libsamba-errors0-4.13.10+git.236.0517d0e6bdf-3.7.12 >  A ayv\p9|&(y-PMpZc#(ޑ4ڷ (uExW>u.DA?c ϧHa)yw@Pa཮|˗*׽y`T3ҕ LN,faNzxFr7Wj|Z乖fDy}?-teP b8B޲ ݉3f{`vz<#*! ?cA]s3ݞ'+8yp,.H(#DPn4`kWSBfdc127e5a0eb9c21f62c69728acea631e217ece54f131f6161d0bd2184a704be21280b8c75600a7be4d157282914b497cbcb3726Bdayv\p9|9ϨZKZTv|͆M}蝓>W4OF0R2dMPAeLi2{ǝz)nE#mh"2o <@}V)rBjTO% gTjuҧ!%,5V6eԜA9•:AԷU|oe>\Fܖ̊}J.ׇ7Y嗘 8hp@?|d/ 6 T "9?HL N P T  P |  (89D:r>`@oF~GߔHߘIߜXߠY߰\]^bcdFeKfNlPudvhwxyz,06xClibsamba-errors04.13.10+git.236.0517d0e6bdf3.7.12Samba errors handling libraryThis subpackage contains libraries to handle and translate NT error codes.aytJsheep19PSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64Pays62007a1094e0eff5dc8ede18fe342972b05253dccb19f836a07ae5dd9ffc675erootrootsamba-4.13.10+git.236.0517d0e6bdf-3.7.12.src.rpmlibsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-errors0libsamba-errors0(x86-64)@@@@@    /sbin/ldconfig/sbin/ldconfiglibc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigsheep19 16353495784.13.10+git.236.0517d0e6bdf-3.7.124.13.10+git.236.0517d0e6bdf-3.7.12libsamba-errors.so.1/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21237/SUSE_SLE-15-SP3_Update/d2f98d8ef4313516f89dded66bd0b145-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7eab85a08968394bf21ad51433d2d9711c399bae, strippedPPRRRRRi;/~Ž+utf-8c824c62e6d3f17fdaba15e6ac0a4404bf0b4ecd44ee215428cd443774164e6b1?7zXZ !t/#] crv9w&qwKtA{h__5|Gy NI^/CFQ` O9JV|YW .`Fn}ivg7Q1W^^}!tCj*;!92UޖnwY`ºP`/ #v5S4JdB[-qd*(6ιXN/eJx n2˸ ޴yPbF"9$`O`2a >`}  -y'3՜rs0W/zk,4x.{$#˄jf7#YtݕZlnLgW9Yo_$uS\COF%WS; /3-AcxbfM<ަba*T3!G<*̳ѪX՗K0>.X0݀MK( YBsZ2+_ aoHc8ǦoR&$؜fߞh9Y<ڶlulѮgh#L@) ɰ1`0|{.cSNpC6ݗ.&Kө|ai/=_9x`&O=b%V JnYryW(RH[k-k6|s6d ڒ¹zQU [}ddftEgDpn'{7kW&5|ZLMC0N"fΫN /[y=m=*sp+\X 9ۿ9 XT-6aoqR#8oeFoLn:6N`cPC1\gG=3ˀ;68rDYt!(~g88З֌&j_7}L7Y#܁OvRH%,!|W1)CXgp\ZL?o%|Elߌ-wAz/>Sw(&5gR*G>eHqDeX߻t$jN FZw9=G Vhɏ뉖v=YC(EѲAwqL@rYfMnuȮp "Z[nfJE쩐~ɤ L \~ LT@j#K} 奔_aĪ0a%bB-XfUP2Kq31wvhj5\m!詩eZtO'r^&h?-~O Kax_gεܕ Kq}>ԷMP`lQ6*\U_wE&I?~̄ieWӐv8LnW I񣫝c{+c題VXRQMg{59(AsgMAo (PH{U:=\; O@_^a쭏k1'Tx^ҋNt^d"bP^e0o^8Q*6\`-pCaBE>B51QTU: f}7{f~c<`Gu{G uC_p4WU+Wf#(иuj*DhR/N ge`XdoUxL^(9\*ю^r"kxo㱣Dha;ECTN֭u5(2\tRZ%_J숗WxM9#_q7,RAa.rioI'4zUVFV>v'w]F%gI@SZ_ 0aӮ˭Aߗّ2\ HƳVoU.2K,hR&G 񦀈uulpT.Bޭh @:r![bKG[vdE2؂vvupPf9@J/3 mg_#Px9P ֍o“G1KY^G5E}'WV FQGx@?+5[xp[9CɋQc)OI*5_+Rw7KYB_,%0-;#m+Zp$֨kF ZCFڹXxf}!%)B o HW$&gImY$uՖJs'|#)*Hex3BWwzuUuVǑQ< f;;|Z!?P&e9O?G8(ft9wQ U0@%tG//=`? G1R7WB1&eo!ɰ)nqR{@e!ufgX2 nV_Vr|[M R Ӱ/qֳ6/r s6b16G k$Z]%zg69.[S.`  ur15{_ W-sy(ya^!F՗ S~9GF.wԶUg52|Z˧nN&mH&Ulv& z[spV(9^5o\pœ<e=:$ꉱ\V㢀pEbmG[gJ?%{(quB~7g6Xm>]wGEPdGE}Œ f%M1jaTOQҙs{7\ጀA5!XU-]3TQ;E@qA*L#Ag ?9HCsZu͜61 $z8_d_x\G(?r!:TEɑavcw`T$X^1]h؎k!u.kVys-J9Lhӗsǧq jgP̍#'rzF#R$Zn*P^v!gbAwP{@9i2Q3J΁ 5kAp &eQ=}VPPRyy;SBaU UL=INwEUHJ*1F7B"T5| ;(fk39aTp+5 o ΄/@󫞰Fxn zD+t2=w/yŦFQnGBDl,SjV5lj5c+ )VQA7˄#Ap;v #S;1E;SBwxD+D%Y0kQ{M3] Ici lkj1vPx3%Z @_-1 Zz׼eЄ}~MPVJA8v\w-nX5hZxFwHݷmcéO9ڣ,s?۬2>4_ LiK|2l7ŎA%b\p`1=VUT> G4.i0 -JGAצ5'bh* $+1}~-<+;V%a)˪޲PT^Mycə^ßl$1n+MD3k,,]eJ'1TWR?/щ.Gb[hƵꕑ1?ġL1]puDhxuߋӖ]]2ZLJ Z*l}kR ~~ /pl41 (!h pأ˕}1ג'jPIIK>]*I쳁9=, io94eVς((|^R KN8XB>?!a7%U{ldMލMLnF4L(Zo/Z e0X;Kq I';^С9͋ypB#0x~P_D^H%bJ4СTept#E~jf_YB iLt9ϖC4o{zveEd&#B BY $տ](XdHHTNu>|mhHVDUrͬMyBD % q)OL|h6Ϊ_sGf Q,M\&~ 1Rb?=#$ G~8shfa,_W%2($HzɷD Td.@,i ȦGQ/QH?+'w+,rD͹ze^xdطDg V ȒS%a(`YuՆKUA#~nm+2\ lab2DrYGG[e9fH-Sޥ@- MDxUFΛ?AQy߄|FvQ}w[Eho{WύR2?գc%,X/j&#_AsJwD4) yR!f:RuSG0/%CҹysepQRګ2΃)AsS|hj,~K2븵H9a(lI V01/t9g,`FrE!%QS" ;rGɗwJrq;;\iqL5SuY^U%*9ZD}$nxLȻ;Epȭ#-h&t2ςV1 D&c8n1e 2)ptT}̨(6s`ИF)kmgw#4NIA{S^^]i5Wk#f-–tou ޟ7:qW~"=Goh]Pz&79"CN< ~Ht%gy"$PaIq57"OEϹ 7B4ld@uN *2uDѳٓB<r_fًPog>OM,ZZt~?Eע)OF6 wBY%)-DLџw" Zúu$F OlНGͽ0f;j)xVL|wso76,vQ47q|tc+F5<:.Z-߹z"/|q,P?;.ӒVnAO95*" ,jO$^:L$W7ݶ7SV~e}^թ8'Ky Jk̖'18)vbb# *(:[- %%ox&5/$L/h!a M(R*]lOϭ.M0qH54a=qj[A@FKD>FBMXk?5TEm:/$djo͌Odͬu#@M+2Ӊ⢫_CѼ'a6~w$Vmξ9sY=LH ӈvٶ6H"ʼ`]K^ԏ]`(jMƈ FKH#_v7JŚ 'AzMRyl雡A|Ƅ9XxA(< 4r! &v]:Yg쨷݄mkE`c)}anYJ/O/wG>$ eUS "`Ä26hgSKt7 9a.lO 71S˰E6ةJXd#4lsn2`c4O9Z[; &(x/*^dgz|Ǘ/wỵcK>&t9m:Y}v=tH`GQ$ Cɠ+=b(%ktw.(٪졖W}de6t(~09CcH0uh,cmV1_ GtHE0+tHU%B 1# Ho_@lþdA#Zr ݫȰMr=}&}t3yZx`tjVE?ًiD̷󺱭vh75t*Zpz? gpƋt.3PkGtVͩGv9kLvEggRhYܨ D@[豈XiկxLj f]ꞙ$ %"ΝݟYFi;eHfYױ"F>q{-Dg¬ u1eEdD{ yH8 lcO"{QMk|)?%|oW:tbX !#:1.T/0@m 'D~ {AFZC錌 ʵ6*,D;Z QԯQk'ϛ.Xs8Q'$QY ~g|\gsl7UY>H_[AKT7$ kis0r +G%ʘ6A9?8y"U,oI.p+7F%k]ԵrN{oy+>Dz30@jw/pM"I@'[eYR*=G@iɐGOե=|Ocp dfG/)_!1 Hމ3uOFLtK.a75 ;ь5< +Is(CR!6{GF2Pٻq3&c"ꟽYv&?XWlurЗej囀ڹ5߾LL #;235. wdiUCA4lЭ 0n*ap\?c Qc?[!kwP}8@G'v!XXŀBd=P[ lM@5kd^-ω=y!u^ ebV:>J`9G037vQNSG9`!79yA>mC<s_' *^8P;~~310J $mIݟM)H*GUOS1"TŌcU+VGym{Sk2Sq} O!>I[Ťfꚨ"/^="08&r I'pR`ͽq /FOdU]ʩ:䱥SxT_@"F&p) /1N-븐 YoJ2 0 ÎE5r՚M陑[n w7Z`:ק9!iW| a;OE*md"=vE][ZMmlGK&!~g^o*ݷe+So"Mհ^_zW+0+喉—.Ih`Ă)K4F102O ,cYL$U@F/,Mn>E5rm4#ε!ԿZ.6[ mIEdY{'MEe~)e{(,| k/Z^  9y\[۽Q1Y-qGI4ֱUa}F MѰ&aQ>DP?:Fk5GvH$wix B{NȶSH='i"cH{+eGXkT?r$q "st^C+_Uj?g%lu^4X͂r6BYmGi/F͚d[r ǚ&|v&F0$\9C@_1q6AZ_! x =s4[gJjV6~ǦȔ=OЯkb:2M 7}00gYD9 (\PA֏;W3>{xWuCm<؟xNei0O=Vep(X=Ѳ.:}Ħsz1HG)ir{ ƀghR('+{= vD1o 1*P/@q+J VRޕy~v>])2p& 'EpbC#!k/2HOY1ӌ$vC[ L꧲g|٠UZE=[(dϣ/+g/[gyIG6s ߟ8X:9lT1Qɐ0`2V;hݤ1gjYMA[(#KE鐅ӥ/'sgx֍䜿oP>Q_.44,YÚ[Ғ`͹ t ڣN-̖D(/';N`jXS58>@ix5s(Sdh(v!'qy EBmx%",ΙO4+׻*!7ͪrmBѼ6U]lJq2UIWoIhrxV8sdعoytT{ӓ,ơSh {.K]n#RaQWSu>cp^a]5o1 F{<@ltu one]clBPkZstWP}r2[+y0օ[IVV! Ҡ"Ezzg=e7HOAEfT*2 ;A~Hu״TC+U1PC _)癠W;1D`ȉI)y>101{ۄJpR 69K)nl M}('E/D=uV!m٦3L9UuF?}Nx9IkXn> vMaL*/q'T F>(L3&}˹n4G0wKMZ0<&سZ eTwʐ݉+zr]~bz}r"=\̔Bj-:q0"XzQՁ=m\s&vB4e .Y L$#ґ}̑Ơ:{IyQT&ki&ey9hԽ9mOK4; Ʃcb^`w_ oCfh/߱^z(=KfSmT6 $w+21==ē*MUAshobd"@ֲ{^+d Vd,KJ9 'is(Qz?aVGjK~#^2inJ%^;ԡwy#ObR7Ӄg; l (yc7X`uhCre:~9@ӎ mx3&p ?uzP[r^W>"oc7*g0wVbjxCT؆ʎ` 3thElty#5Yf>1(^Wnq "6¨A{Pē3[8A`Qg9ʔyWWm:SkjCM*S(IC` ʟ_fym_G/6UB:ͮ+EFC|xZKfE15U<S2e֍cna+e6`f%o w9YV#*Q#k4 ?+8qq!}R"-ժ묇q? n96ڡ):X WyW>j,)gFDop\-[#krH͒/勪 ~Q)W 6 Y\ED)@eˀ_IۅD(5`*uWr'VaEIeE 僰f~K*Z8<FПdIτ@1<3Il11S7fXUljX׽A,Ɨ"yJn?.gfZi Т 6$h7r1&*Cl*T̘Ԉ6dJ/@bpWmPJGыCxEDuNL[w F+Ot%.+!|ąc)~9_g/hl2n=ybQz3q{x7p`3-A P'O*W ǃN:>*H&D!P)E,wdKB{YӄA @;lj۸GGSQ(W" -i_C!\Gj?s>HQ fɰA`?޲?#G)y7+e9lw|ХdwA,X wv8GW2?wɈޭኤ2he~3߉ h ʼnO; q#\B(TУ.w eg~fΪW2 Hq-3:O gȸaX>g6E滞ր7R=_ff78GiKɧ5u#\6.^RD̛]r'U)r8:"z^~ۅe$g-~h+i~H Kx󂲱Rcc*ELAXTh\zի(?MqEP>lIѥ"V 㓾{}4QKms[o.dLBO Tlh+?^Q;jVd$ߙHAX7{d+vv0 * #hمہ ]ZA_9W@چ AvKHppb0^BQYӮZ( -FZ297,VւU\!9U9i G v{@]P,;gTR:?ce!Pa<~f`IFHkfrIJOt4mT.cʣLf~Q/ό,1}9hztn@ 69KJx8S4MJP5:ƹGL.a"" 89dSXfz&dBdJBMc.s+tBʕܪhV)b) mYeQ0О},e]m#)W E'xh"U[a)gp!G-YS3 Չ`Dg;̲߱ Tf汨Z_3Lϰ`ּӋV[Rr 9~b.ڵ1D̷[j oU/ OPd4$!%3t.Tݙ3Φ!"w@rDبӲzXߝf[.C~-2 Q3ge+0Yف}; %$9+HS՞C*s V"p qb2vzf iDﵫ*wZBYby h"0spԥ?(@y4M,\L8fH.$X.^|8}6gu_c8&v*#7+:pɊ;7:+jY9_?GnW8ݱ74YK" ~yO5A5CL'{cr5ޞt XHK$Q,\hK[Gj4[f;zlխbE+s3&t9.%f }D79YJgiMqA,LEھbs)4=*8i =K5@Y8=a? p8d_KYškaDKmhpuc\JnIFWȐCj- 7MRX3~}'W܉þ o9%YKEU&_/VWQF)${(!Ɇsǟ 6nv2aj7%? 4˩zj/Ht-k0V*SJ?@AtIz`(vV5ڽB0WrU d}>oeXP`ENO3ЭG#w4RF"d;+%\6,NpXHTDpM߈8kѣA5LTb&>+=`Y 1C(̺gY4M ن6 ױ3Θ%׶-^JCkG g72LrP􋶤?K5-㮝½h7!,v72MI?3`<1^N  FS-tX{D0{|vwfOЯބp"uؽsC5nȅ[3l|=@8&W=aah0uIU[c4zSbȃJ[c/K|֧DkWQɎK(Jw8=M)5y[^)Qk?Ϗi憨4E52G1<}-kpQKJ(4FE>ǀ0/m{` TՃJj%*ڀP< ϋ!BcH7Q=/q>Abo*Հu*ݿijhsGE6lc7)-yY1f50¼MB;!I]|4@T4j@X j[ӯBllZ5.O'9R QKMs桄S{(wpk bd'|G8'#WU.HoB׉:&b*8f'H-Wө7Li0|~kN=.;p7(j;VO 2O64o;4zy@B ߜjC.ƴҡާr d#N|n|=:@H1rN{:g~᜻G_9~Kw_IWҶw|ވ)@,A~"IP9^>2SЋgZ9ѺѩYڥ LAMm3z"5#>*a'=%>ٛʫ]8I+G嚲R+ ۆ ގ{ BLR E٤sex OI8{f;9@)|Q-<r~TT-dc9%vZ̷;ؽXp|i.@mnUHSN-_oRjIl n~BPe.>ʪk'^a<<4X6n֡F02ňP'ci9,bRyfy8>eHcVIyITbSS*+i~C U,d*i{ ot5 ɃdSzh^z(:ZH b ž8oJǩk 3Z)_:i,D`Dvd$]WȢ۾BP8)K-#wV_-ul 2^$Kxw?Y#hS)] XA8͋ymyEMp>"`hp Ҫ[EV <w n8H1,w҃o݆%ѻXa6ײTtUS٧('h20Ү>4=Hw{x231ͣ4JLwm"`nR{1 q>d̈W;,xLFr)M[ڱQ' N*f3 vPp?w3N 3ݲ=^ߋ-:eMܤ/Waf33Y#`m*B^|֭{oTA {dVK9Hh=Od͆ rD ;{xl%kKMJC@.3~Al^X5]~wxwLjZ/1,)klHWvN3(XjyRiX a8RxV_ pIqN[/\CB1 s^)>V3;S}*CiS>` eG̰iD&$!٣T83g=~@5R1F2bg>$9H>DB<(3td6h8Ԑ^#;;\# fԮB;w:S}nڬF,4g$՝4A1ڀR:r-X&b3EX1kSǵGPc6) Jv$xnw.3#qi1n.+wEКv` h!c*^ibP7n'{"TQ/LzL~Cq zVl{A{˭W 1ò1ɭ͐nLG..hQAu{InONl:3{>#W]DR|]񇃀B߯J !!7O$c nhEڐ?gfmS)l-4(TP/ǭz9'H١dsa B w-1L0Vc@X?0Bb1J~w{8$UlrF4Q !Q/ !w0/'L Bv(fk1>f䐺Qxp~戙 1x;Vo2*_4'4UPSʫquUO?udςqh"CP`e`Sn=8OPo< \{>; kL#D\DY|˗H8>#vU(bVa_4@t:rB(Y=p s"674DF7/U2uoE@G튖 u3ЧEe*֪-|#~[Uf$=/m 4ȗꎌ߯e_fc8 nAdžC'3%"EO~iOLГ_ ۄG KuW#\1Gus9ocY_ᱴlMO6q,5 s{śqB+`UaZi܋SIM`kըn;eyu&P8ў3^(6^r쑅]^sfȆB"ۋ纵4x#]9y-j|9a{ĘF&sh]V:/ N\JˋxMf_؋wRHFJIX*t{X5O,VlX+NLVVBGe}㒡]BL-j҄J0Air[ԫhk r[(X*ublǀEv`S|Ғ]"eE쩐+oQc57*3!.Aе<7?"ŗ}*J?~x Wg& /%+F%Z -r" KܠxO ۥH cRSb
