (bso#14836).
  * "in" operator on ldb.Message is case sensitive; (bso#14845).
  * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871).
  * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874).
  * Fix transit path validation; (bso#12998).
  * Prepare to operate with MIT krb5 >= 1.20; (bso#14870).
  * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb; (bso#14645).
  * Python ldb.msg_diff() memory handling failure; (bso#14836).
  * Release LDB 2.3.1 for Samba 4.14.9; (bso#14848).
- Update to 4.13.12
  * Address a significant performance regression in database access in the AD DC since Samba 4.12; (bso#14806).
  * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807).
  * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ; (bso#14817).
  * Address flapping samba_tool_drs_showrepl test; (bso#14818).
  * Address flapping dsdb_schema_attributes test; (bso#14819).
  * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ; (bso#14817).
  * Fix CTDB flag/status update race conditions (bso#14784).
- Update to 4.13.11
  * smbd: panic on force-close share during offload write; (bso#14769).
  * Fix returned attributes on fake quota file handle and avoid hitting the VFS; (bso#14731).
  * smbd: "deadtime" parameter doesn't work anymore; (bso#14783).
  * net conf list crashes when run as normal user; (bso#14787).
  * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7; (bso#14607).
  * Start the SMB encryption as soon as possible; (bso#14793).
  * Winbind should not start if the socket path for the privileged pipe is too long; (bso#14792).

- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);

- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875);
- Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875);
- Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727);
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18456).
- Update to 4.13.10
  * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708);
  * Take a copy to make sure we don't reference free'd memory; (bso#14721);
  * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722);
  * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736);
  * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575);
  * smbd: Correctly initialize close timestamp fields; (bso#14714);
  * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740);
  * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
  * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750);
  * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752);
  * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027);
  * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669);
- Update to 4.13.9
  * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696);
  * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689);
  * Fix smbd panic when two clients open same file; (bso#14672);
  * Fix memory leak in the RPC server; (bso#14675);
  * s3: smbd: Fix deferred renames; (bso#14679);
  * s3-iremotewinspool: Set the per-request memory context; (bso#14675);
  * rpc_server3: Fix a memleak for internal pipes; (bso#14675);
  * third_party: Update socket_wrapper to version 1.3.2; (bso#11899);
  * third_party: Update socket_wrapper to version 1.3.3; (bso#14639);
  * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663);
  * Fix the build on OmniOS; (bso#14288);
- Update to 4.13.8
  * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571)
- Update to 4.13.7
  * Release with dependency on ldb version 2.2.1.

- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).

- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676);
- Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574);
- Update to 4.13.6
  * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572).
  * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574).
- Update to 4.13.5
  * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634);
  * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992);
  * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604);
  * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593);
  * s3: Fix fcntl waf configure check; (bso#14503);
  * s3/auth: Implement "winbind:ignore domains"; (bso#14602);
  * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617);
  * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648);
  * classicupgrade: Treat old never expires value right; (bso#14624);
  * g_lock: Fix uninitialized variable reads; (bso#14636);
  * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898);
  * lib:util: Avoid free'ing our own pointer; (bso#14625);
  * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);

- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.

- Update to 4.13.4
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605);
  * Do not create an empty DB when accessing a sam.ldb; (bso#14579);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * The cache directory for the user gencache should be created recursively; (bso#14601);
  * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);

- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);

- Update to 4.13.3
  + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210);
  + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486);
  + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515);
  + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568);
  + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590);
  + samba process does not honor max log size; (bso#14248);
  + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587);
  + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
  + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
  + smbclient: Fix recursive mget; (bso#14517);
  + clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
  + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486);
  + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
  + interface: Fix if_index is not parsed correctly; (bso#14514);

- Update to 4.13.2
  + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);
  + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538);
  + daemons: Report status to systemd even when running in foreground; (bso#14552);
  + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553);
  + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486);
  + provision: Add support for BIND 9.16.x; (bso#14487);
  + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537);
  + libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
  + docs: Fix default value of spoolss:architecture; (bso#14522);
  + winbind: Fix a memleak; (bso#14388);
  + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
  + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486);
  + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
  + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
  + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
  + examples:auth: Do not install example plugin; (bso#14550);
  + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);

- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).

- Update to samba 4.13.1
  + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472);
  + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436);
  + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);

- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)

- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency

- Update to samba 4.13.0
  + Require Python 3.6
  + Move wide links functionality into VFS module
  + Deprecate NT4-like 'classic' Samba domain controllers
  + Deprecate SMBv1 only protocol options
  + Remove deprecated "ldap ssl ads" option
  + Unify asynchronous DCE-RPC server; (jsc#SES-645)
  + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
  + Drop internal byteorder.h header from util-devel package
  + Remove final code for the AD DC LDAP backend
  + Add AD DC Group Policy Scripts
  + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
  + Fix %U substitutions if it contains a domain name; (bso#14467)
  + Fix krb5.conf creation for 'net ads join'; (bso#14479)
  + Fix build problem if libbsd-dev is not installed; (bso#14482)
  + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
  + Fix idmap_ad RFC4511 response handling; (bso#14465)
  + Fix panic in get_lease_type(); (bso#14428)

- Update to samba 4.11.13
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497);
- Update to samba 4.11.12
  + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);
  + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424);
  + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);
  + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + lib/util: do not install "test_util_paths"; (bso#14370);
  + lib:util: Fix smbclient -l basename dir; (bso#14345);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + util: Allow symlinks in directory_create_or_exist; (bso#14166);
  + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358);
  + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);

- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);

- Fix net command unable to negotiate SMB2; (bsc#1174120);

- Update to samba 4.11.11
  + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159)
  + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160).
  + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161)
  + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359).
- Update to samba 4.11.10
  + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374).
  + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350)
  + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413).
  + Malicious SMB1 server can crash libsmbclient; (bso#14366)
  + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382)
  + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330)
- Update to samba 4.11.9
  + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242).
  + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296).
  + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237).
  + Missing check for DMAPI offline status in async DOS attributes; (bso#14293).
  + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307).
  + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316)
  + smbd mistakenly updates a file's write-time on close; (bso#14320).
  + RPC handles cannot be differentiated in source3 RPC server; (bso#14359).
  + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313).
  + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327).
  + Fix fruit:time machine max size on arm; (bso#13622)
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294).
  + ctdb: Fix a memleak; (bso#14348).
  + libsmb: Don't try to find posix stat info in SMBC_getatr().
  + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680).
  + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095)
  + s3:libads: Fix ads_get_upn(); (bso#14336).
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294)
  + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).
  + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324)
- Update to samba 4.11.8
  + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);
  + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- Update to samba 4.11.7
  + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239).
  + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283)
  + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258).
  + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270)
  + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247).
  + smbd: Handle EINTR from open(2) properly; (bso#14285)
  + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247)
  + winbindd: Handling missing idmap in getgrgid(); (bso#14265).
  + lib:util: Log mkdir error on correct debug levels; (bso#14253).
  + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266).
  + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274).
- Update to samba 4.11.6
  + pygpo: Use correct method flags; (bso#14209).
  + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320).
  + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209).
  + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218).
  + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122).
  + smbd: Fix the build with clang; (bso#14251).
  + upgradedns: Ensure lmdb lock files linked; (bso#14199).
  + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182).
  + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101).
  + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219).
  + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).

- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);

- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);

- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);

- Require libldb2 >= 2.0.10 after security release.

- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);

- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).

- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).

- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).

- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).

- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);

- Update to samba 4.11.5
  + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850).
  + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852).
  + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888).
- Update to samba 4.11.4
  + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161).
  + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174).
  + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176).
  + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189).
  + Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
  + printing: Fix %J substitution; (bso#13745).
  + Remove now unneeded call to cmdline_messaging_context(); (bso#13925).
  + Fix incomplete conversion of former parametric options; (bso#14069).
  + Fix sync dosmode fallback in async dosmode codepath; (bso#14070).
  + vfs_fruit returns capped resource fork length; (bso#14171).
  + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116).
  + smbd: Increase a debug level; (bso#14211).
  + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153).
  + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179).
  + replace: Only link libnsl and libsocket if required; (bso#14168);
  + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175).
  + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846).
  + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).

- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).

- Update to samba 4.11.3
  + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
  + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
- CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- Update to samba 4.11.2
  + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071).
  + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438).
  + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
  + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140);
  + kpasswd fails when built with MIT Kerberos; (bso#14155);
  + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106);
  + Stale file handle error when using mkstemp on a share; (bso#14137);
  + non-AES schannel broken; (bso#14134);
  + Joining Active Directory should not use SAMR to set the password; (bso#13884);
  + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152);
  + Deleted records can be resurrected during recovery; (bso#14147);
  + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141);
  + winbind does not list forest trusts with additional trust attributes; (bso#14130);
  + fault report points to outdated documentation; (bso#14139);
  + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124);
  + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136);
  + pod2man is no longer required, stop checking at build time; (bso#14131);
  + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129);
  + username/password authentication doesn't work with CUPS and smbspool; (bso#14128);
  + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);

- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);

- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).

- Update to samba 4.11.0
  + For details on all items see WHATSNEW.txt in samba-doc package
  + Python2 runtime support removed; python 3.4 or later required
  + Security improvements:
    - SMB1 disabled by default
    - lanman and plaintext authentication deprecated
    - winbind: PAM_AUTH and NTLM_AUTH events logged
    - GnuTLS 3.2 required; system FIPS mode setting honored
  + CephFS Snapshot integration, exposed as previous file versions
  + ctdb changes:
    - onnode -o option removed
    - ctdbd logs when using more than 90% of a CPU thread
    - CTDB_MONITOR_SWAP_USAGE variable removed
  + AD Domain controller improvements:
    - Upgrade AD database format
    - BIND9_FLATFILE deprecated
    - default process model changed to prefork
    - bind9 dns operation duration logging
    - Default schema updated to 2012_R2; function level is unchanged
    - many performance improvements
  + Configuration webserver support removed

- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).

- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).

- Update to samba 4.10.8
  + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);

- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.

- Update to samba 4.10.7
  + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010).
  + build: Allow build when '--disable-gnutls' is set; (bso#13844)
  + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973).
  + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008).
  + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
  + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046).
  + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015).
  + lookup_name: Allow own domain lookup when flags == 0; (bso#14091).
  + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932).
  + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915).
  + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949).
  + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967).
  + dnsProperty fails to decode values from older Windows versions; (bso#13969).
  + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973).
  + third_party: Update waf to version 2.0.17; (bso#13960).
  + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051).
  + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).

- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).

- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).

- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
  + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956).
  + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964).
  + samba-tool dns: use bytes for inet_ntop; (bso#13965).
  + samba-tool domain provision: Fix --interactive module in python3; (bso#13828).
  + ldb_kv: Skip @ records early in a search full scan; (bso#13893).
  + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981).
  + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002).
  + registry: Add a missing include; (bso#13840).
  + Fix SMB guest authentication; (bso#13944).
  + AppleDouble conversion breaks Resourceforks; (bso#13958).
  + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968).
  + s3:mdssvc: Fix flex compilation error; (bso#13987).
  + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
  + dsdb:samdb: schemainfo update with relax control; (bso#13799).
  + s3:util: Move static file_pload() function to lib/util; (bso#13964).
  + smbd: Fix a panic; (bso#13957).
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit.
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit loses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds;
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a daemon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
  + Fix exporting subdirs with shadow_copy2; (bso#13091);
  + Currently if getwd() fails after a chdir(), we panic; (bso#13027);
  + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068);
  + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069);
  + smbclient doesn't correctly canonicalize all local names before use; (bso#13093);
  + Fix broken linked attribute handling; (bso#13095);
  + Missing LDAP query escapes in DNS rpc server; (bso#12994);
  + Link to -lbsd when building replace.c by hand; (bso#13087);
  + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133);
  + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909);
  + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933);
  + Missing assignment in sl_pack_float; (bso#12991);
  + Wrong Samba access checks when changing DOS attributes; (bso#12995);
  + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
  + groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
  + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076);
  + man pages: Properly indent lists; (bso#9613);
  + smb.conf.5: Sort parameters alphabetically; (bso#13081);
  + Fix GUID string format on GetPrinter info; (bso#12993);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056);
  + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
  + libgpo doesn't sort the GPOs in the correct order; (bso#13046);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + vfs_catia: Fix a potential memleak; (bso#13090);
  + Fix file change notification for renames; (bso#12903);
  + Samba DNS server does not honour wildcards; (bso#12952);
  + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079);
  + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
  + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047);
  + s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
  + Fix ntstatus_gen.h generation on 32bit; (bso#13099);
  + Fix a double free in vfs_gluster_getwd(); (bso#13100);
  + Fix resource leaks and pointer issues; (bso#13101);
  + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.
- Update to 4.7.0;
  + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858).
  + Samba AD with MIT Kerberos
  + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535".
  + Authentication and Authorization audit support: New auth_audit debug class.
  + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process.
  + Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
  + Additional password hashes stored in supplementalCredentials.
  + Improvements to DNS during Active Directory domain join.
  + Significant AD performance and replication improvements.
  + Query record for open file or directory.
  + Removal of lpcfg_register_defaults_hook().
  + Change of loadable module interface.
  + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
  + CTDB no longer allows mixed minor versions in a cluster.
  + CTDB now ignores hints from Samba about TDB flags when attaching to databases.
  + New configuration variable CTDB_NFS_CHECKS_DIR.
  + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
  + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
  + The example NFS Ganesha call-out has been improved.
  + A new "replicated" database type is available.
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).
- CVE-2017-12150: Some code paths don't enforce smb signing when they should; (bso#12997); (bsc#1058622).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).
- Clean specfile assuming SUSE-only system and product >=SLE11
  + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined
  + %{_vendor} is "suse" and %{suse_version} is at least 1100
- Update to 4.6.7; (bsc#1054017)
  + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392).
  + smbcacls can fail against a directory on Windows using SMB2; (bso#12937).
  + vfs_ceph provides inconsistent directory listings; (bso#12911).
  + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands; (bso#12836).
  + Use-after free can crash libsmbclient code; (bso#12927).
  + Server exit with active AIO can crash; (bso#12925).
  + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910).
  + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898).
  + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897).
  + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886).
  + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840).
  + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD; (bso#12720).
  + KCC run at selftest startup can fail spuriously due to a race; (bso#12869).
  + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782).
  + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890).
  + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885).
  + dns_name_equal doing OOB read; (bso#12813).
  + replica_sync tests flap; (bso#12753).
  + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868).
  + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859).
  + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490).
  + race starting winbindd against posixacl test; (bso#12843).
  + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832).
  + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788).
  + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772).
  + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[..."; (bso#12768).
  + The smb tarmode tests kill the share dir contents; (bso#12867).
  + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862).
  + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860).
  + manpage/index.html lists links not in alphabetical order; (bso#12854).
  + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831).
  + If a record is locked in a database, then recovery does not complete; (bso#12857).
  + debug_locks.sh script does not log any information; (bso#12856).
  + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852).
  + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849).
  + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845).
  + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844).
  + cli->server_os not filled correctly; (bso#12779).
  + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824).
  + smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808).
  + CTDB NFS call-out failures do not cause event failures; (bso#12837).
  + net command fails due to incorrect return code; (bso#12828).
  + Fix building Samba with GCC 7.1; (bso#12827).
- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).
- fix cephwrap_chdir(); (bsc#1048790).
- Update to 4.6.6
  + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).
- Fix inconsistent ctdb socket path; (bsc#1048352).
- Fix non-admin cephx authentication; (bsc#1048387).
- Update to 4.6.5; (bsc#1040157)
  + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814).
  + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687).
  + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798).
  + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844).
  + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766).
  + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802).
  + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697).
  + Printing a share mode entry with leases can crash in the ndr code; (bso#12793).
  + Fix flakey unit tests for eventd; (bso#12792).
  + CTDB daemon crashes if built with clang; (bso#12770).
  + smbcacls fails if no password is specified; (bso#12765).
  + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757).
  + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767).
  + systemd: fix detection of libsystemd; (bso#12764).
  + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760).
  + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751).
  + Can't case-rename files with vfs_fruit; (bso#12749).
  + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702).
  + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562).
  + Ordering of notify responses broken; (bso#12756).
- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).
- Revert explicit winbind %{version}-%{release} dependency.
  + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).
- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).
- Update to 4.6.3; (bsc#1036011)
  + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743).
  + Fix for Solaris C compiler; (bso#12559).
  + s3: locking: Update oplock optimization for the leases era; (bso#12628).
  + Make the Solaris C compiler happy; (bso#12693).
  + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695).
  + Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
  + lib: debug: Avoid negative array access; (bso#12746).
  + cleanupdb: Fix a memory read error; (bso#12748).
  + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537).
  + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961).
  + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565).
  + manpages/vfs_fruit: Document global options; (bso#12615).
  + lib/pthreadpool: Fix a memory leak; (bso#12624).
  + Lookup-domain for well-known SIDs on a DC; (bso#12727).
  + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
  + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
  + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611).
  + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690).
  + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697).
  + ctdb_event monitor command crashes if event is not specified; (bso#12723).
  + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733).
  + smbd: Fix smb1 findfirst with DFS; (bso#12558).
  + smbd: Do an early exit on negprot failure; (bso#12610).
  + winbindd: Fix substitution for 'template homedir'; (bso#12699).
  + s4:kdc: Disable principal based autodetected referral detection; (bso#12554).
  + idmap_autorid: Allocate new domain range if the caller knows the sid is valid; (bso#12613).
  + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
  + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725).
  + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
  + winbindd: Fix password policy for pam authentication; (bso#12725).
  + s3:gse: Correctly handle external trusts with MIT; (bso#12554).
  + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611).
  + replace: Include sysmacros.h; (bso#12686).
  + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687).
  + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704).
  + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708).
  + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715).
  + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).
- Generate and update vendor-files tarball from Git
  + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).
- Generate source tarball directly from Git using OBS tar_scm
  + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID
  + explicitly generate ctdb manpages, needed without "make dist"
- Update to 4.6.2
  + remove bso#12721 patches now upstream
- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622).
  + x86-64 and aarch64
- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).
- Build and install the html man pages (bsc#1021907).
- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).
- Update to 4.6.1
  + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147)
  + testparm checks for valid idmap parameters
  + add new krb client encryption types
  + support for printer driver upload from windows 10
  + inherit owner = 'unix only' for improved quota support
  + improved CTDB event support
  + new primary group support for idmap_ad
  + idmap_hash deprecated
  + mvxattr added to recursively rename extended attributes
- Remove chkconfig requirements for systemd systems
- Don't call insserv if systemd is used
- Fix check if we need to require insserv
- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).
- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).
- add missing patch for libnss_wins segfault; (bsc#995730).
- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).
- Document "winbind: ignore domains" parameter; (bsc#1019416).
- Add base Samba dependency to samba-ceph package.
- Update to 4.5.3
  + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437).
  + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441).
  + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442).
- 4.5.1 and 4.5.2 updates
  + various streams vfs fixes
  + various printing fixes
  + ntlm_auth: do not map explicitly empty domain
  + various stability fixes in smbd
  + match file compression ReFS behavior
- Add missing ldb module directory; (bnc#1012092).
- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).
- Include vfstest in samba-test; (bsc#1001203).
- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).
- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).
- Update to 4.5.0
  + NTLM1 Authentication disabled by default
  + SMB2.1 leases enabled by default
  + Support for OFD locks
  + ctdb tool rewritten
  + Added shadow copy snapshot prefix parameter
- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).
- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).
- Don't package man pages for VFS modules that aren't built; (boo#993707).
- Fix population of ctdb sysconfig after source merge; (bsc#981566).
- Enable vfs_ceph builds for Factory (x86-64)
  + Package as samba-ceph to avoid Ceph dependency in base package.
- Update to 4.4.5
  + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).
- Remove obsolete syslog.target; (bsc#983938).
- Honor smb.conf socket options in winbind; (bsc#975131).
- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).
- Update to 4.4.4
  + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809).
  + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919).
  + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930).
  + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796).
  + Fix case sensitivity issues over SMB2 or above; (bso#11438).
  + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910)
  + Fix NTLM Authentication issue with squid; (bso#11914).
  + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530).
  + Fix memory leak in share mode locking; (bso#11934).
- Update to 4.4.3
  + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872).
  + Only allow idmap_hash for default idmap config (bso#11786).
  + smbd: Avoid large reads beyond EOF; (bso#11878).
  + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806).
  + libads: Record session expiry for spnego sasl binds; (bso#11852).
- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).
- Revert shared library packaging to comply with SLPP
- Update to 4.4.2
  + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031).
  + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032).
  + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033).
  + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034).
  + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036).
  + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965).
  + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).
- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).
- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).
- Update to 4.4.0.
  + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560.
  + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543.
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + docs: Add example for domain logins to smbspool man page; (bso#11643).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + docs: Add smbspool_krb5_wrapper manpage; (bso#11690).
  + winbindd: Return trust parameters when listing trusts; (bso#11691).
  + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696).
  + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699).
  + s3:utils/smbget: Set default blocksize; (bso#11700).
  + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700).
  + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723).
  + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724).
  + smbd: Fix CID 1351216 Dereference null return value; (bso#11725).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + docs: Add manpage for cifsdd; (bso#11730).
  + param: Fix str_list_v3 to accept ; again; (bso#11732).
  + lib/socket: Fix improper use of default interface speed; (bso#11734).
  + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735).
  + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738).
  + Fix installation path of Samba helper binaries; (bso#11739).
  + Fix memory leak in loadparm; (bso#11740).
  + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742).
  + smbd: Ignore SVHDX create context; (bso#11753).
  + Fix net join; (bso#11755).
  + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755).
  + passdb: Add linefeed to debug message; (bso#11763).
  + s3:utils/smbget: Fix option parsing; (bso#11767).
  + libnet: Make Kerberos domain join site-aware; (bso#11769).
  + Reset TCP Connections during IP failover; (bso#11770).
  + ldb: Version 1.1.26; (bso#11772).
  + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773).
  + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774).
  + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780).
  + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782).
  + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783).
  + Quota is not supported on Solaris 10; (bso#11788).
  + Talloc: Version 2.1.6; (bso#11789).
  + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796).
  + build: Fix build when '--without-quota' specified; (bso#11798).
  + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802).
  + Access based share enum: handle permission set in configuration files; (bso#8093).
  + See also WHATSNEW.txt from the samba-doc package.
- Update to 4.3.6.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222).
  + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).
- Obsolete no longer existing samba-32bit package; (bsc#967625).
- Update to 4.3.5.
  + s3:utils/smbget: Fix recursive download; (bso#6482).
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400).
  + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580).
  + smbclient: Query disk usage relative to current directory; (bso#11662).
  + winbindd: Handle expired sessions correctly; (bso#11670).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + smbcacls: Fix uninitialized variable; (bso#11682).
  + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684).
  + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
  + s3-parm: Clean up defaults when removing global parameters; (bso#11693).
  + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + param: Fix str_list_v3 to accept ";" again; (bso#11732).
- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).
- Simplify shared library packaging; (bsc#966956).
- Enable clustering (CTDB) support; (bsc#966271).
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).
- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).
- Remove autoconf build-time requirement.
- Update to 4.3.4.
  + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065).
  + Crash: Bad talloc magic value - access after free; (bso#11394).
  + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466).
  + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613).
  + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619).
  + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624).
  + Reduce the memory footprint of empty string options; (bso#11625).
  + lib/async_req: Do not install async_connect_send_test; (bso#11639).
  + Fix typos in man vfs_gpfs; (bso#11641).
  + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645).
  + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249).
  + Do not disable "store dos attributes" on-the-fly; (bso#11649).
  + Update lastLogon and lastLogonTimestamp; (bso#11659).
- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).
- Update to 4.3.3.
  + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581).
  + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586).
  + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582).
  + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584).
  + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583).
  + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).
- Update to 4.3.2.
  + vfs_gpfs: Re-enable share modes; (bso#11243).
  + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327).
  + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452).
  + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511).
  + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512).
  + s4:lib/messaging: Use correct path for names.tdb; (bso#11562).
  + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563).
  + async_req: Fix non-blocking connect(); (bso#11564).
  + auth: gensec: Fix a memory leak; (bso#11565).
  + lib: util: Make non-critical message a warning; (bso#11566).
  + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022).
  + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
  + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
  + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581).
  + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581).
  + manpage: Correct small typo error; (bso#11584).
  + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589).
  + Backport some valgrind fixes from upstream master; (bso#11597).
  + auth: Consistent handling of well-known alias as primary gid; (bso#11608).
  + winbind: Fix crash on invalid idmap configs; (bso#11612).
  + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615).
  + Changing log level of two entries to DBG_NOTICE; (bso#9912).
- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).
- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0.
- Always use the default optimization even on pre-9.2 systems.
- Remove redundant configure options while adding with-relro.
- Relocate the lockdir to the /var/lib/samba/lock directory.
- Cleanup and enhance the pidl sub package.
- Require renamed python-ldb-devel and python-talloc-devel at build-time.
- Requires python-ldb and python-talloc from the python subpackage.
- Update to 4.3.1.
  + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252).
  + nss_winbind: Fix hang on Solaris on big groups; (bso#10365).
  + smbd: Fix file name buflen and padding in notify response; (bso#10634).
  + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038).
  + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053).
  + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316).
  + s3: smbd: Fix mkdir race condition; (bso#11486).
  + pam_winbind: Fix a segfault if initialization fails; (bso#11502).
  + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509).
  + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515).
  + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522).
  + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526).
  + net: Fix a crash with 'net ads keytab create'; (bso#11528).
  + s3: smbd: Fix a crash in unix_convert(); (bso#11535).
  + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535).
  + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543).
  + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547).
  + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549).
  + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550).
  + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555).
  + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).
- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).
- Relocate the tmpfiles.d directory to the client package; (bnc#947552).
- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).
- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).
- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).
- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).
- Update to 4.3.0.
  + Samba "map to guest = Bad uid" doesn't work; (bso#9862).
  + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493).
  + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973).
  + Stream names with colon don't work with fruit:encoding = native; (bso#11278).
  + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + "force group" with local group not working; (bso#11320).
  + strsep is not available on Solaris; (bso#11359).
  + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411).
  + Build with GPFS support is broken; (bso#11421).
  + Build broken with --disable-python; (bso#11424).
  + net share allowedusers crashes; (bso#11426).
  + nmbd incorrectly matches netbios names as own name; (bso#11427).
  + Python bindings don't check integer types; (bso#11429).
  + Python bindings don't check array sizes; (bso#11430).
  + CTDB's eventscript error handling is broken; (bso#11431).
  + Fix crash in nested ctdb banning; (bso#11432).
  + Cannot build ctdbpmda; (bso#11434).
  + samba-tool uncaught exception error; (bso#11436).
  + Crash in notify_remove caused by change notify = no; (bso#11444).
  + Poor SMB3 encryption performance with AES-GCM; (bso#11451).
  + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451).
  + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455).
  + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458).
  + xid2sid gives inconsistent results; (bso#11464).
  + ctdb: Fix the build on FreeBSD 10.1; (bso#11465).
  + Handling of 0 byte resource fork stream; (bso#11467).
  + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).
- Configure with --bundled-libraries=NONE; (bso#11458).
- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).
- Remove libiniparser-devel build-time requirement.
- Update to 4.2.3.
  + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780).
  + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924).
  + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991).
  + Logon via MS Remote Desktop hangs; (bso#11061).
  + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068).
  + tevent: Add a note to tevent_add_fd(); (bso#11141).
  + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170).
  + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217).
  + smbd: Fix a use-after-free; (bso#11218); (bnc#919309).
  + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245).
  + s3:smb2: Add padding to last command in compound requests; (bso#11277).
  + Add IPv6 support to ADS client side LDAP connects; (bso#11281).
  + Add IPv6 support for determining FQDN during ADS join; (bso#11282).
  + s3: IPv6 enabled DNS connections for ADS client; (bso#11283).
  + Fix invalid write in ctdb_lock_context_destructor; (bso#11293).
  + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295).
  + vfs_fruit: Add option "veto_appledouble"; (bso#11305).
  + tstream: Make socketpair nonblocking; (bso#11312).
  + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313).
  + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319).
  + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323).
  + Change sharesec output back to previous format; (bso#11324).
  + Robust mutex support broken in 1.3.5; (bso#11326).
  + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457).
  + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329).
  + tevent: Fix CID 1035381 Unchecked return value; (bso#11330).
  + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331).
  + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339).
  + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342).
  + pidl: Make the compilation of PIDL producing the same results if the content hasn't changed; (bso#11356).
  + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358).
  + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363).
  + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366).
  + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367).
  + ncacn_http: Fix GNUism; (bso#11371).
- Disable rpath usage; (bnc#902421).
- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).
- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).
- Order winbind.service Before and Want nss-user-lookup target.
- Remove fam-devel build-time dependency for post-6 RHEL systems.
- Update to 4.2.2.
  + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182).
  + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260).
  + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186).
  + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236).
  + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240).
  + Mangled names do not work with acl_xattr; (bso#11249).
  + nmbd rewrites browse.dat when not required; (bso#11254).
  + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213).
  + s3:smbd: Add missing tevent_req_nterror; (bso#11224).
  + vfs: kernel_flock and named streams; (bso#11243).
  + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244).
  + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284).
  + ctdb: check for talloc_asprintf() failure; (bso#11201).
  + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813).
  + CTDB statd-callout does not scale; (bso#11204).
  + vfs_fruit: also map characters below 0x20; (bso#11221).
  + ctdb: Coverity fix for CID 1291643; (bso#11201).
  + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225).
  + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226).
  + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007).
  + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201).
  + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257).
  + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854).
  + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182).
  + 'sharesec' output no longer matches input format; (bso#11237).
  + waf: Fix systemd detection; (bso#11200).
  + CTDB: Fix portability issues; (bso#11202).
  + CTDB: Fix some IPv6-related issues; (bso#11203).
  + CTDB statd-callout does not scale; (bso#11204).
  + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234).
  + libads: record service ticket endtime for sealed ldap connections; (bso#11267).
  + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).
- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).
- Remove the independently built libraries ldb, talloc, tdb, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.
- Drop redundant doc attribute from man pages.
- Update to 4.2.1.
  + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905).
  + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791).
  + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016).
  + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476).
  + waf: Fix the build on openbsd; (bso#10476).
  + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888).
  + spoolss: Retrieve published printer GUID if not in registry; (bso#11018).
  + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout milliseconds if it's still valid before use; (bso#11079).
  + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125).
  + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135).
  + replace: Remove superfluous check for gcrypt header; (bso#11135).
  + Backport subunit changes; (bso#11137).
  + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140).
  + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143).
  + talloc: Version 2.1.2; (bso#11144).
  + Update libwbclient version to 0.12; (bso#11149).
  + brlock: Use 0 instead of empty initializer list; (bso#11153).
  + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164).
  + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304).
  + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173).
  + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174).
  + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175).
  + s3: libsmbclient: Add missing talloc stackframe; (bso#11177).
  + s4-process_model: Do not close random fds while forking; (bso#11180).
  + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).
- Prevent samba package updates from disabling samba kerberos printing.
- Add sparse file support for samba; (fate#318424).
- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).
- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).
- Simplify libxslt build requirement and README.SUSE install.
- Remove no longer required cleanup steps while populating the build root.
- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).
- Update to 4.2.0.
  + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115).
  + pam_winbind: fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Make 'profiles' work again; (bso#9629).
  + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702).
  + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810).
  + Use -R linker flag on Solaris, not -rpath; (bso#10112).
  + vfs: Add glusterfs manpage; (bso#10240).
  + Make 'smbclient' use cached creds; (bso#10279).
  + pdb: Fix build issues with shared modules; (bso#10355).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + idmap: Return the correct id type to *id_to_sid methods; (bso#10720).
  + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808).
  + Don't build vfs_snapper on FreeBSD; (bso#10834).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3: smb2cli: query info return length check was reversed; (bso#10848).
  + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849).
  + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851).
  + winbind3: Fix pwent variable substitution; (bso#10852).
  + Improve samba-regedit; (bso#10859).
  + registry: Don't leave dangling transactions; (bso#10860).
  + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861).
  + build: Do not install 'texpect' binary anymore; (bso#10862).
  + Fix testparm to show hidden share defaults; (bso#10864).
  + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866).
  + Integrate CTDB into top-level Samba build; (bso#10892).
  + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904).
  + Fix print job enumeration; (bso#10905); (bnc#898031).
  + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909).
  + Add support for SMB2 leases; (bso#10911).
  + btrfs: Don't leak opened directory handle; (bso#10918).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: fix keytab array NULL termination; (bso#10933).
  + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940).
  + Cleanup add_string_to_array and usage; (bso#10942).
  + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942).
  + Fix RootDSE search with extended dn control; (bso#10949).
  + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952).
  + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + socket_wrapper: Add missing prototype check for eventfd; (bso#10965).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + vfs_streams_xattr: Check stream type; (bso#10971).
  + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + vfs_fruit: Add support for AAPL; (bso#10983).
  + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984).
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
  + Fix IPv6 support in CTDB; (bso#10996).
  + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000).
  + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005).
  + s3-util: Fix authentication with long hostnames; (bso#11008).
  + ctdb-build: Fix build without xsltproc; (bso#11014).
  + packaging: Include CTDB man pages in the tarball; (bso#11014).
  + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016).
  + Make Sharepoint search show user documents; (bso#11022).
  + nss_wrapper: check for nss.h; (bso#11026).
  + Enable mutexes in gencache_notrans.tdb; (bso#11032).
  + tdb_wrap: Make mutexes easier to use; (bso#11032).
  + lib/util: Avoid collision which already defined consumer DEBUG macro; (bso#11033).
  + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034).
  + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037).
  + vfs_fruit: Fix base_fsp name conversion; (bso#11039).
  + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040).
  + Fix authentication using Kerberos (not AD); (bso#11044).
  + net: Fix sam addgroupmem; (bso#11051).
  + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238).
  + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058).
  + utils: Fix 'net time' segfault; (bso#11058).
  + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059).
  + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066).
  + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069).
  + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069).
  + vfs_glusterfs: Implement AIO support; (bso#11069).
  + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070).
  + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376).
  + vfs: Add a brief vfs_ceph manpage; (bso#11088).
  + s3: smbclient: Allinfo leaves the file handle open; (bso#11094).
  + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097).
  + debug: Set close-on-exec for the main log file FD; (bso#11100).
  + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102).
  + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104).
  + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117).
  + snprintf: Try to support %j; (bso#11119).
  + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124).
  + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).
- Update to 4.2.0rc5.
  + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).
- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).
- Fix tdb_store_flag_to_ntdb() gcc5 build failure.
- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).
- Update to 4.1.16.
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.
- Fix libsmbclient DFS referral handling.
  + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512).
  + Set domain/workgroup based on authentication callback value; (bso#11059).
- Update to 4.2.0rc4.
- Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547).
- Rename libpdb packages to libsamba-passdb.
- Drop libsmbsharemodes packages.
- Enable avahi support on post-12.2 systems.
- Update to 4.1.15.
  + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Fix profiles tool; (bso#9629).
  + s3-lib: Do not require a password with --use-ccache; (bso#10279).
  + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949).
  + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952).
  + s3:smb2_server: Allow reauthentication without signing; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006).
  + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006).
  + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).
- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).
- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).
- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).
- Fix spoolss error response marshalling; (bso#10984).
- Update to 4.1.14.
  + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + nmbd fails to accept "--piddir" option; (bso#10711).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880).
  + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904).
  + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: Fix keytab array NULL termination; (bso#10933).
  + Cleanup add_string_to_array and usage; (bso#10942).
- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).
- Use the upstream tar ball, as signature verification is now able to handle compressed archives.
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
  + Fix handling of bad EnumJobs levels; (bso#10898).
- Remove dependency on gpg-offline as signature checking is implemented in the source validator.
- Update to 4.1.13.
  + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
  + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
  + s3-libads: Add all machine account principals to the keytab; (bso#9985).
  + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
  + Fix unstrcpy; (bso#10735).
  + pthreadpool: Slightly serialize jobs; (bso#10779).
  + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797).
  + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
  + vfs_media_harmony: Fix a crash bug; (bso#10813).
  + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814).
  + nmbd: Send waiting status to systemd; (bso#10816).
  + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817).
  + nsswitch: Skip groups we were not able to map; (bso#10824).
  + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826).
  + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
  + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838).
  + s3: smb2cli: Query info return length check was reversed; (bso#10848).
  + registry: Don't leave dangling transactions; (bso#10860).
- Update to 4.2.0rc2.

