Name: libsamba-errors0
Version: 4.13.13+git.539.fdbc44a8598
Release: 3.20.2
Summary: Samba errors handling library
Description: This subpackage contains libraries to handle and translate NT error codes.
Build host: sheep19
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC https://www.suse.com/
License: GPL-3.0-or-later
Group: System/Libraries
URL: https://www.samba.org/
OS: linux
Architecture: x86_64
Source RPM: samba-4.13.13+git.539.fdbc44a8598-3.20.2.src.rpm

Provides:
  libsamba-errors.so.1()(64bit)
  libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)
  libsamba-errors0
  libsamba-errors0(x86-64)

Requires:
  /sbin/ldconfig
  /sbin/ldconfig
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.3.4)(64bit)
  libtalloc.so.2()(64bit)
  libtalloc.so.2(TALLOC_2.0.2)(64bit)
  rpmlib(CompressedFileNames) <= 3.0.4-1
  rpmlib(FileDigests) <= 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) <= 4.0-1
  rpmlib(PayloadIsXz) <= 5.2-1

Changelog:

- The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).

- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);

- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556).
- CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564).
- CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558).
- CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561).
- CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564).
- CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468).
- CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).

- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).

- Update to 4.13.13
  * rodc_rwdc test flaps;(bso#14868).
  * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).
  * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642).
  * Python ldb.msg_diff() memory handling failure;(bso#14836).
  * "in" operator on ldb.Message is case sensitive;(bso#14845).
  * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871).
  * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874).
  * Fix transit path validation;(bso#12998).
  * Prepare to operate with MIT krb5 >= 1.20;(bso#14870).
  * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645).
  * Python ldb.msg_diff() memory handling failure;(bso#14836).
  * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848).
- Update to 4.13.12
  * Address a significant performance regression in database access in the AD DC since Samba 4.12;(bso#14806).
  * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807).
  * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817).
  * Address flapping samba_tool_drs_showrepl test;(bso#14818).
  * Address flapping dsdb_schema_attributes test;(bso#14819).
  * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817).
  * Fix CTDB flag/status update race conditions(bso#14784).
- Update to 4.13.11
  * smbd: panic on force-close share during offload write; (bso#14769).
  * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731).
  * smbd: "deadtime" parameter doesn't work anymore;(bso#14783).
  * net conf list crashes when run as normal user;(bso#14787).
  * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607).
  * Start the SMB encryption as soon as possible;(bso#14793).
  * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).

- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);

- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875);
- Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875);
- Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727);
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18456).
- Update to 4.13.10
  * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708);
  * Take a copy to make sure we don't reference free'd memory; (bso#14721);
  * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722);
  * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736);
  * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575);
  * smbd: Correctly initialize close timestamp fields; (bso#14714);
  * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740);
  * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
  * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750);
  * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752);
  * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027);
  * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669);
- Update to 4.13.9
  * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696);
  * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689);
  * Fix smbd panic when two clients open same file; (bso#14672);
  * Fix memory leak in the RPC server; (bso#14675);
  * s3: smbd: Fix deferred renames; (bso#14679);
  * s3-iremotewinspool: Set the per-request memory context; (bso#14675);
  * rpc_server3: Fix a memleak for internal pipes; (bso#14675);
  * third_party: Update socket_wrapper to version 1.3.2; (bso#11899);
  * third_party: Update socket_wrapper to version 1.3.3; (bso#14639);
  * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663);
  * Fix the build on OmniOS; (bso#14288);
- Update to 4.13.8
  * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571)
- Update to 4.13.7
  * Release with dependency on ldb version 2.2.1.

- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).

- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676);
- Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574);
- Update to 4.13.6
  * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572).
  * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574).
- Update to 4.13.5
  * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634);
  * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992);
  * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604);
  * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593);
  * s3: Fix fcntl waf configure check; (bso#14503);
  * s3/auth: Implement "winbind:ignore domains"; (bso#14602);
  * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617);
  * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648);
  * classicupgrade: Treat old never expires value right; (bso#14624);
  * g_lock: Fix uninitialized variable reads; (bso#14636);
  * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898);
  * lib:util: Avoid free'ing our own pointer; (bso#14625);
  * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);

- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.

- Update to 4.13.4
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605);
  * Do not create an empty DB when accessing a sam.ldb; (bso#14579);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * The cache directory for the user gencache should be created recursively; (bso#14601);
  * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);

- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);

- Update to 4.13.3
  + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210);
  + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486);
  + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515);
  + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568);
  + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590);
  + samba process does not honor max log size; (bso#14248);
  + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587);
  + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
  + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
  + smbclient: Fix recursive mget; (bso#14517);
  + clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
  + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486);
  + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
  + interface: Fix if_index is not parsed correctly; (bso#14514);

- Update to 4.13.2
  + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);
  + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538);
  + daemons: Report status to systemd even when running in foreground; (bso#14552);
  + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553);
  + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486);
  + provision: Add support for BIND 9.16.x; (bso#14487);
  + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537);
  + libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
  + docs: Fix default value of spoolss:architecture; (bso#14522);
  + winbind: Fix a memleak; (bso#14388);
  + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
  + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486);
  + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
  + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
  + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
  + examples:auth: Do not install example plugin; (bso#14550);
  + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);

- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).

- Update to samba 4.13.1
  + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472);
  + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436);
  + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);

- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)

- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency

- Update to samba 4.13.0
  + Require Python 3.6
  + Move wide links functionality into VFS module
  + Deprecate NT4-like 'classic' Samba domain controllers
  + Deprecate SMBv1 only protocol options
  + Remove deprecated "ldap ssl ads" option
  + Unify asynchronous DCE-RPC server; (jsc#SES-645)
  + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
  + Drop internal byteorder.h header from util-devel package
  + Remove final code for the AD DC LDAP backend
  + Add AD DC Group Policy Scripts
  + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
  + Fix %U substitutions if it contains a domain name; (bso#14467)
  + Fix krb5.conf creation for 'net ads join'; (bso#14479)
  + Fix build problem if libbsd-dev is not installed; (bso#14482)
  + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
  + Fix idmap_ad RFC4511 response handling; (bso#14465)
  + Fix panic in get_lease_type(); (bso#14428)

- Update to samba 4.11.13
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497);
- Update to samba 4.11.12
  + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);
  + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424);
  + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);
  + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + lib/util: do not install "test_util_paths"; (bso#14370);
  + lib:util: Fix smbclient -l basename dir; (bso#14345);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + util: Allow symlinks in directory_create_or_exist; (bso#14166);
  + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358);
  + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);

- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);

- Fix net command unable to negotiate SMB2; (bsc#1174120);

- Update to samba 4.11.11
  + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159)
  + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160).
  + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161)
  + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359).
- Update to samba 4.11.10
  + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374).
  + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350)
  + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413).
  + Malicious SMB1 server can crash libsmbclient; (bso#14366)
  + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382)
  + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330)
- Update to samba 4.11.9
  + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242).
  + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296).
  + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237).
  + Missing check for DMAPI offline status in async DOS attributes; (bso#14293).
  + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307).
  + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316)
  + smbd mistakenly updates a file's write-time on close; (bso#14320).
  + RPC handles cannot be differentiated in source3 RPC server; (bso#14359).
  + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313).
  + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327).
  + Fix fruit:time machine max size on arm; (bso#13622)
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294).
  + ctdb: Fix a memleak; (bso#14348).
  + libsmb: Don't try to find posix stat info in SMBC_getatr().
  + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680).
  + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095)
  + s3:libads: Fix ads_get_upn(); (bso#14336).
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294)
  + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).
  + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324)
- Update to samba 4.11.8
  + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);
  + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- Update to samba 4.11.7
  + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239).
  + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283)
  + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258).
  + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270)
  + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247).
  + smbd: Handle EINTR from open(2) properly; (bso#14285)
  + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247)
  + winbindd: Handling missing idmap in getgrgid(); (bso#14265).
  + lib:util: Log mkdir error on correct debug levels; (bso#14253).
  + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266).
  + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274).
- Update to samba 4.11.6
  + pygpo: Use correct method flags; (bso#14209).
  + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320).
  + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209).
  + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218).
  + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122).
  + smbd: Fix the build with clang; (bso#14251).
  + upgradedns: Ensure lmdb lock files linked; (bso#14199).
  + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182).
  + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101).
  + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219).
  + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).

- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);

- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);

- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);

- Require libldb2 >= 2.0.10 after security release.

- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);

- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).

- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).

- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).

- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).

- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);

- Update to samba 4.11.5
  + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850).
  + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852).
  + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888).
- Update to samba 4.11.4
  + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161).
  + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174).
  + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176).
  + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189).
  + Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
  + printing: Fix %J substitution; (bso#13745).
  + Remove now unneeded call to cmdline_messaging_context(); (bso#13925).
  + Fix incomplete conversion of former parametric options; (bso#14069).
  + Fix sync dosmode fallback in async dosmode codepath; (bso#14070).
  + vfs_fruit returns capped resource fork length; (bso#14171).
  + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116).
  + smbd: Increase a debug level; (bso#14211).
  + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153).
  + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179).
  + replace: Only link libnsl and libsocket if required; (bso#14168);
  + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175).
  + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846).
  + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).

- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).

- Update to samba 4.11.3
  + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
  + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
- CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- Update to samba 4.11.2
  + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071).
  + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438).
  + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
  + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140);
  + kpasswd fails when built with MIT Kerberos; (bso#14155);
  + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106);
  + Stale file handle error when using mkstemp on a share; (bso#14137);
  + non-AES schannel broken; (bso#14134);
  + Joining Active Directory should not use SAMR to set the password; (bso#13884);
  + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152);
  + Deleted records can be resurrected during recovery; (bso#14147);
  + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141);
  + winbind does not list forest trusts with additional trust attributes; (bso#14130);
  + fault report points to outdated documentation; (bso#14139);
  + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124);
  + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136);
  + pod2man is no longer required, stop checking at build time; (bso#14131);
  + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129);
  + username/password authentication doesn't work with CUPS and smbspool; (bso#14128);
  + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);

- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);

- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).