n7-?hňἙS$_H ou!sV:Eć`Bh%[An T|{zŚ~9qr+[xamƦH㗺:r@Ga|GDOAFF!?֋@ =^vUsIB~eSz!@l Yu0ߪխiw"Fv4\D}ތ!vcFi P*6K/uCf T~qM%^":8ƃ>@ZYNnE"B![\mOHpor VP&$|mD3E`6+Qvao焬6RIf p BT./1z߶FJ X\3q$SyU)d euZ :4ɥ*^5xu ޞL{yofMN tIY'/ƥ~vPfSWfB|&Xơ=].X^$yLv#F|?rŻFjᫀb(0n"nӭ^3ƿ}[[8?ٔ dRx/n Z V׿ 1EeeR9eΙcR*ur\4#V%|qsrZ5QuvWSm nMSق^Fl 91ʿv]U d!^Rh67oo)Kt ebߐxeWfM4N4  {DfzX'":6+,m iƛ sȃFiN+*0 A֯)!rm0 yuqUJWNLq7'rU=zaR+E?R+1yw/J1"6RbG3?;JXWօ6xVl*bBR1lZ1a.sۏvy]DpbnW x״63RuC6f-cN7,FE|p𜰧Z"c, |-%SWlՋX~`)ގ_T[@f¸:vRPr Qc@`E -{)dkv処!<$Ux;QER `R7ç?~53'Q]}tU6*1i_xam 90nKMQ3rejk}1..I_ΑZAGZbxԞjn'Y3ʃn.lG"[&>i#yZh7@@nu:,kT3R{˿B'ֺ$/fWñ)TX!bWM5#!)fݡXxue]GǙZ2P_ۇmtUБc<+b}7ϗ'(]6a78ٿl \x)EcI>b2Ab3DYXTnkժՈ[{`7A: (lmZQydl:[xOݦH' "Le_ajzK 5ࡂ H_R{o.<X&\륔ZPU{eb*{ٽåIq# 6VB`dԞPG~fѠL;?q<]7 Ee)eiagj5? Hʝ:8tFQc.]Dq̞jx5(t2J@[\oE˻HFXl4GKCE=*ejs8&to Rg.=bTَ,_޵%{O Iƶ[\EEp5rcx[734@2\DOk]]~/)d-//$̌Ҍ2z@WG"z^wePOAϝL ʒ(=ik<9?/l%$MR~d#So1!WS]ܒj~}1@A-9PЇc]߯rmNq :o\FjJPd?l1z@~:QmigZD rUbh=rT)]{sBӭV6vR<&9t;%M,c}NJЊKY҈EO|dnZeڒ5ؖ=nH{v7Xw`<1q0 E N 8V!,р𺝻wq¤`x~st.o[cUOmkpm>`94C#4DŽ}1-3,ZxY8hɜYO$ӎAU'9 v2Wڀ3[Pв%;M{m#^- Na%)0l2/PȊ7PxUC>xv5Y1fl$mՒW;% SD!ǘ@2&i|;np~S-E犒wjf^aK! >'6~9k!):ܜwJ&]c*"?4.[y˩A`)^p8T!9!{BbjыDr_]0F#s ,jܹL5Rx|B'r9-ЗpԚnI{.o+VRw%@$Pݲ %.D ;Gr~ \)`὚0U8rzqVJ@7#p5wG'wٝo:q6kMQa,0j+>tof3%ޤlYV/5nQ(ǤcJbKգk ̓I0۵c%gcope(^ G&SK5?Uտ^_aY/פ?ݫ6k^,S2[Aԗ᫴ð8%܊QuĉP)kZ|Ѭ$he㠪(" qj|kn8ј45A7KJS uMheq%e0%uE7°WL/ǩ'8c6, LFUEH㒲 H| 'xlfsDZdt}&Ov~/saWݡWe`Cxw2&J1YJqEzhoTcwXwIhx3 ؐ#Aݏmhŏ\6NY4T;q;>}ust73 -ֶ ӏ\dL\J:z %u[r.l~s.?*>8e$]J.8ĦTE/l`:_*Ej@,~6saK`Q }憃2x>pXi[Pdlȴ]/T=s?GE+>WtS!qkI$0+hS p +|/(<ͦ$ {+¬˨ c"_ވ=;umetOr&|?79Ï:v?aǗp]kԙ6)1FʯFP<Ŵ{;11CzMx<5?z7o*" {8 M ]o8X9<}eQ>E'%"Rh`ur05ﱬ.H>ϩy7S4`0٤JLdġ}QSCˮ쁸-v]Ht/kd6i:f9Ƹ(q^Yr?jdO %}@c0 lB81akDY|D Y:䲫58XP:4ay/W}$8hkLKd;uf&?3h5qRj@`ǐx*2zYFpF]ŹYkZBʌg*[ث|?ϙ (5ӑj %qK X,ڨ MT5qMjE7i+0`-`+NNN,gI;h :+]|kuuL(,Cu:nef`369/_Y4_D ˳֬ ed)/X)3+|w!ð#eđZ.Pi++\l-MQ2 sq/=>MdlWQ0_m'vgM/=3@@J‘dIp!(;r3n BiZ?oTK>;9V^9@OJ~[rWpgph{N]e拗FY>Qb.|SɶiJM߰ ,:E!(ثɟz|SmDinݫNSѭTkU3& z8 #uNp7/2#/GF,O\j={ZH.K t\vcy,Pט6 CD@,R0%JD[ڼf>䲠$q0+Q+GmosF YEaW&JnH[a׋<4QcB\;L9+V-r0CLp9x6dPbmi;S(=u- 3>;/SZ5o9}##z&X3YGh%Ȟ}7u®co!>pSRހD*/oPQz.VC[+%#!!}~ -&.)2{FUkps -Χ6E(|!&5\xsqS /DcB8X{ fĮ<LJ٢xM z 5JT:?߻sN\5mb[Cbvd4i h5_qg޶` :KAsYDpLk\Iʹ:ڟ.'πoTF,^ٞӐ AUwSl9%ĩ<ۈ(]ѭAm!7>Fnl9~2[lcL"*z(^NmNTzrUt'lk(\;ы*WE^#:EW{y`|G8L@q7C>gg}8,O$gDS3~нDEL/r6fǧk-6?lB~=/Zd]+R d6": )SޙQbo46$O&-u9S+Ęt#t͞豴F(*i҈Ag=ߺNyu1O+Uh&!%^MH tKP@մO4&H=hVI%(ֽߍ:`L?pO%x)FAl P\饤C i>mk ?x |57 ySOբx3n +9"/Um44Nz IB>|<~rtۯBGj@duNzƮ}(!$^ -Pw̤oVH"/=ؾWSG{Ô-g8Qr"?XӸ߿Zr4.[Gi7><N:4l‚y`ld8uXd5gsw]1h%JOGje"[?Z3PI,'8_x,Z[6R<K^Dሸs#Ng.6iOg{Iف~h* P  i*,ym.]&{vP{#SӡudDM";VDއІ̓b>b-G,ʁb>| $hVqYYQ.+sO o7g̍@+S V=lY_,7ص ^ ;fՑ&G|\Ww"-ɗFݷ 3^Z;LN;E6L(1]R %;h:h[sJЋj:#[)@pD~NJ0f;K Tiǐy OL/Ƕd_Kyڝ."4j e?mz0!/'1ʮy l~ 1^$`MX~bj\eM,vuEe- p F9dq5r&y*?><|Ռ(T`,Xx%ͬ;ŘԏNWFfZ@ wAyȺg0MpKbEy`G9IP:**&CoF) .Ju0}(\V 9˲ k`nYJ5b~6 eF:8=~伏s+o;`օ7<읖WlT$$1jUls]&>eO!:_z_<"Io))}CrNnB9L,ɻA-$s|HLbDvǓq~ZYM@N\P"x4D Y ?|K}ۙw0zBp)}fư[kJCB "/f7 ̍?3@Y&Hܽd?-uHnSࡥO58Ex~\G4#ͪ=ѾUQ{{GYY1tSmØzZ1ivpWfl(}HQѡo6vI]pQkO |o*Rh5Eo!梜T \Ne+Ѡq0m։~!Ś sK S [hFova Zܐh:JUDP&K3)0;T}cWAsKmϏi_mqn~DdT9Qh{F'[NקM6%0^_ҪTT,[y5;syi*By,1 V l]ɮ3zW׈7a9̋w [ 6WLrc@y.}T;S(&п;Iϊ8,j{YMcE!n$bs6W@tp ρu# gp $D$cfW+:@k;C0s^q+;7'f<#A ׫qj]ª d+HӔ ܦ4eS#FJi1%DTՆwY)j ót$MZ͏o{Paoo.؟d>Fn'HDlN'ޅVD.ld6'. H(!ǖKo"i "X%(`Cʕ58cOb`~%|c֑J;uL<n{>節RD8hfI`ƁSaxPG K0W?l`_AAjfﱤ5_ÇGuL4?1Aevw:Ysjx7RkHlI.\|H`<׿✻lM֛yݶ^X);%ܙ+.J8a z?1oꏂZO,MP?fVSw鍖f\~-Ō)N;:HZ$ӍU[8xzrp:HbIo$@fc4FǞ*0AD}T0 ,JCnWe{w*Z1tM>&]]Q%QevڇT Z ¡2!>Jc J0zyŤ''NeW?Xz?0f8$?a3V .l0^ۇ2,>xA4w,;ZJE;uu}\S3b0|beS.p&!锊<;[GxTL9ȿ6'C麾n%Tp"/{~CcP M}F +ÂJbP`|9Yc ad$Jʍᭃ,pf58\,DKF[ɓR ~ [. R/.)ECѯqHGXЯ42GY Jm̬)7%ޘMke gy1iWyS,Ԅ\aӳ =ƽVѾ:;X?d-Xq uiDOvAۗ NJ4Uðbrދ؎6o$ևN4jY\si@[Qr"oaFw6ºZ NU/^hq+#H34+@4 zŬ S՜F+S<}_@&BeLM_hEG9J inB`1HZ7#VXŽ]EPftA+tf{C4 VJ)XJMdcQȗ3^OXge?KBۛ_;)k^' B=DVBlzuyȭ^3PTq.Jo!BX?5N!ϿJC~᧟|b*G PWI b>~ˉDpl~ĽtPwe>Zẁ=$ˤԛI%` 8?aXjq&&hcaH/ sF B E;`*s<#@Nr'xω6G$Ю}άt8V`טdjr<mƻ\<)~.5J4rƁk'{MM ʰ`]9ZƆE?pA"%9N(lYz8+Wj)3F[Lx"h2m.pkݫDQv0W,o js$^hF!lc25Vx J\PEJc,˒}ur9ǤVbrmVX'q1}J;:g'M50FˠIB@>'}JAL{Qx׻ 7Njb7'D.,5%!'b+D ٮE`.$qHK/73[H'b_@×`3~S,0O6b $Yh;O,gݔۯxzGuUԚ=?wM"Ƞ&Dž*}EP&鸿0@>/-@U]=ʟA"#fNIv2Etr&b@މ,?db64J(N'ώNES0^3q@@R^z,%F4%J`rZ)|N:&63֌xxh4rI8 /C&C }BLqKuG~z鑞^pDže:x> >G %jgU΋~$&O^<ıϣ*@=rJH͔Iَr ., ~CxmrxW\ ]O#Sc ZlZT!:GѶo_iːsͣmG<ZCW:Q'(D #TBS)R.g+s%pC.+݆nE]7'vtwz6%μu HUL+Ua)3l1\s0Pxq 5rN $*(zpFNNI ͺq?vvG֣]}E)<>"fCAndm7n U2EVKb1;?o^`2 t8 3;k[6>vq拗"%KSr].|,}o<\)^9M2abVC 9J|luŞk.ylg@<6/Qm"b&=%`Q(aͤ+".Ӌ&˻Dm}?* LprW!ܟ.HPdfoՃ2Y `tQ lpl0`adO"X,ao4.tY 66+zyk;GV~zИ4zH_xy-t.,[8~mfBʼn '{=d1aBBgb^H&zG2ReU߾C$;p 眮M <[f18+,P++TJVv~¦ď^R9=~ ~KVxsT) $y;vU^;0yąܼX iAspWBO3InoŦ_g.c*Vقiҵbĵ'Nn³2 åe}ߵ40ğrw8i2-Ux@N;q@Dq ™UB|-xU~b'MlSSzM*_ ؄B}]24=nU'獕M^Ny^߃7+Ŏvk͏;v"zT[8$ ڎXbx~3\aE7ľ9}ੳfN y4k{ޚ.@JU}L1>&"_r.ׅk4M+OJ/"@>^Y fˊ46, [ CPE'`J#0gAUco9sX7t<_jjJܴZxZ5n)b 7<js>4]jwu0! ]PvX|+X'&f14ګP 6!n}[C14?1Wi:r:x'5{j4=hӌ޵ʞ^g Pr{LԖ ]8'%A 9Ws McCK8o'=ίS= v ^3' GgÜ4Xs59*-_Prr%1r~ A q62#!_Jh2NSal -=ܱdFND\$0FTT,pA(Uj\"A3KZsH9q|a*u?"cRCbZEz[G"`JAHJo&pT4\ZS@BP[B J''ʑt?PRJy$ˡHYI <-3_vFH'>^XF3y`9Nvi] udbր)m#5 _D,r66c9/-?\~ (e?t`k=gw]ݍ1_^ >} xꍭ/C 'eU"/UΠv;qDQ1麀RhFy®%v͊M0kd4'pwƟH 6X|9 nfoHoj!"q%g Kj*ft;IbOj9`JIn6` ]-XmFﳎd~ *c‚ ''1-|Ms[Iu7+1D' %D?y! =wt/*ܸ= ڠVLQʯ\1 *EYO =LY7j*=1h}[0‹*~*'[E;̓I[*Pfv[%#AfzvO0jLEΆD툤Wߵ^HHҳYo쿆4k{1])B2~Ǟ/_Ca?(HzЖMБEQ_@L1SJ42Ӊ+Ea,:MKdX4aI(C"X-=U' m/I@R}_z ӋTW^fe 6ؕ9"rΔFk0ל.#N ?º)s}T?12C~@p_b%4Ur1 Ŭ"Eky`~z# ;Z kٷy&/=14>nЛ?=P\HRtմ3wo4Bz{oL !`P#|ТM_EZ-9 nOKS ?Y&lɒwEI 2GG`R6>Sº.ХӉZLs.#TL}5S$\N8ńWf*mc8WH_n5(>%ҢZ?'u s=0{&1^7.e|:&V~&ؾ%ueфJbW~-CǵC~X?w>$_2NԶH֡7tU| ̏({C kyL/NۙRJzL 8Wu{0o~WKa-qy2\: Ryn;`x~\o/7BTaU!5FNK ,W,(,~e:%;x5.9CqRS5 .9ud5g@01{OMTmR*ijQ 6˛F]6@3ˮ3 -1ZQ‹Ld2qNvf^J@.HEQQ58G02uY x;J1RgI>-ٙi4g(<#qĕޖ_WP0uq @[bWdJcnV؈T6e?:5P?oW^dEw2H%&kP\~X!p| @zK(F\ٸϾ1{+,,4:P(Wm]b( ;?:*=NoF~"gh梜$LLca-S]={PPD>#*\3$NPk{J@SGC1OPe%݌/B!qt@{g VU:=fp b/.?J gI#MxA ,D-RjU gg0{J\A>N݂,yo2Qhys+u,+ T3Pk+9MM r$bPb3yt'&Dd9m\u휩!CRI:E j0ߏm|屮 @tz H2?rSOj&&2%{΅1Q#I˯Du4@$elnwDtnr| >[WC3'@ nu +PM&/xǚ{xS۰gN?g m\@pbl(ccXNY 1$~;bʆ()tpY< & p' ,y0]Q$&q,qeZ1/^W #q磶gІ9 tBiآ#q's&z;[p<=O8>i* )sP37}cxPg9O2\P1TUfB{zض (ک-#{q0fy&XH_ Es\@:^}@\HO?_Mˁ4_A, 5oGTSduW]FI[K.rqA 㰯q ]NԷciqKtpآ HM8dC3޻AjZ?tC{aDctFF# _~ ^:kz@6E VuhՕ4hר%ߓN-Pq[:aeak,"w b''2+4hN*y9r~zBJ3D,|̓@m(y ^73fOiyNmx+-PLca82=F~ƹ{PgU3 bsv';Gh'vB9F;ci*9g1_ZPsX~^ZyՌ\`o-︌Az9@Xl\$ 1T uI}*ɻuZ\ߊtt-?/@0D U%"݊"w%a/dS#(o±^QH$g X2Ej|ܣ1y @fN#g?suC\2.o j|nS\|A"8}*hA9?s2W48Yz6Ugq59GUǑ'ЎӹqRWi!^guH vL4^1 'LZ;PXyE򚿥r1E T~e7(KY1M[cv 6?pЙ6ٓAmxmġ_ȄvODAh2θaGP"eK^jO>FEdܠ^,.OY yP<Е7xu/!U>vz H&02d(nRt` AyPx8hcgy+~#sxLS<@)˛5! c"Rjƃ5Z9[mڸ%I2W;2w<$߹hbaT``j-c~Crb=$p6^}qף f*Se{jhiJf#:Mk"E'{`5=]=+L[Qn.)mvkr!4lN:QYؠ qjN*gmJ{ډaXg3;{-\(@]#s Qgy+/,I8{woѭ\px-]Y% 1`TARhȏ:R{i= 8.|.f}I([u]ԩ5Zg:X tCVG$4&p<2| 7$'},g4pOv $aM mB9;o}&ƯH*F$$ߦ:˯dUV @=ۑ07k{2<%DL?1K._>qK=(ëm''ȿ&^ӥ..:Aʾ{}MUp,ޢ8,Xۢ9?n=_8$K970\%qVuڤ$~<Sy~LYHjLNts2J]^Ia -7æf)f ]ɱ]M9qْr;Xf4oJCeP5kiJ=GknK3^1E$&,Sڏ& ꊱ4SȊt=ss /qW29&4q lEPS;#4 ɉl,h+ ar9NcS<ʖVsQL$[Jja&6+ AΤ|3uCPRDR% w\ϻB86zZ+ڰ< Sf zMg.G.F`K V?$FK-BjލJ[R 9cw>-/yhGsl۩^{SVA Ě8T>o1z(.ka WIghԃQa{*}3=6%=nhk_ErN0;eA PO݇Oz1W7n>[W~)cCRuVAy&Kٲޒpó.zgHe3-\g] ;P-Ylm)R.6x TVY0czTabg/M9[Qo Q K9?SS gɚx;ApNoFP[u1ѧF a.);G_!]|Mڐ9~yToGŬxj E ݗIpgP~:Ň@G3bH$ހSifw}EPw7DOU?D Xb()Sc2=4$].3O~ 2;-Fx恌=2T^ȴ{$SW<0SFy*UUĺ]`pn6*$:N ewy׶!%7㸲<@9JceE4-Uu\+usvVW9d]mzu&A7 8(rK,!Q%E\5ԇa}(7fK״emWGTΚFb)` 4a}- ,k GAn<av0KŘoQm+&\FÇӤbJ98r8h<CnX TPbfn:z$xc!:ZZ<&ɶ;(4TᰱT birEO/^ E &x'eR7^ų=Z4:.0.1cQ#)9P*KX$dZJ/U w)Xɺ`,b^&& v15.{2t]\"oġ막}%RN*F-| 8B =7I_qQ:"! buĤ҉ .9d\QF|k5BR>c}2jˤQT~|-lIQWNů5:] #8b qzh,Uyv:~0P֕.g{J=dcD甡~B/sx*]vuȜpנ`Q|~F}PYŞkuϚ֒@xd͢P) `Zqb9m=eu&ù~5{ܥ=@Ѥ2tZ=]SZgFW?ahhЦ`ߏ,@7mƷJrI/cLw`ُgݏl#Q-M'Flya;;ʩ&)nM.L !@;$Ym7|357T)5LK"|70~Rg%)^go*oL=N>Kz}np$9Q\Ic$ܪ׽Y&Ϸns$N=>:#V|ܩ+EEm>(LD`$μᐄAFIEݩo<_lL*2+ OgsۋOn2i(F[S )5rcEe!fs)ѢHi@M=[k '^܋T Q W߿1m+[TcT\uHC^6bdu8ml0!he>Љ;].w{\3`wprG;R7{ ˫ly*"CP^0/!NR7W `l'┭'#±'+;-,=F$ o'BN%F E3g--. 1%Ē1 }Vk#w?Ro a8Pvst]%[+!J l ,j{=`HVޗ䣵8lAvysۖT!svM/IIt197S3(Ͷ̹^/,svjed QcFHUg+7jlCH"J"t,LBy9WvN3j u%]|P<$эȅQ0lSV"o !~}ۋ >~(h/W(tp< Y\J }w]iYhu4 *Cy9H!\!12g/9  @ld5^1P (hѲ-4,oV^Giԧz8&+Ձ&LuW={7#).)u)VYC*fTMUU:PIO&;p^;QG>U|ԞG5m c zLGr{R [j ? b?ivT#乣I$3c؝69Kpn^?ّB 9Mt$sF`͢5"yodyx6-Un84~)ԎXQK[9@-r*~hk e9 Wa jt*QLjj&ehOu؂78 k\2P/Djd>(_*|SG#31\R 8}9t)x7HV4lgM%ͽB+w%AD֕ífV80eU)2|.;lذvln#3{:L !FjK͸>ۑ [r¸ha5.We[NVv?.Kɶ\vҐխƎޫXgwo*tט!`KE2ytxY?vQYOInh}I2u'C@B}M ZVoE?n/Bbk'RvE Ү5SdRn)h?xDT v,xRLe}Л ㅰCkq3pV뚓K zBIzM<+8 qM6 t3]iVH#3 Xqt?Cu#B#*w7d ӶUZRL兆߉[1Z%!O_bԲS]ȍp:-GAA'O,3x8r[E;Xx?riemn=#}7xWUȥst oHI$Il:G}$vLq(֠&Yb E-B_rAA{:L+aG>MZNMtݰ=gOt/JR;'#XdvHk.tqm#`L8p?C}^CsGHF)Kn2nT$wn$GPJu8$Ÿ:B$1U/[}%Lj^ 4qkv πd,U/"73C;FЕ*2؊UI?KH7cm':>&2oys 4S:̩Le-#ԝz5C:Tt6!Y6!S {8!ocX0#YpWkDkD@VF.UE%/&?9A˜xAX=Njaߎ#vT[wS^>TgbΌ_&+ Sk!gO;eNcڽ3^dg>+z[1QhA2]g5NZrOsUT:t ;gBUl2*^n]z HYJ#wFլuM"(;Gh)M{忂w6+٫8 R+#Reݼ-Y/tdMj:6)3_MQv%0֥O o%k>0Ra>~Xr%LD;րբLM:*d^=9n&RrS=# Tȥ=N3V1}e}O*r01ti؛u8v-;[=*wm4}PyֺNƆx[n+j!*hik]׷]zbA]+G=b 痭^Y.˲ O3Ȏ^{JC1̾=^Ai[S }..UjjYU2"QChU;s8L&x#C*Kfh.!M CnYDL>ߴF=dl%_blK 8 3M_Z~ˎgoxAFWo?+:5fh]FK^.i)-!ȕp$JR"$ ]"BQ<2 %}mU<\c(7'e?