/bin/sh
4.13.13+git.531.903f5c0ccdc-3.17.1
libsamba-errors.so.1
/usr/lib/
-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
obs://build.suse.de/SUSE:Maintenance:21756/SUSE_SLE-15-SP3_Update/d81ee65394a4fbb1f1c97248650bd532-samba.SUSE_SLE-15-SP3_Update
cpio xz 5 x86_64-suse-linux
ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=4a10c9493ee02070374f2c404483bebc9884cf0b, stripped
SwD.,Υ%DiLg7C:"xk=(Ǩi50,U~ ""DZd C'1cl0 ި]0$:~ʾ}o7y(͹J79\٘J1}ʉZPHt~*QcE=-Z Z 62UJ= G]L,vx(yETBZ2*ǃL"~gUwE߈alYao\ƕrsB࠺R.Q$S: stC**o\7X?[`3i~(Eoev$qÞ] oq KnL攧/9HT7 SWDތd6; 3V;jyMaܷB06:K`>38<7uغ_Cl;hO[vaG$O폾XesS1?$\ŋioLЦS6:DJm:Q@BŠ(Ax"\,o5{ E/\zL|ѡŞ2yC=FLE*?_+PA)^(%ܸz?zIB(BD@-p(0=6?Wr8,/TqP.ήg* ZAd8y l;TL;YbI}Ӣd~v&ÑONEjȈ}w蟢N7Jmd3Scoi>@?j3!}?u^T>|4$Lt}D|lpUJ(b,:IcwjqYgԃ`<ⲻVN$⨖씿DA .]Tфv7~^!JQQ9n(w/_ kP3݆Zd*UZNnCbGŔd fA"(_llܠT1 SJMgV+\xL)' irlIW i5pQs7cS25Uʯ6~k Ké*IKf8 LiEncC鼇 ]mċZߕBDzXt%Q sÔMQZ¤NZSa`.}Ois> W*rr Bh'zş3dj~[Ax7k|(@+7m ׺x3MVp#*8"~1(^X|Y+Jc|03D &gAk%%~n ڶ){A2P |EtBb/\hЄA a ;DQc )j7.ip8Ke {ťdȧ2>FFRcƅi+T)e󜪣 h+e@@? EUQ}>&]gHf+>Ә;qa&=1r?R,C1ws  )s%ғin\̎xᬗ2S^ :kb=smh u:,jk6$'zicǙӔDcB9$BS+R\ij֦WOl+&*(FV0ɑh@3v:#^?C 0o<؊uI jzYe_ܤ҄i!oIX}7]xVG^"=. ᒠVr@B;ƝI]þ"=a7lR(}cS?zBKRA.ɹUF|-n ͩ rVysӇ/bzswh!Ԣbr;D ( ?}i859|![ri_IU`9Eh7Re*V+)ƫO{v}c3hS! eI h}SlqI@F9?LRwbzU۲!̅5;QOon۔^8hUqwE${3?P)_wrv-3h,ׂ΀M6Ř'E2hc5S ú-mkûH(hi^p,j t+/?IHPr*`F Cٔ Ў\̷RUr05&_ .՛ ?i4ÎOiڹ=̹|rg<#,n]/j^R 56Mo%!\6袰@>* jdZ<D{ُt1U]Q~]7|lF?ˇg&Dc`ѦC8*ʦ/{a ՝^kwP FE+H&[i59K:<)xЎkA5xQ﫞צ@u~\j~8zq c0nGBe k9oS}q:2D\jqK#n|˛t q/,!@ O鸪_x+(RozyGin鬊x@0z#/\A-E|ό,C.7)ԇG {@CH+MOfK>y'X ߒUXvʜˊ K?/K{BZf0w("v>~ ?ϰM %l60D!M q+̏",#[;5h$^="ӊ`^ :аUKA kOv-axC;_Si^!1KI6gq|wb q f^ǚ ϓH fM3m7zL L3V5A4(V6e/w\abNVB6]5$ռnZh1įd k\I[S'[oq@W"UupΖZb<\T=fQdx~"X-Ho,n fQgږPE~3$pbNUCy\-seY4m%턤R ~FArdyll;a9ɕ6F96,ѥq hAU]}72i,$q?PxH"uM`%\ڿg`l%L3M |m4:"փ8y~լ(;6̦V Akϟj\kjP2b: <}g3WK@#l5M,s36: Rā9߈#JN'Kg)@XD/VM8 ۊ-p<'1aIJ4R:R+dF e\,g(rv a@t*cImy i9EPB"VVS/5zK+I_ꉫ2ػ?3Nh&뮉H'c3B U#{'@9;{_]NA0f_~s ohZn0 B&Skn/<DG ڙijLKxP"5TTՉqD50x-rž*5sVt_r |6GflH.QY,J,fGqAq.t~>{m~5bX;>qfJ.5ٹ!SAn^>x'^#=o{fuRO-yHFp8B"8jB 'Ȭ:X}~`|(6]s0y\A'#/yK'r/2%/ (#]Wo*&pc3+%䂻{nSb' 9;wXCیPY*嚑~:`NVmaԸҚ*v~_N.цOONw".[r/;r}d;.".}Du=}Ahg˼_f ߬*9 }J.5*jGqM\iRZoM/%zF5F`[?D"yP,;dUu4WnGqzh$@臊hpS >sf4NCSoR?ؑuӣ[n TB-CL^v!@Gn ؇ oȑZ<s }V&.R,d 5kh DmOׂg!qy9T83ϝ&e\9>{:i+ynpDC{x' ҠhkN DFuݻ[cEvSב!f9upز o%NL%82VGE\67g|FEH>cc P+_9! 
u .$Q 8"D:pUP,6Q/^=s9&y-iGnrQ@Ya bR4 GxQ^3nLl&EA a\{D{2X;1mV囮G_ OzMj32+yas1]ogrޱ'dZ ̟sjڝqa&Wt`Pޘo)_TBKTS0Rڠ?٧AvdiLnjfrnLoƣbh¥/lP7#CG A!~[ >$~Y ?vIU))7p5~˽X $^F7S4`Pt5D&kEE$}{~4ٞ tZ'6 H($ T~`xaCvti&Mp[mr$]3 Qfx #*6|Χ x/Q|rye;EӮ>mgҊ6if.*fHÌ,NY<}>$A9˱Kۗ,`k3<⫞uh&P:I`'̫L95 bʵį5+^K}+ ]#/bs 1 @?a],#$:f>ّ*dD~^pcicM#wQWIϵ7t0Ϥ~vΘ#dJ(3҃k}U`l0 .5Ж$tQkWՙZ?*Y ٞÙU-s^Jh$2u%r2YGe85>כr׭ ^Skc#dIzɿ mQbkA/} at> 'cK$YAoH4Mc(d.+pzWn}ܡ%k&imIDE֥)K#a&%lhRdt %R wP>};z}39y*qQLg%t"gҚ_ssAQ#uE60k4:Ps;.Bw*0 msJN؟1a.Z&J_O#m_tyK尝fFFCSkF:mzmJڰ *!͜ ZQM~$#=gaant4?<:P½swoWIBxf*D1J,\c )T^լy*2PDJȫZHa?W<.w=}*w4FԷBv s=#A|ɛR}ܹ Qg`CM}M!|CyJ[6|౿pGyU!%h7$Nc]ai mURw,!'v%.nBi^uvm30Wwԧ2*Q~&&CƭzTV`Yo# 2o3\aeݡH vTcțB+# T:x-e2ܹZ ^.ѯJ$.d`ĘhE`}^ZdS& y+hVNwhR+$h@ECFn>P!txӎ(lDOāVg4V߂Ɍew&C^wvӀfN] g{ٗ[\)A"5u 䶘0]|žNMRʟXw+/brAJjϡi8dLx)O7[Z: ^ X)=V{$I2Q}?j0o֎z|6ad~R<Dz᢬s/vyH FF\WS3F^< )ʖa5 ԧ ”#?cldᰧRʳ5>faNGָaupx~)ZLBӌLlı {#si<<nP#'$jGCIk20_kN .Jp 8WŘv*ìE'8T|qfbؒiuó0t%f8?Dr\>7U~8M1(mƝiQZBdGzEl$Y:k\`SOujThֿ< >}7^(VUӪp(te3$mqy4nwc L|qC43Ӕ.Z ->Z<պ^GGp\1wF#+zi oLI)FT%kB%P͛45H}Y}*E# K=h`fryl,xMX}79hHf#IM=UQg:{oa8}Q1M\"X(,PBO 5ѵ,lU^ueu~/#QcFIeW/]䢍H-,r%fZO?;K*a5Wb{S8N-P\hoX3Y a'm|F? Efgoɵ:;Jr2 t>z&4OjKf*A = )ʬG$EZ:{eWw-qϳN2}J)~]Qʉ6!Gi_F>InjG>!];l,i7O%}k~Nz)22"]vYRLgXC.ݴ2&}/ɫ ^\Ut<2puc$kRn{߮ DIvneD]5xz'$! 
.yͮ|Sd'*%y[K9)+Ygnĵ S:Up&,BuS`׎Jm„YkmH(M|\CϝX{5>U n{ӆV_-gW7?z'FWWqX^t]MFt̑,_yOԨ͐F0r79W5t6Š =1'&ʦ{ LJɇc/yr%8  sֻ= HڵUҮ&ЎTZl>[n,9lfb[kxݟtL\ '>Ӥ*kQp |3~z gRnppXSh;@_yu!"3߳H 4oITaZM>[ieFyS(IW ᵨiIq7a lL}G b:?Gőtz㋔JzhX(^)%(~MG; =˙HG# $/z)yBJ-{崱s^0UU?*ĊFFN =b<%ai\nwGV$m2䀟axIW5a OS"YUj:P;#>T<ȼ,NFL{5oI%,Y#aw5:~  c՜Pbܿ),jPgyAASlya6]YڡjkԸyGh9bYhċ" ZYtQ8KR:iԧ1TVö.9(ᘟ=7*^M('Ǽ'u(Ŵ}[s΂g'z`P%pۃ 1~}ST4ؙ}@Nun;kjޝ3Jެ>B`-v:8Z(ddݺW)6junS6z&8i7sIvnVG}K+T< IΔ٘s9pVwKK14'P1*z?Eσ/TN{] Z}Pm׳>?Ȅr[wuXmV'{l<?A/s^8&Z qh&t*ĊGI-o{I'K!^( T{ 6+֦m >4(̉JWfc-1C-`j`Y6UZlRX}YD4G@RN]__ثn`^]P5 AdJAdRd,yep`DBVLOCunɈ[\&및]u=qQJwaM⬖ M`V96Ly所 -wl5~,Ϊ.y Сa]S@?̊\%%Jܲ \eWiSeRՔFzW6IcdAԆmbKsMÅ[:@s&A_$9̓?O3o$4 kViqX{aY*M %"etIs"wmln5L5gi?T}3Uz" v,m($-hA?9hHBF Kܭ1] A0b7CB, [dH:pyG߾Ppb>&ֹ/☗* ơ,^q c I88R~+~dst PR#':i?K-j~#l5}څ$V9\^hu38צQ"e]i_gltܡe8ij[qbiE}GL[ÒW3V(}y af l{f02Ds+-X@'%j@&D#r{DafYBy"'jho, l#]KXZp~5lnչ'3zM)1U򵷋s]57=BR%ً;z0ܽtg6ebykdz2UZfskjwISmk7mh&k7 wq'n;FP( @5OMxi߬fߺw]@45V3oI~'{PBGF^[GD[/4e23;?M,Di՝ .<^leC-[ۗ*"$>dt% bI)l.#eƚkEX#R F/Ic1)f,~z/ЇtnΒɜY5*+5LZ $tSE.!cNj.<C% rkP_6``26^tPb+"]C>Hjq6nkt6։j(o= v.Ү0%\!b ,1u`[k#l r'hvŵrxiY3ƃ=~{NsB /RB`%䈳&Ǡ}䡃#/vo/o-M-a.t3 ڭwQiњAC_iH1N[>]I-yƞW O,!ʰ>yd<7IJdr7EC7JHD.T^=ݳZM,cKpaYM}#Sd"'2NS2|F|m5'{1XG7eA]N TRtT-ݙn>b鐞&r5^%I'Wl,d9I70X\GEKVwpfަeX-- S;Y~fm>#k0qQƔ棥09H(H|aXmՃ˚BuE؁4ٽ P`VbE#Z"̗bI_}e]2/vfڨ2r,FH4U$Ҵ Vh@p^l[4c`}OQPR߯+%[ _)Ap[Iޕ%8=nеdcϑ,V<肪 'W!ʭP&٧)SIiNW&oMY.+f~Fi;9v#306A4L'2"WL^ S4|c=1'&T+\Ie Ɩ~]1&WԚ\@٧1AﮗMdr:]MF@ kpq3R]6^3mA8^5"#y aǺI3}n׸+-'%V}A+š:+,U#EDh-DVЇw&rsBQ޴ @\\>MУ[nOaV=9"&N\ ZQ h]v`+4 +0WzaD@rO{U O Ni%y v/EZ5 h[56 Ȗ}$0}eDc~܀fLeaBLR~%.1%Vi* rpx9ぎ}`P n H2Q5jEq'"%|z}(EWy0l?:9ܭjW-_"> SN҇x{FU]A-Šq`ɟ.\Sxm04g:1ʉS~oxy+(qK^^Iqvom,pyhm/\9K3D/sc#GѢ* 6\L1}Ed z sYƁ-q6n^" J`BKɁ!\0'eB畇]fL΀S'ӣα w+LK44i))zbt!E#KIBc2y$ScD}h =F9B/qKOcK& ĵ=|>a}deA {tbh BC5;Cf?Fw{Ku}i%2׆LV2-A/W;[0 fc|K5{mN90r,tYEq f3 cX'"%VFjh'U1xwfʌZִkÄFZ~M&QRWmZ4Jh~@h@j|̙q17VzؽzwV/ x3j#T0umr !ґa<69\aݒ`9 ۾-`fsz_w%U!D<3\3E~#EywQFgU&1+dVyiPIOD?lVmωG/ (F) ՞?pS TVBrtQuj+)8މcODK&[&GP7D^ɀcjVɊIaa۶ 
iXצ_M+qM1ep]!]Ge,WQ"zіL>:bI-YN[#YSP/U3`倱2R걇HGX{{wN:Ӭ acEOm9t]*EîT++Y{zE}.\l5~ Ҁȗlp m(:{hG0yT$NK7Nv#}1 > -[Ow*=bbǹ))$5'Kc=]= (p`s@ ,.Xug$M( -Ҝ#ξW nsA/lEp$ae8YqPB.?((o5V ~&(n "X7l1&|.#`Xq_:~C'EVB3, S:ghK#(^;Ϳ\$erb8e"pyNݛH OC} 2b :`iEcMhCP$-Yz(gBf2 "bRGۡ] UpM!Ϋ gG@pxWŧ˜ *(N?(`3`uc OeЄ+2ڜR|Ԉ&=,)wSLL'];t\1񦽜gfmUP,[YO<,N|B)5|E{ClV~㧟@uk4是ἒkQpW ՠFZMYk]eFP;nufؘyoH(beS> OǩĈN;iip` )D~fDd(?5A0QKW͟ugk 9BU!n]c>Rn)^$`iXY",3n>n ]\hQXpg> {!#vxpMصL[-@UvI 6&,r=ǿs+B(z)$ȴ c7Q9@"s 2y2%~) O}5b) .3|)_$JKQ]JvCQzP~z[ݸ>O\!U<( :G|r(JծUf&$Hq`n//ez Z2Gg~OLC4jK5n+<_0{er#{/]1'HYa3S.:߶ݚhÈݟ8vhy7Av^:oUO[q?g6]Q/dC6طpN~j#G 9ϙى +[|(.3['=ԫXёŋutgy 2yGy( #[] ٿ;@I A/jq+k4W?[6ս$ GmkX )>^D$R?U[Kʱ 6W>k^EV}ϲV8էRCN5[!TbZ.䃪$OA џݨ$}t ίԔOH |UR7Co4 aQ;{ހ?fL*$I2ނϮ`Ev"<`JZbgMϚ $z2u|4ߵ~hpb EuQ+bA6=I9.WkuA}I/}OD#Zkd *g jޅXR55*9fg|Esq[BQhk@㼘xkM4ƚss2w32RRl]-0ϙ`ȇLݸwElS\3wtY, 5 gLNs{VAC ߰(0Bgm<>VFE6c?Glw)3/;e1 "jֻ?j9P%nT߸pQ!#C X(Y9d\,S%*3WM'h&i{mZ[-ut|\jweyj V\#0+-!jy7]dy#ҝzLpv7W87Cu_q'ÛS8pͣ1?RxDlZrΌ\O;Ӑ L(b#RLfi}_=Uo7/>{+I,C=eP _=O~Wӓ`| 03VBv7ɟ=#]s+Fc?X :%U JOc RP# S17K!Ec涤_0d"E}":PzymUiߟ 7%7Paf3 -a:$sqH;2=ԣ-PV ^Zﳕr$)b~$v,ӄPB;sw|Kݍq:QF)\/~hCN`Λ=`{R&^ 8TU,Elذp(O.imHiAe\gXl Rķsk ,heaBV"UٿIGq/!"Sx2%+Ox4K}ݪJF8 НrU>%BcItYDz2ھI\6Z3yxU8 b! 