- Update to samba 4.11.0
  + For details on all items see WHATSNEW.txt in samba-doc package
  + Python2 runtime support removed; python 3.4 or later required
  + Security improvements:
    - SMB1 disabled by default
    - lanman and plaintext authentication deprecated
    - winbind: PAM_AUTH and NTLM_AUTH events logged
    - GnuTLS 3.2 required; system FIPS mode setting honored
  + CephFS Snapshot integration, exposed as previous file versions
  + ctdb changes:
    - onnode -o option removed
    - ctdbd logs when using more than 90% of a CPU thread
    - CTDB_MONITOR_SWAP_USAGE variable removed
  + AD Domain controller improvements:
    - Upgrade AD database format
    - BIND9_FLATFILE deprecated
    - default process model changed to prefork
    - bind9 dns operation duration logging
    - Default schema updated to 2012_R2; function level is unchanged
    - many performance improvements
  + Configuration webserver support removed

- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).

- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).

- Update to samba 4.10.8
  + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);

- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.

- Update to samba 4.10.7
  + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010).
  + build: Allow build when '--disable-gnutls' is set; (bso#13844)
  + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973).
  + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008).
  + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
  + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046).
  + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015).
  + lookup_name: Allow own domain lookup when flags == 0; (bso#14091).
  + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932).
  + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915).
  + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949).
  + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967).
  + dnsProperty fails to decode values from older Windows versions; (bso#13969).
  + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973).
  + third_party: Update waf to version 2.0.17; (bso#13960).
  + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051).
  + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).

- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).

- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).

- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
  + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956).
  + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964).
  + samba-tool dns: use bytes for inet_ntop; (bso#13965).
  + samba-tool domain provision: Fix --interactive module in python3; (bso#13828).
  + ldb_kv: Skip @ records early in a search full scan; (bso#13893).
  + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981).
  + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002).
  + registry: Add a missing include; (bso#13840).
  + Fix SMB guest authentication; (bso#13944).
  + AppleDouble conversion breaks Resourceforks; (bso#13958).
  + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968).
  + s3:mdssvc: Fix flex compilation error; (bso#13987).
  + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
  + dsdb:samdb: schemainfo update with relax control; (bso#13799).
  + s3:util: Move static file_pload() function to lib/util; (bso#13964).
  + smbd: Fix a panic; (bso#13957).
  + ldap server: Generate correct referral schemes; (bso#12478).
  + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941).
  + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942).
  + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204).
  + ldb: Release ldb 1.5.5; (bso#12478).
  + Schema replication fails if link crosses chunk boundary backwards; (bso#13713).
  + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799).
  + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916).
  + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917).
  + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947).
  + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939).
  + wafsamba: Use native waf timer; (bso#13998).
  + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).

- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
  + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815).
  + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816).
- Update to samba-4.10.4
  + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
  + py/provision: Fix for Python 2.6; (bso#13882).
  + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873).
  + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861).
  + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
  + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
  + ctdb-common: Avoid race between fd and signal events; (bso#13895).
  + ctdb-common: Fix memory leak in run_proc; (bso#13943).
  + lib: Initialize getline() arguments; (bso#13892).
  + winbind: Fix overlapping id ranges; (bco#13903).
  + lib util debug: Increase format buffer to 4KiB; (bso#13902).
  + nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
  + s4 lib socket: Ensure address string owned by parent struct; (bso#13929).
  + s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
  + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796).
  + dbcheck: Fix the err_empty_attribute() check; (bso#13843).
  + vfs_snapper: Drop unneeded fstat handler; (bso#13858).
  + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
  + smb2_server: Grant all 8192 credits to clients; (bso#13863).
  + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919).
  + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
  + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452).
  + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831).
  + memcache: Increase size of default memcache to 512k; (bso#13865).
  + docs: Update smbclient manpage for "--max-protocol"; (bso#13857).
  + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937).
  + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939).
  + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860).
  + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888).
  + ctdb-daemon: Never use 0 as a client ID; (bso#13930).
  + ctdb-common: Fix memory leak; (bso#13943).
  + s3:debug: Enable logging for early startup failures; (bso#13904)
- Update to samba-4.10.3
  + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).

- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).

- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
- Add ceph_snapshots VFS module; (jsc#SES-183).

- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).

- Update to samba-4.10.2:
  + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834).
  + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851).
  + py/kcc_utils: py2.6 compatibility; (bso#13837).
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869).
  + regfio: Improve handling of malformed registry hive files; (bso#13840).
  + ctdb-version: Simplify version string usage; (bso#13789).
  + lib: Make fd_load work for non-regular files; (bso#13859).
  + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816).
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854).
  + acl_read: Fix regression for empty lists; (bso#13836).
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832).
  + s4:librpc: Fix installation of Samba; (bso#13847).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853).
  * ctdb-build: Drop creation of .distversion in tarball; (bso#13789).
  * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838).
- Update to samba-4.10.1:
  + py/kcc_utils: py2.6 compatibility; (bso#13837);
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
  + regfio: Improve handling of malformed registry hive files; (bso#13840);
  + ctdb-version: Simplify version string usage; (bso#13789);
  + lib: Make fd_load work for non-regular files; (bso#13859);
  + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816);
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854);
  + acl_read: Fix regression for empty lists; (bso#13836);
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
  + s4:librpc: Fix installation of Samba; (bso#13847);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
  + ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
  + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838);
- Update to samba-4.10.0:
  + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string.
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813);
  + passdb: Update ABI to 0.27.2.
  + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
  + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);

- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796).
- Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)

- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).

- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).

- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);

- Update to samba-4.9.5
  + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714);
  + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
  + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495);
  + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690);
  + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770);
  + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
  + s3:utils/smbget fix recursive download with empty source directories; (bso#13199);
  + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
  + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736);
  + join: Throw CommandError instead of Exception for simple errors; (bso#13747);
  + ldb: Avoid inefficient one-level searches; (bso#13762);
  + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736);
  + tldap: Avoid use after free errors; (bso#13776);
  + Fix idmap xid2sid cache churn; (bso#13802);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720);
  + s3-vfs-fruit: Add close call; (bso#13725);
  + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
  + s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
  + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
  + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807);
  + lib/audit_logging: Actually create talloc; (bso#13737);
  + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728);
  + dns: Changing onelevel search for wildcard to subtree; (bso#13738);
  + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + ctdb: Print locks latency in machinereadable stats; (bso#13742);
  + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
  + audit_logging: auth_json_audit required auth_json; (bso#13715);
  + man pages: Document prefork process model; (bso#13765);
  + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
  + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697);
  + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722);
  + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723);
  + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752);
  + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
  + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
  + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
  + notifyd: Fix SIGBUS on sparc; (bso#13704);
  + waf: Check for libnscd; (bso#13787);
  + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
  + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
  + Recovery lock bug fixes; (bso#13800);
  + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
  + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
  + vfs_fileid: Fix get_connectpath_ino; (bso#13741);
  + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);

- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).

- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);

- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);

- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);

- Update to samba-4.9.4
  + libcli/smb: Don't overwrite status code; (bso#9175).
  + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
  + Session setup reauth fails to sign response; (bso#13661).
  + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
  + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688).
  + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
  + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
  + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
  + PEP8: fix E231: missing whitespace after ','.
  + winbindd: Fix crash when taking profiles; (bso#13629)
  + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600)
  + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
  + CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
  + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679)
  + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696).
  + s3:libads: Add net ads leave keep-account option; (bso#13498).

- Drop more %if..%endif guards which are idempotent.
- Drop requires on ldconfig which are already auto-discovered.
- Do not ignore errors from useradd/groupadd.

- Remove python2 build dependency from samba-libs; (bsc#1116900);

- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.

- Update to samba-4.9.3
  + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319);
  + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320);
  + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322);
  + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321);
  + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324);
  + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);

- Update to samba-4.9.2
  + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418);
  + Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
  + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465);
  + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
  + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
  + Enabling vfs_fruit loses FinderInfo; (bso#13649);
  + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667);
  + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641);
  + examples: Fix the smb2mount build; (bso#13465);
  + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629);
  + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
  + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653);
  + Extended DN SID component missing for member after switching group membership; (bso#13418);
  + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624);
  + python: Allow forced signing via smb.SMB(); (bso#13621);
  + lib:socket: If returning early, set ifaces; (bso#13665);
  + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616);
  + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673);
  + waf: Add -fstack-clash-protection; (bso#13601);
  + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668);
  + Fix bugs in CTDB event handling; (bso#13659);
  + Misbehaving nodes are sometimes not banned; (bso#13670);

- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);

- winbind requires latest version of libtevent-util0 to start

- Backport latest gpo code from master
  + Read policy from local gpt cache
  + Offline policy application
  + Make group policy extensible via register/unregister gpext
  + gpext's run via a process_group_policy method

- Enable profiling data collection

- Change samba-kdc package name to samba-ad-dc
- Move samba-ad-dc.service to the samba-ad-dc package

- Update to samba-4.9.1
  + s3: nmbd: Stop nmbd network announce storm; (bso#13620);
  + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597);
  + CTDB recovery lock has some race conditions; (bso#13617);
  + s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
  + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);

- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.