*ajP6Q T#Ega-bZPC[{ΙWYerof2k@]%e5},= E( ]XU':hiWƓjZQ=g~]>DXD}6Z>ɚ7"&, K#X)zRuiֳCSū6{K |hdܤ>>7(ɪ"Tg#.aJtR+=j(fcAb<h)XӬw*٭O-H~ ( sbo58םoKI[thl~QjXb˪k҄{uAZ 4yM׵V)I ?sҋ|ELyFĻIl.v653 (%I f}BkA0q 68b%90wC z/f}A;yMeOM2kq8{JJ0ֲS0fʿU~!Is;c3x’I.MʔO4n͖x|Dmk&+}D#.z3Aǒs&Bن_MEqE1&w LP ˲;Uʲ$.`oA~7oGsC9ٚ.3 e/$h-۲<&P/k"NIjk]U<]5P$ʗ~R +|st0 -;wXt{ƙRYe toȡ&<"rߣm9yw"܃!42E-0ZcW/OU`]P)jL}0(A;=Be7{K_(0кd;*loچBnCea R o6*+FTǕut.LB}NgnՓ!8`u{1;7iq;IE@@ 2yX> ?eZ<I=/:(}TX CkFp?]eq}|tN]jn &zϫ?{$æa c<Կa0|i58ij':ɑ~ &-}ࡿ6 %drIr[wjZ1\i7B1N()Z+p/?Ӝ9 .,R  ӭkm2Ҫ{٣-mGoާV i?^;L7_2^P)X{-.Kƈ(nBdD tQ2.~r6ԂZP$U@lOzBT3gKuЇpļX/*c櫓d(γ#7EzQ"T- Q#WmZ'&L|/|>mvǏ ZnDk1Dj9Wق pRS&]=)DoVxQQ({O~%`D,#%~]q@kBTl`֤k@ %s>Q@ GD.>5kߨ2>lvǽ@m5GYk'=¼[!ٻYELF"[<z]' ]θ}U`)w͜eD,Ry`ΧPSALuO2`@q<n]O%s 1V $yMBIYx Od`n%JҮ~6N}Juj0Ädf}8{EgvYEREأY2Rl*W i>M~њDmfCr"Jc?G*IU%{asCCi}AȤLghtp%Kӵflf+ qҫv* [eyŢLmURuP=i_|$hR9,~(8D.m򭭪FP9sb1;ٓJ!roO :~qO`*#!-+=VƁC򠈛^kG7Pv{'rqÇb6Ξb6kTNa[xM 2 S^X875pFVk>kJu0X/u04' bD+Ĕ-!=jSѥfRB؍--ƻyϕ E*Jy5ʂ*7u [08JT7B,齵j"^ ]|j3ir 5 ^t FC|׀SS&lRg5!89iSC'msM +zu|`.`<~~e]`Rm0KeuI::Ԑ`xl:MrE]%=Xc@z3;mѼew0Q [|WpI P7B~_VY7\əь;bVI-Gr8jYUV|:C;pTgx ٲe.N4#NAkwVv)hրLl>$8i _[G-+p}BY 7~hmsngDkS,8bޜj=JL VB3PN7_ad̻HOȫS|#%~@A>|=q0Q1Қ=e+u͝+R@3{mi K(-"(L &T|ցm=fT*Wv ~%R|yDȊ5^OӎUUDܭVw㠪zڎQ&}d2-'3c{hZB#'ýid?ւ?m>. L7-&O@i+ fN1qazzѺ ݭd0Ll))v7chȮ|i\b47.n<5:p"˟_;4T3yumM'>n w F6vX2F!#TvN e,,^3 ݚCt>_G1,IrdϨɬ,:Er /4dLhT߆gl<X #tdAt-\(oou1EeCrJ.bjGd6R ˯iNjk^9(%KNQNdB:SP]Lދ Jr vw`,ZBqˍol: 7DS&;v_Џ/j&ۤ?U/ٶ|I^BǍ/  /^"ӊ[ko!xU չ~fhUzT(ՙj1altbPFX#y3ɂ2Pg0ݞX,.wXYK 35ᐌmB0LH ˪Gv17j M?DI]_"1( -&UjDsoTd1@2suů,-CXxPƔr4?|Nhֵʢ. 5TbfVr^ M#_ެ"?N#&G;[yT3kyKFfp(_=c&[XYsVޭ t(n4O qI[hKUV!sQ 2lػ,"Equ:Gd(+/|.ObR =RI4𳵨K]OORxΉ3x_DZ(3_忲O;sdıLh.AY]I|@i,/&$髢̔g6G[&h:bO.PNcro/4Gʵ\j;Kӻ̣'C-0 |̏z>fVk5n8:U//&i}c KͼUt/tq\9`zIHzH&wdˌ)˃``o9sBc[=Tv:#Pm0\`_sr,]Pӭ\!e 0toz5'u=[b$ADΒkl͆vő |N(Ćv m ۖw,ѽyB"Sjq54vV֙nLAp/wў +?Mϣ4j'74 ߺzQnsR>6R+'Q0z|=j4!&:kfU9g"gpM!/ Hs+ThdЈLRU1Sh%9k _1UDzyO '%PJ~VZw?x i҂XN"H>|Sfr⭗}ZvkGEҀ󮨖3vgA+.3r󷻀X!\ 4*{]\N4lAnG=חm +,,yV#qvo5ţӕ&_]æJm.n"\NپuMjW0,Zѕ5sHXsLGZ f2{j9} A88!YYikRKT#ÄOLd܊kt.L72$h~;8Ѽh%?W"wc s0WҨ4#crDr.,fgL?\Xj1[;La3eAr(wW#1w}W<ذfe#5dne[ >_6.yZ}e#r63;bա DuFo^Y-1˻h2Z:x= w^<6=:k <Wp_#Dd:!j_64&^@pLS1v2hvu=zx:+Kޣ'Ή] e7Q}!fcp>'˧%?ۆacePX0'Fu8O ~.!p i;nAz8 wW7'Pk1fa%" /Hsp`lAV}+$  P 94LTKgc^*-Q}Jtه"^ ZHΨ^rp{qƯm}]mlDPzd|>ᣯrǴ]2Ҿ-)yo_y'E6G[b͂'f])w`K~@$;GSЁre4|6NnYu) »4@R_rr7ϭ+/!;, \׃Go펔5;fBхmu4nX.5{3ۥd;) לvda2qwtg/+ޢ{BL'@]D!$"%ۤd"xUk5(^'bmEFՕj^ƾМv6;ݐҁ=Q':s_T؋v3?o#UsDl~z5 &ƛ Jco'(y4\+*WX橳[XDHL;Ћļ̡ؽj|t8O$Jpkqπ߸"FCtXSkB/o)?rm+=LXﳥKRM.@Pnx84Q8(es7 U޾p'TOȤôđ%vՋPdWa)XF٫$JҞ$0N+= \ikUHʡM傔1oj"0i,δ]K !Mv^TUl[9]i֘ߏND[Lp3|=ghA{NzE8Ɲwm=G' KπbjF3݅go |Ȯ,e#g9܊(^@dRZ18}l1ϊb\k1VqhwnaZ7dX9 DҢhS]qLaeN4f+[QcTb%AdΩ^N쎃Jo\~#D^w,CWYQO2dxBDE| h -KN 1FZ H[+Ol8UH >4Yl^VE pWBPE,ޥWcO> v+8 ESH#8QGWHhPAr\'yU<]( A f }^LOBu! dv}ǭ<Ar|)m~M/;KAK9N<\fF3YS6P s(lt(9-IA?!lW^8 ~ n`tJ)$za`By5oѝl*t.Ғ>B%'$gTJb (:sq+ =P x*FQ,?X:M@:?%v]J9^\3, 51*5nĂ;O܇!qnPP6qڡE{  &xj0TJ Uy?auvijA0y@e䨠Lm@pS@1@-:TծTw  =RA(chI;ΆL!(Ӆz>ʉ=)yj<獐s~S`B׾TK?f2LPh던s>G"Qaxft^_q;&TL!!{nIJb7i5eO^94  C iiA9zlg gzkLJŀ6IϖHWbwѼ(*7焽n s !Pa}¾ݏ^o,kL'Z_rD?B^1Ѽ=lT=H+|78jlF6~(z/zTs)Ö&*RF7Jp}B+,XxI JF^q4>nؙYv|˯L6yh~ũ:GAײwyqN,*ei!nݤ8~0_H#lGB|t!RCjV(9Efiԅ GoxFX{lÅH@w^{s4;OبI4EXaYֿ>+ppX:_E6%ܦоj 9ܽft߻ 㿽 z0IoK`S˷\O7IЖ0hXןP͡޼T>2WڐͬM\Z:X:VRlwbґe49Gcnb="g޿,5BPX>g5^*V }$جG ;[O&BŢV7@oHhKZRS Myc"LS*+?HQ[l$/L!?tCG.&T< <1|-?]MƤsr.M :ʚL3gsp;Pƕw&|} /10žʏ KynGi}D}fV>:cRc{*2Aw577!)lyt\|  {V_yκ>ηcα!7['񕾾`WKB>Ť;qҰed0NDz|1 |ɴJ(|L2[g*$( 3"kazqasӭ?1sGF5z>gc!44d{xl<#R%1ql=YlS,IvgY[d1zi ISCisH@z|GA('VgFS>M =G|EC݇4,]"Oސ \\yޫ :PFª͞|xu9$S|Oi 3}̋LcCi0&&ϼvQBi]B"\NyDKp" $ohF=+Vn".RGZxTS ! 4s'6|GT uw8?[uNi BB"ݵ-ǙmI[7埴 yJ\" :ju%El¸[;UXb M{/"xxɈemߓBh[b;HdzS},P4|d̋Vfzek{}#pa(\t;TɘOsţjn,t3D0͏d*l?$`lj QlD WXdMONtji:=Q6T I?XQKVH gl&݂,wMR/%,6suTЫ3L00Bmf5xEgN=PAkZc Rb0Y"b ȠJs NW4\6ϴaQ%UjuD`)F-W|Q?k ڠd %>9Ny1 -Fa ŐErb #%@qۺy[ ezA{߿=cz8k<ːÉ^21K ꘆi"@P06)A )zdGߋ)nX%aņHM͚Kؓ$ӏꎆ1zNaE"j|!WT 8,ؾP=m / Blg`v:"ɗi. ‘@kGF5\+2 7z4X:'=wkE@ϔϯ ^VЖ;` NJ=(a1Kɕtsppt[KH%lLnVӫ_mwEpZ!z*^àW1}C%\' O dGbtfhqj`M~G2:lxZ:# _m17 "Y|a ?>RP_rD޹ux\ԇ%A cGjL %Yy(+̠ YJ!=Cː$idg8mA&wBҶW' Qg̅]w~k0t!& m$xjv50#GL=ʛ#w @~b#f lȩn!l2ATIMAc-G,uv6jjvO Zl[l~>ã Ҁx讳F,A}̍ 8SI.${Y͍5<],A{8ӹ#4]tUCÔ ED&3U^P}(+"^He\&*r,9'(փî]ٍ{+du;$@Ge8u);3;hT&̘17`аʴHcTރDp-3e G#=O$nBnٺIP Cܓ:*V0h@,~/w 5  ^q2 T9 ;! y& KsGR?&:WAݦ&8”#0** IhL7wtJ\R~OaG B [V\y P< G pApo4C"y1(2{3Cr@y:JhsJ`YaPqU*>mw|*,H2%%aXBի}f>OSwXZ jz7V|egyJ D{Ör=pCճ뽞&R̰4 %Lbg=~,VZy:K^1oE-5OnǀCxr{W4uرw~e&Fy#qOѾ!ijӧAuFv9. ʗ?E|DphiM|DTg@M5, 7L}76E1vL~5dزیOL9 h'n@؍6_scx{."~Oa=3%LI.]kk(@h n= #$WHFqdף-mVWU!IF2x0d!ވ'I$5>qVhZI W |ڪxg {i17U8+U;( ‹>hsFF:RzIQVaL{)3F{QI`O/;,YijoZN )aQNL5?i39HQK _g¶;=+S+a~AsN:݇w.'DnVX|bC, H|ensnR 8h!f{^8疎e)$T?GOkҀnI镸4m?e3nl3ć5̐;AyNƗ 2E{T@jcz,XD{~ 6h%/c,/Uͪw_j l.6TOHAUgT %NRA}eMhIUq[F4Y^hpivz! b3zxʦi< !x4nlId~}vL,,`gίF=3Έ :_t4 xDeޔr.Q3 _b/a~) AESXL4U\c>۝Jm= Hm0a\Qଡ:{Y8-YQwfuըf!Zޢ Q0YsoZW6]-ҙ@ _ucsĀNg wWj=}or-c 8قTCF>y莩R3dK?ňzp]\,EBÙ4S&HfRTJG,=zW ۍQ:Q5wĻCZ>'ĕXd,noX> _7^$R~K˺sI7X ӫB)X)\Diz\u%wŞjai;=K3dm=T_֍^ԛ2⪱^`6诗Qr _$R i ?عqӑd*1U c)ICu>} 5NB ?or# StQ8U9QZ1w;w>?w>:5+ɶITqVqHZըV ^#?-5CHz9e8?xSx285\ſoݡBb["Rvvx:o6i`ߩA\?B05,Y87B)[㗱9ow?O-eϠ#"FEjB- VFռA!u c{QQXk* b:?wIҭ?!M&g4>qP3D^)Q ޛY gd%մ-tܒK @U$mMt@UȥT3tAxC a:3Iq|7:mS?B`Z"@,.,`hF\nIj>d?|3R$=vMGmz˓z} :լhݠ$ 7ҬRrl#ľgwrW?ZTQJ!fqD6s&wK", {lKzl\ooA8VRu*ҧ^ . ,^X&:FOـ%Ľ8n.'I<; I31Ri1p@do8 H8n0jvFJ5 8GKM*fXkCObx2rP^ף'&~yBXNʻ;\`.Q = b.94õ)?r,)_fP}ws(IEK1K <?WDx,N8m(3}C*LҡSdLgYa(HL*|vHg|{ H}ezae8Bz{<-и@Es ,3HQ|@L '>/J\wĒ<+JjlM4yzOmTL7mä L,UJjQjoۺHTs]ArG\Hg!x]ޢ&tAhV6 m)!<%ً&Y%3ʰbX]#|$V M WhIH){p/+;y,Xx >j;R0Է&*l%$_; 's8p'{ 4c4x=V O,+=Xx'Yg[ r)7K|Z !c"߂@cb>\8pi~5Ca VH 8:p4Ԫu,hZh`m3b#*o>B}3ۣ<갿' $wl& GnA?m9й˸2[z" lsdk~I  6'Y#i_mp-"E-l9)C9T<~ E]Cق5QiV[9y! o 0i>Olx|n>H&Ƭ'/yq /fx/$|0mW+|h,9z_%EIuUU)Hwc#ZV,| _[韡:bfӀu{䫖t::xXQ|;n$6s>.W9]MdXz(*PIүoetv갖J: n{\;'.0ђifdTUJ=;Eu{`;F\d\[YoMxޑw̬^o"m=:'rL0xi o|CJ?Am TyxJCa\^))/X`pt AU< t_@%v?O#5.d|Ǒ SyJ C³68йDSmN;BPRN__ 53xƮf7Ϙ'ː9_x;[Fe&2֗Qf eU_BZsY۫$?IsZau-wbDxtYR HnֽcV؅d'@s-rWMչ_9@[\6zIGHiaiG󴵡zu Mu>j]J? DH<3 z3tXW* /PWR*K}d(΋ sif|sXuwNyŸ]p*ɧ % N^ I#w-N|TinP-#'pkq^Wěkqwᤒ. v[ c7> ?X^pdUS2+O d 'ITA0"/9Z}1jtOXtU -ʞVJOA2ZHp>J5i';-Vn˸I/G)ӄA4cCa3 :?2wd8 hoآTR; .NrTk{ެc`VUGBWBt`CA:?İM]}mbb6&%f'k\#'P^=  d\-|pV 4G:\'_ w( Ӻg,Lc\);-4B?Ɣdr PDcϛN5Yo{۟9- mhlFOPqf$;7\z; PP )eU0a mBđt&|^KE;ZZ9=Y:0ۨ *TS< (пtο7ܱ QaT6^{ukH8P 2r P}0kw~qeRx *ebh,3z9}{"&uՔRNK1iVGYJZ8`Qxxrɲ[Ynf6Fp,I7 efO0DQhI]q*iu '|>?\+ +0`5PLIF!w\,uWa<ܴۗV.מ%/P➪^GJkyW,[!%ɞ)ʙ5@LՠpC/]?"$枊-iT{;)+Brtf8([Q)mepTBE"jf*-4 y ,k,J3!WeaM` gZqyģAV-ZYqAxyp@LF#:`M jh\Y޳ 5`Zl,sy6qVPֹr 7!ݝvp,iWw,^^JlF%}@'MdYOኘMLH@dC=4Dsicab▏mVp9U%_ig~a o<'iS\3lU 'v5z/USC6f SK#hxui{E#XI*긑﷯ם7ߨ2e濶=٨.QDņ+V >NPT6*؇]Ql+|Q[JJA!1HWڴ}#`d($Ԅ*ͺ, ` aYV4eUDٰF\֮O-@Ts( U(HJ r1_!aD4mn51}3{q1yZ3d\7†-yY ]wGy%-?s-4xiDA̡J-9ܦ&!Rkex(U+1TjKU2\a[9P܁ZRfHi<2(0Մ,:cWׂ9T뜯"՘5Xy~u#43:X^gzOq2_㫒f͈D6 X@~4)v+P䦈csg4nJ:s&rlAY b!B7{.S|Dcc|Hz16mq%🫯!͂ij$40جպ'@@m87!nF=Dv\W%T0*o?c^=#@r- mx7zUN镱_Ueݬ]'A@/HAmj_#zE;qu ך KXc&q,_I׌p7S:s[lNE-䋑p$WpHW^#6s5v+&[_+1ɳ r\|v$R-7ndfl41Ozz()F#NeM hwzMă/*9$9G%09AQ4ùvM Wuw5uZK]S4 LQ5ъxTQ)!n, Lq u?NlS>6POEftVtP 綂Þ:lkS|y;ouD&'Ʋ&ܘL0z7!g-Tង|O߲\"1:l%kc%V]ds[XޙSE<)j1ڦi]$Y]):>Qn[Blqs: U#ku1Be̘%d apV{z&y黜L@rY(?.L%tؙf?WeOLtO Lnn-{!Mīc@[`18zV.<,}**(7/$,6Nz V$i6C2޽_XevBjqwL3~)>h-SkE ;Wי3u~;l;'~_nU,*V81͍8^8L#~68Tl2SA?앷R[DQ́Cƫ~np³v%AqtڵPaԝ̬!hlV O\7;m౳f;j@*r?˴Ͻq԰θB"YmET0)%T)Lub -g\uuw D5os_ΕXL)?1լ{ 㑹+˥,^tiDO*k"J`30m)[٭iƄf;|gף. Mi7O_'GֱəKTV3Xe+< k#S—G$#dTXeg͢\o^mrpoqL%".$6ww0 Dz7/@q*iR}QSEe3iʅƃ/λsDtADwhЙiVVRu7D A,1d:q$ֽc0 ;&>HJlA6yBfK7#kϧ%Qq|1%59` l_)a)K"Ue$e&CEo,:t1GFYl뇗 YOuzo"N}CabxTsKCaPz%Qٻfuq]#q oj2O_79ܮIvLX4umM?&>AEψwD(g!ZH2P;=&!u՛)~Q Rm$a4~ql!'F8|Bz\z I3s`fh9lU?1iKw\F60VO:}l+F9\к8J RL~9 5`l/0s r)r}ߕ(4V0W).;xij:s@9kL{Uُ!?_7m\U YOiVT!=܎p<Łnc4C/:ٶ6%WZ }P`FE$jH.AWCU9"ҳtV4y7JP"r8]VQ7`?c E474@W U4gE^vSVCf+(Bb?"rTejiBE /ivrdedΖ}3 "w+T?f<p.%ml[OGkJsTbID2` p~”_?{&Q!kU*eex݀ѯs(8h_=p,EBH4|G2jfV4:>@:eІG=+ͭzy)wazb ^#J// ;!#]"DA4XǠ(EC=]!9pDٺNz4Q.l6;O{Oi–8 NG5F+ǝD.3e'G5OQP,ƌ;3B<;:T?5qB~/ČYtjJ+[Cffvӧ`wXD윛wwJy5fhgp(t7tlnǜ+m,Bz|iP?*p=+"L4;{#=BX\%9UDh#WH}t1DL4 1F;Q*RȭwvKgNy|~~5|Y"Y~a0ZE $twl e 4\SHܲ<sq[T&LQmHeΕ$6(܌ހapd^=1Ė `ζV!|/AbUr7cKEy5oX[n=#Gl0-QK ?*+1à8Cx}ǸEnжQv FI8ֶ }{_~g0]>XjX] OI i4և#T*O;=9F'^+.9Qun.ʀ.VW'XAb Gǽ.DYO%LybJS<(V&+U!9CEˏ|m~y GP-Sm@@}vNŠKS/Qqn5rWU$LHZ-(+ReA庮8ҋT;")+?G԰ׄBڍr^[L N)ezaL665 ; ¶KrHAUA1PգF*]l\)I,ǵƱy G &ƢDkZݹ0˜BQ3B;$uJ6zلɦc82uX O rA8Gu9!!8GY%XDvt`k2FssڞGVYЙwOav'F7:]ܐ\-̱{8i\,d2:8<cx1n8Vg'54o⽚@6"QA2`Hk%vJAd$1h1@`k$u>_T_1*J^¢<_iO'n#F!d:f!(Ct݉l}ȕaNI%ͫOkd~pvEgZ}֒*q#xHN@YŇл:Vl g=hnNT2W,:ސ+$(RiO=S9*~ʴ:$7D6/&l=W>}͙W^D>pj7jlgФ6'23WRiF};m>rR1g }x]䘉fzw 4N47j >",6tUP&A{dN  t4YvYd8&H>#uwy(!UUOEl.NY˲RucyS5Jt.ԡT cxW; ۸`Ի=Gx"E0a6X<*)ԨoѲh}hz/mk_~wʚ0k P㶇uY GU;.?:Xz@TIi |9z\b ;"(7@Y ?˫:z G 2.v [p<'H?$ZחۘSaoh}۶|\9 2hN o0u)%rNU4μOX>h ަw x\wd6Fd@pEϼV%ՙ(.2}8y Mkۈ &Լ[U8H5w <5-t˯P~[K\-q6ޕGOnRGBfkO?BXP|:E!