S}*@Z#4[}ihF *>rb,wq3*|eyN'HGBm'w +WcMDae(sx  Q 1دϋsli2";9nYIx3 \ Kr3|rmQ`Qhd׍-@f57fQ`Dl0ӣa[h ṫr)%"[vvڕIm&QO0N0"[P#be'zOXDGL@8dx$2R*^J: Qヱ:J:{!.,!I8ka%Q}Hݔ2PGvO*ǐVB7v}hr2ԃ.j6D2]dGxefO:ym)Ʒ#Ung:[`*`_DC2oш[zF2nưKT?6c(՚p3S.[!ٰkQIA)JxsxXĔ|%8wrAJ$3!i'i72^@Z@fCu9uwޡ3.)Fs bS|22>x+ZaudCy" ~?fЍ *o?o*8Ժ$A:`̎:.WBo'Xl2"gO}#[R /@O8v yPXoenϵ% c4N(ܿlwә@3-}0 #³~/n7A/ }^"ƊiLՇ1PڢlDtI_ZzA],F27vb3k,nc2hUN}H;K20п츉p+3O5J@rQsfsE E_ߎ^\ ؓc13!?D̟xj:/mΥ8 BN\E00Oz^9^@cQcdx=o8qL<'Ҏ%S j!įɁRNjRBP2^;dHҩ^H2Vc˧j"B*;ZywDvȧ;#\HǫV ym@Zl}=M܏q'M/'4S?6ѬkURmH WuZ%Q38"w_`Oҳopm$Bp.2ؤNomSS^n>L7|8,+HN6<(=>)sd^ z?oRl|H/0h؟ml?9u~6C5^ŋ oR"x0 n"6B?q;QƟ<Ѡw`k/k_"wMn]QQ$`$T b9pZ;8I;Se`>+bO:e7Ƅiz)O4jud\ފa7E&GY*yYy[27oc n^ـM2w^Bw()C]@7|^i94ղ-H !r*CvvO -BMmՒ@xjXdRKcDu *`@RoH>>fuJ&p f'm5:w[xPԶձLh៊1W²$MkjG6<^.gr %'!6c9ව5?؛7]b~X5K,| /K듹miX:@*Xxmѥ%:fng}E -Xm.tK慑*߻>*ېFwpnO Ӳ d/x))ibJn{s|(KbB zKf^]bDB d*)š1~$ bL$`DM 7{72x4T;-$|jI}`c0GSuh3ړ[=5<n*㠈X!y}ׄ,~%ANE6K&>Z8-ۢ> C,#XAr K '_xQ&lwb GҹWHob#TV:iAd_^{RY$e3 q2A9C%d*JK$@]ؒa \հz34D-.x*&X[.Ldvw [G̤[`81!q هj=dIVHO$LϚ#A)G;8U.vd+ha=*<90_a C kJJc |ޱ!6 &!!L8U_jAldp'#}433*I~G{b/箣GDv:?^fC9 }vCΙEEVi0ilk UR\’y{O%SR䲳Ke5^^K<ID9w{|)Pջ_K󼡞3AP~y O>T {{(*MӭKS1Zpw7#H_Qvp[R\䲸@O^a08&7AZ.0G \WT ZWK[x2T*qn#U{@)39XV61}}qnÑdVA9sL> h+ O +uILENHc A0U)Wj9uK&T9R ŮB[Xz:H ].%g|wga8tlQf'ZMGdN/!h߫;^? 
'7#ta֎Ӟ j XN(& BE΢saSa =)=_S#yd2Zm(/E>NIϝp6M_l}"mA[igZqQ57 ~um 3Y%0"L768T#A6^}֝Ra%۫1ߏ݆^l%I.yW%6XddtOT0"|_"(hsAEwZ3O탢ka>QIV6[p$P ?o7y31@33ƒ!+za)DІ%naȓlUܿ uK"fgkut,afۅn2ZpG& ͟I8V8 W9[F<.lLbxYŸv$_§0|tN7I;cWN]@eEʁ_ӷ.`9ǍZظMHʹ&EJrč+.ۄ7vjfg306#1m#EzGkNpNtZѧF^ʕB P3v@ujC=冊ӂ2ԥ* P"G , 9ݧg0H><ɨ0uEЁΩL`DŽbf:gr06Jc]?-c.Ƚ:Fmf'?3Δirj3qJ5T˿D*G=Q jܧ4|(cejv}OtJO( @ngk {.Ȓ\?E],%2tTN[+]q)ZգXC3N ~3& ^~M*`5^:Zyc:@vȔŔ,jYfk k%ݨZ5(+Msjo!A|M4 Qe~ȍ-ܪ )+O8vzs—׋jklNxmw|\r'i ?D Yj{U*]ڢ%'Jԉ/pK_[5imݾ`u>QtTFaDJԍE;SyY_~0CWۇ눢q5nMk:xss/,;%.R*\tg$VLth+VmTfҢV ls)^=4W |\Vkz~3PUV9Y[c䳐ы.9a_SVӡx6K%UCW/P@!w SHe񚷴 5#I]?:2 3<<Lt^ i Til*-j#R{y19-+jX`X dژ>(O~@AiY;~3<҄܆S*`ct\u!bؽs鍃,N*mc'VM)yj7Mť#/d0)/ _w/R|`ca%ɿf\=&f"xLz(oF̶^ qto.mo&=Rwr*:{ulk) D{nU%,!hdŊC/Qڹ+,b{ 0w lx!]US A,:)Q!TPR i)t/\xL #uà0iAj_ERc}BcW}+GGC45(u߽k 7ez'? (<6N:OzT|T62LX.OD-⍍1vQXvgDR+4(8t,&NfZ[%D0|࿖re㶍&T>uoρ2{ \7;V~-䏵_%nd8W3ˋ&O(m f=WYX-fE(cTQ44g pee IuVZHPwQ%;ؠ2Fɓ=kS˪{o)-;wqL>ppLxhCؔs,q{ gKnHE_؏1ףJC0(s5Ҽ?HKBV84/ qy˧Q<`_E5C lʃժR(!_p2M:\1ur -&k=>j3%5_t)=8VE(Udifg5-B!H-:Sn/M..N;h~m2pC?t|F 'F#%'F'ǡ/]G"+b X>\~0byJbR\G]Υ2cz,1$FEdJwضו|S bLl );ԋh`?k8#Sϴ1Gh`WonA@rCU6N7#g ^~$}@Z]zaZ&dw=9qr,(YDŃ#sȹ3K?3=kzW#S(׋?瑃syxu_BpXfJ>:O^ 0QM 58{fj]Ll G; ]*(Rt5ώܭyl&O)5"$g/}uaKKm@2qܣ,=f㣂bj읗z7]@-[x7* % %{sMsfT!*G<0RW Yw#QZ_{|Lsuwt $Rd(8=u슥ASnS2gݯ*^au:ŝ}ͩ$*sv4pxGQ-dY=*9x:@Zu6]E[A;X]i>|I>Q,0jbpABЅM cnp?)b-n$90F DQ]kw}1iM9ČS{P![ ReaoXWrrXPYL8zz^qY`}wR*[{dYt&^CBˢ+B՘DKoDt|YlJmSR&-Qh7b:@V3I]9頦3? /q~`mf9d}buҊ CeBݏ8Qe:GQđ]bƈ ky+o o2ee% .REe\[AKc cԚR`c)UV K< j:hz(k".$ZHVu[J;IȒMoeQ1Ho0@ S:z$`&5߫1L9)h7?6֮K4*k϶m+>YRہwVo=-`5R]']m#hRjx\#$/?۵wbq%dXڢj$M$@$[20LvlgilFXE:Bے!+a8DHy[KV٬06 [R*Fʀ7?zSV댋Z.|Y4hb 00!0P')YEQ@|2pV(Wəws<-Q"eAGp/33+څByAj.gIx~F7G5U7dل ҳr} i_LN}sZK(H!nVĕGc0P!֋*)\.[-n[xכ 0BFn5{.3SlmU ~q>ށ $_U IR5䃾ø6=H+p(>]\\E!tbAg:#'RC#xhȍ()r^^ʊs 1)}?~08MrBŲzD=*yTPsCJd{eOurU\a wҐ;Go9=Lo?4J1p8sD-gКpPPG_7yeͦ0 md;vŤ &Mj @NZxjnSf~p``+Dˆ?gYNT"u0+vN9> +>Yz>6~a׌^hmp#Yֱ9{,5ƍ2UeCjm.3ٮݥ=O<׾2g0ZF3>縷`beOCĞx8ek*: qM./a? 
w<Heҫb%G'dE*:T%uoc0ng,!N4NtX+;5:.D6W>UxMζQ_0U7zDr^MonKtn1U=78r\ +2f^WUref-Dkdߑ}s` _6^DjҬG&SRU'"i'}mesArqT/NbY>e-hWWcn]Z- u(QMdc·|юBAw_I<@ZkHR3kZ%NL$WlcT%<4;EAyww,{ԏ]qI7OlUƿWC'=ץ^fEebAujBw٤E[sT RW[=^ZDV~)e2'4a'|>ŌX +k4h$N_ !21s5ߋ_ P)t,;" MR*!W,昋(n]g"a17ṛ`p. X& dvU C@+ 3)@*'Nl-kF wO<X9]+jWb%ضݱY|f-A'vw# -XJ^ /@X+\#4l5eRb\(.O =0xތԾ>PЮ@8.Ua4dg` |p'\$|IBRKu'o_un\b$ͫ?zYO iq(":*k*޶+f,UEM9y춷oQ]hF D!SxW߰0IQ;-}+E;G4*~\ZL/ Gu$$ ]2 Rc:p+NN$IYe Y! mkAhxfPS]AϞp&uB Np r\ c+ʥ,yFeI_$3D7w`CL=HE{Ï!=G% S!f9CP|Τ UVHŁ' *:9^I/K%&;~4>dD@%[ҧƇUF*>/1tu2u!]u;{is؎6DXz {(6Q]:XĶLS|j1Y8G&WNeкUnTŽܭ^"kߌã_f8z!^g4mO8&K#f@w3p|Mf¤FPX?-+ vi_r+ՃbQs;ڹZj.h?d eDًK)F``0,sĆ 82jeC8ްQK~I$_@7t$pEf 6kzu!mZ5M zQO+Cy~ٻm]ZvJ;5$oG?˟( GİeAon# Vpt_GF_ )~gk쥺ԄHd\ TD_,}O@#ݑ 0>\H)H38_ /fe.\5 ryZН#jg/fbj L>hwӥ3/yNj%N5' L"Lx_ `:΅:+;|6i qx;lp\FL!E-y|zR+ *d"b\\e,i )2GCA:f2=`#?2b*8֙yGM2i \1X"k@4r8fB4yO$!HCsZ`ApvO^R(d_5L1Dˈ-nJbyDa!kU^b;]tTyy3p s?򍤉b5r* jk체YtwX۟<0S얧Nx5v$}X5<˂r !!*ҽ_=TLՀgO8S3E R qc+ZɛUl5rCy3G\ eС-G|;R҄椿{1gz*䋣Z k?̲7@aXsF2o.6%UgrǀXڠ*°ē1|YY JJ2xFTk]Ua)c NM]sn!}g0ŐFz`ylqd,ھ5 YC)+e\`8bշSmp;9x07pW޳xUH`NQ 4|v~;[gy_\&H#5^I0K(𳸧 3/9 KeV=diM?qp.! 
Ʊ#up%EnC[zͣ2q_pQ-,}d53JL3my GB8n;2"&VUUN(=:s^.s Wg}BKvkPꎙdi.VBrzSFWB34Lj:VosvٛH(-2XȄ o5Q$iqmɇv4L:g[ uŞ`5WPeGlG$P*E}_daG]IKL[8^#Wb172іn8L _=RCYNJ zc*B@)ZiAZfP3$% 3>PđoY*- 5(@~bM~WZhwhDI{`ZP2.ү cߊ_ϖTK)8Sf 7x(Vb2$C;V Җ8:E,gr!T$xn}h` "?2ܤb;G$ b齲eQlQ_+qzY ,U`4/ y΃i$s9F{ W>T{cU "-"B&*$6Z~[gvD8RXY#qPVj tgmxm4xrd ?iϒRh\9s)˦3Ueط;+"&mc‹|Pաeي͐`퀞3lЩ?H8Ŋ@0|` Pf:I;Wޓ u Į*ZYm )Yr ~0W:b*0-Fmd-o떡2}U0_kz7btnUyGppHUgZ5Qcyp*eT}H1s_$$)Dw1yf|ߗsOqyJ<ˋG3bևYΚDiS>8}ͨL.øz<-;Z1ӏpj!ŜW6iz[I_h0W0$0uH QICM{UnQ!qeKAo&Ũ0)˼S3ECI#"f8.u^h"=Kڻ0SJ Gb溜|zL# y;,'x]YkM-|rqtlIuO8is ~VesN1Rknv^nC锦nGp\6d0v2>ZEv۴$)P-=a/@BxEH~T%ez3">%b?AE= d8/!S\Dij?b Hjls\Ws>sa~mZzݯGa,h$)] Z!v/M6)r ޴lY>k³t pv[럤 kF5n,MYi-6/iEBv*ީk?Yԩdazf:ҁT%vOIz8O&ҬUgfZUQP845r23bBo%GtML}*Xcl Zz*ۆԭ]mε!Q \pUZ9{ N6)MK<|xna [-d+ 7 9Lm>KkJEƞ#܄|ޯ>ӟV`uwpGZ\Hi܁ ~ar& |qx d:9pE 9.T(tyH4WEЫKc% q`dxSQ+LK$0r(B!CTτI!u_N+۵Z!["?~#cKۆus @_ T)UB~$yIowNs (Q%#z6nq>x 2R`5Ђ RxOFma3]_lfqo6Z嶘 ADWz*y;UMͭLGx[Z -_ݏeE5zd)Bbv<{Y=ixZf9%ct'"*`%ZnZ۵-FCzQq3)z ԟ[`: D>]֔UE'N(nTURC^ d݋UDKx N'$> xXj\xğ]ex'>붎ݠuؘ(L d q5ƆCtAX3TuT7Ѕv˔7w$i1K?TSqMq" s֭XYq'ӌb&wQIyJ6:~p`߀c:C8k&U7^1@thJMW(ƨVrG^Q&K:֯nxfϕ,9>>2dKeV%\d@[)a}Y)[Aƙ2WDrn UܪclM#mɚ,C^ Smٵ57C;SD>"aɋ@dGnJ脬lb?_Ni^=*V!!L@q$ qѸ9'RLtmI; H fEo*;j7Ahx7y#qAeƴv;?4SI+~Q~v1$q *>z䈩k5\T[XdM7M+ 15*5B07|̐OWFeK>OSNa]jr]+ DY*YQK<#1jBB^w OeV6go8ڷд{Ѭ3[~M!2il;WZ{[˕!#M8<ŋ.IQuQqNJ~D>Ug7 L2Hw[D℣"673E/LSsqm~c:h~u2k&+[4ijDm#'j[y2G[a-Y0Tp܊!vTj Atts~\gZfMvCv̼yBFuQVĢѠJkr634Giasћ\86nYjq CJd\4i֙"<{QERhގ;/>gt;\l(OYl@+k^ |^j<`,9a_ڹx6J#Zyf}yT3*il}3 .o&q"&Z)7֋}%*Yoq%:&:/)uhtewF]/BAj "i%ht]ZF +}+YXM߃Ҽ}L,.}HslU: "1cX-.QJ?V=T(y~-2܂0ՙIE_Ӕrtr\E˰T #: bQhhFdgЧߣ>8PFʶ@ l8 '7篞i$PoL 휭8#x4:c7lJO&ܟBM{C ! 