- Update to samba-4.9.0
  + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605);
  + wafsamba: Fix 'make -j'; (bso#13606);

- Update to samba-4.9.0rc5
  + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565);
  + s3: util: Do not take over stderr when there is no log file; (bso#13578);
  + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549);
  + krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
  + vfs_fruit: Don't unlink the main file; (bso#13441);
  + smbd: Fix a memleak in async search ask sharemode; (bso#13602);
  + Fix Samba GPO issue when Trust is enabled; (bso#11517);
  + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539);
  + Fix CTDB configuration issues; (bso#13589);
  + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);

- Update to samba-4.9.0rc4
  + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585);
  + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566);
  + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579);
  + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
  + Fix memory and resource leaks; (bso#13567);
  + python: Fix print in dns_invalid.py; (bso#13580);
  + Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
  + Fix CTDB configuration issues; (bso#13589);
  + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);

- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel

- Update to samba-4.9.0rc3+git.22.3fff23ae36e
  + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453);
  + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
  + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552);
  + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434);
  + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
  + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360);
  + s3-tldap: do not install test_tldap; (bso#13529);
  + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
  + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374);
  + ctdb-eventd: Fix CID 1438155; (bso#13554);
  + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553);
  + ctdb: Fix a cut&paste error; (bso#13554);
  + systemd: Only start smb when network interfaces are up; (bso#13559);
  + Fix quotas don't work with SMB2; (bso#13553);
  + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563);
  + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
  + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
  + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);

- Update to samba-4.9.0rc2+git.21.a1069afb007
  + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
  + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535);
  + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
  + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
  + Fix portability issues on freebsd; (bso#13520);
  + DNS wildcard search does not handle multiple labels correctly; (bso#13536);
  + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308);
  + Fix portability issues on freebsd; (bso#13520);
  + ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
  + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546);
  + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550);
  + ctdb-event: Implement event tool "script list" command; (bso#13551);

- Update to samba-4.8.4+git.37.a7a861d7982;
  + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360);
  + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374);
  + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453);
  + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552);
  + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434);
  + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851);
  + winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
  + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
  + samdb: Fix building Samba with gcc 8.1; (bso#13437);
  + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
  + smbd: Flush dfree memcache on service reload; (bso#13446);
  + ldb: Save a copy of the index result before calling the
  + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454).
  + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457).
  + python: Fix talloc frame use in make_simple_acl(); (bso#13474).
  + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478).
  + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).

- Add missing package descriptions; (bsc#1093864);
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
- Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);

- Update to 4.8.2
  + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335).
  + fix incorrect reporting of stream dos attributes on a directory (bso#13380).
  + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
  + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
  + vfs_ceph: Fix memory leak; (bso#13424).
  + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419).
  + s4-lsa: Fix use-after-free in LSA server; (bso#13420).
  + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430).
  + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
  + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414).
  + ctdb-client: Remove unused functions from old client code; (bso#13411).
  + printing: Return the same error code as windows does on upload failures; (bso#13395).
  + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400).
  + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
  + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
  + s3:smbspool: Fix cmdline argument handling; (bso#13417).

- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135);
- Update to 4.8.1; (bsc#1091179);
  + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244);
  + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270);
  + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319);
  + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347);
  + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358);
  + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
  + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375);
  + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337);
  + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332);
  + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
  + ctdb-client: Fix bugs in client code; (bso#13356);
  + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359);
  + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368);
  + libads: Fix the build '--without-ads'; (bso#13273);
  + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332);
  + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
  + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
  + rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
  + smbclient: Fix notify; (bso#13382);
  + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342);
  + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343);
  + Fix the picky-developer build on FreeBSD 11; (bso#13344);
  + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
  + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
  + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341);
  + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312);
  + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
  + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);

- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551);
  + Add %post scriptlet to clear old sysconfig flags
- Update vendor-files to commit 880b3e7.
  + Set samba sysconfig template variables to ""
  + Add required daemon flags directly to systemd unit

- Specfile cleanup
  + Remove %if..%endif guards which don't affect the build
  + Remove redundant %clean section
  + Replace old $RPM_* shell vars with macros

- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.

- Enable building samba with python3, and create a samba-python3 package.

- Update to 4.8
  + New GUID Index mode in sam.ldb for the AD DC
  + GPO support for samba KDC
  + Time machine support with vfs_fruit
  + Encrypted secrets
  + AD Replication visualization
  + Improved trust support
    - ability to not scan global trust list
    - AD external trusts have limited support
    - verbose trusted domain listing
  + VirusFilter VFS module
  + NT4-style replication removed
  + vfs_aio_linux removed

- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);

- Update to 4.7.6;
  + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741);
  + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).

- Disable python until full python3 port is done; (bsc#1082139);
  + Remove contents of package samba-python
  + Remove contents of package libsamba-policy0
  + Remove contents of package libsamba-policy-devel
  + Remove library libsamba-python-samba4.so from samba-libs package
  + Remove library libsamba-net-samba4.so from samba-libs package
  + Remove smbtorture binary and manpage from samba-test

- samba fails to build with glibc2.27; (bsc#1081042);

- Update to 4.7.5; (bsc#1080545);
  + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193);
  + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181);
  + build: Deal with recent glibc sunrpc header removal; (bso#10976);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188);
  + samba: Only use async signal-safe functions in signal handler; (bso#13240);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228);
  + Fix smbd panic when chdir returns error during exit; (bso#13189);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);

- Update to 4.7.4; (bsc#1080545);
  + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
  + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171);
  + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172);
  + Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
  + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095);
  + s4:samba: Fix default to be running samba as a daemon; (bso#13129);
  + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191);
  + vfs_zfsacl: Fix compilation error; (bso#6133);
  + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051);
  + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
  + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
  + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173);
  + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
  + ctdb: sock_daemon leaks memory; (bso#13153);
  + TCP tickles not getting synchronised on CTDB restart; (bso#13154);
  + winbindd: winbind parent and child share a ctdb connection; (bso#13150);
  + pthreadpool: Fix deadlock; (bso#13170);
  + pthreadpool: Fix starvation after fork; (bso#13179);
  + messaging: Always register the unique id; (bso#13180);
  + s4/smbd: set the process group; (bso#13129);
  + Fix broken linked attribute handling; (bso#13095);
  + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132);
  + libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
  + g_lock conflict detection broken when processing stale entries; (bso#13195);
  + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197);
  + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700);
  + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170);
  + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551);
  + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174);
  + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);

- Re-enable usage of libnsl (got lost with glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)

- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).

- Update to 4.7.3; (bsc#1069666);
  + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
  + python: use communicate to fix Popen deadlock; (bso#13127);
  + smbd on disk file corruption bug under heavy threaded load; (bso#13130);
  + tevent: version 0.9.34; (bso#13130);
  + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
  + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427); (bso#13041);
  + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.

- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

- samba-tool requires samba-python; (bnc#1067771).

- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
  + Fix exporting subdirs with shadow_copy2; (bso#13091);
  + Currently if getwd() fails after a chdir(), we panic; (bso#13027);
  + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068);
  + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069);
  + smbclient doesn't correctly canonicalize all local names before use; (bso#13093);
  + Fix broken linked attribute handling; (bso#13095);
  + Missing LDAP query escapes in DNS rpc server; (bso#12994);
  + Link to -lbsd when building replace.c by hand; (bso#13087);
  + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133);
  + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909);
  + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933);
  + Missing assignment in sl_pack_float; (bso#12991);
  + Wrong Samba access checks when changing DOS attributes; (bso#12995);
  + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
  + groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
  + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076);
  + man pages: Properly indent lists; (bso#9613);
  + smb.conf.5: Sort parameters alphabetically; (bso#13081);
  + Fix GUID string format on GetPrinter info; (bso#12993);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056);
  + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
  + libgpo doesn't sort the GPOs in the correct order; (bso#13046);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + vfs_catia: Fix a potential memleak; (bso#13090);
  + Fix file change notification for renames; (bso#12903);
  + Samba DNS server does not honour wildcards; (bso#12952);
  + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079);
  + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
  + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047);
  + s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
  + Fix ntstatus_gen.h generation on 32bit; (bso#13099);
  + Fix a double free in vfs_gluster_getwd(); (bso#13100);
  + Fix resource leaks and pointer issues; (bso#13101);
  + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.
- Update to 4.7.0;
  + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858).
  + Samba AD with MIT Kerberos
  + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535".
  + Authentication and Authorization audit support: New auth_audit debug class.
  + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process.
  + Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
  + Additional password hashes stored in supplementalCredentials.
  + Improvements to DNS during Active Directory domain join.
  + Significant AD performance and replication improvements.
  + Query record for open file or directory.
  + Removal of lpcfg_register_defaults_hook().
  + Change of loadable module interface.
  + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
  + CTDB no longer allows mixed minor versions in a cluster.
  + CTDB now ignores hints from Samba about TDB flags when attaching to databases.
  + New configuration variable CTDB_NFS_CHECKS_DIR.
  + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
  + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
  + The example NFS Ganesha call-out has been improved.
  + A new "replicated" database type is available.
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).
- CVE-2017-12150: Some code paths don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).
- Clean specfile assuming SUSE-only system and product >=SLE11
  + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined
  + %{_vendor} is "suse" and %{suse_version} is at least 1100
- Update to 4.6.7; (bsc#1054017)
  + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392).
  + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937).
  + vfs_ceph provides inconsistent directory listings; (bso#12911).
  + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836).
  + Use-after free can crash libsmbclient code.; (bso#12927).
  + Server exit with active AIO can crash.; (bso#12925).
  + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910).
  + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898).
  + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897).
  + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886).
  + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840).
  + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720).
  + KCC run at selftest startup can fail spuriously due to a race; (bso#12869).
  + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782).
  + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890).
  + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885).
  + dns_name_equal doing OOB read; (bso#12813).
  + replica_sync tests flap; (bso#12753).
  + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868).
  + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859).
  + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490).
  + race starting winbindd against posixacl test; (bso#12843).
  + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832).
  + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788).
  + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772).
  + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768).
  + The smb tarmode tests kills the share dir contents; (bso#12867).
  + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862).
  + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860).
  + manpage/index.html lists links not in alphabetical order; (bso#12854).
  + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831).
  + If a record is locked in a database, then recovery does not complete; (bso#12857).
  + debug_locks.sh script does not log any information; (bso#12856).
  + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852).
  + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849).
  + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845).
  + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844).
  + cli->server_os not filled correctly; (bso#12779).
  + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824).
  + smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808).
  + CTDB NFS call-out failures do not cause event failures; (bso#12837).
  + net command fails due to incorrect return code; (bso#12828).
  + Fix building Samba with GCC 7.1; (bso#12827).
- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).
- fix cephwrap_chdir(); (bsc#1048790).
- Update to 4.6.6
  + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).
- Fix inconsistent ctdb socket path; (bsc#1048352).
- Fix non-admin cephx authentication; (bsc#1048387).
- Update to 4.6.5; (bsc#1040157)
  + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814).
  + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687).
  + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798).
  + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844).
  + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766).
  + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802).
  + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697).
  + Printing a share mode entry with leases can crash in the ndr code; (bso#12793).
  + Fix flakey unit tests for eventd; (bso#12792).
  + CTDB daemon crashes if built with clang; (bso#12770).
  + smbcacls fails if no password is specified; (bso#12765).
  + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757).
  + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767).
  + systemd: fix detection of libsystemd; (bso#12764).
  + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760).
  + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751).
  + Can't case-rename files with vfs_fruit; (bso#12749).
  + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702).
  + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562).
  + Ordering of notify responses broken; (bso#12756).
- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).
- Revert explicit winbind %{version}-%{release} dependency.
  + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).
- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).
- Update to 4.6.3; (bsc#1036011)
  + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743).
  + Fix for Solaris C compiler; (bso#12559).
  + s3: locking: Update oplock optimization for the leases era; (bso#12628).
  + Make the Solaris C compiler happy; (bso#12693).
  + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695).
  + Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
  + lib: debug: Avoid negative array access; (bso#12746).
  + cleanupdb: Fix a memory read error; (bso#12748).
  + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537).
  + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961).
  + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565).
  + manpages/vfs_fruit: Document global options; (bso#12615).
  + lib/pthreadpool: Fix a memory leak; (bso#12624).
  + Lookup-domain for well-known SIDs on a DC; (bso#12727).
  + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
  + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
  + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611).
  + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690).
  + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697).
  + ctdb_event monitor command crashes if event is not specified; (bso#12723).
  + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733).
  + smbd: Fix smb1 findfirst with DFS; (bso#12558).
  + smbd: Do an early exit on negprot failure; (bso#12610).
  + winbindd: Fix substitution for 'template homedir'; (bso#12699).
  + s4:kdc: Disable principal based autodetected referral detection; (bso#12554).
  + idmap_autorid: Allocate new domain range if the caller knows the sid is valid; (bso#12613).
  + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
  + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725).
  + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
  + winbindd: Fix password policy for pam authentication; (bso#12725).
  + s3:gse: Correctly handle external trusts with MIT; (bso#12554).
  + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611).
  + replace: Include sysmacros.h; (bso#12686).
  + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687).
  + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704).
  + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708).
  + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715).
  + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).
- Generate and update vendor-files tarball from Git
  + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).
- Generate source tarball directly from Git using OBS tar_scm
  + use version string derived from parent Git tag and commit hash
  - remove obsolete vendor-files/tools/package-data version ID
  + explicitly generate ctdb manpages, needed without "make dist"
- Update to 4.6.2
  + remove bso#12721 patches now upstream
- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622).
  + x86-64 and aarch64
- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).
- Build and install the html man pages (bsc#1021907).
- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).
- Update to 4.6.1
  + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147)
  + testparm checks for valid idmap parameters
  + add new krb client encryption types
  + support for printer driver upload from windows 10
  + inherit owner = 'unix only' for improved quota support
  + improved CTDB event support
  + new primary group support for idmap_ad
  + idmap_hash deprecated
  + mvxattr added to recursively rename extended attributes
- Remove chkconfig requirements for systemd systems
- Don't call insserv if systemd is used
- Fix check if we need to require insserv
- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).
- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).
- add missing patch for libnss_wins segfault; (bsc#995730).
- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).
- Document "winbind: ignore domains" parameter; (bsc#1019416).
- Add base Samba dependency to samba-ceph package.
- Update to 4.5.3
  + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437).
  + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441).
  + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442).
- 4.5.1 and 4.5.2 updates
  + various streams vfs fixes
  + various printing fixes
  + ntlm_auth: do not map explicitly empty domain
  + various stability fixes in smbd
  + match file compression ReFS behavior
- Add missing ldb module directory; (bnc#1012092).
- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).
- Include vfstest in samba-test; (bsc#1001203).
- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).
- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).
- Update to 4.5.0
  + NTLM1 Authentication disabled by default
  + SMB2.1 leases enabled by default
  + Support for OFD locks
  + ctdb tool rewritten
  + Added shadow copy snapshot prefix parameter
- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).
- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).
- Don't package man pages for VFS modules that aren't built; (boo#993707).
- Fix population of ctdb sysconfig after source merge; (bsc#981566).
- Enable vfs_ceph builds for Factory (x86-64)
  + Package as samba-ceph to avoid Ceph dependency in base package.
- Update to 4.4.5
  + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).
- Remove obsolete syslog.target; (bsc#983938).
- Honor smb.conf socket options in winbind; (bsc#975131).
- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).
- Update to 4.4.4
  + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809).
  + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919).
  + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930).
  + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796).
  + Fix case sensitivity issues over SMB2 or above; (bso#11438).
  + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910)
  + Fix NTLM Authentication issue with squid; (bso#11914).
  + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530).
  + Fix memory leak in share mode locking; (bso#11934).
- Update to 4.4.3
  + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872).
  + Only allow idmap_hash for default idmap config (bso#11786).
  + smbd: Avoid large reads beyond EOF; (bso#11878).
  + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806).
  + libads: Record session expiry for spnego sasl binds; (bso#11852).
- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).
- Revert shared library packaging to comply with SLPP
- Update to 4.4.2
  + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031).
  + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032).
  + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033).
  + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034).
  + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036).
  + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965).
  + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).
- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).
- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).
- Update to 4.4.0.
  + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560.
  + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543.
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + docs: Add example for domain logins to smbspool man page; (bso#11643).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + docs: Add smbspool_krb5_wrapper manpage; (bso#11690).
  + winbindd: Return trust parameters when listing trusts; (bso#11691).
  + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696).
  + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699).
  + s3:utils/smbget: Set default blocksize; (bso#11700).
  + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700).
  + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723).
  + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724).
  + smbd: Fix CID 1351216 Dereference null return value; (bso#11725).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + docs: Add manpage for cifsdd; (bso#11730).
  + param: Fix str_list_v3 to accept ; again; (bso#11732).
  + lib/socket: Fix improper use of default interface speed; (bso#11734).
  + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735).
  + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738).
  + Fix installation path of Samba helper binaries; (bso#11739).
  + Fix memory leak in loadparm; (bso#11740).
  + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742).
  + smbd: Ignore SVHDX create context; (bso#11753).
  + Fix net join; (bso#11755).
  + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755).
  + passdb: Add linefeed to debug message; (bso#11763).
  + s3:utils/smbget: Fix option parsing; (bso#11767).
  + libnet: Make Kerberos domain join site-aware; (bso#11769).
  + Reset TCP Connections during IP failover; (bso#11770).
  + ldb: Version 1.1.26; (bso#11772).
  + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773).
  + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774).
  + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780).
  + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782).
  + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783).
  + Quota is not supported on Solaris 10; (bso#11788).
  + Talloc: Version 2.1.6; (bso#11789).
  + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796).
  + build: Fix build when '--without-quota' specified; (bso#11798).
  + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802).
  + Access based share enum: handle permission set in configuration files; (bso#8093).
  + See also WHATSNEW.txt from the samba-doc package.
- Update to 4.3.6.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222).
  + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).
- Obsolete no longer existing samba-32bit package; (bsc#967625).
- Update to 4.3.5.
  + s3:utils/smbget: Fix recursive download; (bso#6482).
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400).
  + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580).
  + smbclient: Query disk usage relative to current directory; (bso#11662).
  + winbindd: Handle expired sessions correctly; (bso#11670).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + smbcacls: Fix uninitialized variable; (bso#11682).
  + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684).
  + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
  + s3-parm: Clean up defaults when removing global parameters; (bso#11693).
  + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + param: Fix str_list_v3 to accept ";" again; (bso#11732).
- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).
- Simplify shared library packaging; (bsc#966956).
- Enable clustering (CTDB) support; (bsc#966271).
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).
- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).
- Remove autoconf build-time requirement.
- Update to 4.3.4.
  + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065).
  + Crash: Bad talloc magic value - access after free; (bso#11394).
  + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466).
  + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613).
  + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619).
  + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624).
  + Reduce the memory footprint of empty string options; (bso#11625).
  + lib/async_req: Do not install async_connect_send_test; (bso#11639).
  + Fix typos in man vfs_gpfs; (bso#11641).
  + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645).
  + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249).
  + Do not disable "store dos attributes" on-the-fly; (bso#11649).
  + Update lastLogon and lastLogonTimestamp; (bso#11659).
- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).
- Update to 4.3.3.
  + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581).
  + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586).
  + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582).
  + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584).
  + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583).
  + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).