&4NC4̞j^w[ڜJ~-+0?@NPcB.ӛ?\+E|q rB]I, ŀĂ\3g/.}m gXEĢnòt].͸|%6qN;~ե9!( ?թO5qWZ;x- #.=±Pu*1a`4)m=X }i U鿈ՠ|S|G K%RϷDJ* |mY eP)#^`K!SMM=%H3l%>|d|B6ڈ :F߰~aol8 +I {j2Ά玜' ddy*=Ch]9f fZ05Z{ mml= $1 ]Iqɒ??2IqW͖0XȠlh^iV# rAE $`ʟ*#U_qexbןr#\$ʞ׸<'k0%"U|h@a4 JK%+u_w:V ۈHχ!64i,`E(l3wrtTRR5-:DBf8LkUcS2NYU ,GE S~Tc/'{N$lB(cއVHܴVBgbw%"B`"|;:%T X)Qi~| y+!Jq8Z,^S+;iZ3X[V_)9vY[@dqN_u5ԇ"!>oLG$@VcC".q I _1 75)ËKWJ|-B ؃l rᠱ Fub۩^Xus& s@57KӰ3VǿϤVU<ito=- oY!:i/ 1gDtL>L  tszḾhʫ h~Lf AEBU|ߙq#(r^^6TU$ Rw菋I 8'{s#Uv y׶4'Kя"].|0B[Fc$t8`/6 ~@hBWgo n/M1m+CbdRyO]]mT<.m[J簝 Ʀ)C;[^M)nOUKgb<@vvڰ'FrR瞿(KwNDմgװ 4ͥc<ǢCA7ז3MʉNHB³y B6SeA'W/XPE??8Ba2R_썁3@d<OG^9cqPJ@[y򯤙u۟FMZ{, YP3LJWy-)eʱgZ4G,E\hs_bƉ`r%F-YXۤڐ`"DVp_&0gi׀?qm%,=7Q`‰9*7ģ8xTwܒBȴ %KQ25~YѹDg5mz>l;@O, 3oh꺂6𼍽Z /e"Xk θuPpfR-]=Q]Dcu8Gej-H0S_iu^f&=7B-q4KC8YsR?U,eS6Rb QaC3II޵"֟QeO_Odc@p*ͬZ)s5K ,0$tW)zŜbo3mOF ,@썵TΜz-(zqxYw-%m?=`~*Q Q6*5.7),R?sĒ)^10Ȕ[|Uav~#0q(/Un: 9 -m:G86Zlse5Tݏ: & )S0_oIo /Gfo.&v*kH4D,dMqD1/f9U:/QE*2I'Odw#;bC %^ݧdY[[.2$"k0M[s%Fbג٘@cՐ36@$T<-Ҳq[/ ֊q_C}ܒ)cՐp_N ej*!~Rj% xN<]^ti,gCshhqiQ_q{jM7@(,q?GGi'VA>aD' ,!##[~u«{Z-BkKc#^oxn {2IG$xrq9W8!z)0>B"/u-KNt% TO?b­S\R2d Q6Jc@X}wo.hc$.[~L2Ԉ,CZrP;0hh4+ xtU}i%F5 'npN aNu)%*~M2Zt@WZ,o+-Oiko0/72exQ#ߊD ˰;iki1N%Ѿp|ڀTڎPjQ,HJRDL md@6+c:83oOn<@(0ZzW8;BC^+nwUP#%D֙ 5nm/"0.Q)8PRv5lIE3 @|"ίuk{1-jΏDb|S$D I.qbJ2zӵ>3?:okFPVcC{p?H$P ļA7L_0+]QqEqEL̃:ֈF&n*1' aļ\Y+U$^=>S!G!jQ*G2f+%K(>SQrZQRccϿ@V|A*{o3LbM|q0OFdM)sY:I2,/fOTV'3ԼpP\,NۿQ$6lB/9_lAc J(AEB4Z o0[yvBy@xa宐]r#s ;TOU5%ޅzG3Q}F3l4.tKc]7Yz{VUBH̖Dl|PF056KI[L鮂mJ'k3&b]JI>l;,Od5%=q,^ʍ\f`+_~h3XHtzP ?dJ:y@ 5 U-ƈA(Ϲotk4W+x< Ⱥ@zTxoGJ4\碹<uJTRت:NSNRp_YBY+u9p_p\lۂ,UQ8כS\ɑ,:ϯtFrs fO v !6<GtIC,ι@3ҖNYlbL6;9|!y:uY d-&B //K`}@)/bT yY`c̈́'9L7g2P1yPC^3krh5nV?M qz+}}$QWi=6"EcDH[&+zô;-*Q5}2$FCiwMtFV#LelII1-S)RÒ̾0ƙ_XCD# 1ڕF="w[B$D;5 bN8/(h 7ϪW yò i+#|maX` ԹeG$C)ْ/q\ZG"nqaC !lb "{ #ϽMW_;Ib[D@"n' [By@SXG_:{(}k{3iB:&/B 2d9C|;{(uPSgB\#PUkvbpF} 8XMSY#8.} 2Dc<RdOmP 7XM yڟ?yEeJcrzr". jB 1W=:Y "a\E0;swR8;C?NV_wB_[:n}Ǻ YƪpU_6c{ռjdprl38JgA mgVf՛ONL8VЧ:o`:(t&2=) !}x1+`g`{ ~1 n"揑~(*g/]DDQ$a߽9/mvNւPY9st 01nTSl$|G 2 &VCb\̈́ò4ɀ:Ե[;s 9qм^{ȾEBOku>(hR/vQ,W@LPEr:cS9:yw׽#J3KmP+J ?sQ5$1n=̬AzLX5 #vEud)&kMw_9YpRTò?f&,PD7k~p#pX{!OhpdA =EB G[/yqK*w(ڳcUkeqRq{y1X1'=)u0S' OҸƧ"#}lDVJ=Uc5 OzGt䀳E/8Wu>:1eΚ} :H% nό QhRf_zlm<+%MD1{jTwMyyh(hb{\W-I(K]|W(xUs;~ą1Duoԋ4^ynq?v6U R f*%ҕd,#F=;mXWA(E; l:֬ 5NC;q#A{Ġ[ءW5K/1I qLT}$t=>.Ġ36~| />DO *08Mz-y%F#p!}M>O,V-O%DrP֛qWsUy\a:Ԙxp7>ӜaMgE'-q qL:w_&0D+@kov ~5Ot70:\&J֖vU0B=]ޒnYX:N\>9NUNs%\eJSĴv"MP)f@;m(Q2bY )mpIysTXŵ^!lEd+]<լeHu _%ٝO 0+*#DtKq+^>Sn*PZV0 {KW \ÝYIf`Ŧޢ!fD,:! G~ V[\鰨DRSv!9 3 d||n}-'7D &7sƩLs}ej7K)lc\꧗8oA2rLi^L [汛`6~ww71u9E!g[MP$2ip4".gBNG?ˮb6-~Ւ0l5j\] Huq`Yin*T}5Qm[-ɷ!5(lW)ETyn,U/y^+-~!|ԕm5xsU~=o!eC4Wx0ChRv;qxzOuDR(:3IY[lCk`J.*sVֳym 11k1o(Yި<ɯ$9%΅]Yީۄ|dz<iM!B>7JW 7Iv8@Sd4L[(+flϝrdV4jla:X Y&/OkX} F61iJ]4cYg\nj2ReF9V(r]d;䨍&J Cݘ=|KȀbߖ^d, ӿ.jg?|hmm{:HCM0C/jS5~wgG!woڛ/!Zł1R6&cZ>s U=t(Wd/lTXfg4kP <ж1X]ey W{$ˋXas\Xyo`E/z~φ^"߾lv;p^~y=0_7V#F7{fAv :Rꛎ@+;8M4;>ٸw+mv$@rt M]ҲsJgA?XGYhO*AIKXyhrKJBtJ2˰1ԭLx[D;)գMw+~b Ab)+ӉێasnjOj,r_O%{t\! oXoG ӌl`l,k ljZ:Kj)[h228<@W/ V] g<(;@6셆 h uT< )q5DT&G*vݿ@o}ȫX-* ǛWc4hNu? N ~%r3tI])|bt`8(CםBV [=y E/ryƼ 4!|qè :zIF^QWnX>DV@QKFU7iȠGq۶Уw1M-}{ܰ;'tcX-WG7̮f|&v7V&4%!tz GoN6\%!F 6M%~:[S #-6ac +]Rz튪W- aeZ8:oYut=c]&H{!ln;!%eE0X2ƐOga] G$OwuXF_Y|3=:7NGl߆f 9w Ƚ@Xd!֩,DN(4ũD.A!ԩsz9}Y8hHl?50!2Lɭ#U UlƤ!`|0 iPvī26+qa[ iLGenj#4Gͭ]P]=/$m* p".\%us ֭څqg߭h5x~mj_|9u<.N&kO$<5bA lٚ¹&jUv\7 s (]Uqdvm38Mdnׯ 9td\"LlրA l"+Ւ?\~IXGnr9_<>y臲2i)+rrm]1t tz2_d?`0 {lAqnQxa!lޫ. fm_l^7-FnRft*郞tܹE-3`wrhHӬn,8+L/Cp$mtSHn!" y] ݹz{/on0xy|hn(#ݭٝ02S~a_Qō ?;—>—,@pwx}ǒ;ex8 nL\4H2"$'{q۱#by_171g:lx Q #9,y'?KhݰnjތrXx}xAViYD5euR#>FJĮ;2ĺ>&tZ)F7(X{F/AiZWG~C6棡Ȳ@ miB=$.M%*4Xro/8F\FmnnuϦL~ec'0SbQ[fTOT*̻Qp27#<=4 rU F]!4^A+#̖q#h@GfE+Yf,X>tEG˜<-0!9UYNukxZVy)C8Qx_0/1ԗb!Q;59="b運/&_H=dc9 +dn;oC5u N1F7_j sXDBH- \ É /SΙ*j]EBW.En..S+"^4q?ap{-p:t}?ZCoY[G郟 :h-t&D#pAlG61-n 6'Ws6LrdA]%cٙ\/BԽt6Q-KI{&ۥG 5lLXfƭwQc{Ϋ^ͱ"Be j (o:%NJ/vX1MV:9}Z\0%vrQ͌Ӆq'G@#j0yHTPi|ҡF瘻* J^:ZD|vvICԠphltȎqݮ LQXxo7 ` opGyѱV}޷ sD ڡ$[[Ek/ЍqLwvfǚE&^=4 zf+#'(ϭÑpaZvM;)C:G])kSa$"E"> |/e&d$]\yJQmBMd'&'ĵ{!ޢA}}yx/QDPzu, 0E=F%(@r+Jsv=t;P%gL7rK^ZJ$teςV1FqG667\K|=_+azPTH~+{U-O+-u܍$6@`'xܞD =K91`ݑrXhg׊62g:(qk4,G~Њ (Ʃ:8Wb*;\÷N!frG LբAsP])5Y"A={"F%'6/ 1zPYJ.Vjmjs;m1^L,"G3CYCh\kvYflTX=tH%#*q$R3 {D_{(Fe-zEmDx:|CxJ{O&>#U.& Dp hWgK/[d /9hg/!X rW{v4 Hu Dl9Y `0 o|Z6`AOKrOv8q,4ŷѺX=;(bҭu6jsV艍я@ \n us[; b%3*p|R =#=_U!mF.[}X gFƧԎ\?`?MezS~ɃT~(4]ƪBxv Z.$b d/k),dk~oI(tؗH2ҾG}[kx”BF op-h9硝a(_T7pD^[5F2∺~5iBljgguHI$Tl} r^`,)io&mUM od{tѝsL()~Ðդhdk.&_獑 K +^kj0F~ViRQxNՁZ%uרQ nUu}$|ǐs<ȜPws+W//`.M&9C*) d"LI?z~'S!O+u%H?Db堣`lU#*!'ua"-(F qu7^!4-rE#гbW"f4'&qA$Rm?㄂~;JĜu@z'h#ܓiآ=~ӱie!yOo]i!CA{mW5U lLI){<\su&hhGvYGΑ+naeM+W "\Ȋ+>V4J5_ oJ(]Dz8Y ,dD5ltT4JBb ~^J~xpڮ0Z>zš;HXf&sL<;d -UVY((%XgG|ԲDó[gCmTQT GN 0RFw @$|ܝ6 GS\uE.zoa>JĨu&bgҡzv&&tL14P-#ϲr8l!oQK,'5r ;(ny^ rxx) =jAZeb؜=q!~4@Tky* omk!5%\QNXёw6C n a 7-T* =㡍l]W/AOx#C ` !TyE\k :ﲻ! 2nXt6OTZznq Vd|HrOqJ*곹`+zɒ)9FI՗o&ygEp9i@&t$1h(CnU&c&Jݳ? Zl _ؚv(׮ \ԖP [ Ǭle:ΆiŌ`@гo`Nv' t-ŰGIpO9PR,:볻ȡVGO(ıV@dvlS;;'`RTB|nm\ u^cւGa. / p:V݇-솊.[}U$QeRX0kT8wT1 vh$DM’' ZP`![.0ºhnÛW1/r1P~̈n;[?FҒCCxPbO(ȕk9mҀAw| dniLր%6P\in7Y{h8&)$eNbct[iaRHM* pbf8ä Ƕ pa{C4O1ħ@77σ??G(:n3r- EaO`ąTo.X4C-~zZ9Ƣٛˍlܔ#>ڬ<:%T{ޮк{XaPLS+[ep@V𻠊:q5{|^kk?@{mr뵙χj~;CD+hoEHfLHr܈"N%-L/oȣ]>41EZɵ \0Ě8& )F8L//kO]ЬN?:p0О~$7j»pJ` .t$D(/tGx(@F8~T||m{sZxFxv^O=mlbMǢc:+GHiD ߖ # Ŏ!ߕifl- Fý20q,5}ʪa_a1<| ]4Pnp)a2VԶ`bQ tpDBx1 {dO|"!ǚ CUj?^58oA73NAjݴ,0FOuRsϯN Xw쒞ca"\ Jvg:#Cq3ZZRd"}5Crf=4crftT$z^L(Sr1bJ7l_JV#b ZW.lWs Қj,:kh'")ƖHEK> ۲0 ^/b!O|AF SVl;-[B_T iUً>'fT8%l|zU|5~qzs[It8)?+5@xh|DSX.*?BA\!g7DkM'MdYlN8Iu`{\!v\AUH;PX`GnH,Ww˶<_㏼A~;Hc8N۪q>J6 ]o]&!8~we>.-FBN 8$Or]2/!|bzt=kij[ÿ7Ӯ)g 7BtXRwһ9{ԴHtDe8cOUPz^⣰FSq V uf#"YJ0TI\Y/riv6u.qkTF4cA6)Tq8A)|/LM8z$xFЍ_Lc qMrFlXXݔtKgƟ, S嫳G?t*#d+ ,ȊT; DwXXa2 ♔.w )ȏE mX$IΜ"^#\E@@p Gc8tf DТ&&^v<b0&S}s31 JDB9A2#k7ǑFXQwޓil>b`,%ywx@ n`[9 pJ -yP/c"k{0N6A I6^g^#Q)?{naކ D 0:Ӎ)xp7s\>J/9^'B`]0]4@oN94DՅ3U-β%a5u9-_IOk(>2i#)lж0[Ԃ)騷6\Ip c"(.M[\j"P3d[7f'6ILz!/w*tNCbh KafwHO42wh7y_L'r:ZQޠa)M@K-KU0,7*[ZՊ?D'Т#C <s_*͊.F frJO$ix.&14ź]`7vs15t? M\qy^=})&  ),@ FG{ ֜-,^əsɆ,JZ#d':JaEq!}xYgd7KɿHτ'ImRkj435D6o6A.J+C.#5}6N1*Â2q IG×t9‹6gq)(Z|ΚtJKŻx"tz8H0as/M8M.!9`ي9GU)RM$sFW:n? `lmX`֏+֧1 ڀOr+ECd= j4JBOt89*,+*o ,ڮ5&1UXIEӺiad]RÇ6'ds;mB@ٌitu` d>R%&(h!pTԺ%0f`ǴZWyi"6STo2p2]FY]HvFEeBz; =oKbp}a{_z#\6`Woo]Բƌº9 6%-ڃAAV#-)qa2Pֲ: 1=_S\ьƇsݱyocwTQ84 v ;4x <9Oz)1\kۼx~oI"QYg^KQy}Mn_a-fCY Q7R0%Ġq{4m… ( 堅S{S,>3/Jg@vr@P>5&U ˖"H/U7ˁi)H{d˧0 3weKCT-OL)i(ʦfb/i^ޓ~@u՜e=Pn=zZz#IGjwy9$P?wMBy.̦&0x%$i ?jr_ysH1f-T3gSl7 cJvJt1rw>0S`}T ٲxKBz*B’ H吡Q$yKS-W5P8< :,G&nqE- a(MɄyGH_%&V- 2;OPdFX )}^9ߚwXZB9Y/1+ 8qhUeHi6!ޕ?F/?D(4p.l:fќ, ˮQMzPPB&1@419#~dl–>(Xm W*sUx5$)TYH/evdwc#rF4ޮhb`%TWj4}WbrUE/ގW@0I4z)wSb blo$%#F3-TTX?iG5>bW@DrOTzԻZy^X oVK<^5 8V7N '.?.Wi<AKQGXsBV}X3$yBe`oTb> Q()lDɌN Kma*taF\Z.N=x}7hye\n916YzGp,udVJW#rr4?jW~Ά]CF YU5>`cZq8%ګz-FK: P0d%[gcfM>JN8. ʢ}w0AՋ?2Sk\& ⃲B8j~[Y6 LSW4(i@q 21ZzYd f/)B12 4S7}\COD.⁛ÈN)w;(/7K7ROVSoS פ!+gNhkBOR՚e3Yq{y1l7=:2lXQr1OT׀y F)l-?oO6h35p<3=Zj#z)$&A!ɾi[TwxPHRfC ]IhmPkLl CzNU-ĤwƇ.$tt~X$/yu7[fi*s2X|0{xW8i]nvB%n:-6~$hBp%4R/F3p*!Y/d>^1UJV4iIr; Wَ[vV׳yPRu@@ur#;V{!C}d;f8bC9&ڈ`@Ŭ|CpWHo_S@2Ԍ֜hyz)<^+mpj@\ ]KitK^)}be|sNVrs!v^}F([{ó[ܙY;,a{AtKGzQ *"^+C\-ȟ GZ5(iUݏ|14*@ϗ9uz!LTUk0z\"ٹp2thl|S†_ hU.7rE(L:ڪH ,Oa ׇ0Y ֺ:6e1_/vZSM 71~ĐK&i"V+gQe*q_ eB F 燒p##p e]a4;5]B][K8쪎3R3mEh琋?߁{vAZ{'ዦQl,':}X++;N=1%׾6mvIQI:oI^$/Q{@7WYY?%c$7ٞKs#J_TmR*AHiǝ6Z+CD|$;w(ɥghz 幜ֽ*i'qGW??x|؟7xG!n&%@5H:٪%veb,8bQhiN:V>#"Y&8&֛],HU~yl!<4ϩݛIhh }QXxy遲U !gQX8ƿ˽ch@xIZ!%6>};.7BNbBT<wZ*cgJD*V`fI7l ) !0"}aԼ_E̅&Nv%(9$).)gDN-@/886l@b56x.8F’S N9wX IX~A.FBWe 6n= 癯i@ZV tbnJk~Oq !*z]u̙݋gU6 n~vp[{,obTyywi;PPBTp\`\`f$3{iҕsL%aƵ^+ns/I-3wԉL$b!nX?L|8l3Js@thZ{ø?F;`$_ GrǑOG˰!bA{,ٲΙ\A"G^iܮ4ά.c>ۣ/?,ide*~ߐ0xh*o1N!?%Y +7n8,'D-8/ }Ri Hi>t\cM(Al,duM+ ,6տ vΟ#gcHV[uZnkwhOUlf-Kbt^[zDi} +,Aʾ~3"0Iʩ Bx| K#&FLB0Ԭ>D 1odaj" 'd$jۛZWTw!h ۓ_g~teq$Fni}fw*0)E&r7iEzy8)m(˜HV0_@YDI\}|`&g$CҼevzP7SO/*p9AnֆƖzvS0$ۗb[4HEp+7JƇ?,!ĘTkUb5{? Iuv6VeZ5"J2-p׽ȴ)r@L/熤w?(+ SA+cy*7Z=g>ߚ(o&H mu hko̢+x|MIJZ I̦/eq]wvo{=c۶".IQ45K A@PFwOkl7EVУ=_@j"bc6?ׯ^*.KW5'2]יM5@K1f^/Oauw~@vSs=rtӞ9-K}rN# If$)ͰpyuIQmXż{&] * ]g%|  kъvȿN E/vڡXPQ'I\a!I :Gz!qY5Q7u-ȡIK=6j+J2Rwi*[1&I8AH` h8)RY${>#H&^ vk J}vgjiJBͿ8dDl /7v::rԁMn2i~92 mԣI|u`/ޡ{hsWs8r(֧Mߋ-GHX5& R!/08<֢LA&P!K%R'-M҅%X38']`qHf[RYkܻx~09 ˰U~s( 7,E)- iW-!jPR٬eq iX># (&eNPZj`StWhp?>UҷU-pp@R8\et,ZzA␄Z2 'xAPOOpLͺ{}.F9n8_w=fw+&?sG)b4,nM|muQ?KX笳cV~OyApDx ssPi&3b65oA>% N\?bJo ;zQ3/ŷC"uYZC ` I$~5;N(BDo`xS ^b<,4~)gHkx|Nǵ}*VDEYf܈X/EJܭ)5r{<;ñ}u 4O NPeM$솭ӏ nB,QqYMGj՗;&y <6͇P_ơ<?\{>q#X7w5h-_QzVt) *!E*J̒qA Fz14QlNl+H6⦭2C4ɱy.TYc$bq O΂&=V2A@n:T\t5ޭdՁǚA_o`/ޏtH$6WzX,nXi^"xhA45Gg$ef)iI!oT]\[9g$"oywT9-vNN&f~~i?,YK>ab 9嘡\^Uiǂ=eyدG.T\}xAfhX⸕ˊ8zS@@Pkz 1'EExnl: #HqEp2%[xE<@QM#5|ǂϴDtI@ki!JTcGĬI!