"֡l||zŖ~ػH+eeb:p43ߘ qV#.4~l-GE%(trY Zɓ8[yN9!7KQ# JDO dH)rKbNzO+M4-Xu/I=>XX㤙ؓw<;Q 6'bd2\5iY8 o|[p&y싍[Oiqj']33FN厮;d/~h7%elB&ύ ޻"j y0lX< +-2 Մ_}JgC% msRl}/kD82p^)+EZB㬷ʧ0n RCl`N vnca5oC~l!ڊn_jpNT 4ˮj7%< V2I7јRDHtyy?|Sħc.v$%żuLM;sҎg$#/T7 %*k#?0Ep"1cZZ' HУ5;n;0yj/hrd[R&6o;yr|U~(F6jn˟6/%A5U\z~d>,O]a+Z!V0Y]ׯҎN6]ƆJ2=.ZR h]>g(ކ>&*K^c@p6C,9ZW>4SCH5}},X< {;}{A2T=S^.7(L*#ɋq:ErWk+.0[!UUneJkmXn"R8Ơ4;"_[٧:At,䰵|:#7u/<^NJ6D,74. Pz/DYNer yHߘ2[#l$'.Lv9b?WN D%]+a])$E`ͬ:?e䦼 z?AMIjkpRTc2⬬J܄a. p‡&Ioޢv7[TvY&ipD֋mT:'9 %5pT<a- ;g部؂̯ibuwq񺦔 V E iZu"۪  B ?Y{5}C#?lBq 0dS\ԅ  ;\ }d;ًF3UVt l"]^O1Cu?k5 vÅy*Su(bX~l>RGt `JDkomU6TPO?1紓}2NDU-b$1ѯM4vF z҄h8 [#+HźTUSib]̿q"T:Jˑ Я㷛MP:BتFed]!V}-T u <wUWY,85`qf&QN0>v j,sZqNr3S-z#[|Y}:/8JAkoZXGY^V|fFD(eRSoAK;i^Aakf{!ాxGlYHE_}ȇ(Sts)g*+P>)isNx& UHKĮutWW q / -ɱ!t,o*dW/]\t8"d5-+^4ת!mz'm$b}(29| YDJog{Zh|~O–Dn[lF_hڮI_97s8}wlO?e)KČM[2A˵"`ꀧf(ovW V^kz/K̓}jā„u}`k`qx9}LaƼAr#8J*/|bk&l͏Fzv#k qr,<2i3*U[\ZzNlmGSS,`lQJ djm "Z㬎P55c?Vft\9cX#҉U BD"R) OVM-\+PD>bX?9<b,TZ3XA[%\:u =o& Cc?҅EEAl#3 }2/MoeK:=/ɞ/ OvۤAdMD *jM[~Gf/`u8>~Y5&r{jS?'";g2"!; xg"%$GN_> ʟSv?qUbt@y)AQ|Tݸ=.cӓҠw7Քi8$\v>mE$M< T|ba6_ij+)CF~OP`1\1-@7VBU®(6ʐM_jc9qjF EA\b3E!<&j ١tw}}(0K9"ϔ8}FKH3Mݺ=@k|Ll^ _ ͅh@6Vv?.E܄y/:ҝLƑ!wK*Gio˟ZU|[#g}L?!|~W {XJ֣#iW;?7Ҏ x;pgA^#'d5[/_,y"mGRSЄ~)5n#:99j:g^a޸L!{s}>YF(Q=)y"͈nMUݶ#`X%}$)amS ʷ!ȝ,@4tS%y)5Ok5VTNvx I*M-70j30pRuM2|/ygޠ ;LUa^!p$ ?Y 7a eǟ [c0]1xuj5Fƹ1-.w(zrf0'֭c,ԉv:tgC17: H "d&Xxswef@ŖŚ0ϸ%bPVAm寄(/!;+Kb?N7پc:\nl16iBme&Ffe< ٴL(ӵo sQ>Eaf%,;Vs$P_!YVUk- bt6. 2<O*OOaEC*DA`L8rbI Ze]l@=jSnp0p,DNׂ2} 8RO\fcY&m4JlAZ0aӄړ_/ȓE\}2 I_z[(;(Iwji<]nC`e8ۧ*d-%?fam'{ێ~ˡG ;x15~K ۩63/h{Н2F<>24m5)üS2[RrKVXO'w#KI8o,y쀱[7ܼD4ů[3\I[wR`݃ jWpML k_0]=y9 \Y؆Gg3=&4A*^ҀaM Ct `J= [уD|]Ok2>1pg Y*;qxa*d92X]+ZtI H Y++:mğc )g G (1!eI85$= u7ZoNG4OP ΢"UU-5%CPwuGK)7{IF7հ홛 ,W0FWU2RmIU+i\ 8&u2(b3MNAb aoc~995)I~%F]bDQR񙖦_\Ϧӎ#RR.p'?86R۽3NM[UFY/ct%jS.ţ|2z-cue oa=Ʃ73#VSs~P Lۆ~ۤYRxwf%x9VhhF_yz|g)pk{Jih5uK زkXČuQ^Hrh6 ")y  XQͤ1$Dֶ0yf,M,j )qi:xYG XJtw璍c+p5MYJO|e,b;Ciʅ]4I>rv 8%) V2U uUf]N/P*HsǴ-Ҍ6Ertd!  
D)!?TopK2D vĘÀ=1K”5J6l*z:T~5"0@YT87JS.}1 0fBgE zF H:LikM2C7a8o0i:>^CJ> _WCS_zņ`eD6kAx%fcnjl~\`&>;X(55'Pq>)*uh}J^7MP9)^3SOU"rڃiCT5EFs7VnBO~ßezI(fa`zsp^v#MYoIOd}AB)Gc!4QU/-Sm{wwu{Xŵ!lmLBkWh8e֙T@DIlv5x ;`MG"r燣+z}^T΅vOO@֐ &s>oHzD Q{xӕc$wkEn[Q CIr49)R+Tn dDO>Tc'\6_֛'dn$76҇ꥐH@LV:M$[Om%QtMOa/ytZ9wP_+LgROi2VgTmnr_ċ`Zw+Lgk/3B1@Q^vtvxӹ-RQе+{xdV .;%5%T~Eus7n~+8$<3CLXP nHӫ2 0 ;XBEUANȹj*T|+/KyR4QxMerN<,X :)# m>7ƒ!x=U&}{{)y 8표O5B=T˖ƌc$^ˋ7uYWE"} Ȕm PP]ig ? wJ\JLZy3_7sS=Fհ@A\X OK i#"JыP[PE=#\x|IM0HDLx-FY̚fGFD4+Ss%Tb*Bwd !] َ*(e&WGа6Zbz.8Wj7*00^`ݴEC:Vx2m X+(?DyGtgAA~ӐQ:pN w%CZiH7[Kv\|+)jrH[2bݾ+6 ^'AKјlʺ= ,2[BsS?<ևڞTT (eSu8FOY/x{"qdam*p܉9:G") k1-^-8 `lVCaT`pot分8<0k*LXݲ4"F\KrK4#^(?/j4vX@rL86vJAN| ZhYˢ}bz8nyV MP}$:`c2&؂Qޫnh\-MPߠl,5' Y)3T/RZXJ*65$@Ȼz{$R4n ͓sH*6IJTMKOL=+.y|M9 &.//utj%o<UjCaLr/iˇMz7&|lhtr[<'&<Ml"yBk2uF\(y@-<` z%UuY:.(;RqlЕ'_lP_nd(6$ylC X.;5Tt*":mb^ՏY<ҤȵCA]8;4ԭ0˘wzw e^\-c㾄 h#sl0I%5H 65"?f&8GDvu"Km8aP'|(;Ή*:rɭ$)ExB,l`u wPg yn:'$Jl ݽuN,=mYH0>J0o}?ZsEI9Կ. ( 6F5Y/e/\ت`RA| 3ڎ$׼la8O4 sB-S^ Q"ۇa\ H'Za'ꠐ9%ZS}?0 |]:Z\uѹ "Jv Y2Z.#b^CZC=+ b,Qq)] S"癸x hkp-\oЊ>Ʌ)O^\x%l޴S(%mNސ:CtUu'G܂$jD`폣"[\/ iT4p ߾_3D89a!"_Wl%>Xh2kghe>"5Dl=ڇқx ],/c0ňykX\*ԧ 7pX@@fuԉfRXz+]T>e x0eC pF?RU~^,: ط3q~@t!u@1N̖ͽCgC7QjHPkrDn^:Y8RL޲\TavW2߫]koQ (e83@kejm=ݢP,B"'vo8xB {ri7}#1;O rDV%xS$qwD0WR v8'MklB}AȄig9G$I$bH ܲ%ѩKFW=>lLG7A(;֕aN[/i!T.&cxlbmZ$佈㐬>"4Y{rat-k_8y}(,¤J ȥ/18jNe[Q(%õzFw_u*>-'f@%)=-9yJ(0l$dBˑ &FζV[ښhISSh.f2?fҫsT%!Kȧ?\<-))<C}2_;x6w?36]j"pt7E>u(!4>9 wDnd]p;/6k.:;\*r4ӗ=bKy[fTx|N'p+LrpN]ƥجuGԉMc{y)fݬMFt3pÍ}ޗ]eV;%T;k)` B33؟(7~Ӵm= O%b&t+;N r rJq$R7#3ћRMY]DhWCyOk<yP|s"3,(mJOGQ-!.~K <,P 5w7\Y>4MH"׮'1l$y ˎ|FSH~XrW'\ .{5MƜ^*椃I#f$/\úl!5#kR[8Xn fy8LC[5#vxQ'NI"BSn枙v^z/`gPR\4#~`(;)p/GT7}}Y?S Jz\I(Kn YS.h\M) if32/Wt>`\BB6狇}eH ̽Zjj|zH'TCZ4<˲˻*ۿSwR4xBܰRxn>x.aÒOT!-⟣3K LQ+xUaߣStP_k]y&F>[*Jߞ2F-4T?wZM _=cD9qk,BP*qGÚJU`}@B&D-,dXGq5}mbkLrSi,ÝyZ[lHUpUNfI;1@ 5R])K"aQJ\5tANZA=>RT_L6=Vk(vlYrp+cf0}.8NԠ%`CIoN=+O#%f|<#Zk\>e;IRIW-& [;&`^An- |Źև@9lQ>P4 R!h Qt : BS`3,.w7-Cb$,y?Z*o5>:c_vJ-]$ͷeP9ԑuԗف㪑NgN@Zi{i6&m 
=FiC&*-֩$![mIz:\8dݛTU:.XxWDA6c$MXp0CVMGY6';) XcrS>(+dKNPٻ^ӮaVez `1ޞ Yd@8v/\M:(xNrl̘agP3^w(Ju~1 8!,oWEp \p+%o%^0~A^G:5uu9Alo{Y#$Wӄ9L߫m>U u%DMEK~nKOoQs{i;bUD{;Yt7 >L&MH-Lz˚9m޻* o#D6zssܴ B{\(I{f՜/5eLܬ(gJ.9Uq׻ ,3+2/33' %b}T2yf}dA`F8n_B>1zxQLԢV{"Ln͟*=+تz'U9GnM ]Λf/ʑ=%UҸW&_5<PtFFiʥ s$ev}*$_T$.5"gwDg5] bj[HLM y%͋wQRYffE Cp@g/tӔzbW9~ a&e P&5UVf3q9)`)W5m_EC;lƳ6و zfJi9r%W4r!fG|MJ҃nX]'%TSbW/)v^#]%պqmv Ě[$DZJ^k <6͛o…@Z"}4s{VHZ.}drg3 M4;=cD6m2x}~SfߡlP5'2 }9;P\q_Ղ[EW+;ڠ(Tt#+=uj "߷/'/Dg E: tX |t¹4;sm,i# k8-8'Ckܬ,';F6;(0`^yvg'Y>W"*n .9Søic}8Ǵ(ث!Sd2UTi U(E2̤I~}$iV/Lx X#MkR6g_NT.@yj {BpH ;RT`+GB4S:շrQye UPW  F(S[M^/0n@ ׶ܚcA.=( ?|MA$|2mphiB&Ar$\-z^+ls{@H)xW|ufh_6|B)) Kΐm׎r 3Z h+>ςRoDgj|vLffƎC@LX+_ǟ9j6ș;1s.Zuf'}zaLe+Pۏ59޽H+2L+ DU(qL oD~%ɽ)O;SoAE.ȶ-40~I_ :Wo fXMoӨ鄬JPC봂: f#":v{tDSpGDK@MP4bd"pa: KLO/,e[5!% e* 06VmLW!x\Y{ g}P =Bu/?$ui*ktDX Ae5+UC33-: lrpr0 sQ1-zҚaT"5)abWo %*u!NJn4kS3q븙IN_ =* :1ф](̵&d§' sf@Z4p1]Zx<̠~8 0a 8fʼ?A} TF`kUQyzR:_}u"e8/R; ;? CݏLd0\->V*2z)(ThdP>x7ov= z<|$3L`ln[+pjAw2ac˷1Uэ$DNfіƝb"5C3u[ U=q+ކ?-ɍ!wp\{LdasBd+(}hO֎Aாx#M\rԸH~X:ZE(.(Űa>w$J_]K,LaS=]Y{<$苓ҿ #+ ^F 5U7U aନew;3(܇&2NBN6ڳġ+#8z)Y@ߤ%=1N#MI5q'~1ZpjD}dySeNN鰐S)QU zXM9JIۓvb o<'U} %ҨKqܣZO ٿ6vNM7OOU:@$v2ᒶ-T.ztnˌPR<+=MsNϓ[k٥]츤: )]ÑK舎擄K<\qHhL77.UK;R r쪔Ѥn<7_Jd"׌цTLOgbdWt+"}ξXiXu(TiS~8BW,fAvkړ0ԕ} kе|Gsj]iBW L#L,QÕ/MKʹ Iꢣ@%.zMh$;# E]e3 "胛{ ל-?)f)egFuꩅg| .+TnR.n"ZwԼjN}n:+vh{YTW!qz;v}_@ӈ02gLll-H+ '5[%+`@G ]1Lr )d3 ተ捅 f3\> 546փe2ϩG`[rفYxDG3FC=cD+:5{Re6Y[u`n&,ܘǮRe)<х0 m2tζH[X>ԖRݩ)AU0x']Q!o Ǵj.'?rN5Xԟ/eÛV[v>miy6Kb>=U0DjեL$EZRXҟs)0V6n=9f:m䯼qbГu_m(!: poŎ"svlC`߅&og+&ID{FaF#~%+u<.$6%I 3 yhX)fנReP}@n@WzEӨ96y,BZIG^]&du\>b(/L~{fWbEdPf B[G5G$(d}<Mި&/p*y=ó"#e,~I&¤nxV$Zv9M܃k J$k]e`kq%\ɒ< 8 OLt@zt3yYib@1s!{x}ޚڗܰ-W!OIbԫ{0#0, ৲%)|rScP&.lD€|=jUOġV9cYc`-+Bf>13#`w-J=lyr1jTLL6 *WfV IIag*9LQvce/3P~,gisPbȅX۳@A8 JFTK;M]S&B/j<ƑOm~ 6*)%ڔ׍u3ҝ.ږ~4b3g+護7RMf!䭇$J0N#` &8 f[zW󗏃³c,vt੡zt,og8 }a(QUI` G O;;@<8mN\j9 dE5<ߢ f}Pr-"aW$B,diSCr<=3Q#ҩE6lמjO)0\gfK)Lv~p!Ne~ wm>Әx]V+E7YyblIjZe"Q'k&2)a* G㶽]#.n1Ab_AKUp*[\l<)[؟ǎ~śr8[ m0>),2k-(m <#GCz8%:Z 