- Update to 4.3.2.
  + vfs_gpfs: Re-enable share modes; (bso#11243).
  + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327).
  + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452).
  + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511).
  + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512).
  + s4:lib/messaging: Use correct path for names.tdb; (bso#11562).
  + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563).
  + async_req: Fix non-blocking connect(); (bso#11564).
  + auth: gensec: Fix a memory leak; (bso#11565).
  + lib: util: Make non-critical message a warning; (bso#11566).
  + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022).
  + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
  + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
  + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581).
  + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581).
  + manpage: Correct small typo error; (bso#11584).
  + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589).
  + Backport some valgrind fixes from upstream master; (bso#11597).
  + auth: Consistent handling of well-known alias as primary gid; (bso#11608).
  + winbind: Fix crash on invalid idmap configs; (bso#11612).
  + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615).
  + Changing log level of two entries to DBG_NOTICE; (bso#9912).
- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).
- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0.
- Always use the default optimization even on pre-9.2 systems.
- Remove redundant configure options while adding with-relro.
- Relocate the lockdir to the /var/lib/samba/lock directory.
- Cleanup and enhance the pidl sub package.
- Require renamed python-ldb-devel and python-talloc-devel at build-time.
- Requires python-ldb and python-talloc from the python subpackage.
- Update to 4.3.1.
  + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252).
  + nss_winbind: Fix hang on Solaris on big groups; (bso#10365).
  + smbd: Fix file name buflen and padding in notify response; (bso#10634).
  + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038).
  + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053).
  + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316).
  + s3: smbd: Fix mkdir race condition; (bso#11486).
  + pam_winbind: Fix a segfault if initialization fails; (bso#11502).
  + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509).
  + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515).
  + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522).
  + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526).
  + net: Fix a crash with 'net ads keytab create'; (bso#11528).
  + s3: smbd: Fix a crash in unix_convert(); (bso#11535).
  + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535).
  + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543).
  + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547).
  + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549).
  + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550).
  + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555).
  + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).
- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).
- Relocate the tmpfiles.d directory to the client package; (bnc#947552).
- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).
- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).
- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).
- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).
- Update to 4.3.0.
  + Samba "map to guest = Bad uid" doesn't work; (bso#9862).
  + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493).
  + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973).
  + Stream names with colon don't work with fruit:encoding = native; (bso#11278).
  + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + "force group" with local group not working; (bso#11320).
  + strsep is not available on Solaris; (bso#11359).
  + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411).
  + Build with GPFS support is broken; (bso#11421).
  + Build broken with --disable-python; (bso#11424).
  + net share allowedusers crashes; (bso#11426).
  + nmbd incorrectly matches netbios names as own name; (bso#11427).
  + Python bindings don't check integer types; (bso#11429).
  + Python bindings don't check array sizes; (bso#11430).
  + CTDB's eventscript error handling is broken; (bso#11431).
  + Fix crash in nested ctdb banning; (bso#11432).
  + Cannot build ctdbpmda; (bso#11434).
  + samba-tool uncaught exception error; (bso#11436).
  + Crash in notify_remove caused by change notify = no; (bso#11444).
  + Poor SMB3 encryption performance with AES-GCM; (bso#11451).
  + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451).
  + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455).
  + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458).
  + xid2sid gives inconsistent results; (bso#11464).
  + ctdb: Fix the build on FreeBSD 10.1; (bso#11465).
  + Handling of 0 byte resource fork stream; (bso#11467).
  + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).
- Configure with --bundled-libraries=NONE; (bso#11458).
- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).
- Remove libiniparser-devel build-time requirement.
- Update to 4.2.3.
  + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780).
  + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924).
  + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991).
  + Logon via MS Remote Desktop hangs; (bso#11061).
  + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068).
  + tevent: Add a note to tevent_add_fd(); (bso#11141).
  + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170).
  + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217).
  + smbd: Fix a use-after-free; (bso#11218); (bnc#919309).
  + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245).
  + s3:smb2: Add padding to last command in compound requests; (bso#11277).
  + Add IPv6 support to ADS client side LDAP connects; (bso#11281).
  + Add IPv6 support for determining FQDN during ADS join; (bso#11282).
  + s3: IPv6 enabled DNS connections for ADS client; (bso#11283).
  + Fix invalid write in ctdb_lock_context_destructor; (bso#11293).
  + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295).
  + vfs_fruit: Add option "veto_appledouble"; (bso#11305).
  + tstream: Make socketpair nonblocking; (bso#11312).
  + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313).
  + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319).
  + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323).
  + Change sharesec output back to previous format; (bso#11324).
  + Robust mutex support broken in 1.3.5; (bso#11326).
  + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457).
  + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329).
  + tevent: Fix CID 1035381 Unchecked return value; (bso#11330).
  + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331).
  + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339).
  + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342).
  + pidl: Make the compilation of PIDL producing the same results if the content hasn't changed; (bso#11356).
  + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358).
  + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363).
  + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366).
  + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367).
  + ncacn_http: Fix GNUism; (bso#11371).
- Disable rpath usage; (bnc#902421).
- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).
- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).
- Order winbind.service Before and Want nss-user-lookup target.
- Remove fam-devel build-time dependency for post-6 RHEL systems.
- Update to 4.2.2.
  + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182).
  + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260).
  + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186).
  + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236).
  + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240).
  + Mangled names do not work with acl_xattr; (bso#11249).
  + nmbd rewrites browse.dat when not required; (bso#11254).
  + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213).
  + s3:smbd: Add missing tevent_req_nterror; (bso#11224).
  + vfs: kernel_flock and named streams; (bso#11243).
  + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244).
  + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284).
  + ctdb: check for talloc_asprintf() failure; (bso#11201).
  + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813).
  + CTDB statd-callout does not scale; (bso#11204).
  + vfs_fruit: also map characters below 0x20; (bso#11221).
  + ctdb: Coverity fix for CID 1291643; (bso#11201).
  + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225).
  + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226).
  + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007).
  + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201).
  + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257).
  + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854).
  + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182).
  + 'sharesec' output no longer matches input format; (bso#11237).
  + waf: Fix systemd detection; (bso#11200).
  + CTDB: Fix portability issues; (bso#11202).
  + CTDB: Fix some IPv6-related issues; (bso#11203).
  + CTDB statd-callout does not scale; (bso#11204).
  + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234).
  + libads: record service ticket endtime for sealed ldap connections; (bso#11267).
  + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).
- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).
- Remove the independently built libraries ldb, talloc, tdb, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.
- Drop redundant doc attribute from man pages.
- Update to 4.2.1.
  + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905).
  + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791).
  + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016).
  + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476).
  + waf: Fix the build on openbsd; (bso#10476).
  + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888).
  + spoolss: Retrieve published printer GUID if not in registry; (bso#11018).
  + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout milliseconds if it's still valid before use; (bso#11079).
  + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125).
  + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135).
  + replace: Remove superfluous check for gcrypt header; (bso#11135).
  + Backport subunit changes; (bso#11137).
  + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140).
  + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143).
  + talloc: Version 2.1.2; (bso#11144).
  + Update libwbclient version to 0.12; (bso#11149).
  + brlock: Use 0 instead of empty initializer list; (bso#11153).
  + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164).
  + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304).
  + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173).
  + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174).
  + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175).
  + s3: libsmbclient: Add missing talloc stackframe; (bso#11177).
  + s4-process_model: Do not close random fds while forking; (bso#11180).
  + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).
- Prevent samba package updates from disabling samba kerberos printing.
- Add sparse file support for samba; (fate#318424).
- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).
- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).
- Simplify libxslt build requirement and README.SUSE install.
  - Remove no longer required cleanup steps while populating the build root.
- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).
- Update to 4.2.0.
  + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115).
  + pam_winbind: fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Make 'profiles' work again; (bso#9629).
  + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702).
  + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810).
  + Use -R linker flag on Solaris, not -rpath; (bso#10112).
  + vfs: Add glusterfs manpage; (bso#10240).
  + Make 'smbclient' use cached creds; (bso#10279).
  + pdb: Fix build issues with shared modules; (bso#10355).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + idmap: Return the correct id type to *id_to_sid methods; (bso#10720).
  + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808).
  + Don't build vfs_snapper on FreeBSD; (bso#10834).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3: smb2cli: query info return length check was reversed; (bso#10848).
  + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849).
  + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851).
  + winbind3: Fix pwent variable substitution; (bso#10852).
  + Improve samba-regedit; (bso#10859).
  + registry: Don't leave dangling transactions; (bso#10860).
  + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861).
  + build: Do not install 'texpect' binary anymore; (bso#10862).
  + Fix testparm to show hidden share defaults; (bso#10864).
  + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866).
  + Integrate CTDB into top-level Samba build; (bso#10892).
  + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904).
  + Fix print job enumeration; (bso#10905); (bnc#898031).
  + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909).
  + Add support for SMB2 leases; (bso#10911).
  + btrfs: Don't leak opened directory handle; (bso#10918).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: fix keytab array NULL termination; (bso#10933).
  + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940).
  + Cleanup add_string_to_array and usage; (bso#10942).
  + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942).
  + Fix RootDSE search with extended dn control; (bso#10949).
  + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952).
  + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + socket_wrapper: Add missing prototype check for eventfd; (bso#10965).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + vfs_streams_xattr: Check stream type; (bso#10971).
  + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + vfs_fruit: Add support for AAPL; (bso#10983).
  + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984).
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
  + Fix IPv6 support in CTDB; (bso#10996).
  + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000).
  + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005).
  + s3-util: Fix authentication with long hostnames; (bso#11008).
  + ctdb-build: Fix build without xsltproc; (bso#11014).
  + packaging: Include CTDB man pages in the tarball; (bso#11014).
  + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016).
  + Make Sharepoint search show user documents; (bso#11022).
  + nss_wrapper: check for nss.h; (bso#11026).
  + Enable mutexes in gencache_notrans.tdb; (bso#11032).
  + tdb_wrap: Make mutexes easier to use; (bso#11032).
  + lib/util: Avoid collision which already defined consumer DEBUG macro; (bso#11033).
  + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034).
  + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037).
  + vfs_fruit: Fix base_fsp name conversion; (bso#11039).
  + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040).
  + Fix authentication using Kerberos (not AD); (bso#11044).
  + net: Fix sam addgroupmem; (bso#11051).
  + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238).
  + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058).
  + utils: Fix 'net time' segfault; (bso#11058).
  + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059).
  + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066).
  + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069).
  + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069).
  + vfs_glusterfs: Implement AIO support; (bso#11069).
  + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070).
  + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376).
  + vfs: Add a brief vfs_ceph manpage; (bso#11088).
  + s3: smbclient: Allinfo leaves the file handle open; (bso#11094).
  + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097).
  + debug: Set close-on-exec for the main log file FD; (bso#11100).
  + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102).
  + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104).
  + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117).
  + snprintf: Try to support %j; (bso#11119).
  + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124).
  + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).
- Update to 4.2.0rc5.
  + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).
- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).
- Fix tdb_store_flag_to_ntdb() gcc5 build failure.
- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).
- Update to 4.1.16.
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.
- Fix libsmbclient DFS referral handling.
  + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512).
  + Set domain/workgroup based on authentication callback value; (bso#11059).
- Update to 4.2.0rc4.
  - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547).
  - Rename libpdb packages to libsamba-passdb.
  - Drop libsmbsharemodes packages.
- Enable avahi support on post-12.2 systems.
- Update to 4.1.15.
  + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Fix profiles tool; (bso#9629).
  + s3-lib: Do not require a password with --use-ccache; (bso#10279).
  + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949).
  + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952).
  + s3:smb2_server: Allow reauthentication without signing; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006).
  + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006).
  + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).
- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).
- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).
- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).
- Fix spoolss error response marshalling; (bso#10984).
- Update to 4.1.14.
  + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + nmbd fails to accept "--piddir" option; (bso#10711).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880).
  + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904).
  + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: Fix keytab array NULL termination; (bso#10933).
  + Cleanup add_string_to_array and usage; (bso#10942).
- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).
- Use the upstream tar ball, as signature verification is now able to handle compressed archives.
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
  + Fix handling of bad EnumJobs levels; (bso#10898).
- Remove dependency on gpg-offline as signature checking is implemented in the source validator.
- Update to 4.1.13.
  + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
  + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
  + s3-libads: Add all machine account principals to the keytab; (bso#9985).
  + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
  + Fix unstrcpy; (bso#10735).
  + pthreadpool: Slightly serialize jobs; (bso#10779).
  + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797).
  + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
  + vfs_media_harmony: Fix a crash bug; (bso#10813).
  + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814).
  + nmbd: Send waiting status to systemd; (bso#10816).
  + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817).
  + nsswitch: Skip groups we were not able to map; (bso#10824).
  + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826).
  + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
  + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838).
  + s3: smb2cli: Query info return length check was reversed; (bso#10848).
  + registry: Don't leave dangling transactions; (bso#10860).
- Update to 4.2.0rc2.