_! Q ˬpYgmYWH2޿m1 EPgz߁Ȟ[^V !?侬6Qj"3+L&V3 -zgo Rȭљ+討’Al}Vl1رӉOn܁QZՎš^T뚓j`d .nY{Ҿr ~59e緝t:<&[''-$|3iY|#mf"5WlC1T烾F_GXCC0a_Kf{řU )}PJ l>ߦ3,߻/`1ux{ V:xq!I.;򜀍4^w'U33N0fY=&lYН@ Jj{Hk'›3;U| + D pvװ!@AF21mNbBx?d(=ރE /DG @+AhDMPTpv?%w6;fVG$T85w)KnaOP&D'\XͮQ^ڢe(Ǧ^ĦrU["3~jH[Ad>Ղ͝V\5Zz^Q3YY;tUM X[Tؘ,Pi*,i8KdOO U ńdoJZkA t* l: E;W?w(3睻$څ\zPcXl8*pΓ7U3UIkO ޛ_8\#"+eõt_ }6ΰU r-ҳz?)qlH@;Zh/E.KysV nzZPETl[;Ou, R뵪Pn範+)PwLY)Eu#xٽ65T-_ːy*+F/n3VbHf 8Ğ50BB Z⊮ YD-VZ%k:!!zcgf `\V*PHż-D<} c sUF3 X ''Qu2{wCY-WTXOiY]~g[ O&2 2tmDr#8ym4]Oxh 2W!}VHɓ?* V *q)j ~iW4K;-?uXRm}y!?& `)) xTడzO&g{Xp/)c˩&Xzܲ! \;Hĸ%eMp,& Xd(a傩5PoAt-.hf&5>mrѧli%gA%È߇9^q|V+*tr 9dYwjK|?=R,R}lQIZwDz֭btM2JO5SC'EF5Xxh{/3٧}fՠ5(űGAܝrm i5=HkS\HO ѐIIxYLfyU?s6eN1:㇟0T]SE@y>M GX;aG"lB2}a[F: !iBrgt%x-]_:mVCxΪhG=505ğ}'\`ON9aQ)`ïtm%¹i囧GT@*#42qTH7%s,bp h(`"ݎ6ZZ @q^U`(}O7σV,Xt+_)3eNd:C0M3y*JdzFQfPVTܚT]*ٞW `yLwθ߰.b%šTǩn8 @*pez.rcTZTb~lz*17ɌDWf*cwQ*dy??se@ԻU{](+'lxg*"Ete4iڹ*?bt0+TB6{{"Q>ɼwt;q]0\9:vF0z-gXS/ef8DC9WLXC<"{oY^mW__ j1"sXsK3n z<qq (GR7@6]%1qrO~1ڒB+ܩ1@T|N'z8Z3 Υ@d@J_Wܤ[r;|||@B7rLk8d֢`%_7ĖIiCa76Ƶy?`jC=< _sBWDuiԡXqbF!<djb%Ө*m !!F +3>Ļ_xxh_}w ̻Ӑ+`Ƴ^n)יJm$J& ++fʖ}Ue+? s=ЩiBw.#c)&#̖rNJf#"ɑ#^ gm}k%p)?4E7cCфˈ5Y8A wU2J<@`k9R\fP skGV{^ 2-7˒*-X3Vsފ0.s:X|&0zz1VRIߘjZ/<7]sA%>TF:I!_W ZtO@Ҹ%_ _cvwX~nmlYw - =D討sgo2:+}@ ilV Ҁ_P[g+zu+_-v#B 2r)瑐d<.w@?wLfUC{.JIǎP9B $x\6H+`{@.㔣9JɺyUy̍x]u'3bE;6]hHLRõIНVY{aZe jQZWM~qTO~3(l|KkuUnQewV ۫A/ 8GkbyJNJ!}k'f♭ҘU=B7_'-A[6 N,Xs"ߓ(E,=H*-an=ʲrrGW@dQ8/ 3kCP5^p*veFz@$ӝ*_Wr8HKtee I踫;_5Y3BZI<}YusS鎘+ؿ2Da,mvM4+d`f%lxk໌ C]QH8Ŋp̋m@ S[R.vD۸`H{s W5C}o>.wu`169w Ty/Gi]Oձ?BxSjqӨ{Ŕ/dT{jsތF-&Ej8D0EA'(QHJ>0h{RSG0d'Ջg&}_Eh)mh1 GNe>͉WF+/ޯgAdj+ dJ 2Y6*|ypсI2'0U,9袎$Al喋܏ vg$\䊛5`jl @Dn6LZŘ}rOk7%o*=n%i>I}HQz|J[_(V2nVss@O׾ل[vVB1JN 1nr|Wry8P?*3`"Mm!]7T '[4ѕzf&'1DMw+z(̝}Hp i !ӼB6/I|똺v d9n &PJK+V"ihwsRvp*[Ztx/LN7B\iT~MO6m+-X Y0LJu1Բu+/ 1mM`Si!.I?V })f-RRT&F_j{{DwyrGw՝ķNS#a\# ~IpbYJ&ze-r깢˗d^&o48/xoT_a:k"LkdyYu=8ঽ3*" +\9Rd)hv:{X=,򾲴V4Esog|Y"w^M28-gHQwS6He+tۙuCAD 6.fc8j?sml+ 滫STR 3?ƴߌFFA'^C|cf)?WC:h;рȿjBV|0%>.%(qL.7BfAMt.v3'c+II2}fC'iZG?g} x~;!jм]C9f'e=.[t4nf׌tTm}."NZޟNcdp"m{UcżC^#Aqg e&]ޏ'41.ZLynrwDf]cC49rg`^XΌ `}xk |*\6$Ѫ' E`7RM+qj4ht5& dа3{lA$ g _a.\v-9X$A}ՠ3Y ]$ttg/;@y~9~ɍ11ϲkBz d1*di\g;*dKx路|%PI< 6[@sކm" {Jt`jifA_O3fGMs2ٖ*GBdARLI.kwr|FdQ]I9@"WN: kF\{)>^ТzL?0{Wښ{Cc1ER|GbO\KPO{W ij\"aw^o2I q\ )idop ge[4~ ĭe| 򁧧 dʒn XSInYy'F΍ލ967ƻT r}<<`3)} [/W0:TC7?/$<(l⥺f>&1c`d!;a\3#i^בPaF{{c?t\W-go=Gk5*[L^ qHxIrv_hyP!`:w+^DThj֞t6=J`(!Z܅c3Js$C:Đ^)( ]3N~'<FHpzvC #;&C F©u/Y@Hv;@v*pHkY@ BOATՁ,+Yժҥd*eQ;@ x+U#n= 9vZ̷ ONJ鰋"m״TXy*dEB9~OtgG#.nl(򵼧+dߐ|Ctz@ZpRqG9GC5*)_AvF+&­3-[OGUJM0gcS.?z0$t:x0UrG0řoFr^1ݼ{ٔ.YD SMW&C,٨xH|C•h_3GOU2T/D:$ǷTIcwIݸBNmv6X= x%YÏ2U rZe%”yްE>Dk ǖYAȰPqb;w5M؂?e( VO|Yr`0|w+lۜy- FLUڅ_3?}y,+6'wq3;>(ᴶxO͟SSEmK0vAh6f,FS^ˤzkZ0Ai0̮)ւ)N7_#XMjKH+ Ꞗ.9 m2fZ1ǭ }bi(c˵d`?B@'5]7*ֳ8ˏCZbt52$%zT\ =z_s̟UVrJIȮ)p,5|LcѻlwuZ|i`M)pt0( alXL5~HyaX CXߌOwL!ҍt$~hB2ۗj٫o I^>_it> GDٌF 2kک49}PqvI̠gͅJ68\6G>kO2ɓӡI*@^m.0y~=_}%1]P \D ħ$C<5[R%*5@r#s5$ tkHNZAXHإ8|)mYyGǧȋQr| X#"]E\qDZ".i/t? 1m Pr P{g9Dzʏ+9'mV /r-VdtUZ~ b+˨GSG[HaGJ[K7rpEdd.yI FI1ߥo0O8n}nJ'MxG%K;$nce\MD-..i5d5FX$TnV+U6|OsTJ._L {`+/Vaە_0㓌P+5|(ʨg" .'?,#{;*Dg\H;H`f?R5:/iTޯN(I܇bUǚ\.K% T`GhcNnaU"^kdjj [H\{=eg_D7{үݖRC7žr1kn:bί0Be7@Z\Yj!wHX^L4߾v&f)+̻pa :%TEh˺#dD=ZE7rn=tP\{:i`^6vݱ=.wʻ\lp܃ IT"_q7uz9Ybu< c'JFY'G)$YeҖԃWGhØnm/r_D=]1BJ<̩GB o60UG9}g Bwɤ[V+lH#ZI-dh,!$1t<!\agC4PrǀNz[lfO}:e$etҽ,/OlKa8xƒFgz<v7:`kAM Z "&p9ؒs< -ߨ+X,3@F4i3T"A'n4>+N<@gS>@:ZB{$* 5MYNv>Ƌfy>mmHSCozQk{O6g翌b;4~ܶMNi3oTp S=m(}>lgm O7*GOk>( fds"(_Ai'`';DY3I~^wTg+4 t23⿮jX- (F2Č.rI=¶! |_?uiO--LdT? 7韌dbo)m)ׇb<:{YթxRں3).^'L`Rsm B6jò@$Xaf4Bb762Wj5H< -S93@OZ,WQ sO ̑jڏH8+Aud׽?t" v@ f5kyS3xLX1Z3޴@='1ӲZ<ϛ:z^zϢwȝo+]2*oJ-n;l~hQ7"[Sh#K)1M'46j{ʴkj`.Ǖ"Z@~y羴@:Wh?@|1߼8\<(!G]MUD O 1فṯ%V%/\ۘҝ&['_YrI "-\GdZ|%?F2b*Y1>CxhxMBVWQmprgM x eq!pN%;a|}3 J fG}+h9UH<$uOz\LV;r:P*0Yv^Kw|rt{W쏄g5X nla`9Ŕٯbq\捪z&΢Ze\ԫN:zJ#jnOS鲁5ϸDX/D)j:0wHi|NܱDeTdfrj;l%?\=tEA҅Bj'T aȭ>/u"eUlꙪfD߃Q,}`0}r {?a-6EjWyS~=W_QdhU7$]=gD|dn~Їsq'OQł .*EDR=|+FJzx;cYu n=AaR6۵eK"#(\]sA^?4A+QUL4TtR6 7+V}"e½r,J2G[T|3d%}!l 4xW B}NT?)l @U7CPIL$4FV&7D{:G7iF~~@j <;(I@`k:-Q 32lt_`V $5qM=4C^f(ivOG!]q7IVe@RaCd措h.y< rZ,I;R9OË}]ʅJ&I7 -5nū ){;h}LT|TL$Ẃd!!^(6T*nKXo*_W[ݍQ p"/ ;›+Ylxc{?KD#7L$>d|9k-u`DәC ;yX+tsyR*N|kJI Ye?{MXHGxB fkh4#|ٵp'D$a\!gs~Y 'FI,V U9]M,:ه=o̤tN'j"M_>"`°6s{*rö:_,ՁBQ8#XT]2 κ04/ĥ l>%I*7)7ĠRcα'T|@~h~kH?:X'竣Rş$."Aª!xtΑz{oůNH"  Lp'eR}+ҥBmG7KD=7::J ٧dA-OkHG'zt3 s G#?2R-cE<ձiI{n[ҘZF)H_0)ؤҙJ1H86_ ᱣ! FYw!A|#bJ h~`i2K'KWXjGfqޥ [ZZaH5^?SJ2X ؞YLNOW7O<`D?" G-,]DpLX|>τf3{g ![yzN 4îG!dAR.3`gcO 44)B'4V76}+ ZZ"i UE;H,'2b?*;߄r:Y!`+|KJS"4j_ᵅFy(G-oO4z~ ׿8̛=,$TB4!k8wP9وVBL`Wrh7:  zze-ؿs#zE %6J}tp䀕%_vXh`"powq'E3d+єΪŨzN7^uxNuԘ6'E%|jİε{V k$ܜ"1t k֬kD lr9`ҖgMxq'EnmYC'QM^3;ߨ4N.-LYj{_U 'js#2Р3_}op0~&֏T^Oz+P]Uo`'-]2y^ω|#ČT"0]ܘ`LqDUte,#_Sטp)&eP)9Ԭ^V!*8x E&\$/n_V=&EKt&ljYk R:2:c lE–ljL‡ŌvZdN^v%8P9o~t Rf5_%]aUrfU{Gs RԌtӖq}S(Ekb'8PAa^?>K@*E.aX jRZjfE0A8o|SŸGIuAL%\S2|aNUOeJͱdKvh|K=T_x(Hߐ(}x݁|Fk;Xl]oqY9*WTg,޾:j?/\TD\[򺋉Nər-,ާuLLKXpWEi|=Eh̒9z= v&ulʴxsz3TYҨ*xm- { yw X#e g8 űO>,)FlBp9F hl?b8Kd69zB<  Y4zRiFJļ셫|$5K!V5=t3*e+:*/5P&$S0* )ZZYL]WkV-)FR.4v:^l.lgU`@4H_0cXBVO%Uq8W:w[ǘzh7!%}3w0X>,"|##s(VDԫ4ɸ:d̘kRe ٧@NaXTDAkdO43=6PGjI׽N#AcTēuA4!ўDzu~gϢjs}~Lwz39!vnɲ𖩁/7chpt"c6ڲ㔑ȿLCi  ωµ@_7cjɶz%~O ˉAX$±pK V x5[nqa=ȘZ54վ wޛ&Ąt0hh`/M" ěx$@ÙJG '-z'd1Äׇ7'/QǾ1^^$0H-?jr=;vtⳔ-mQcpT9R4ls02 3+=Ss8ߋ5MsѬ_= WIkE .uZH¨DH+ *zY(IK7`W^qv(&4B >`%]Z6@ 7Zۀ̍Iwq-ܽV&,4F3v4 (Z4'sDr8qAY_ۮoFaL5$73qNf 7mk96E*z) kXn}C\=ڨ |vc.\œXbw.IV3k8fl˲s6$/SSJ וWTJEЦTC6s_Igk̩]g߉"bp3@ՍEq5-eYi&6K퉛⇹(q\ eEf0qu F0n#pft/Zq1p^mhq1VUZ #N#x:  V{jK%@EYs9ym%aX)#nB87=H@y'-6:YSPdIv+;?)!`7B g1#'MN\϶*7t 1$;$dxۤ7 cNFm˶&_6DׁEGT!YGab81?L"!yM*YsgmnX'pCF11ީFaUs[Ik:٭:ͻldEI$(H>&5LIZzd4IFANqd/4Gv8kB)?LM/ ^¡wns+; s6'͍er,# 3b޵,!lXa@= ߷6'(4$齐df^B@"dt?jO)`x]( #M)% r .;G= O{P&xPUi,m%DN \[,SF2%/EQiJ>R5Z͆pS8T~!k:L*?^\# C@\#i2a=Y*ff,- l%PB S{ HYL:bc.~ 6X t>A _ m9ޑ:;p`Eɋ/0+׫9f(SIi`)y{l2mpsohhh:RWb 5&r/r|5Au E 9"'fcmyQK I=2ǂaM`iF.`GL`a<"m zԎuEڶ~6# @+ZsYۃCnѡ_)4VxqS9m;Es7 6>#g~17qˀm9&6,`CA.&%pAY\s~ q%0 +T94G'AFP٘j0Z?o{VKIpx(r_]pueEKUV#4ni`*y0vkxF}=" GT10Ɨm[ _L5xړlT@1^Ӂq 8쑍"o#a&83o<8TG\+R"ᐜ78I"[1)|y,:{N8Suـ`B1Zz%< ZBhnQ.X@!RB/} (XCf)y${U90UFG"ՔoM:%n%μ+$lKFLƹz˵,7|)>F56nDž.74Tӫvix5!<%ފ9BFbw>.^k\{A$yvl6+J7R]4+]ȳ l]p4~/Ȣh72C& ov>\3ϡ9%i:mia\7kR6 ve }?~uܪrAƍmM&Zcй 0|'n=@ wW(Ko!q7<)l6pISVxקVy $/3gdpnI#%"/HOD;/ sjݸWY)d'}SlM/%i~4E!%"~:Ƚ !jHzs2ȋӎxa5W_p[;tCuQv6tsFzr$KZQb2&\Z= &l]"qy7 7F3]63qf}JdH%Ta.ޣ)bfcY?dIiL`xٍxl6eNq`%0^`WtW=ֶR76ՄN1n-O sF'W93{Kܪd'SS QˣZ>0E 43Gmsy<3+3Q::8'F5a3}HiOf!T$w> @׆T[ *?,:<̆-9_VO÷zX]xxJk5T["o5,n-ku58Hx ҹGa3-|{f@VGti- Ȣu\hRuϵa&HܙOFӠv=P;fI7^#0<<߭˂'$6u ܫPQ"1A+.nw7N}J|pkn*Ƌܮ))v'V`'UBu;|foF ߺM>(p0nD( #ٰEn6y~S[77h4@rmdk3+n9駶]]T?yO ET` !~ y5>LH#WOt㲉ǪK MZ*<< ,|rV%H6?xg"p ӂ]Zzw҉c+>ӊ@)׏&PK3b@[TƖhA6^lٚx=hVdAJnѴ;N$q r` By}paѰiXv=v}AFqD_IA"Dl+:kˀAgQr@TLb9ڶݼdSTx#/!O'"&|!c%'ؒ>wbsw0Ԉuߡa!"`!.ݜ1ʀs P;MA1d`y_?< D#AhG: F"| ,*n::R9kHsnomAU:̨?;q-rqQbFAv+HAl+Wͼ1OC1 ?AfkSt>ؿ}B8x 32EO&};&[EsfH\`q $d({'f$Jgi,*1|>Μ^&gz*`oL8 |HK\޾ '>'N(K7L(t;*_^cWP_7 rTqݑQ*υp\zБǔYu=i]X& 7KG6źCexA`k>(?(ȶh4_`3#j!kt=aCorW+`*LbgoE weye5@+]b#`C7D*R`EݜC(Z&ʋ |}7vl:µuG}eA1M}=+5'%2*!S bkQ+2j#ݷHz pa)&R1] OV^L-=hKϤތwߺ'[+M"n7AB:hC5M<[r^*SklvqI}j)#N4=eo"MteukCy/@MZ]F,-#B/L3giҠgޔ"a 8h$`+ d?tN 9n6.zUkj@Z($;wߍq T+2deKGDf; ԏL1C=%TTU Nڨw?%qDy}֦!7Im\#NSۻMֲNbdSpGy4HxOIk}1wz]dK-0^4CSE-d 48rصd Rnfk07J,޳n육Ơ8H)$aC}w0Ƀ)9oK> Ia \>Ǹ-B5,O./7{{\S?|+z1DBB ^OL5-*ȪE'obsދ)8i\H0S$Hvs _*kK.!`4H)@we5v*"ԇ,*,;HU2Vm՘{# c^j. b*Z[)oMG? wIlT ޼4T/s eRY6si.stF#Inabx2Mח>60%0mKyu7ANK@y~BтX:, V?#xAX_|7$jMd.MOlOF-CMwѬΥ՚LLKwQGyHjUdI_e2HM43jFIP+\O//b*  wQ^€ #<(tfCemHF2,?`=6m2BUzI=|}#?k6wh^휧!Eזq *SxmcEN…VJ4WX)_x,WpY7:-?&1)L=MAV"lʦ[/ɽz86ʓh1L 7 ?]ت&L.m`RPZ5'e"[lCv1ʬ' >!%T1h ̓;gz>KVX[%ryP E{9 ϨuJ'JYب ප+&SJsTcu@٘`-_+sD,܂&ŅR"@.S2H 9c(%gBp3Xd" [T h&]a}.k7;A8k3ZL9N6R!> ↻,M"^)zzUžX ?,Kh.*&eԈٰ .m\5ư2b#77$$T#FVޒy bed] )gMC SgE^V=Sz* Z|4>#x)٤^ΡcπsS_쏰 T,O_:SRm;f;(]\qfZJ P&8;yD&r&E1XR.?: >g)#i6)i!+ H/$/π-=T 8}!3Y{YW^S^ˁ.{&ˌuB}NZ~sIvcx}ޢF;PȵG ~A5n SHEe cU;eq)C1 }$L Bv+=Ar*@&lh[cReViӠH֨ *eucZ00tێJlԙ70b ׳bG-mR+ 1]Эi`v1UNN0ic%@s'Ҧr ZH___^}kSr\?0=jRҚ`AYIc uL$CE83}sD$ڦIc%+g[Ī덪l^AT݋HJNy&+wm Ƣ&EثlVcƤN.^a1Ԭ)v& \J WPL9T`(*'JÔUͳ IYE(Li%mb/h)wjn}W;Kzkʶzm.(nO%[i6Q2OҰa<sCJZԤ6eY@[XT -!pBMA2LsG^tUyK+Q0q<(6uN`OMr(]gZ#:U`zX?-6_M깮H}ږRxMW4#Qٷn㙤>7a55|zԥՅ5Fz]؟Q &Qdz)3֔/w^Cݩ)QK*#Âܯyq碮2y[m$#-~'$xLNfۨ#V,D/IƄ#U - <  6Wp*YnCDԛ&$9#J+b0XmsHd;7X\3(ߔq%^MX+TIVOB~ V5 q^{MNnP(~)!ƐC>-&[eKH Y/!YbЊ}a Bv*:ֹ7(촰61!ixTɨՎQZZ Zۉkc{9$rH\'FNcpMwcXb7lgH_,aX4TP"{͠? &:vϽrG.%.P(?*F.Hѝsék΂qp#Fg LZ{vA)g:-ِ HbwXj3+b`u#Ak᭸0"`l7/JBιI ?Db+h,ɍ`H6ZM!2Kء`7xVw10*WK\/}[J[?ˎ*=wr.[>Hyg^cL?$ `rhߛ:Dm) k,CKB x6s,1QqɃ+E[/Z(OG-\6;}d"'2/Lս٣&.7@CmBr@h/D7qf-mF3Lkہ&h '(z2pMx`M)w X{|¿yD?B㴐[>aȘް| Ʉ5}op P+n_R, ]KU?CH'_u˾M꼐HVQ JK{&P^jH#jcG"ʊ(x $S }IQU\5N i~װpg_G:քUU^&->SSU?,_MJmK.Dj3 vż*a(7ujA/'tcG)acN7b]qxWEK"]aWIzyRti ۝!