=<֙đ}d\};cPo/#c}턣+9t:8taӈ#egu{}+ Sh${1,d4k̓<08"7Fc_!$x % GS OE$9ڪ31S.~4*!KfTe0I֜[}@a}hSef A' 7b1(Kfܵ5@r٢q}Bmk>U_{ገuJ4\NfA.*!(;5{4f rp%a kN1 ᾛ-KQl ?::h-NN;"_n)uA"F-ޔAvC_TivSńwJh|g~5= +rhKBMep S??,yC\Iw$>쯸a/FV6n9:`!eMZĘxK }UMx{ 9=t5v*YYݔBCƊ2]߬3`y)&2Cf7T#`/_CMڝrA\ E%n"J e>,1AвAfR5%uT5wלp]W^6@7={z=C9 0}H_M  8 =ϑJa\2`ŏVφI.#LNqNn%O4Ȃؚ:I/g_˪PemֹyFSi!w%g.zSH(6b%['zՑ)oDҀ1U:(nQg .yO}.-ᒪ)ٛhcnܷ..c3=E^@`&8S!G(:fct{?iF1rS\A@{w̎m^OA0LTH eZ*Lxd2f3M oXvknEk=2@{)}J!d8b Z檰5VY!RI}@`U?`]8r; 1w"҇P݊]m%SHlO O1<2Xk½~q\MB"{d%2f,  v>\_olch*gHi -3Di 6UG®K8ɂELFփW;GhGy! nt_k* RW߸tjO_8kZW.dz+M n޻~KSBQym3䗳"An$FYeI[1=ҡc"eÃ^V{6ؘv^:6.Ǵ0 MZ&cgNb n{KRP5utj}:O5὆=tb-`4u_>1// =A$ɗj<3iJR8u|'t,>8bIW5phAuȮDv@S̶tL.ngI??)X} ຩ{喔{"ê IĤ%yo,F`%Xq@8HUw[XI0@ @ RW#%*[ܫl8cswqI=Nūs{&sn-i\\698z肢U4? Վla+%$D+zi/9Dn,<$0ocƑ,ŠܾM_}{k~aRj7y+oNjixew 8?`"PX  G7UDZ(?!}rK E%cd`5{'*gC=jA<.MOXVKn}&C᠟ЅFk9 ;z- Yԗh_$TX/"^1ڦv..qpU*q+z}F#d;>Sd<,u^=S3Ф _և Yܗ`sf0@PL;tM$ ,-Jtlgr;dΧ]C`訪;V+ J36;^y~sdT>r"Ӧ7 %zVf4-Y憄QQ\}ʞ^v?6U*9Tr\{dn`HQAt=kzr^9i?^N 0Ŕ5ɲn_DUe/A>2eF[bKTԴ :կ̊#[G%p]a`f* rcPMT%Xem4bnn{beیYS*F;t`خ+6Q@ yf{ +#kȟYv/kt]2ˣk=Te|ʦA$+9KZڤCb$܆ꥉ=~~!wJGXrE6ًnj)R~CkGO=,6$JXŹcz& ʼn]0<,vUK:hOrx&(_BZ|d0:LJEp:: `Q@ ư p, X*FWQ5ĩ1w#2ŷo:OTk p wvj*`v2e_bv:<9"l_WY]L=DCeTu7|b5xD=9J.2eڢѯ'n$ VCK0?8ra2%+ŊK-="?EBᙧJIP<5@&gЍ=$pgovjlJ컰m/~XMBkK4:7~D{P|\ $!8--87,ծ-(<doGBD,r>b|O5#yţi %C#dNGTE}WيwԬAaM(p͒6bQV36 i/9)c:}۶c"Sy)>_C/4<^CҋjqrQX8y/ji=c Fp vC?9EBt]8?z0Xm;XZL 65Vfa"6 pWq7mk̼-Ƒ 8׏e*ρOrtS[A;V c̾*p4NJwر]ߘ=+zȤ1ý92j6zR>̃ Y3m"z^tz )tj ?yo$]P=O䓙v/H0edk! 
1{GsDG 1Å՝:ۼ$_€L"GxrkBxW#G';bS:Xa,b#qm7Fhk -ځ؜fzto(EOd1_TdbOъ؋g|$T0ڈ.{w-B uŘi)Wx6 0`(p:nH at430MtE㱲qzaczO= .DGgB&//+Gf!Ȭ }-7 Ħ8PR`bdQ*QqS wonbѲȚ y <6瘏֦gȇ9'nGœx ·").h\OOڎm!9ܹEע7OK9 'Dl5g*l⭁F6DQój(uAO>71]zL4'+ގK5qvcuCs`o #s2(=w+ӂ^!@ PA<&^_8zD̛Ւ4V hA@C[]1[/>l[=+8ՏWM-27 8`& MN D[U%2*oX7 GUMUҐTň6"!albXbG/eJApZoR2bԍ󦎈׹MF-H$#X{xjdQ)e~ -Gò n g,ub gq;5 n7!ͯ:0"| yk)N\.a0l!i"()̛ыޛ,Hk!=x2Uۦ$3UV)s$Oxu_\eLUz S{@s+:W;F$1V~*3bҜ݅,UZSgfd1I,(_4Q {#/kҶ ABo:ǭ[,(3`C!h,*d}#kO9&o{rUzXGnq?rf=~GD} ;",Ux?ɣ;AU Iu"{bx( zi淓Omvyr4`d>Iscm`vBaIX46Mwkׯ `m-tTH_#]ؐDڀ ylt`}\e ZZIg9]m=1ilٖ #SxG{geN˽3Gt9֮* AQ<xo(xQO1nx}c^,tir&qS)QY\rTnmB͍+nvxbZFY@?K4?lYJK3&qW z3iAϾ9Y: bOuō{ZƜde9|,dqwExXPw[PaKO AY+%]xbʵ۩;GwGg!G Qŝa?CEq?zm>zZ)TEGFwL}ei:}m.'E/!Q/S~ ޅ::7&%ˏ,l?,Ԃhd.C ^E;(@~v|[vA@.DDɹD ѽa_42D^ټJo~G/. \5w3@JClTzd7Ȝ8 ~"L*Uc^V`!i 3l7zMxTĥsME]%P]tknBn>,6vǀi+yF_ B 3`^?\/D*@U .<0RDkCf7@B^1|wl6gܨ꽛һ换1 \Ef $A9T:ԁ:o?4# 8`/3Y+JUㄡ~Ti 0xO 3Ob8ozaBjSXc e(ff۪ qc6x3Cdby =3<뺭pK'pˮ4Ӷy`_L0(F:)>с` n :@-;蹪h`Ӻ@gsŤ )ڥrJ6Ъs6{^(HteMa)i"5Pv`qUrf˲ꒃ}6;=]E5Yu |sDB%Џ˯,yp:P%K*!ʉmCA#CFg e' 蒤e7rĉX$J9]#(l6 'VCy*V$&^BE:!Ҋ -&W0fIw$Uv=<;kEJG͗ -y>+YI[ RPuM_}qV;`k~Ke! 6 oƭЬo>~%"P4k\'6GɳWL)䌳J=9ә7wݥg 훤h~ܰc! iZT)ݚ0MMᄑI~b/i(hQ#]6{'m9 \:,7Q?Z |DL4@ps\~AVZt6Sw`FQijY k<2y;sE8vIWde $vlyƌ5b.4@m|9.m6Vreb39B5^RS ɌvtUl"|T22܋N*6_>il~>|gN-ޛqjEq{ j5eE4MiOoϜC`Kb$ bȖ2]͹LvdOPQ,G_Q:}Y$~'U]jʀ/qΓ$@YD.+3޿1~ĀWzpDg?=(+%~ENTT]ǡEы<.r_N- q|D;fLcNN2-I .FQ"kfW7O0k>'z̪P$5Mrٷ`݅+͇ЁI}N\!WS9ߜuP C;zmWo/a~1T&;nO2%{ʀhU R6w#oKބ]鵘A8ў5v] ^TTZb8+dA[7^{1NU8"#$ nÈ+y"g+6CՓVdO̍J[l$>>O0.kc2ְ鶁oLbI VBb>؂ZQ>Htક|[hCq'Ly/ߕlHiBw'}<gw~C&uI'B77[h 0Xcsߖ~V!$B/'H=O>IP:jo x@&ys1/,LB_/q{&I76bdX,pQ/fDo}dA hcZgʞ oOg/ jkfYGW6ZXeA@j3U@Fc)`s"F(ۗ65K7ԔN냰E+zB.>&l@tāH@~r4)tCGާAvFbK=`?Y}3ZD`FI%Hr,<ߋb^ǵEy-)_w,!ܝl*DAf5^ҷs*šQ :Ռ#\TVuRI zW\l$CS2L.93eT"y.tTIHD .7[Mf(V{R ? d;JŪ mz)xDniisH%B~NjT9Q-1ʛCk*rer9PJ/Id"ƿC&Ǧ衪nQ% swF؟!"r|fd1 +ԫdlAr͒9/Ѩs9T>|~$[M 9Kyٴȡ>oPM=쯳7k%A"jcg5ȳտ}K#+[3I gw%%fj v>ם8g_%PnQ%>Jy#ޛ-yM7;ZVvgd56;ͻ3WF@̣pj=يvW^_B̔efQ|Ic9w? 
.lY!*=d= uzW +\B {MD!_-j.7i %`kQyMorbvDtV5x')Mp.xso;\>qӟeφ{D?مgnX8 -u7mrAM*NH K12/V?V!yo ++Eb)ɥlsqgLbFس> :Z ճs"]ݙp>wmh(f@m;u2Mt)d6^t,-09 L]f T"+Xa\qmPJĪW[RӝN#4 GcΪY>z F %*wo&ݲ"6/9-z2U2 ֕-(u]BN"MuIaAJ|_YLfj!~' q4yL^nolǘ5xH25+z#l@w<^+:)<p8jfl},f}/_$/c A ջDS?~T[尜vLbMtRĭfs¬+ Y1TR%7,^!jF*!ROө&1e3AnQt!5:>rLouvv,s&ggaƑ (qŲ CfE"SxKufL.u쿦t8 WVo($gq+ y8My„Qvg% SLjLXG@ʟC&ĎodA. dJ! wKL#_J?i"c~O Nk}dߔh?2nɴ2S)Jދ_yK.BF@<D31Et` fdM 0jS#Tb$XBtjQ# @! cj!#U]̊bB VJe3j oНoB󄒛2qirweW>ɝsic|! 0r/MYwєa,)Umud;ͤlU!{[cL>VfSN]R̓ծ=ZH 94+5=/' [)Xz)x'F]H"@YM9de,Sj{l9-GWJ AmͳFe:6=wr0[#&}tm)iGL笷l-]7}|t xDt??,W4+6 BxJ*[]0y{kj' h|ޏ~R| F *z>8Ҁ5 as@\y5빧@aۯ|ٝa7 t'r2)jK9]rC lay#~PnKhL9Kb1D]Q֛{&{X_te/{k(~ "4!MAd|e?q'_ $HHfEYc!sV=UHU1n섳ΜM[^J, Kd[-anU\?!k 7>uðK wGMăۢgeD,b Nٔ /]u~( ɤˤfiH(|]͝_ֺL?+cUq7Zxqa*Π)W%1!mU2W",6-s9pOax#lH sήr`X>`'#@UR߮SJa\E4ʊmiGo>qCǘML%05so}yH y Rze xMAx> k-@rt$۸"^8wVݚ#D[a3n{1Yn6!G\9mҥ[};I1JHҧO;u5kӂ/JLψgW.ВhEP]1Wu4 \Nځ\iq+EWVҚ_ɻ}:;)]YbIgga ~ $#@=@VFΪovi[8|lrS?P# \ Hz&7y&e Ʌ{kv {;A?O{ey04 VŇF3H0nP㣼4^GA*g|$+(M b] &X:̻/M X򅠌EIpL UYcy9#m1 lHu&XLw#&TLG[3B)4JUMPu` 5b? w"ի紂yl΢D0b,ţB} 9~z у'4׉ i;Ίup+U :;suʯ?NߧIѣ5O^5jK.nʖ{wy ]<pvR吝I}s|CdaI]Z:Me>{&Dž炢*VsVL$Ʌ"cV 2k^5W6xcApU~e7+6hT18*f)h rׯe-3O(Yk<ɘ*;F-)yvGMh7/q{~5%NM's5iD}:-DnS8_ TڙZq88 F`>l£L<$"l7P#z,#}5SOI%"4.nZ)5f"-dSYƻIvj/p mQ"e{"!_VQ #$&Kuu\ 2|TsYgMWp–(du※8 BB7)= &ژ`H7>uP5Q<#lX 57Kt+5# >ȴ.SHP}q|["dM=~LyJj>V?Ny *RwK2{!?Z ao6!̅$z Ib΅AYa[#]Z?Z)ƞe?ve8FNF2խС wQIb-aF|elY=*Bp9L; 8Op3\ʸb(g<hUjf~+)Rd#&+\oI9sBf'%7{;!E@\;RY_=?'ft[B92qvͺ|(U5.4٣Bªّ]j-~U0kȵ'9,]lnYȂn.$ ܈xn3p6|4^;tzF3lǂ;#YJ,@ƺ33@괎+]:͚I9_k Ɍv/>ڄ3&- dHnK(vZhǼܶDNb9z&4JZQ2~tQq*WH SWGK^ 7G µ<11$S~0αz]O$F$Nᨬ H*0IptITU NNs%t~]wBA=ɐuП}-olԷ3LuCm4wVPt2mчDǴz^qߩv$3H܈IY-Z!C N.Mgz?cS2re~5L>4;,̗{X9W肏bP< A^ޜ{zwAnW jW;|ЍpB1_[R[ݺt^Yߤ>}P)r m*sƃ4ˇtR\Ctchnщ ڞr qD(@̩*}cӭm)9a8̄3g3Eb2. 