libsamba-errors.so.1
/usr/lib64/
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
obs://build.suse.de/SUSE:Maintenance:22185/SUSE_SLE-15-SP3_Update/4b66e3fbb7cbca13c64e9209fc1a39d5-samba.SUSE_SLE-15-SP3_Update
cpio xz 5
x86_64-suse-linux
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fdc837a2b5557dbb88aa87a0e7d3e63716c8e965, stripped
)MzwzV$;f #B_%oOc+8HV'y6d(t-)0$oJ%9NSMVβɃx2X ϑOQyv";Ȑ"rE%BCБtOL_sPrI?bFE9u֌LsP25՛`n@{_EXay硍!郛}g~0q5 8aw g4x|Tyhz'q `N817񏔕f`ye=܁Vq%wF>EUk.Jk䤨j3MὈ18i|eyS؊ޠsqQ=mX]|*rH&7 AU2|gܘrZFvxqgm`L\+sb)z ^m./7á_wz #wS[7t .tn $%lT$Z{Ӟ FF}#Ѡ!o\/ܢ'X 'T}:uYm9?m2%ME(FٳE|'4Ty; 6Utg\ EbZLSHrK17T /o-P:to5/mǺ)IPÚ\f@tI TDR4|]#y9qIF#Ok tD8/`J zT{R^ m}5jO@ALYsv}ڀU$qTNuqG?׆+IdB62Or6Wj[5%xXN3Sa= tryas!~ zg2sWWPnw>JM];Ԥ/˚KJ7LWw~φ4 %f.Kʏeboxw0Rw+CrE4~ ,`+(fy:BC]2zq_܀\FY^٦ z3) KRc .[.iHS)OW}oks,Lffb} Rv\ w!Uf*Zw@?E_#ĶM|p Fe-}v=z: ̚J|G&mO⠬Z-+U#/MtKm\Rp6f?Qb46uF33@LS `茚B%bŎݺ۹W;^=G߮3_DGfSWHᜥo^sr<٣#,% ǂ*7>sBI Eghx)$+8t%0G/_l=D"l[2 χݏZNٯYd+F߁#Q|KKtnzy`GPNljVQCǸmE?.E{}Ԕi9 3s(4#CCL0©xJW/8sy3 XE]4Dec U !ci31jAjMuS}^o9Q+j%ohʌCMT*Bk4w"LQuW0 bJ$]PGp<{=Ue9[K˛I Mq6xZt'K&iB3bU"\ɄS-P:2Oa'6/{g7%|+cj9ݎ>ȅMZVV ?[3dax!s7CW=ϸ:R?aĆ/lh|z8#b@|gC)lD5?TASѵ_pO܁3?U]\]Eө M^ߣuTR*gtv#7jqxEZc`+pRl! }- J=1s܇Lg=0UoDBKN6z[9 qoLW8. 7 ^#q]7=Xƌ @߷e[=SWQTLu71(4 uv\n=4jKE' 9j_BIAtvS# C{ZKO՚cj㕖/Bxl:9&4ܣ`ǐi_O7·5BPzx}B_׾R5a޷Hz<53W!Ӊ7zP-Ҍ3H' /pih˹ה ![ C`-n+JB轎RcKLHkսl[}#nREd='!!ks3cPe 0p:F %L`.gc5'aD @=ɉ&,#k3Kˣ#du&Ou' $78pTL6XP26 zR:d0ʎD3"s-o@-$ƽ1L4 D8FoR;z#rˏ$9 2Pl> ' /&.u X:_6@{٥ߛ 'w#;9Hj9k{A OuR=[uKƴބf/I$ (k_}|ڑ}Nk㫞cgҜ}V\]$vy(E9l9 bvO@BUiL%ԈQ0*|]h0lX -"ΎPym8{=6pݛYq낀2q8~u}M7ٱOqIJ) Ƴ~-M ש9./jlL&ǽdm=",^*.(l?m|Pdu*Uzg+UGuU<,$>.f[M{k/\g(U5䐖<rx~jM iPNO#>:)F9X"~@:ƻ7x%\ ;&SiZ[L%B}#iM2tij1l9ho`P ;Žb >坧!^hEiTOv̋ľiQk__0wtu,31MsR6}3DsM|p3B,zv$c.\c>B"wAoٷ2i[{% Q=/gףXOWkPfTeo\P/X9L r eΚ.YfrďsBu0/s]TtȘ^뜃,j8Ņlc,~Ü=|&,q%.Ҫc.{CsFrlǟbk:[zׂ6{1]*XJ|mkR5d+-b!, ) #"q(YSun#mWb49ޣ&0(fs!y- Mp8J_z$' @{aLUQ[Hb`@NFRyGL^;|@9gjeS$'hc;by9 #bZLM@$Zˢymʴ 9n7߷J4Ӫq~)p 7^~9j~:A!Mϻ4淋a귉PŬ0Y?}:d.'V@7A~q!;d64U\4>(4-ܭYMΓAi\7EMi |u12Rg+y#`JiNu2 G0(6~2F!DȖL= 612:1uP;[\1/y5t,r!X!Hm3P! 
V)RB=fsm%b]*ƈ??Y rpԸʌ"Mo Ѩײx኉N)K'3Ne:HQΔ+VO7E9Tj=hj+kٸv &r-@LNMr7l%/~y 7}d[@wpJN mUg:F" w\yc1_Y{K}RA\?Q0XJuFsٖɔ0'fQ0*@A*Cq.(ҖI/c):S)&;@ٲ1&K$>nkﶸ ^~K# h'-| \{u؈H x8fBpso-9?-ߣXQ̙=Q~ɩ*tAB;^Ik]~uB*6< -hˉ ̀'XOMn`:3}qwF}ڍ7_icv,L Y~>p JjVOPS]cd?$ O14V| $xxp:tcs;dE)xEfgmw |ctK~WgZL'Ax|(}4cwnnCDO%hMg@"T_e ^5%Q O-n|SOƔqi[[Ks3d0`-"/:*C$*ʧhR0Ț& ]ig'YLh*f zF{B^\G0hJlΦ0kGQz:B E3%}D U+U=K%r`}|rczE7ѿM`zhNбlhboWPGoG5v?Z"$篋XQ.jj/61}`IzfA;Pɻ2 ` 'K+|hścw!$|;\C/]ʦ4Mr}<!PF^wӛ,-R^gGqjA7]sk?ҢX>xse}%?alvKh}Nc1',K_ A"W,L-StSgBaRO4"w0m8‰U(R+DfԧXV+cn:*K~k]xH,TygHFQqK%xC_<5*p( ncKjh A0G[唝ig1棛jz[ eYN(f{6]Y,D?3GE^MXy(_Fi(.Sa\u"pv!/(v9 |uDy@ !A>N v I$܅e?  Vf/ӟBX$op؝̞CBsB$Ϣeꏜmn(AFC K?j[[ [#]M#\(qke>^Ho;(`gCXW9CTf3LDI <.z F6kFJTu-ΑE=O;'â Eud;'S-m<`Pl}+&~MAj vPȜq7<jY/.*ę#'΁6Kd![c$B?i{s>oUMk-TYw+/{޻/á܆4R}M-Yfèg5o&p⚡ӻ$xA[74-+V4{/Im&w3:ۆg΋ 9`Ыn(&E+TH[w-1UD*W~Z-sjMn̅8Q;6k+>O*rܱIxGxZ@Oag# /ªU#'eݢlHrTR*x*'ia,둓'sQ! [W@s@d~>!߈4"mt &CYouT!d6>,YgC2FJБAUsmC9*ߗ{Q&;.3l"~kjx/9ȫ|eL_Uf&XpdB? 1nqG|?w?#J:. ؋4N|^--Ծ 5N3 $7pNEnJPG܇7 w?wk;(i]4液oX&1B|pf# 8׸@I<̱ؓO T*ixAPyJNvAt1v/ŨIqp{ Ȕ㎵.E1͘*hfE0fRyJ~S*{D[mB!/$ψ 4JpL]RH&\!-QH8 whv!&N֦D^^*thf1gY)e!u1̑d$pF/$^RkZ%, ?[{6an˜0 .i}W G ~jGu]hRt %Y$PkQb+DUME41:t1)ya kKatԞeՔo2 elQw_3=QZ}* v8AORxO}2m٦އTREz[$:@Iƴ\Kq6~H(+XV,}>ʌAOkTڟk zϵ PVq۩h2j,l]zѲ?>vڧ#뎜JRq|G!%gfr6)V.]zy\#BzG@y0e(Uw n)jmO\#.餝©T-Du3S6zPy $xӥ煯a[fҬ , Zv8M@y|_:)3z)BTy.Ӏ[Q.8Ňk^Ey.On wF؆Yr 42XcU٭XUQonF_ {,iܟg-=2 ,ddpN~ǭ@qO[:KXz8Z(hP| ^) n0+4)jc[>C)@;y($2:<67/܏ҍMͦ_PUVT&Y`N p6ZĴsm=W#vOG|#)7-0EIdpa e;!ԛG8zs^Z n1ș0b5F*'5(&D9($?K7֝0׶fR,l%GR_z@ռ큅.#I5S\ހ>h#/b0vXg,[0W֕|~sl>s㺇=j҈N<U);Itkռ_A? O^|Z\-_'OcE /swjK^}%)|)Rq t5@Qb_Gǿs}yA 5CyB$=)UAu?8ƭ3jw^&"LjQQ8(CʷoZD"XZyC(y X-7#QQz9x{a&-?ǜ|f! 