_S+yK⊿*60>D(̴ʥ>7 u^Έ|hFOQx"Kj=? ;*23{ӮJfC7tz^(lsz=aJx~t"6L*թ1}%ԒHr_q`Z8nR hleqХ\Rמ0&˛w90qH!T4μp vMSyNOԎce8L<(,")-@ؿ|>fw ͺaV<^ @8Љ6gw|<rQ}Zfj̪ o9HxUUP43G$﯅Lؾ-VG-n׃5|fQݞ q ZX/n/9a `04DPF0+Œ#BXz9vk[x4;ǒ`Q]%o /q>%ihQ$Q/ ҿ$QZ(GeR+:;bAwMRm!lk\a$R}ƤUqMʁ/ϕr#,k_enaJT߭`̆^ʼnj` ?WX^4oPR(c{gݿ((1Y_kyisXi`;VԤ":c%'T ͔=\M^[Ev] cоUJ*T"˼dH ! `p -!/]R BͲ{I6S %ѩL[MoA{U{%J3'޺;?* LQF(޴\v3ydQ"oC{3@?ixŝ_ʍCKSK# _Z٦eLe țo>PHuN|'^O0hp0 " f]ӕ:.̳a188JO|vr ZN,(eөb@K[&V}~˜JU*M߬Njq%Uj/Uk$+5X%-ӜpA9ىC jH&4sgzkG2"mJd7i|96å[SrB:ӹ )OԲK):K <)^p=`5=kj.<',({gv[i7X+B[ɨ7zi:($|q󃰻fY75$73JP&3\ًT9TbW>fz)AF~|jWVy/7 hq9cvfHX<"/.Ojgk#^Y'{#*%iԆ{%E-~WQqu8 Fbo|Q:1vX$WEǁ~O&ΨE @St}PdXOjJynĿD3(}#gf" ]~&E.$VPx\}:}SfCkJP[.v׍Q)rG)DV!PvIB a ?Z\]PʭSfђ@˶FY:Yjy(p9^(7).*|\xOxIXCPh9}Y(m>?`B: .uvx\x{u4̭q2!rq,5~4OHhцLNNbQas Q߫;|u 0DDqAF.Rl,@3[YQw%K[)8m8#ܩm<7*I=JNRGm 癠O#5}4oߗ0۠mut;>ֆ9 %1^i%9ޜK'nj0#!.*lt:ڞ~Cc(«j  犧]kry u'@ğn]ei^Ѫ9g.[mjUxL*gTOOoӘmeaH2'Ctn=0[9&ojX+oMe`Fڨ̾~Ѷ&F盗 x!y|bǙxnoY=}8`e8>p 8LbNRNFM9xh<dqd<;m.r^  1?Icd41[~:EC]*æmĵ/`K8̥!3MHBx3~zH!i, ;i4+vP#1@MX=9#8}fG,Bt" 8i<)7{V RxSȗkc-: e_9G?S(5_π sm.eqbs`~ډ+,̏ 6i#Ȟ5)3?U smsC.87*Xy}aĎ@D`sl޾gʃSԴ! ֫dXղG~p?QuYS>MV88ڲm %CԬlߍcXdOoP}` ,1u <\ڛZV|d`7!&@f9'GƏ=`$OLЫz#`lLֵzR;EK>(:8iҴRIQԊA@W 4п[vm2sӥ8izi/T#XgUY;mYjok˾,vi(8*\3uۣYk `]G@|P넬}=7K,4#`hMc*4LkO`O#U:u( BDmܜZDHvK*M0W $@ _sQG[dxQNR *^č9BCUn )]!װbwWՂrl̋'Y6?.Ƿe􇆆JWݣ&rvX#;(Dcy_rZWlH-PP˥c9M?y3#Ru+}@S25{L?T,'lȁ#$| d;GV(VN?* r^midWgrz:\!4Q=4bmH}sr;Q_y~ EY<缞-n٣Hq褟>Tjrwz{jXϓ8f^8ey";ʨ1%+ (S?T:MB'"xY[{}'JDw;}hg۞$S}<S?ݿ'J'XX`]n_="9L/Iz\ ##zmcټK~^D=TB \S)\> ~DrOk­ڮ#8Zm"F#"{jUh1W@vẚ  Ӷv$}⿞gom W2r;kX7QRwi2qιmH0cHmqU]8YHuM$GSչck ePjxM1vPa#z\xhDuUʡ5qx؜G`͉  7&6xUĩʬFep={&ISzIa3(ǝ\JÙݨ9yN(@/THa+nƲk%]3L$u[B g{Ato\uH&Z"^zӎت]4 Pzh,:.VSDH dž  S J-{- , K3DYOw_|s{>ɭN?ll)ջ|8fRX棾FesKzW Dza{Wh'@P]vJ=qFk[hHc`(5kL.M(!rYTc?oGC*_/&7ѿGPR߾Eś>O5YVA"A<y0R@h6њ1)G12kbiϨ@"fˣGbB4 ! yRtRo%X0JB`ݛ+ɍϓv I=o1T/i&B'G3UڧݴU}of*aK{yilyWF!ώMjg]ʦ ̋ѩ5 fbД!([5.s?Ch?^?tQ] 1$0"ffl7PU҂;DwYӥҲ{ʴsKq'QQ]moS*7=Y;>=cv埮qThсޜ'3]bZ/$G{oL!}yYP a| K][-P%OaMGaEbcMv9<;o6 1 O΍^JjsC&}GC.OI0fnbE iv9haiE Ph\Og Wzտ7mw&[2JFvIQS~y" QLeB12^`Sۯl e8 fmM(GtA0g~_!++-N2T|;zxQ 70jin)u^+,_!j[W3mV0_%Q=u)"$ [YY9SN]cсdb&)ȶAtE&~SU6/Hy2&%:ieX^hգOaNDxxQed/Txh<;7kKA2?%g)t>wAn["MbFkݍKű&c$Cc`=.x%!=nNq1,'>4zM'BD5pYJzPL[#6ש8Y,-%X.JqȄCHv#׻l_T6b2a&,Ks4'%;zw*"@2?SQKϬorq9xNJ1([md<-=yDr!WtIuHVÔӵUDP>-C\ZJ]uPWOG ^u}gԤk ?^v>zyMOD.b}Sf0XJG.K\YN7Ul]$Ң*LT.FE/WنfvDwFĢ*dW: 8/p"A݂ Y^1ٱK`^MY\=J:]i}r`[$q] UDP+/#,8_e1o~*p SY3HvX-&j5bV. Ha4}Z@G*I+1Ы15.^|[l5UQS5cڞkw 9CYC'dO؀+- O/yo*x\g=?,PާS@+8D5gwWK G/BEeR!YJ4˷C]FV .u.X ag]ٮ)8n՗C3fK۝/ m&(KD$hcT&6TL8n|ݯF %Y'אv& lK1ȳ3$Jl1Qɸ)n6vkCv 빱iԦ4S$x9V\[ѧQyE`'Q:۶Xe:p,lY'0g(k 9 mx#q9CY2;!࢙WܕWv:Vz__>B+9)y]hL  NCHyy-9Tڟk$^2Q: ZRBjE{@32S4F)#& KZՋd]QC!Bt<# ;ɬ;J9p5>#u Yy\eo"PgJzf 篛4V̑J0ILG@?){PFfG?;gJ^'u9NT[]usAy9?S =;=Kk ,y4mY&0bB$,1..KnDtD*P)*N*{j !fc,_M S&Axҏi99GT, 1CU9i῅1?Vpgr!ؠ$!5 ZABp.1nCB&VdP~f21TX>5_z@La ojFfS'oǼaF::s5&j '\XtQ_H{kS)Pkaך;>S[WV @*,=¥[g$ZNwdG>{E'k=-iDtrq>һyx˪Æ>2L/u\@դE{Roڦ>EE3s9vE` <=bĕ$h_0׵dႿixKcLa$\EʩQw7 )c!ޝǃzæpVzLYG"&0$=ȁLZ0]yրC*%tx XJcaX/!}k%c5X64>#1c g_L (2oîV>*/R=YO<+QK<vJ漨DHMUA#߬ISO`.Ac|EQ.U8Z-EsJ kOƙeL F *NR\B۴+JM=\1% .€!hcRY2ؼtε?A~dV%B))>5v:Gbt-mv(CA ɳT+MRU4 V-QMyqrsKBAxs~Gk%urhJ< A:0ܥa:6F_d9P!*C%;ڮlp*%G=ƐDu9 x@%X6w eAVlO>  UdKc`ܧ8?˖I5q;t=m9sD Dg, D9r&= +}QB)GsB6sx_Zrʄַs+TGHJ}a5n4]Ǩ ;IBkYKř4x`NX%;e砒 A;OvtBcB Va>\'TA[x$!kTD(pe 7yn W*|r"Q\Ki j9E|8mhcAeR7iɡjZ38߉Xb&}>L@}jd"εI9h Q yMU~ځ[VWa6"w~h(I@<&fe(Jd;_YKM+ɴ#}N*vI%saqlV AE6(ʏф+ix:ׇ`Aþ-PХw>Z3CsLvEADf0EQl]V!~(n3tз\9w#mɎNŭjX$/)E@ ]s}"y pڝDIk:"o\"C9s]hڈ6g4 WK kѪ<3l71y93a>jG3NASh>tA3owUdoNU1? |-c棷b6\9ipۓ 7ޒG[tU+9'df.ܤaĮL”3۔HQ&i{>=(b[:n^("ė{''JW >ֵ T@b/"`S ;=24?ALNXUNTJRxg8saؒ ?\{孿 -1FT<׉68>;4 ޯ"9kmq&Rn96qd Eþ&OK(o (hEb(MPfb"UI9Q jɼ-wW:LtݜfFKo-&BVp *0PzA 9ӊ@MQk'[mʏXo򧪬3&У!U?7JjY V#ۨ:)А\8֘#V1 - vhڝ ?nbP<>}kq0Y~7~) ;T:㫸>?{Bf*;mj͇y)q!A0jP.K*Aң6v9-=,e:*%9JpNncf 6aN@xQ@F{UX۰h~L GHwS )n=}DQ#|QV#Q 4ʔt9O/XO{1@@%i^bCc>fuEvc5CʪʾΦ]Ѓ鎲 )Xb&Ƅݑm1DQ{rl׶]TJJ,S 3mp5ӜG=]exg;O3\Kc^y޶bŻn/cv+ =o :/XȄ&ʒ= ^jW6q[4tO!W6JّY~\VmΑޣnM.\s'M~y`_Lo>Cu!Oa :RZo<, 3URmAi^TW (x X'F2ɨXGL6$d<_Q65y0lS:WQk [5y>j~ӞÜ"}LVQv`biN }΅0P4EVo}IL]HDڢepn>6Da \5eSQ=SZe9DFGO$+ د  xinH4N݈Fϻhzރ!T(sjaXkt;c]f0;#svsEmtYRoB+L`B!-ɽg܌} +{G%>)=Th׈hjEj/̈:Dr`D E!NL sxH!r`ނl"R?J/f`*NUks?*E g*w[|_苡ʬB-p9OaYP=ӧr϶:~oC9(zQ6^4_`% Yi-jy[i $T\9 ,QpȃQi&@ 6w\1s_Fb/tn}㥮C9 h!5 䜶ʊ,UHV'f* aZ߈?~!%s?и00 k׺jQ^DmMrvB ΨA;k/C;BӣvG(t2YC2XEdPV'S>?玊K,Zg@06dj潁SŒÖ…X"ats_N0+I.1pL뽵cCM$THU?͆jm} mƣiۮG7-2aMli%ΧXa%Hۥ'eE ,2^+T0Ot<Yҭq|͢fXGvL<E$%#Oza%Gmt^ / HD򧝧sQz뗫>+aڸ;Ŧ+9KE:rͤ683'+dsZMGH,aM lXPw"k-w KI[Jƨ ApR{ysu" bryyD߰NY1jvbC˖;hҖjQdB~΋mej.=IX(Gb?Kha,3HUlw0lĚ=+/5bTT9H7ɝM B-A("/q\u  VP<|p:,/PX*ڷR#~l# |ր %}|%cbԞ-ۑ!{\64xنvY&1y@~ Y'6*6]r`2 @IG-rj=%<7JcZmI*d6k>4ֈ_>l5H ;wK`^tEC] `a.M sHOyn챮IRg%[jɸ+ U=N3~wHހ4,XYZi :Dv~{/lPͱ@yܥSRnC&oM6±Q>Q-?$C|֞[Xї7[/{'^ϢJ>ɒ==ՠazu$9]yE]{~}Dkj=lR4wIR {OUkVLCLjOAr6 .F4S܍(}Vq1Γ}zb"R>0c&k[#`9RTQ_ a3:lGvkv#rS>mdpqw;Ho+{,,}UBP9ź,6"A 4=vǣϽ[P~YOT9pT*]6iƕX0 =Yr(ת=dîs3$OH}gĴƠDžz@iN7:Q&S`ciuIy7l7iҕf>iɳ)5ӜǩGA/>cTμY>W$`eʞhHyͷhk<tv+|֯ hc j0<.56"5 %}-45 ń=!J-,3/_qw }O=g-8a4'mF,4IZP2 lP~4hV[5g>qs-'ABR)Ss7OCi 1/ ?gow?#p!1"%0KOS@Z:mDN RN{^s^7Oq).J{d -#yRf/fIG_U; dŌ.dGI(x ֙AC}\t|^LvwԤe Xb/4f%9~s窡3g9T>Wv^W3pC)t[jCӗe"k*S"ƾfX3ZCGo, z{vOJCB8fv*m~TĻ0lxu)nxzLf?ot0|雽F23+8@h}.;P&S6^HNVhCwl9#w>#wyٳȃCTChկ~6nhyrwICz'ޛBB\ƘSڱN;%`IExҷ 2E DɦTI!u.HXugCF'k knj񄯚RŶ.IL0PA ¾$KgzZq,ެo11JJiAuLL=\G~IB~bv9DLQ Mad}1 k^k{# xuuc0@%v`+==@v>gB4ϛP&7vQy-j-HRPPk8_),ُLB8ê̇&,>mG`;# kU%|ӉԬ"@-) PO}P|>~9Jއ AFw $Xҥ1E35;Kt"Tj}uݱpdV~%"54"7/wUPI?#-uEQ]Y x}*İZ9iY2%-7WSD_lg N27 l>q+kE ie<˞Z!{O۴=t29RCp wL& |wIi#] GI滦Oʾk9i'!E2Pe~`ze÷' ćDO'?AMM;x0 }`Bdդg{s ]tPhSNZNy)i-؏͛>,DFƠQ! vJM?Sy6Aע| ˄Lk*[s(ŭC @99 UAbj#M#[R8jǗ/>{Myʑ849y,TEy2ݸg:+W4__(5 :tW QNS"H9@{dT|jpJQq:S'Asv9I*ǖoad3${u`dZIaC̏&ɧ`eNuQ*|Fh\g9P@jzk)o(sF-\!s#jlŘm6LoݦS/ԆyVsڷ^ڬGאEU DJV4kGcUFRjf0k'$>l%RoD&"Ϊq-$mUob\Hn\fa1C6} zTDԿ-־tp80#[CE#,&';?5F0s`u~Wsl(zU _ RPTd=ŸyI.!D7BW-qMΪ@ 'JKqJ<^+;y8GYtDmC쌨iEFu؎-:C冧o͋ぐ g =xa:9eŤHq io}",[!S^a1;eL00,aBؕnjh'Ƶ7msF"_{2E5\*PO͋ O4 x+rv~vYrVF"tp0) Y)㛟(Qt7'754Фpg"SZ"mLK3 ~MЌm#'5ڮ()8yǃKLvp$>z?/Ԉ)t‰]xS(l5o$8L2 _,$"qmyi\z&$U"; g*| 壗&GnY#_׌VH* +81?8fA_v"c_'ϳ(jy%l ܲNu=.207AS˘ԬB`!Z^B)3ɬQЄAPzi- WyYRA$ 3Givr֪"YByhG!u ɞg1FV cCɈnFcR!Ŋ 'lƣjLF5[K-LjVr/~ Y'n,HH<c:Va2.7;wxT1Nn8dUKCGA MʪQJ9ST[U }sJM?:)r- "%Ynс*=XbE}KDy{[ET/!6)D?rI7\,њE*_-B0ֻ§Rrp*)?B|,:b0j,Ǜiw-1h$ ),('GK〴T"`,n\ -mxH:'\$ Xo4ܙU=.ݔ{*Fx< 6@mAЯ'#>J,t*ȅO?H[p2JEMzsUV\U5칉veL5;9 aa>/,fUI`-)T/QVQH>׍[К{K%8uP\46,Pfn*X݋7q?u{8aW^-(+\xӸ.{bM//iEl+b\BdϱXb@*"?Ay!`b_vz: |4GˁXw 7e"t#)3fuQ&wG$,)Ţw+B,o&g&Ů*3qn}0&ۡ>.U|u̞׏o(KL?e'g8O_%gw>xa{ ܁\<"3JhcH>-;<~Rw(OU+d3=́qCƓpJ6:Xbs8}8zj84 ,ܺfJN#h}-bHX?twl~ NiT@*+N+-ÆMV)lP* .HQݶ'ze(G041_(udw"YQM!ZWh?NgJ˪ܞuY AB''9|ty%Fr $Xcown"6Vyv 6DL&Ĵ"w?cN=D{DXh6\wH/6~[G<рjC"n)o[TKo9NP3ur4e;$⥂tFQtvn aԨRI;Zp3}퇧K[@"@zh\fbZ戮ҷ7QƋ#c"-b[PS-aߑtr['ݦQF6Ӭ[!-V6Wm+wZ{i];݈U+a.qMP >90>&x&9f8t^t*sUI{w]h z!hYr!s4+_'\#Mi F-))\9u7PhR.^V2cIםH i:ז3ET ¸-zz>"k(e6uKy{Vf7`gQ;PiC{N3d5V}3e"(#Զ#ll}q$Ge/x0^5h"|5V2ģoW 8O\tʻ2 ] |ic)8KGvDu> /?@:"tgpeL3Q9Ձrln( ;-5)"H8BJ[Y*f'C}36IN> EOL1^mA9[9s<Y|鰂%P1+rѡ{44 iQl ,4RiMh~",8|mS'Nxԕ@`U918 7پ~qcNݎuc4 & YBؐf߮˵L>źP2SS}0@sgNOtsL`=!^3kȅC~(/"},JPQ&-7(Ѕலr7H SxkqBVtLo1Gy\M%' nI) 1W5*T h E_XD:r1gbFpEqR; >"<7 =MB~G,o4]rr7JrOUaZ ~f;&*eDR$hd7D,l=X ۙw=5,T hE .OD J =@$ˏ`:YL³ ({,ZQ@_ R-c/lxʔJ"fv>Kb\Z+2Նu~3ۣZR DR˜Yd{鱎.aBaɷnxxoH #a /8"c OAB&h]rkJКqmA})H{9j_̀=]$ cvrS_caDA^)BË=Y% ''OmZ s^'"H93,0#KO*ᕇcۨ I sEAivZzB,qJS )dCd[tt3:f/XrCjCoADm'z.!B?bXan؉« )23_jYO(uEZ\tg"y'-3$/0_ӣҮdRB22V/ıWO?'B){s¡[%Bĝg;g gp.'Y'1tuwSH>( q#&6L{{"i9Sa=,F O=Hݪ<˛u_}!v^~r?6wjB_\I=~t;OZrXOJl4 DXYn_\^xk#Ҹ0w')I {q?jssps9>F7}EsBK2goL5| Nˆw]')|:s;rFk5@uId=e;q:lp lr[vhVѽ\* tZ94/XPN9Q2i,yK'un)R Xs1p )WHBab:92/:q{ ^['ؘ1U /XA/dAFy,QK8[ =g4|H;;/L1kcoNk g%X,Ts\*oe讱̷HWb0ϐ"4T~2i2{ghp)PM]d&pnbmOC/üT_ ',J6X@ U 2m=%j^>mf+̪x]P_'F*);;ΚXq%zjk}^Lz$8 '٬ZUn}Щ+:_d!cߟ @} kȲ#r[@rwj4 *`/ XrorVBiH:!Z!"&C~أmϰֈiWe/g8n{دwlLRH+މh= 01US$6*Čp%Kũ>JkZ(#[>z!Et“?ی=9GQ~qzHgAC.os&G=;wE*O1FZ_,U:-OV3c0 oR /!.8|*(Z;XJ}1Ռc7Y\ Khf㗴\7,Xҡ]m!!*6֖젪{ㅾ+o2"Z\EȠ^x"RTnնn~]疕4+=0Ir001ߝlȸT?fiu#ܤjnM |*yW0%ޖø|T4AoL6NM827oƝ X%~[HZ3ug/Uފf^ ):נyhZ- ^UK'9'䒒A5\Zw?U/[P$_')94)v[rM ,z, ^gZvtq}{dtjcޘ'&I<ϧ.nP6mEq,wd\jS9K]* xFiy$4IwVȇXhx٭W &NC/&mٳ$Y[w` I:1\7ͧ{.W]I{4>X4p߃nGPzSvf1tH<"W]PRQeN{I k1mU71iajw6%(_ct*m29BsAk9HçGFŨ}-Oɩtm;Uup`f¨1*3mf65S ɻ}rMMك1JH4Ӑz҉Tk;btaFC[nuSqSYOl ~J3j? ^@S Q.UB1h]@jm ߡP[jI!r1U=5$/5@,q%n1W1>z\JV襅9/n7#!č?TQ uŎePnҏqF!udAl3ɥ'jCzO3̔qK 3c9mh..M &V"FWyRMS:J䳶Tj Pω-u5/2ˠH yGHsğ S(d (yR3 8lh'oۇ=@Zp=mk~ٛA Mo1 %p)QF)_-"5ڑ]'ڋDOx ZlHFh1?%kJ(<hDۃF,&z}g_ d-{ΏpV>V̘JJ#@{:ب6Z^QLf:8@&W&-lKIDS&OGN}n61{nJKAO/];!a}اBxDXgY{T$vfW@]io%-bX7̵}?ldnl8Qz@H8p݇o^dRH4BpyW_DTБTƌ8b.cSK.[L>w&ǮU# ɪG.5 \*k):0)ܣ ;{ʣXvyF~IL>]DB9R{N}D"DuQ4{ӘCZT`bq].AJ>N(kK#c(޺7m; }} m#N '$RfN{h&I )o,;Pd l 9 }q륰*f-1-:@>fji*=9 ܥ9jDmY+uu_NQoN̬֩Qv<+]A=[rSEsEe! 