,cc =ؽp,bn >zEKlsW~% 6D${b-`vwc,$wZ kX@"eӲ<~mUT7&Uv&Ƭ^ N]:-gy48\dq#XSyaAk>O16<7=+ ˹HcE( |Er=@Li / IesDWC z6+򥉢FKţ=Uݢ-&1Q(^^L{ؿTaPmZv!\NIIv+L s8`Ľu1Ìh&G=^ Ρ%wk:wݏ*Eߙ+M}s@.ssd5BFkԒ kfDrA J̲"22Rh/ѣVNg[G]{gsK~J6vPP_Mj?eY.^ǍM|30nCإ(>#P[$|ςoN|ZQ] RQï+XIh 3.F0}BX/Awq&iQ&3 qh%Te#VҔ>nr%^3CÜ$yPtc$S;f~6Sw&o, PagdUE\ΔF2}B!1/`H|qWnܴ{=7g\aTPA!(cP Dq(<:8Dx`ޱ}w~lO@sW=wS٫?CCPJކ|y13ICV_^f¾Y6HOa|[496/Zhq>xWXN=OTR5GԟϞp 49A%=)lka?z"w@5u6)3wxqqc~M O0Ntݮ)V-gi'EUӲ!ҏJw9:G3׌:I'xnaώUۏ9XjYZnH Z'k|nJ܅賫n֬/‚'/}LͻhCqی(x{ _>NZˮ3o{Q*Z\VK~Uyi =m3k /W63_ [a9vL*7:U*/=qs5Z…$E8`Qmm0*%F_F1ezc^LidhM=ߝ5aSJo lU^kZ7 H'b䐢E)ad4['r|xT3`t=5k^0bEoK-32{ O <}iI_5aȄ*XX*ĭ=koI ЉQrJh40l/{m?yQcDrLSXCVuXD}נkϩӂ>:6 zQF3m'[y3.%\lku`9mf8l??!w|Ni+cߋn?R3j9+#:Ԟ;^ yY m/JXR9(~8reK ]dat~\=~"wqG||xij_,Q]V d!ckR91[C#>`dmߑZy"FI1]?0ζ{Y$!t@4*DR+&Y`ہ;ʠG~pY2V@ ͮMFZ-Ʒ_;1SB?F{jaKb 10ҧ0s+ \bsřuWx$Qf\*lֲT퀡z{ckiaTc:^L+זIz̔Fi^)R͇ۼt=01w#5;٬-<0Ԅn kT۪)ᘮh9 \O%&+S`o#PUtX1lťmu)n$k)Ngz|"!řȿ}H1Fb]%є,55D@b|])"aQ ^r2O`YT ~)_? Ij*zijT tӉz!jrS#'|!LSPtiW+>L[;Բ%Ԍ} b߻۸ {nŬyQҚucl (3,SEv͔XėfcuhQ`$ccbj:rI ;ɦKwF*7Cȸʒ ":C@D:M_#29L?',7Yq{'(s'iImwT @6B2. 57# fZؖ!I D 4ǪqRNdnI'v&_GbkfΧsV6' 2vB)X!6%m۝.^MEP^-0P9WjRQCQBИS'BӋ. #,[@w,JaDL,1#gZD)B9le%ҙ͘X*Ži)t ݟm(?S:}wnx_}9W}cUHR6TG*lNaK|* dzj 0e(U ]\@+*;1,"'cgi:x5fN Jup -o+ iZ[I|p‰T6u2 #RX uVucbwUZ,Mf֝d|S$lyr}7ӵj|Jl0lW?}f] D{g!pI^־Tu6a+t<7p앖( -\@;N6GѪ 1:2,JRJ m^*E/(5~4GsmS)Fp+ F{]:CPǢׇ7Є ɹ>nsq++dLx̭-`T8t] h["Q޲d* FB;Pwt޳ELz"AS[G=/]U.'mk\w`E % Ua {M뤲/'w IFwQֿ$6 L̤Kng2:%pΧ#8[WwIVtvͧEΧ@:l7oWdKW)\u3RL%`A|!Q(oH\hiG-dԪ4ψJ;x) r|wfp ;j>L/S$w*WE1g2UJX x}^}K2L̔M͈WYs^3SSFd)"P&7~@Hdk"IҨf6Ut_Ww2;>j~5VNνUO&Nܛ@Kg,DCe>Mvx6*/Lg/II8{%aG۠jҿ}R O,1g*/!dO/5WN(֜%n1WP:(jf=C{7HP]*8yN:_q=r"AMcF O` ?MR;!}qt+` f I1A‘N<X@h :ˊP\v;EZ؈utU@0 -Fx$ iHBS&d8>2>YI1JJڲӜVx0.z,ΡIMGjAWdN9ix*j33#U%]KKs8"ǺyW##䱣TXl!ot1P4 'Wif۵ڡʑ?8UR 'YwRJ-嶼ΙNV¼sGWu넗`{`5 X ox !Ce+t٤IGL-)=#P!@m"XcB. 
̫b- ss#Ҙ-|8FwUnUKj* ;DL;PSEz,5Bܣ0F988o]ǨJmQiEdF.0%zrqاI'_2k[voxH0Ϸ3$܉t; Y"h>3E#:#\c XH\m{,'n[͚9Ҹ"P$8R (u;0Ǽ!Ƣ+7q|yAـ'~ܶrݚ]n^9>1xi\;߆[$nHX3 % nRln_rB昹).(YWcj0نE7aq^zj};}IŶGop"?})@*$#W}B+zvtuR|Uhj3֋(mQT@L`Hfg4nř:7 c‚d{STWfLy9 S{7 yDc `9\ڵ>1mp`.Cټf(U@e[3ohbVIdO{MוNC]ǜ4Ljޡe^Mb oI{Z:>3E}Օ[p\7wT/zWC=ևUQc,*%+^O3 >ÆeЃ}N@\ƥ"( 8M"՟5\i>ٿT[&su)25 .l=23ჟɁR,?[vN<)m~B8aTc񯎇ޔn.! R>K$40I&R)&[gs}!82]OdEGu>>(+uy02jWG8d:0,C% unm<HBHwjV1}6Xjz:w7g/9_ƱnXጀPz}=K}/;>OR,nO7{:̔O||r]כI'AN86 "Fq=&!.V8;p}.Ex}{EVmۋ N!@=TBhThHE,t_cr-[$ژVhW_n`I_(&iDv2Փ>u5By[:]fy1XNp^*~km{c\xzxHT?7yx s Ȭ}Xm#hu|2COG^PJ5lYcXdyNTFqҒ2Y9;7^IU ɐ}:'H9%6< XfWu݁aIT425ѵ]Y28kkEКj:ʐ4Kж(jJ{2_[huj%i~kmm(a_lm豣(-do. m a8V@OW>or<ɋ(~ ^[|5*a[tbl'|ʱng>+X&ju~qm$:~+x6YC*}}djD:W>luI'I#5`i ;P(pj7% ^gr͉P n8ֈ vj B`ߚ1|ֱv*}LUX6ól ZЇ.m0?u]vG-CO#EQWȓTQ\F8 IPdYp3R (lp׺iuuv ^浬 t(ˀH1M%0a}0czj[M&SO3s O6VȢ"b>NSB\y巋GG/] ;V5TI{Kf&G1OJpq1?H߬!%Ԃ>ů9tpa{dG54|8M^J lw/З$Rt,[ j*C0%oJg0F?GrGPol |o>d-6rc!zCM% cQRzψN(ܤqۜ]8}]KNjN4R a6DDm?D2)b< gK _-ҝ^ǽ}_tՐOħ.w,ٰ2K82D<.5@~@DSLޙxĄїN8.6Sg@Ѭ{t?lT '__Eeߚc IW v5nsA*aÕY2hd ʝA:ӑXwٽ?7)]]z[w¡t+1f\`u̚'ەn=]>T`by:T]#n-Z{3LLやOR}m֗^*`0_a'^9{*,hT1Hw[JrAתq؍Lr: SL.7ߤ_y6}`BzflB=$EYzgóC-!vm+tBdq?rPU™4xwʵ;UzF%IQl#pz枳A![\00bBhWݥ"ᖆ΍mdz^XpF؎MQ'P=73 Mܮ/T!.n4=KWV+ھ3 1U' *~a8xK0{Ycz G +|AvdFgzY ADR\X Z;}v9_K ~abj]R5fZTBhS,r>\z,f"@JO<Ś%OS=V7ǣV6" CTՖdJViq39!{?f)OjٸQ^@,{Iq#n8|P zGt?tiMȯe5 C`SzbhTl=6=z*l]&xZ~'##Z*B$._(ho9/1 FN'ߟmC#).GrM 8\"wW*Җ:=+esYkHTUHGm0c4z4Lߴ5>ud8D7Ѧ-V [lN)9ή̄&wߣ-E<{+5 GٽR| 1PnѨ[d VbcOm,^iy9cSD miWWf$tpd}=GH>wd,! Zd(KtR-Q0 *,g߷+ A d@y)Ly(R3>Ώ O`4Ld5:Bt[v~NУu -S8,- =G*ܸkSp_ 0{69YfĔMw>yD:mL" "ٿqb9"݌kɔɤ1HUAw"(~X"T\nzz'>1g=D`|J%^T |MxB:+Yq|{dCu/sX#.ZpgosiTd|샶p84oIUƝr H_~Ɔy%1top=&e&vى3w8/ ]V~`qOh`*::eyz .AaW@0INF!?0n6'.Nym V򍻸֬-`D#_%hoɱX!N(P@Chl%]bc/ L(D_$(`FRU[yY*@Zţ ԶzwQR'=qmR8= L'cn)C6Gs+O[4ܙLd_aQ}[i|UCKc Hc~{#\5v 7O?71_յu4[9؍{{L"$ysk2ģ9K:~S[N؛F:/Y,)yu!uCqPG۸iʔFfe Xko:F{5r^2OHa/,ͲN.To ߬4>Qά8BR̛ nG`. 
R.rsJkdP"O<"FM2!^֕&3\%ʯzIgrI=*xbMRجnR2X鎴DM#xx=L]3x`n7M{zObe ]:@X70F]v?XIHue@G'(Γ`S.6؏Yqw_TZڦ67|:'+q_L=-d] zlӜe, @d4 7慻L>; +4I+3ݓ\.qC~6,QSf}ƍs,:s.kUi=ƺn_HH L 20:*U\ 4By   L[,:sIv[= RqBq6 Xj5=^D Q5WK!4Oj]BV͘O*yGXCK_kR߇E_iEʢbPg2b_wiDz4+>"1+:UOޛ fRPEL;kHe!R6PT*y&<3ݞUdZ]brUױq.U$< Ol #څuo\7JzKM:xrPjZIW LN uR&ﭞu&&S eI.XtE8( dFDzwaFNm$y-.'.Z5R4V:U).\>yQCp^qM$1teel8!hY>\̭i?PZ90ژ{?eWh-7n+Y/Trc` I 5+t?SOZۡf'5e^CI@w+ mS lKQn^}Q3%/O@̒wNУ$$sd L?r K]õ2Ǘn)ƭ$Gp򜻲F'TP0Cqh ɦ(sڿ:NI5^qey>w#ǯ{_&p_?z֞<Pqg667clf19v0D|4H(Hb\ܔvTCe!A6+ N@H:_Ns`>~*hd SP׸МvJIl6nf=XuvqLJ[G&;nk6N/$%ZeOÚ[tVSl2M6 ZwO6KʼǩMlnsDn%ClrfM05"oFfUa#*K!og#ؼ%M*dVIQMQ1*g 6"U#rz2 `l.,؏ZF7!D?"FaԠE¹or!N„=EnxY{kuxJPHXͧ粑 db|w2&G܏\=F/$Дn/`A5Xgn=64VXh܈LpW@;@ΕrkQ %њ%75Dͳdco]q{>3^ip)7~`f}x+s~FdMQ6 5B^؜d #yzÔc",(.,,wԲ3@{^# e/9 FA3vS|5R:'wni+%k42lkq!e3C_\B;4Յc+q>}9%ّ@~Nog|O|עX4[D@\Z[.Y'NƸ%,Cٱ dg>iP6Ҍ.xK~[j9hp4^R'b֠Zւg7y;В,*EHbm;H@kd7aaǫ@󝷈ЊU&I11X."zvDhj6ń 2!kD qvѻ/0m;nF̋܆zeKV}⦬]2wջ@[tYlB^{aR4G4aܵFS`|Ҝ<AH SWm7!z6U5{ț\}7&P=`mf}ZpaO^^^94L,]p!Dr z\T'qWJVn.lFq0E;ldQ# ]Xwl͑$z 6ylg._a(#?,<)xԟKM]Ȯ!t3xtAđC!QblA$EhU8+B:2KZ8 Z#&VУҡW V<$]b:7j Y%o{V%C!AJoWdIP4fn ߵYUZ[LM!SChKxӁ(/k Qvb--P D~#8Nn;X8<=&3\S_S$2Yst8Mf {>1'w:CDBbC̓petxޗm.©%-f׮)gm2 D:ц!g5$;+f3аA6l. d^Mթͯ.{x--x1i]BLY)~v#klCHPXZgRg vFrV"n*YjFU{ @8DsUSTkLb#O F,Zd*, v=O;IJ.VadԠκfZZ.FUșo_;T(dvp?H귰e~ٰ"41άhۥior#$U0ő^UsL]&f%ݨnjdcd|֗!"=vW@&׼aQ ?V%韊mxb( `ХN#EѰ< :NsFGm)S~1^X%*qwL?N9e -_uq}:F%GҾʜ_Nl ! 2{|Q$#o@nU`E4w %/aߣqay $o,/d[_)FZXpu˯gSDSq1Tc& bsdH" N TLh>{yE*䆡\_y(j7!6+2@W)[\mt\p$>w47M,*p\$ #Jˇ2L}$A<=r:]*qmZ1FQXnAaD~JNzIFZ"•j 5˰ލt"o,; s@۳;Xܬ 2i*)U=oU$LVנ?:g@ցQ5?X4.j푍vAlX멑voz$U Fgiuw<RѪx1mt)?_ ,j·vrfzvƞ3M; ?LuW . ˸N2[8ç>O8"n[np-4[ ٴK00pN߲ %S|b/drknO&W H_4n4-I 4YteIC x҉JgCHȯ"Jh oU{`#giH6$͵A. ցuGfnAe| Oa m}u]qye9ɱdS'5PJц_ =|#-+to0)f>L)2wvLd9i6p9--bA Ն9b,@qv_?? 
PG gzԨ+ťH@0t&WbD (riZO 6K+ƚHQS\{*_.j^U cD+apg͆\Y9/gd`9ٝhS^MYd9N٨JRALeuPtpW?1Q (Jo:ڬt|IDtj|xSՃ©b7lk둥zhӺdڅ)N"ynD)Q\5ѣ>lKh}'E>>p`~g# ky:Ff)E-pmj,jDľZh1]g_jf᳼ZH=`!bՁgcS1j<Ыl5;ӆ^,pU0f 慿Iքx[f4e5Ԋ LymT:Ws\LYKrHo pXΝM:D Uʅۗ;Qb"!;_[XP}u2n%!~8;'E(`~ fk/ m( k$F ލ@OW6Y⧉`}ϟyqdH9b` q4YiJTY:N {/*OK}6ޯF:p=8)o9<}}T4Ҩ)=sqihXsZ_gW:M782W+-XY<:rؤ}>^jTTpnGӼuE`i`lBVxb}7 6wuK ݪmHUME@% ]{ U3-)y,ƎHK@h*H}K5ST| *4ҀeFPz#.j+bL]&N@dr4" HP`jVF$f:k[|x\=) ZިHД[u$eQzGC4.*tFVFGOy(:]{e5'7~q$rp*pz9gcʕ~4*6+h X [ b !  i]8_]V8NYcSӟ&Pwɭhةt&wE-&-3[[3)9lI&mȳJ] vO 4a-o}5=9+9{&#(j+TSQ0%t qGBoY}(pNUFK$ (:0 te%m񂍂T(' M@*u5+e&j"Tf)'#dm'#Gea?utB }YT;Y: zeA@X&tDnͱu @UAwt>O]4ty>@/W?<ݹjN:ߝ&XT[trՉ$:֟$7w}WFHP{/JƎ!+}Io0jڦ4[" DQmj!g#n&إ鸅6ݎBGفc^9}$SĐAP"‰q镏qru^n~e#ĿcSoR=z􌓸`"*vMܞ41n`.6#9(!D貱7h`:U,RtNgTPвw:0R"oWL64rI I* ߌYPp6km.E' z̛!Mz!lIN S:38u:Dm{M;FS4^|'vaUC<;J,D|xZnQ^9WA孓̸H@G-$T(XNsыLP;tek8_RH_5P=^l-A*g,Gq/T̈́şֶu8oCIe~ĆpU6 %PV.BQ.dAGYv+tw/(8I[X⨜x_cрD[s8t[f:PB"nW^'ka-X\\3QThUGG/qo5$m? aƸ@q(||N[oj4zC̀êѯh["]PvOi9d`H_vPĕE-1 g}3NPY3ϯ EA^M=8.s5|@=N:Omd扅~315 b/MT+%oV+tѕ@k827Ǒ۞ 5YUX?dlmAՂR\bFZW`O"oD!29`Jk2SՒK D%O/SHkfu x]':mcc>13J jFwvMz6ux DĨLlh]"߼7+Lf}K*{N&gkn8.MB4O!R_?Obb(F`= p  ^= ɻ&;w4bc{?{g7E~*NRO/M)qD2)?"n*wӐ!i64_eK17ĘHN6{a2Qnl9Thb+gAj*v&F bt:kޞy:#75x*0 6uϹە6ƉNPH|[hSqkfnPN`َkkfs_Ua컝))qBQUi@ߖ(K%gԭ.3_~\[i#(Q!|1 Q`~֏ڲ9ݎ6R"!!oKޖiL%t3]áJa-,țHGP,C"Oh}7''*qwKpx NW\ΫhC-&oGHD~+ו,i;8ts:r0?Epu1SK̩ă. ܅k wbC5eߴaRL(ܤXXzse\T2z LRWwl70Ǻ"dži*;ΔZ\[ԜsTZf'~}N[O#u)BmE!߶qM4` X#.BX+9f!ᙺ_+F:rĪOgBODYGjpZ3pf7SuDJUq}Ө,$2b[!`. t9=^no}1"s+,F>'q,g zmbnXh vz vV X_?e뵨,w].*ZMBȣO1r\7TW=N8ۑPF0ueM%)Ɑl~! 