Tpk1툒@Dx.ǐ@su ٱӘmp>[b.%u AP:tzUdQ$osE?Z6XKwFHٹ773+@h'b!ۘpBƕ{Q"ԑg'l:՘E>?X }:Lr^92_w>&D jI&p_JWǡ z v€ZնOHtn9jBXVtзw)1Žt<+DSkl_Kr+E!rpZB(L~ Ne0D&:)4sL۠.YBZmH޻Zo@圛""ZPS Uѫ,,iG8={l~3?!GG2m=aku4ɇ-\`niQuKIUAQ{{Fa\%ţI/^hf8.w'ϼ^|IB1  ȁl'ˇ<2wHN/eu9)ce>%P!ܮFIUH2@n=P NLlY`ַ_}Z\&~oeff_\ד<~Y3P?\\4ݛR֔3ʀs|eV8*x GON\y- µ?.͡J\^;%)Kڤ ;4 Xf8w[/I )l:ȞQJm>bA RC* 6 6У2F̫f7QEOC=ц:^R`A .@, m&F 3pUA,$Rgg4 .SC #Ļn9n^n0Ͷ ZH.YOaȈ[j 5pC4X=sҗ7Q%g6̖4.X#OIjgo|8"3Z WQ>[mM>>6Qk Fj7X[qiS}([؊cboP:;W ( _-BR*Xi|RT~9gNe. 6SdL;*W=}rۓsk[;iQx'{Bu0Cvd`+?3riO/!?# 9nNݽ""uؕފ{,]YN3yi9jVmYLEϑȤbD ?uyza9dbaJ{EQ+y1Hh&oy_8 LbwȘ%6e0~\Jn\|MC:?jm"(D, TVZ7zR)gHde);Mſ{>xUS-T]%|v>Ww_v>gH@c9tƏᠩZ!MLBx\Rb˘5j:̫'>^ 14"].HؼV˳qn`4-<ϋ<6EBQ">Dl)/r!ND ,'q>-Od-n"Th 6q o&_]>ZuĈh1b XzFJa$4qth82=?Nݶx<wR?\խɤ}GqʞsE)i-ѺC 6G4},/)coҜ\Lo־8z6U+4ȩ\oƭS/ѱ'ue&jy5/[oh__zߚȦ4$Gh4&]DrOr'[N(I}#1pBo,]M#[Ht JRq PB[`Aɾh9 (#|_2U]@lR8sYd.o*Q셣hϒ!aEg23mNXFtƞ}C$;/ƪ[|h_{T9Ii[AMe4/lƣ=r#$2yȗh@.l!, p,IɣsV&W[D(w$ . 4tqre3>^I[)=B/Ί2lHu~9H|Tƃ'9A xJ-n27*(m~ e_fVsqOF]:n*VɘݨS=gwO-j↑Y6Egqhӈ? 
m\0L1ŨO hmK3&A9tSqa3 褱I8=]Ǝpjhè- BJ8 j7B,O0Bhիy;Q*e,y؄)i}Yz4kw@~x 6Ε "[iSJeTy_ksaحL '~eÉ_KR t=[ %'(cte0n]SĪm_\ROݠf8]ɠsZ9%e6ߍ4DwӾ21EPi;ձk3&g3,b}+=`^'ڜqD#fWaMyƅoy,Sl#ؒoV(Չ`5CZ b= nI2m&ɹ"?:rpѦ9O+IZ j'mtٞg{:qo!dFqO&vbJ *x^uӚWViéQcRrwwwzJ֙dVF*7ȻOwSOJ^@WKJNT炽uj'8W!b|#X"|@'g}e9+DPLI1t qȔ]dk": Ss$Tڗ}0of!f v$MC[_|2ew\=fXY!Y]0ƂQCR P'Y 4r?>h XBB)+;xV$4g@ij tm켫0ݔL4uՑjJZ dP,|XOEY;i9^ϛtu_qjW5&:Zč/Se݊J-V8vVytjxrSU"D2S[ GcN]I?ELC'/w:Wܚ"@@ѿWLPxʩ{|()~~6^x#1#[ZqHZ2«'!d@ݑ|vMAyz c(aaֺ9'o˖H(wͪʒ:iSQԜA?CžY6|WK0"+@a#>L ػ'(W'`@y|;!}`+828AKK-~^XySpOa5t@ΞVѼrYD 3Ps#>Ifp>|8'fلz$始U$+ʊz8{qdHraRDŽLZHQP%yA]G=Mn4 oL(2'* w#Fi2Sphj(1 ~J7Ʊ V /kY"kEBE_\RJ:k<-i]-IEo-k$ˮ}SItIE `ǚɭ*Os}\u-JQY ٻRbfG"W0+ݮ RhҺ'5T -7՘%}\?Lom'tsWkFao,5:2u=cU-`>S/(w|i˷[h.sfQKPǝq m R9]JnaGaA7CKrXʡ)e&wTbX1A~gB;LiĪȊTM(y2,aȹ{Kgu%xi .s$w5ؾ~N4;|ű,nsZ%cfȌPxWkn.V4HAz0)7~kG-ڄFo l1)*Ł'/Ȣ:(ڳ5 J-+֓)( T]/FDfTǾ8fúԂg6LG)~JlWؚgqW5=iSCU nhe<|>,rEqŠ͉~)JL[#'S$*NeTrx'M ~.ÿ?<֦>>"I~_H8XBsݸx%Ozbp#Ec\Q&oyE 槸 @k ama{K[T:JCݓ,gwO~$n 5z9S 他ߡ/&`S8H(Xa(Qˆ ky %^l0GHEUjs-'-^sC,g^J4w|wZ>t_F2ulC^ =׬4)-@ӊ$שּׁ]qn uC*?&P v*UG dM:mCWzǶЪz-mvQTUPti }]O򜗏;xP}w@UGf'$1HlH"=iTܖw-PN.+i?_f.+2x@'Л<"a>5&6)$Q&/ X@) >v_( *l_,u!q|i>2as#2ZV?Y>4b̮jiҨ߫7s3˻G'f {Qn;#m ltLs;(K9ew6{1=' 8(QL+>S3cs a3RzQyU!oxʈrk:;Ȝpv5xX qF:/8-105;e :xױ+,/E g*~ͭ_bѣa2ԙ;*e7X*Svq{0q){ۀd14.𚽩\C g9jĖtn*EQ p{5ub{M  LqFhoG@˽[ϯ \A*14krK5> /T.>*eLaO1ցeuD+c r1+ v=Y@;Psgk86  `5U/ss``]BZ2_C-t~Qf5%@.ROw]Y>߶9f!B~Y$JavPX/ Or * ӓ B u{̓x^IAʯx: ْΝpU5kγeo%_8`vPj`Eʼ$ƃFhk'::X! u6;IBåֈxg-ZN!ZClO:f閤x%˳B$IO/խJ# Z9?\ȷ-D%FRfrPGԸ/9`;.Thؑ#4w78.0 "Kц֑ZHZm9T@Jq dּWX2CP^w.L(Y^}c"V^~=n_Ň?hK,󹊪4{GTL티 LH5 b02Q^(/ C 𻟧2B4"C9#ybmJ$̵RG}l/#kEsXgӛ7a3i fvԞ*ynUL\ikԭc9dM1K9!DD ; ɠ=4L ?Iy}P$j'oе<`]1K45[MOJAbt_ZOɨ*:qu\eQ2Zwh˖H>+~+|el74RQ|Es36=|'24F)JNG2*Qw" ꈊ׷kp)V+3yyi8Q#,.0*^2qcz X,9` דx0&vĩrl. 