0^#/Ic r N^`A DOJ.goaG>όҜ$sP RSz8ҹ "|ڔgD~Ȕ_87anbs.3>9:^m-cY=F>'#T!4J6mZbIj.襉;+߮h:m6$=Pj.-Xuĉۮ.T+vyZ@`JwD% }>JRkϹ ;%6k^'rkPNM jTE@qqyCb0ۓ>T6jn' r(-yYp #"P8Lh…@x b&ⶍ|6rP+;FTFk4B}n[/7jwrTJ21kNaUo&q8c?zQo}IΐMw529·ߓ^ʪ|LnIa;儣W1BTu- DnQcd$jkG›7w?R!szxEhUPe ]nL{}ߘgb'PspUCsqB)Q%z"wVY|u '/W"o!|A k Ys=F 9٧VfO 'mb},`#^d/$1C>\S Mg92xXL ?3v9AJu yW(' [GU{\R` kip6p5G6!" {I"2XUR{m ~Gxk*C%laX ==ƃ >)\X2 \l바K & B*ИS djkͿlX}ɠ+ &-LjK}6%SG(R T^dܣ^$LZJTNΦcO3GsonǒϔPZGT晋$(/T֙R5``[[T;-So\;{?ϛe-Fd ٥S?drCSrH".A  }htDzѨ%&0]tMN "%r ԴoS$WZ4E1VODb=0TC+´Z~龐Hoy /&SJB{$ʉyzrJi"÷}o=/u<xhTV G u$@lbA" *jFS"i82z?ߜmT,N<^uTN, EX6Odx12t}ġZʈkܫsz@ƅbsQJq^Q),Wջ{.؏^ʑYY RjՆ{!8>D@#9zuȦV 83A˪ǠI-+!2gSHrHo}==ϭj*H 3 e UOpQ+%_s瓫eog 9R:l?Ҙ J>0˺jP sҶS: E0duEwqZpʠYo2!WtXvDvݼTj讂6Kv@[Xs0ʕ 硖>|Q*'nqĦG D{Pu FWISơM_: EpYɏZ#RclŲ<}^ɤ -f7"$(k}-xHYЭS@anJ(kk\{=ڣC^0Fk bUpEb́S/KV/Gea5 'Gbr|/_DON?,c 1*3[Y%gxA~EAI6ب/+U>&TXWĒ3=uF>)q!z23@8Dž.^1woS؟e"^ +0z̫Ӕ7x^if`– ]MXg.)3nb?^\D.t,"} $}3plJ\aw2]h@,))0cJB0)xen / ؓܢz[|ȗ'!!0X+mLɕFP@R0l u&CNeGHt"ҕX7Ж;vi=rjAnK\2JTwǍT0{gTqM(e=AaI(qLiOBuF& .E}cÉPa,-m(ϺAU8UXTFO J[ű!R@25cav -S 굩R>NJQ3\v';*mS*(p|$4i PÁultukw\)E+DN06xU8CϱC)h  hf!*w7:Jw}FC֙3J0f2p"ךY(ѫN )/~,&@c mOyn\LgE-4ԥƸVUpðO"|8#̣tW\0]SG(eGbUnБPYfeC2d{O*vTKS=Ѷ__ 6`Sމ~gaavo5dˈuײ/VQCi? lu~IίvLə $; }jnOb(]k ;hbm.u~7.QlTe E\wwyzJ@SwAf {یH$=3,7!^g'UknULT}> pa 8؏)3Rhfb5߮CQrc-,AwX*`xLJiS=jZ *SQ1US Zh~V-8Syh~0 drTٸWը~[A\1ȹwۂ"/5{h)ך̛,1_ѫz!31ԃ8Yuj0ّwj!0.;FlC!hV.Srq ,JP>Qk'2erP+[н 7ᘔpWBl.=H4WTW_] '&|,%.8 @c!2] I|X gN$mP7jKncfy SQ11_ c" Hlm{".<{=/ POrPq憆45Nnlo#Z54' Dc3:6͵9@ J6fO /E= 9;&NVT}IJ]!-QedaB;K*1[̆!븷ANo-nገ`9E**/yns+ZQx5BqkZRNH#vye%UʩkRm׎$3F]u(~C݅+J| ħk) VD2BTO\Ec}qƕH4 No$n| #^52o!IG8l"N19O&\#r"%}V-j؅8Cׄ9ma߂!S-{S{ 6;Bѹ"X 9ILXE_tmգˣqj\_@r: /YF_㕆4:hx$' PC ^5~BwިE1@pUx*`/QKzK5ͯ`F.hzT|!-pd&W b)#N:#QD;3!z#O }1k``[t"()" +;S)ƺcEROg|\9aǮ/=uӡk;[q~췔"H :uq} ʪgˈJ" e'A7DMO-1ڎ} != kJ_Hi-_% # ^ ֠)ʫgKPhyڷ5>P;xٚ+(kU{~wfdMGp 0PM8b3Ukd@N!"mr2ALo!}]:u{i&&[9dN/:b[! 4ܜ)u)RxcT GS uڅ՗En.eP6_%O!;JOsD|w$e/Yv,0d[ׂ+hYzN苵ttlgG:iF-)0nhI'KEO!m.~95lYmp@"PFC'4&Ocv}N.DR% #ǰl9@kdX 󅭨J}^:${W[Y!u4Zݒ'4>ɇEX?JBD(ythJueKǾPv b"s@k6wNs f~ MFB8ӈ f jnO;+pjGn7xmg+X/f'=%Byu7+[xtO= z=gMcpKMR.w<}CPpں!3DSARd9ESZRj/7b/"]tǝ9C|1LJШ~E@1As+e5J9Q}zG֜녁)!MH|^!j-b0f$,K~^%c4.XiPëlPby4t'*Cn|D)Xu(J#;ޱgl+'VeWҼn,jT1x]uvZ\XSjE  r^1;!3=߶*W GRߌ07jq ~&ʧ+<9m \VteɋٻP(,L@7@wf_11ƛQE3߶\;\ t~ص Tu lɫ #}_pM^둸e[%_ Xwʬ&xOq'aE7"32pbuꌩL -1ЭD~ydJm8 s*2"GyxePOneñ|82O[cZKջ&+lt܌CePF2)xϼ5v?w :ɶ;"Y{\;F*jE:9%8HU!$ ALM YNj-&s5$So Уw)ӴJwcv> v,SSC9q9M*' xqIf*MD'VG_i('@bj?3.bf& mkRc>o NT!^##z4 Up y}pM]mh~yUiW$upEŭCm'GS>_g ">+D_-5yɁQ3}sg@Z-%?۠Io=X~j:ZxIW`.ort)@ {6^>a[baί "a![ j YvZڦwx$U|/ wx*OHuɳ#鈠ɄiRv>O3Uf "ϕѾj&Z+r?4^3_368Qk!풩^~b7aÏ}=P"g&wÄ <4i##f4$.)q|`Y3FJ5J-hIuࡀ1u˚!gxrPI[T>Lc"E3|)p t`ȹIy0Ę* cf.bzKd經Rstj鷴s@Iŵ@65$emQq;(86K]6 0^, ߕ[wQxr"0Kx^+gz2nV]ܶ?4ba>o8lL|?ccҁz?k4hgDn>P*:E,Xq 9 n0MM sArFoS`Ij Xy4ؕz!i:)!J^]{F.Ğ  5u%W$}ɮ1Q :fлm:9.uW;vJT-oVHFكXh(Z'+ ML'_ Es'acPl5.E LW>nq7ϔ:Ň^ХN?։9<42$e—vv&- S+ O 2`oK ̎[,}!t?]fepNḡA.MiX>Hz6@O6(ȼ0Rx;GqCM"{~_,9ʜ ːZeXF9C+=abɽVhyh;WZiw-a] 7_}6@[+X\o6NTs%۸Acw[B~% ~[+˘CۦÛgW{ݭk7yX9jcP74oZgdP}@@=}-5 MrBdB"&zïT7߄_*6yT5"{%D! ƑkwX@8VϛP^Hc'nU3VF/2DŽ_CFdY4,iSdCaD 5m,̸rt趃eWx޹pqoPЗ;Z{I4?N'|卵&srSse j@&5|V"YI#Wszg ,N;KshR'Pt+|mZEXPq]S*g$[em)<\ "mS 40}Q?gpĪ";N!ߥ훫PYrf0S фGR\["Gc_*+u40BDwJy,w^fşl'52qXL2.;sƍi)3t),x@Ӱ-ۢn{6({/~Ie.DLU硾m)4h3?4~pz 1.QU 3\ILWĉL/ ^8\ XJ}UDR/,mOcҁ݀ Vtrqך)BcaQ%7~d PWaky; ;ೂ2e/)mvrbL!O3>*q2q OP9"TӨEa`?>nqK Z?=[>3?/}uA3f\0ae[ eo@H 812*eAtHeG)5.1LXBdf6 y['&MSw*/%BgrhtZt#vT\Av7b܉Ov* wrΓO |2`Er/CT*^/FMV@x"^{3 iTl]0<,w(%0aO\[ޟfGQ`EYO)6t57y -s3}p^W_IRqQ b'gZBD6v |;~#z^& 'wu秞}l ԀXٚ˚iA23l i{>.vt!k5DE)Tӫ~z @cF+PLw.xg`Wxsdn;"Ϥ_]kgǩ`D,̭Ii{/` ?gȅ/Nn?vwd܎(HJMOd(n⽕ A#{RݩK$jn#nqh^s@qX:srS8hztLi'?Q fO>RGJ? ?Ǯ|$ (IThv%K*U؈ ְ+.?VѲ+-eswJfͣ7SP?cZ;|~-}Lpv1g #ژirw'y"Q=N?3zUYO"פ#Z2HJ1R '(O!W78fHgpB_!-忑uͤ/tSxii2]Xǖ՟dLK5s+/ʵQ}.k7]Jsn fӀp r*;=1R>TC?ƄU8!963 y PΏ;6[uo8H=tt d' (#L?zPi ɿN&*YF^S$vqC>ۙu[ ^'BԜ]9ex>@ty3IuHss;}>MxDlœooUeD N]Vڼyk7L0T3%UB3+NˠXoe1pކ(c¤GEKH_(y2@֩:C27RJ`D%_t*t\6v4rI4f(rD&3xŽ>r j!7oT;,³p&Pö )h1ޠcuߧB$I7C߁_ɲ괶^m019wc815)~#~gG",{n3u6Eukv\Jǯ3Ik^;rp+o."6s'1'#8!A):H1 IM%#o8QZIɐTĺZ< YMt*Ocw+KPOer._O~X v%43aFzk̴dq+lsAU<ߟVs EI" LAhTVMh̖Hu7Jnc1[/e]ۇPE@B.tGB,?܋WYQ_e֜ ?Kb 2/W$+ PNEK3˛0L?r H=MlW@c"EegFM2=X CS W91Uc’ݘ Fl_2c+y cWI>~gtNv'' &͵͟8U78+dwu%jp aeYrLPΎg0\N%;sm7 As*LCrPxm,BlNSoW~P+RAI4|\VNX;!jfo3W mx|R νcqS2 :쀊ɻ/,>l 069?SXs!Y-w <_sNq*ߣB50 [: R5f'DCd:nF5fTP^&dYZ:~پYTMGiq$X׿m=#ud]B;vZ|W,i-!%w7L}D 4?Hߌ G ?pPqdlۚ($ћ  d}SGrVL^Vj5ۑMKЖXRp桌vxm&r@ǐQ*e~ s˩7t[%"xqP;AȂKQ.۳< H9@ Uܷ,.a|)Z4~eEdKm:N6fP .Rm ? 3Bzɢ=zdǟ خmXW4\}ĸNȤVid'f@+75NC`lqR%7]URڏF" AvOfg_*S=#o?~ ʎv^;U_MJ\pDbFD-ԻϤh -y7 B~ c1'i {z3"/`?CU"x\ e]M~yT"S^pYda/Qdj~JUEĚG 6Њwgb8Ȕ &I9l2 lV-# f,!HP.} FkBio(ŚxS+Tg&{A,Z0i*R)rP{w>qdyOu -Bcn 9Z“p>vr > <@q;,٣[;4޴\]xR_<D&3ߩp+ aTtm4rԋA(pϠM~QA=a++\yxJKf./'&\!;ΈR76dFKsvXZu?mCoQ@י2#AL'W?eGYn|N8ρLxTֽUpv*Y?6v.=h>'~vRZOX[ykQ?^œ5HDiusU\ڠ*d3iƔfWk֨UF]|;Qr쉖DNCBQZ)j8-&\ Wb3֒`=ps g~l j܈ZgJ\{qpyÙF~??w㈬*i!/T|J˚H  Seܜh4X`gA%/eWzp-oH?VpmhDs@{wqV9{32Ӊ3L پdLtefrޝYfH@W赧bٳ V-{givY)#ܷdѶ%k%s&ظrş2صo)*0SR"W _ڥ6v0܆q_@= : krl" Πe+V|k,]aAB;-'hiS :XO-Okx#t܎2ɠ!o +^N&mcqA@$1e1N˹)V5NRk%U'1S1/*ͱðƝcKx#^CR>ss!?<@$B| q.p7 h:}ڶVFDhw~Q5JsPa!+F`Cplr1e5>V033Lp5{7eB+aDeuP4>>%;|@W$!9UN(](d x.%TCOnὑT-d_f}(?h,[/Uj!\vwk4΍g X=JS"rOWHaKp< л`N5Gѵ[<_=>$VGmק\)}s yai5H9F 5^GyJk^>b\o  أϭcjiS42F{7t~K_=Rf`judr.쎟jHb4F@`p;w 71T'ťKRfl?P~ͭ҇Rs~/x}Z(xrm0Ou > ']ma}&1q.' 9pomލq5$?Fa_\c$Gco9zwAv?^ ^P*aEΡ:l!,%sΫ aZK"Q *_)^tc1isaE0A0I6,1+7_zNJ+7ˎfpŽ?MXKgW/঑kw)jh&iL(P*Z?a͏^%r2EeCHͰvS[{]SYlgRA+(2+OCZD/̟N;c_;J+nxHG*7ۭFۢ7oz@x='~(C/aїAQ׊59u"j"wPP"~5x4 $)BfW2Kl>ϤadqAEgy"kL Sb4 {_5 dn"B59N(]4LsA zem4Y˰{)4> 4qj|In*A 䝼dV3%$d[I0(3 E+JQCi8vԇzMďGEx0كϬ/ls.mԭ5Ȃ2̹PF=>8ow(jX2~C`PA^je ND@Ζ9BQl8CԻ _)*!8YNXQ"`_޶K r9%ֽKK9/'Y24O~T&}\P}KhD6\Qp_(`!qIͻ)-BJ|qcw⢓Ҁu2wy\;}"pB6: (^ ^u?Pt#2hKyMO/Y`"+o䆭U>?͑ӷXSq5p>_XA#|e۵R?`,JrUm*&[=izge11>$pOV5a{׌|{+qwv@īG9afPPOXO%K/Ж}h*?RdY@둷F➵YgU܌VEhtKxZ!WHqUciĝ3ex|O >NZRyõIBVS@R绰8^]-٫p9JXư|Gr&hz`yK "_N(vK2ēpe ZH=ߊsŚy`fSAʙN RZodN?nYOCvoPZTO1vԩ(`e=Iswl􂒂DpOa]`;aNXfnjoX=5Ο20 8صH }dx!}0F$ܨNUmexw u&4} C>'tȑB犑MX/LbUDaO BXo\.H0^ǹ-*2+) J]mC4l iaƀ-Gkh;L3BF6,S'@t470jN&YҗR5Ȏl ##@4 -.胠O?XJ[ ]YmMQ6^ W틊o&^0W0Jء "@8)u-q=ַi( KOSn2iuiH+t2^픺H-ʇlI>Vd2{ [r;`:&0ȒcWQ*1HMkqyS~$H`X>Sa0ql+9|ZFCrHaƄ = 9S2@k7TQ\)QL:qxaM(BwKq &ҩ&aR-q2'dSb ҳ84&!ՈMP8g 0^ Xkygٗ[T/ գã`V Q+\Q9wCh"Q!ՠx|W$A\*6p I#W6>`\\Qm3 ]gJ/z!h |ѡ M e'Fh66o{ZXZسhQ&1zbck?aj/띃ؒk5,HWJMk_>ȳ@2x@2IeOYM[ƾWZJ7 Rg&k1KnP`H]s "|ًK uA2;F!Dwr)巏bWq@eȨH*s;23!Tb*'{BS%f:/TpRdCIdwPl{o[c"7Zlbrޭ\"kT::q}Q6m\OzXܟCõ+!raE0m>gMр8}ᄘQ} שxXbM),DžFELU+ט86dVWk`R7HJ8ۢq!W1;ݚSCQלp*Th]y9:nE* j}wl+LE_ h&ׁ<xW<"gY$ˇI5 5jds}Z;2—]@_> 4|H+oҌJT̓jgwk +OCAZۈ0dyxz`ZٿZE-? 9m<'i<ץN( nAһr>*Ȏvۜl[!(t9}Nyhb4Dm$fCO8E?sȉU&_C8^y+{8 kg .j.**B$,JbŇ3@AVI*SJSPZTXEV͓Jw_AxY%\vJX'͝XfBQɑDwP:Oh}66/{0o~#"9|HOWG? ,Q(3?Z}c i"4&B_e~&̎ax;# :zv$Vcَ_ ټSqaf}PQWqVљCC`mCeT1EE~G-pyuNܿ_UGP 8N|@N"tSADF\J@Rܩ*9C&AxDݖz!hLĦ0b^L`W{))녭bxم0w&9<8 Ij@9% U9)iF: a\H<_7GOBAYʗ1:_KC̸&V uzRJ_d]1ɽ#^3-֤&>@:76a_Xj}: q)UD[52_M-Cv|-#Mf|[_oٽYA~r E+(VIKEHw3 ~}W;" Fd sCo蓼`B `!Fw1@7rh#g@[>eqZ͜4W-s\}ڎC1FVkDb[yg,~X{sO2~@&*5.*GuZЗ=Y}83k̫z;^^,^'/$X#^7 PY+%+entȃEscRcWI>n͔aX?n}*y.]~c/J)Y=HTG$Ҟ G  X;nOvq&^ nZKoľCq@BB.9O .^_d 6 _^[TζX#pIjQfe1Iyj䝣x8QdY9z&6: =F6)t i2IXa|XTT.to 1& &Ĺ3=C5Qϼed82*e#c;M.ؤ =-Q2ybDQhgV!GKg3nHJMcRUJ keZ `A]U\/~hbfnA97 g\ [V !a _KᆉՓ&9;;jE!5NKS /9Rp %X|(tsfZe{WʑYP*PӑA.|k&Eo)ʃ>4|I 7#g\T4Kd0{˵{KvACcZtpe}z!~A§A@XF1&ip?]u3)8u{'ɮTn~Bmq̡c/uA6'_N6U=gQe>K_֞ѽ .Yg0TCa]j"_OMsqUf)[RҥcQ Lz=uhV3vdnr_V;@Ek%csY ZAY7# 5,xfؿ^N`u;,Am]cOrB^dpN&0UʓpI}LˎjܝeygJpжIВ||i$!K+{6fb?c@^RD{Y\| m@~ܓU::b۳Ԅ8d4f?#vH_PyΎF ٣:$H]OX +DB۲- SY0fd;\~ 'B3O;_ٍ3+h*d]ݎw"8tcrY*gߗ xˏlj /F 9-[a)|1׎ALh`D탘,a)b]ɧ:4N#n!0 (1 x% x:[jk+Q SJ$:kxɤUKLv([mྌ/6hK=rO Z'muvźc"wg~y'1eLO!,GM4`:[%un X\kߤ-/8?X|?3LM~PJR71;9 :wQ K;`/އf)P ?8YUmUq W'FE@Ssc"DI!BBT teV/嫈TX?^ tcI1_,0vz u5 $Y{-'7K kRPxC0<]M7dܚ\G(%sadlVU2WHHGmշP5<$TjV Z<єzGYnA !W0/Slg (nm឴FDJr|x%a ^y#?kxm#xI*sNrR?~+.h水^"f6QBȖ'[lHɯЅCV.%d[VRBhBUMacI3 M6K+ØDϋ8<;FtE$<*mJ~명JQ `Xӹ瀹M)1"/1-P +!owK=7T92^# ZIv^DzRsD/aLJ=.,UDV߽ʾ&W,\6r¨0;w݃7AȉGĩ2ewzշjjv!Cb)X$R4eЪ" _ݭP+w@mFߤ8~EOk&Xv~\l,Ф"/twqo] J4$g7, $90rV`=TT 9 ѓŸ3LjȨղg%xEJUWN1umoOHH-e4u q$;652Lc==Y}%קs^j19"B4X}"j)MWquDt)οrXy©a8U:"TE"@@5i6ۗȈ?ڎ&T΢Cpc% Ld2r{fy&[!ܹR6&3;xBbzn@ަLױKۏmc"fϸPX1)ۊnŜ#NX}nn߆(hf%4iͫF2C0Q'7zN.^Ҧ 7/_]@0R²&V1(]{5e TO>N _T?s&PJ0-G1/0}g s:5ISymGu8e^x^ doZhtvx.$-VCG7X~/֢l2b71StV;ͭQV'%dT~ Ѧ􃓠Ue1НnZHj gGѧsZʁ%wZr@p6cqb8V\z_D89ʻ` SKHny!N\$<%TZymK Ӹ %XJ -RUpQLRB疥W+ĎDz*,t1E5$Atz $ժ#fx3Y\37xɫUM/,~ h%5b?9`6^WM"z5Mx’S5I-?-ʺ~0u;}zllgڱ5;ix*/҃JB J|n_ /LQTqWW붓;ЎYԵoWQ̂ZRlK{w2m0ByP 6$J Zs92Mऴ)$/+~3 MRkB-o"v޹8Ҝ^WZO9,/MJ'~3fU'0A^X#ʷ׃6-0h1 c :,^R q%afq{D莅/UnB\1OFK o/k';$QKn7HS] dlZ7:veZcĂϯVJIϜpAߋR]Φ z-"p :j+꒳ݑtpʂ;IG `)hFV %0ZRm4hpS_FiSEǛ[|]"X6ji81<'n"@ 8E.Ĕb%~R$q?A+qt(yIbF-mA'yx:U{s&\ k"l&ж҉)gs֡)@jke@6bd*j7k:%3bKpaƃڟ?Eaxi/[|*]'~2T'7^M ]j0bv{~I?'qPm [qQKto8v~:"}Y+xMqˁ# ppv?&s=K N‰^~n4:g q|?ba[ף#}27[8R~N%abެsR }'tjby|G=r:,QW U~&;dK8sT+{PFHY)dI8x/(p}iO'`Ү~4\6X>,jod1qGPn[-01eUjrx(Gev {,*b-R|f?j&X-WjJr%}RxT=/s{:U>nvNjov[x~+t  ]q]Wzl@Z"`0O]؃A{`x%TH+8'g*ڎ%"0;KtDom' QS7 E a |Sr?mhgpšZ .s{J3aS݉k1 k޷ FA ^iDFR|~.h4b/iOt5.cy Ѥ_zӺ1[C7hM×jvH =)7 &r}>t5OB!̫=a&~^rj }.ef윸؆"_됄 -J(} iM( =^Hn܆JN]Q!TVW|U[ͥGY.V9-L},ϊޢ,^4ruA:v(ºHhƨRr)G.'_j1gmQiuWk֜`)cƁғ x%84"jM?Vˡ>CvQ1yZg1803cV>պA }v҅3Y.%oہP>I?_.e%X!H8Ծuf_#UmLA-Ȣjw jb}DlTkj>fR.f-^x@~ofSuB־X' [s9f\ןᅳ50D0  D{hJ<èmRIHçx籢 Vdy )ynr;kyӛM8DS Qr463zPl9%Hꤒ DTu<7虶 :5xl:^RE)t:kcv2_g,al2c'h[oVtA}RKƼ;Dl"Unt˝κO_b~뵌O7- ]F3vΌȑ2Z/&I//>Z>$I>x}*h\6\`%A,ޫ#xNՋij|] -9K)қ)u'!fmwZ6d7kߒ=0˔8Tw }Fd^I2aעjYzi* ͕9觨 {uT$9o4-dA!- o*˚#%M?*:pu2Mw,wԸ9C\֐"F2Y5@Q M#g_53|~V);D|2q ڑ lp04nΧ[Lc/{\۳')~>xĞ9ґe}GͿX@bƒ.t A nA&*8N)d^J8 F1= % Y `LH~Ӎ=&#Yk7MbU Ynkprڧ"`&&X#(n n2 BV#h ^pE*&*2A,AK@;$,։8Hb6Qh۩&fMܞk{J*N?rGmFiW,Wpx}=>`kif߸#};R8k^Xn>S9z7RQ)&pvCp9Y*d&٢KNMAA+(҅|-H|qlDlY1SR/uR@e[KD?3?m +t_U{%TXQb=U.dMnu{ U9G;["EZYVvsyK^ n`I Wjn2)I,T 3quZЩ]JS _UMU+Ŏ6LCX9)i`Ws|`~9ҧx4f_ג57$o'·\vͷ8=')0͆'m#Ga6p) {/ |FĦ+9tLa. .. vz &,=vᮨiPG.'[u K(2JJ:qE!/ ]QROY/u<Ƀ]3qJ,j`Bo BS+5ͳ1yυ~Ҁ:j_s+;3lbCJ柰oIQ_9@U˴lU8}sַ>}ͧ,S_pGl^^@fgEUQZ1>t2aGd7%Lnǯxd/F$6֮K_D+]+Lڕe<{ڝ =fV]kBQ$2kܣc@aOT{ ,|յ>9%>HUQ^&# -Դהr GBNir¯!3$0k&GB̒7yS- ԩNsis'v/t}{Z8@SڨW|䫊;o*}Uy1ڹoى|X% Fw,vj2[K%d9WݎmyĿ@ 6~Ec jď혯1~^t*12rq1tv>صVĄiwDo@">Н~>> xˇu=O 99,|'nTxJX[bޛmK# Pyxy+lM?ٟŽeA}~eM # ip$C4 (6蓼L~a^G'I|2@EZu4>ebB^LHrZ$crA"Mh ^1g?g1ڲ!J-&Nf6+E92_Nv퀵m_֠y~~%+ǻ֯bn.{ajHXm: 8M]|E_E"N(j$yZi޺ aOG&YPX&MߊRe@c4F ?Xz{ERJ& EA "(!X|W ]dPf%͏6_$^%㪯jíuӃSkܒ! Da˫ qZ_sκq# NGGX0 /?jLL~G0 ?ˀhrMhz_Xįհ2JI \'`C *[GhXO-Q$]ۮ#,x7F)ҾKɦ)Spl37c>%9r`fLfg)$NY %koS:㾰h[K\C`CƊ$xVElE5W`Mű_`$5QޱMph ~6[$6nsĂZ)Bha/-0YѺprВ=~a$)M"brYZ rUX'%wA_E^AE=iƸXV!mm쬊%[Qc!!(ZUIZsﴧIVX˥m?ioNH@-*$,d*Łď3D$wZq!r鈂Rr利_"ft4)4r~95ᮅSxu 2_,U?Ȉ# Wt.riD%!~=`(5Z0U?Ηc/䩗eg߭_E8,ָB$lo_”av`FR*3HlyGRA% K ;LTsk+sb^b5FQd%Y\gMNA͊8kF2p֐ ,Tex45vlOKj#Rm}+T$-wo,xO붲ۃ*=桱"ڿ-"Qg2jQLmk)lmpWF Y&Z!ߗ8ZДf<]j$LFsrč"Wy؇\|XN\L xadD+l j"׊[aȤ"g0W̡Jn2h|"]D}g%WZ:gEA[M!9Ԋ]лG e[t|k!yQ t T/B*Cc.ߐ@, vc{v8J}EA/;a5(Y[8Berh[9ɽl&HKe=}uNI2]0ӑ'M-:pM^N;*1&aď5+ M7pL]H /.H͞^,%P3|cǞ4-g4vLyEe)ZzF8^ZۅǦ.%5EF7^-=܇uڷ8ݘAA#XX'ϊi]zi=75HX@׷_㋌Rw|3!h'M-OH)i-)8T4T@^LtUj=IF˼g純]CaR.T-SICt`Wdg_p5t8v_g*eYU,d֗ @Ud3*-ӜSkxjޏ*5m2 Zpk"ZƋJmf02l>4xrU`W_In[L#Lp@g؎޹jq9t*.fpv̼(5LY kN@m(; ؽA'>2Ti[txnr䱆JQW=b+f`m[%_kہאƣ(h)RnPY3;/ZQG\jROfPHJns54|^pCwly=)9BXM*wyfT!WN,qO{$-K$tu|y;y)|3>G<Ү YЏy#3@蝭K$IlJ,g lO.bA~:sYq! >+ dAu lA0r #ZՂC$t~*`%ˇ&r S {Jd܎vtV,c>Tfϭ1XePnnҭ:QD\7bYj=?@]h=Gzd[bi ] &`ʈg .%hK#&Y`hDފMԧ;ѸŔFrrVjO̟u2? |]>*d(̹ohCEFZcPG6j-fԉH#|\$Y;xD^`l*W2_uWgm; oimv L(>߭%Ev:Nh1#ID;_刀KFXӣQZF)`%)#{S/YYkMբ}tʉ9qqd[(L$B?_X 5JAa :z#ᷙ?k&&~hi`c̭xաSިHcؿL"h-کc:֔ӏWCd&k r>˸b5#x#L'E0!|0qx5+ihI J06z8R HB.γFg/ ysn|yM|?'wgH~_ zA0I5og5Yn|UcߵV;e8 axα'ݥ0זz_F&I/۰ HL稟Oߛl4IΌ zxA5ۃ]t: &Y-cu۲|VGWAk5+ dG8Gn1]c801 y?&,c ԑ&gdn;?Zvp#F]`c {ogkӝ,@P$GI.d4:GL n`Xːލƶm1,+ȣ+1)= %FEŜN|YnN}TG.9ޱwr…A(CirV4sfs`ޟ8I(Ƞf.=OeҜHA p A<;!f?PNP~%#ÎB}k=uyP'UXf&tSg] j%[Tn)*($Fa1b`a[>/o#-|҄5E 6\)@vn~nøN=Ѳɫ>H*$pI}g{KW5HAjcy]ABB_w=nX6eBW0T=ӛ߬QB'4AK_r]o~`PZyڹƓ5CͥrCD&s7,xxm(S]&1u/nȒ9c0nk!5-ﰸ1=:誟v\GdF =od{+-txh p-l`>'ݑO y5eãM[a]91fځo'-5n 68ukB@H2F7J ?V.w?Dea>ϝhyM$,[ga+vJU9o[ωP4_wW⾤jgsf7uטA!70>N|F[2ޮu--ɬ=+~O#Tn~BLۨ!Tu>ݓzՍZ[- l|Du eل-PS6 RPҺĵ&NmκHMԣ1bC1;ΏPJ?ڣnv*)t`C`TuxU05 V(2XR]Mʮd *-Si> _.*O<޴l`'p @SSII!Ra+pA>u(3ud^PW0^}vHO(ھwvӂ+ .g{1=^lT8EiJ"a({#U!+g͋"bM/ey3dmTs=:5s;,v$:NYI Ò)mD6J^V!͈96什7\5E6{X%sp= 7  L Jd+-Y4K)k=4|HsXg]õ8K]E:TvA\R i/:^A@m?Xlnk*I:ϻV߶NNrKDyҀ$1n> iB)?>Ad6IwmRPE?I<"RQt5oLv_7oLHˌ 2%S쁹t:k{|mcEsBw :F5KLaf;Hyrj׶>v׽mO'mouf:;,G De&ZMXDնK #S[j!S$mo}:ɢ]= Lk[2b23/x n"$3a8Sw>h[Y.}*6TC+yn$\՘INC:x() boqpFGk0YN G~Q{[];Յ!{e,GY*XXS¼>@<$[K+l6q&lH * S?z&.jՙGfnG ->Pcqo4|qkd'0ʔ\jף?Ӆ=1:ta3R"tQS%p;QCm7_"\ Ik?:B0@//d!%~x1=J,W?j&}!x&Sp%LqRa 7Ocqoaf] .!79|"rzJzULJG=W36۝k42VnzѨ(-3,5*11 }'W j6'kYMzgc SEew7'?҆V? ~hVopK|'\olhg:ߜبiq5^~>势S7 9=Z(7)\LkE{cc ރk,%j0ZxFarvn@wN%_ Jp '`Z!_b_ Dnq݉^xkcU1j9lBq}W F/Yuz!9{7F! f Q,,CUҺw^W$LyAF7tnQ_ZD1HJ~Id(`$1:a?cS jF܈1Q݊axb${^IIoBݻ,0='BCܩJtu*]/ @I18m qq:JBLNrω*1#WL_aTzXjo[E&Z gx8o,(H D H:_?It^iRŷYU!: )t́CВAxLj785zvb#m}t͑" fgkS+b$Ѷi @/?iԞ5zDT`s҃ItڎdDiYNηu P)ef/տj6SQ+m~;yB\F9̘gwGEu"t%j'k*A$RXED795צ h;cǢDXw-LGb܂ϋ tLl){( 5RO|S.lln`u3|=B1nwIGH$ծghҁ]cuixGi٧rs3OD[&xR񲜐 ݾR̈}RfۘɌrϨH*adlbf̈́qѱ{{屟#EW= ߱ųɷ P!򠳥p[u(!,LxAlq}`yZ/3kZt,#EnLN6C&/+A~ywBO)K3@U6:Rt#0#CUژt,@kSVhN`9 }B|bC]4?s%:AibX;ȵ+v\6GU%7yB Pb|ß丐)J{B2 ]P{tE70c@^:v"x&$j8EQ]ھIvWnD1*%<)W=GK_928a/8n*}ucsXvVwT1QL Qm ibFMI Ɗ ې}ʟLl4y%&Va/|DG& t ?'\h^U:Pw^|Xia߼LwҮv= izJU'IoVo4;5Wy¯9ʧ{̈踀mv:}GJ Sl[q4B[( χ78Z6Fk`89S0Y$8jSܙg">6s7W[q#@yA]U=rZ񔏡J?F)Y ~u!O b @:5ֲ.0Z0=*JkxS @ʐ[xh鄃4fJ5΁N24y6Sax$w 9WM"/!ƒDSr[ӔHr)L\nDw (@kuaW{B{ D>2KPkrȜk^GGšl4\=n54iP9<쫒ħ'Kb5hTnݵ,6ikde" t2sӱ>'n8>p@|o$ PO(4h'6%:0iݹv4hK|9 y9ɓX8kagl]b$r A*=ӽ΄'ga{5tP!MӝZl +uD ɜ|6&ХoR>tF i}-l30!?vw Çw]tN|5'*b"If]C (!  KJݭr;:-D {ؚm: UVÃI;<ONQ_.~EOmP25uh-JC+H b7 ,:lS3))>ݫ詊;j-GW-Ŗ=RzrO'n$v$d&9[ޣӍܫ+|vYZ*[#Ag*8-Af[Zќ^.15R Id u@:Jʲ7W5yT=,q479=gOTnLӿ1¯\44e*^R1L *60U{oR'jV|3'HwzK!8k(Lp˳tSM~[&X=ʔ$20}\3?jƇ<Kd8ۜqRSi-^YqAڍ =|^z\ /"E;@aoX/l#j*Om~-!r#¬~9gIu[.1 "Zqv32sɕ%>$<&Mp$gKK>FZL]u Y{"eD@ _(#5P6f@Z*Rܱ X%<$azQj$XWck<--x_:I)$F=7kL|jUm;bMAXe p5l䵘h_;cɼGVn%$G bWe8X0խ1-skIT>S$hrCAA!0U)08NM=7%V5"w m4 J؀UkNf|! CB=:_Cn+kpY].qf=8g/Z/r2)\=TZѹty̡YC0^:bajnHZd~Zl^M~@yw\۰jqpwkD|2TsX{FCq'+cJ4 `M-ss.|⧚_ՙW[lA|6B_nrYU—̒ E1Y}ܒoxA:_*R6nZvG4K}p$hj ҇!o!X2{}AO/|3lH>qQH$_n"5~DYKYnE`zHj'70'vUǪ:# \mgr;> NGtlkPL1tr]z?ef :W?½;IL@t6EKySa͂QP1;b}QǎZPyUqyKWf>(-/.5@UL s`[=xޫBǠGy`N3gOWȴX ?h:QZ86p<QAT[ؼ^[e S Zs񙉝m.,Jʢq#N(>`77.P?n-MboPa@@y-=AZ~)GUl^꼽L!`2IORo,_R);łQ>XnFn*n[s ܐ9̓գk;$ww4")$$"ebFG|6Kqd}s*XeJHNVfK_DM ӄմ%Ӝ:1P p W{ \u$M%.} lȧ -dNi2*')$7њׁ{J=f=H݂sY2>/ WNi9UG?SQa̫ SeOԕ09kD!lt WV45L~L^_9_EIw̃e=|\tS:-nπ> EQ9]#ᅓV={\SE0]N "py^d]XJ~L6*VcX vً9ılg:O5ĝy6r!2))i,N S}|ɯWGF.e4pHE2T9K06'<z Kka̟8b 6j 01 4kN 0Q'Y]_ԗIzNeΓ{Po^ɰ; dCBA!3ƞk߸Zwۘa?|?L'X׃KÐ (ml;͇D>Z0x5!ҴH* ohT5A,Vek5cT3ټ]v5k=-;˫m{N_G 8aj[0ڂT8`,cqt[GUO^ts.s !IȺ#4>8\3g3.b[;Dp`~dEŮGmи[T2y/}p(QL@flCI[Z#rD߯)5#~!Ra).խ'p/"4]6nT1O>:9xb]tdPO*&\ eud.kO0P z[{oqβW>$'O,QPȚN@3 IO1@|o-&phKMuXTU'Y(1B)JLt@D}O(HPޚlK #< aex `Dp[M`KC2t6a?E<#o'SVVWֹ^,xT 5;UWxGG>F f9~PM8Bd`[_M,tp`2~х:cvafxT %ifհ֫S90Ezw4Jl>({w; K%m!q-]\: ƢMwlLponmN= J2:nD@%T:̪EIaſ+QSQn>c 8< iQ;ൿ MH[@,N)Rx0V}$5 |[ѯ "C[0^;odwM,D3#7,*}e"պÑy^n*ޕ|S>mʵ0-j}]ʲ(cgdeO&%27_q])}|A3߾ȼ UǷU݅~h$4oӿ1 8d,$^9 rHCZ/g2ێ(A0qnge1@!,!OmrIQ$:Rv>'ŕ[v qhƻ f#cEEܑ_8eR/}ki6Aj_#%큥h!~oEIЦMt"B_%%ta@ЏѺDkM'? 6tt:B)1'н*38U~mJs GjS$twy@VZ>TMVX//7P*Q  A'Bͼ=j+6v ߗkr3꘮(LH47l3]1phn;+ǫ-c! &k_Q* x<mNP`*Xn h)$KCߙ)͆AxtF{ M$+0_(w2FBՉv̗p6?`˲aբO5&&QtgStZB_,^&T>~.W՜Rޗ J]iܯZ>T[זhgP̉M$R$UgqI#,3&Le4-'i+ϊ1ad{>k]'b= ͭ $y½a"yšwC/]}=o hcMgrR80`aЎR"cxZcq L{wLA|!k0f@ D!]vw wb]Lj697c ) k<1?FhɎ_#BpCJLԯ_4-8Z_?b={ 㮵IAkjy$3&]Fo%KH"G4 ܧ܊y~Ï,F'B;a bFKdF 0á]2I#B/n貧5ɝU$QP`#|WoY,BvɊhg>s.aE π6Eu4y 7BWe/mkQY}֑y2'ЏŠ .Nڥ_ڡk&ASzOwWi<Z$hRuc.Z?cHâNVXA3كx_w QFI᥽Kޟ"L f]֭@B39Ī`e-zۏЄ*Ctkc"qma3mD]ј BOÌ:2CIX}k&`z8XSbˌ+0c Y.pb:`Lrl#k@TA- V(d>rA|ˮ2/7]hØmL :&mu"*$J$K7!glZJĖ=dm߀d])ey;R =ɦ_\s9\7 !W4Yjzjc0'Qf1>OSL/>vh Wʃ0N8l^Gwz:Ѭ7?C0V_#GOZc~>E0 \EߓyPQ\'³(p&oXT? N^#HEHK I-pܧr8wA30dZu(D-gw^wd5Le3T ԷVZOC"_._K` O67]{.c)bts&=; ,|VY`̛ttӠ6Qt3cllc;Exa+BRU6 @ڄVk2T;2">7j[]/Z-4$2$Lx]_bû/$ Ǒ H=e#MJ o[nvXMʟӼ",S.!!xi8d:+i6UeL3p`#_(]MJxѬCX;(US`Y$WS(vznCz-iBڪ2HU p!#Lf>y;n6M$-oF'O`G=,bdj9MpÌvdU޿duQ*~iFVUUzn_Ng qO=@~&mrc8, p]/CF!xer+/. "g:S%Ats{SoEY-G~oc)?>.'eeu,:+LV)Cvz,d&*z{ro>Rv\]AA>SX$}b׾0fYa+F89R7$KovN-mp5J5.OWf:HٺmH){P}pAEGƑr`Ϯ|hqQl/P/ mˎ:v- ߐLJ,$wY+Էv{@JR(,Fl RmF?(.2x+NDWhPB*?C~J~kGB\ zzfF3!\ӴR.!CYrek'maLC 5&xb{ ;LW䁬fZ^2646i| hȦ-WA!c%,(Ʊ}m޺@A3Xw-t[xӛJz FI! MFI7cRtNljO_qp#+*+g5pmNQT4V-r/fxozUЏ>r<[.]ٶ\pu՝YF5M!yYjF;@ZC.ݷc," BPqU_(K 11X%W@hn+mAfP~bxܥ T?~^P&|w9LZ1$_n䖟λpUқq{e,^u99ARlk(; X=fGQF:as>B6֗a_sk<XCბP0k\ _e ҳ)ƣggjk8#L$!5>ձܐ?EJ~$,4oK-'zQgo;5+e0ch|aELqgV$ĺ+ȧC坂+ Lu" J3V?7YOAwgw?&x/+=DHܺGQr|= !}T..6=oTCOoK[?= AH[k)w.v_$>#}6FPN@.6.9ܡNdž?DfzK&cKLB"..8؈DAoȁZo)V70SK8'{& SoZ`R[GlgaRԜazCP$KD ~t?[*06&FJ9L's 2=k{w+k)\k<%KDv'H½K "f բ9)Г9ΡD]3IB4zlo;ncF<` ;~*K@ҁ VR?$wӵoWk([5?qm䨫O$Q]f_?=yrLaI!{JgCYRC֍XPtqd=RލU[J 5%G4"{&5p|R.ba;A1^!C0cͻ?q+x(/NS _^5g2'?ؑ7hVR@$TAg{q"#7h㉅l ^>[.әVfRXjsR♠-ZzLʊ`Iٿ`oDgWJ>tٯxCIMxJW1sBhIM(;Çkю=@.8Ǎy7!t-mTtta=<,B:A/V*zAXWxbuv OZڵEYQn*oޣɱՄJ3]5]XʛX7м) ee}3(yi׮תsy|ǀ(vVU% _1 j>Z: P50X ֯VljBo [.VStvStH_;+f#0(N~:LD^T:ȄU'hMIޤ.iIJ8s"Fz5$MHzgx&'DY%8JeL?}fi'0B+` 4 W>δѼ 7_qHEUdw/:ݤu}zfw}7vrBŰtpopxI1*;gZ!hrRrjbu翯LŶNۚKTiڃ3=0Q0xq ad) 6QFZ;KF0#BdHT{Nxâ&nXpO<%l2g\>$j^:Zw` 7^2y,&4Ut )%/LSGc8[G'\t:{\L:f&t?+?v.bӣS?ccub .2/ZaKC͊!SmK<-U5T`kL8:E~_c`p"Eޥ,E(XЖ_+(nm_BAlSrR1N@u.?gӫ̎b(VL8EA!h(@ie#=FQʤ `y˾yzHۓ/v Wg1 ]mN Oآ=ċZ9RUt00Vd4"hYu7yUJZZlDئP.)^^ymĜâ ܲRWX  YZ