^Г D͎nb\ӨҊGNnW!O+7j^#h nו2JRvUў'ը8}X  ÓȷH%iXn?,"8wz._LtȐctco"EnքI" 3g&F9p1̦*cS^-jYXpP~`XQmA;Usdi+sb DP ~<F>#0x))nLx)'jDκ{go\TTB΀#K)0ZT҄xm򝫆 &˚u!6F_,R׽VjdZ]yp$:^rEWо~ImlcGF'Ѐ*{5I!GhɅX^[40ϒQ^Z# ŜOAoꚴ jl+ 'N#l쏻E9 2Wl.V v,.A.u?:>^뙐X>yd?΀!j'a0/D/̶`ɣE3IkA]wkF*'WN`C:JxY?um ~SCqdR4P'٫XPXYrijt 7S6A8dx.Us{n]&"e&m_U2Ck&jiBBhu;Ngm?4,gl^I&_ﻗxa1JzS/y^l@e~nESE% + f8&;M>8k9laҘ;*/YT":ZC6wR~X:QM`LyP]v<|=' =.^ףN3W6h|n W$2k $WeL !|s36.W|LCneem /`D/S]la-Q^Tg9Dp`['O!6O4+jr]Oܱҧtk'T:{g,EPSLZ a`moA bh_`Tby?c76QaVvzys= wjRVo؈_ja/괯/F m}38hmȋ#凕6_f_6ZW^Uʍ)Xv؃˝&޸亂L{ַf8G_ϙ8ҺE&Jn*Qi;ߛ1;a)[KTV? &^`k0a \*ƮI]"rNcojW RtOEEAmlvJ f@yK!^Shh)>O/ŊL}929撘HΛ?9^Ϸ}Ŕh\КB R;v|?Z/,9RP=Xy$y{B:@5viJa0CD{hXϵB:;~guz8;* 0%V7z= wMi|: (a~/,4H~_a{ۈp#dPK10 }>3(*D4J.9y[3V{׵o%2i>~,Z|c=dG HtE (5WT y_5=3o3 BK¼r Z1W8/jٖY,u20Y@.(1= /[>r֙5W)T9DE^_%E** .]9]Gҡ0x#7[qx ux_8(db|Obih&bꔿDU%PS )&'"s /JRYqmlwn5w(ʧDNVMԩ·b=f}g]4?$,2A[om~qf LWO *H4@9fn18wZ.̍`$_qS"̞-z ֢6xkG1#]D1[Ƣ*^=B`+{q݋7n3>j}lw>^^~ H1xMe%YD@T[{c9BG#Wסң;T04b bâ8K&|\GGTgܧ}NIUR%w;-r%[Ҙ:''E.rBwpj%U^rwKBhJ+6|en Mdk'0͔}LN/ LPd:M*u>GiSt 7{V1i[ub ޔAq{tn &Q`ks!%M8d n`̵(>:,6 A⽂HX[ԉjZM֒\DJE!$0ǽ =.r' :G̫ %بFFrK`,I.GkJ։~x"sUܤ |?ŧ-n{'HsqH Z8w'Ȭzzp^}7pp;suc0WTԢE4 ϫ%#HT/`[skmkؐFfp)@( }㭕"Uݓ |}Qx+p`0{~B ie|cTl^'#M>w6D#XAr)ƺ^ }O aڠ+0-~ez~gu>;6,޵!3g, SFX cJLKvo`e)dSF$,WHjI?A*Ä98hb89k ȮYTh)TFoeOځ9@_\$L6G 8 Rk`戆j}~ Z̹o*O SI'a(A)e1niowS_i1 -M-_H3"p`zmj==q""c´.lK˝ES->H %Mw(n&BV;SF4jvQ)8 5J/DH쓱ʨUi,pĄj)(m &j;X#K`DQŤQfʯ^[R? fΤya]1ظ5 XX" =y3OƟMs,=%Q!.fۣhSxjeJu\YvxPKo yf@g(cS=%.j2G^F;X5x3wDE93Biq(Iݷ|H}0c,-ITcOwW<\Ilk >qɵ38#ǎw3ǢyM}P qWwC%ojlћo˱$TdG4;~AnCLh`b= zΛ{EHq\o 09YDτMAJ F`c3HSCSMok?_4I>&26rW?:e2U\lNkV,I.[+t^ct>GȻ" JIh%< ,o(+_c *klv rJ?跫¾;>:o̓/}6W{Hc?P^.A'Ls"ra>NѲ$á0$#aKY'vPfs>MUǙ%gj"{qy44nM*KYه @T1v ܓ rk,o4LVG%\] xk`wNrdMڥ0{pS,B1]U( {:;pXĻ.f:Y_֜$xޭO6lIbJJPSeo衬#͸1JnS4K*&?׫ K*5|ϸJU :ȃ@O! Y>0Y(;QSp@?5uXwDRr-89% ⯹P/&(Ԉߡ3[vۢoLKVkfE.%GTMF쐙2Ě|^f:m]B11\vύ/!I 3WŁs/8ӽ2åR|_n.#fUb_~N5mDۼ1Ot6$B}{ ΀̍s>ưKkD&xY)^յ}ъf~T+GRRC(@@O);0Śđk12xAlషmDq<~CK:{b@u~&qdt}ӣ. 
lؔiJ!-4   ̠'StRV(E!fBȝ̉|3hڽ˓&T};qɍnAe3R3$/}?U{k͸K}iM|8 -<3֤؇ddw")ӌܧdIronP&hyB/9gת9P[&-_zrM0gMG 9v\ {B$b90k%֠ACҤ0VّkC6^yMytK9l7gxTS"6n8^?I*Rb,&$R6kkI?) MM=IsH+vrzswvV0I֞v7h]s#)aNiSlMG!.pj43Rc@:T.Y?ӧb,S`g'3r.35j2H=dGH'w riS$RkLUM6ee\ymE-l}kmHu3!7 *:Z)5]?,?^SnFU1^x\fU,|-`r}[ʻ+Mmw˚Q@lAILf|` У>v oNQRGζ BTϽi &`^3pa6g'}Sd;&39RrzND~jؽKpy$(PT/#/́d}hw{sЇyqMIv ^_ X'".)`?m 2.Gz"Vb1k( oVе*aUۃy;Y{ղ*M?/ZN#࠷l>Yۮ&ڭ1Mt^c"ʩӯ%z]풠qZ,sFi/mDF {"Oš4v,5|L-||K@a +SYySv7Umv.> `CZf Zo{zz,@#`$<_8'eTd#8AX2Д)Ta70]?|BPN@t;. cYY_(3 yANϐ@OmÔnnDX̀ц->iƕ yK=*0VU(,|opfYQ\8qJC.Ƙp;9dɠ/Ѐ-Ҵ !DuAm+^p;FKX.x]ð71=uퟞuVث\f!ݚv@|5-=YSh\u|ļ5D=o7 Џk4mj|-$@;ACRkXxc>ْAƚ S̉[ / AWICmjN4cNO.bCt((m@a?ҲKJ!1#ch>g;l_(c'~ K:Kz 2*B9v7 z誙p4|F(Z%jVr!`cCQppq:) LUyV+-eWĤrkX :Coz_ H^ɨu,ep6uƻ⛬\!Z0&ԉ9Bt ih&s\"*Ub;77b]}osopȘofVA#T'![=ծA9{uZ8Ӓ[FSh\)A3}mXDQrCG>t?zX9;?h饍@!\`5ͷCMHZN0fKvzkl]VZz}eU$|c1f &i=5yj[5L4td~[T`H(lD@C+>CO4RF?o%ᛛMd[wIKTurQ@[Suދ+(m&\OzZ2މED! 08OfcA:rŪe e=a34oLspq"haMy{>t骅*PCoj6$"Z!D۾U,Bᬋx@W:nasգCߐAH}TiYZdo-BO:h`#!l/BK =0 U“mʡJp=(I'Ǯq;]/ 3?HIOA퉃"W n^*kBQlp).}[L̔KAbROegn O@Xw32+ grqP NoЁꅾ0Jh6$D"?!PS~rhZ S#`Sڷ ˤɇ<7`SQa4zd܉;OSZfDڹ!cvkZ5z F1~EtgXvXAƵ thP~K!Sut4Vt;W&R~ L<<.{eF+v*fy ~v<83?OKj.xz%ĵB&l0%[8 r:^ۑ Orqy s[K ѸYOs-Wn`st6 NR^_-{k =48 KU F}}0,f(lLAyxlQk3˄ ȥ!#34In"sI2v _ 7d;A&_`C"jHqOiuz^JJ1] ȧ܇2Ȉ4@3{:.*\iBa})6J$˽?"K i(2|؝@?D6Cx4objkH<YkDZ;0xu!Dyȣٿۺlx..vG/BQj~0sv3f:Y( (W{]qWTksQZ{IO&FA e,-3>2^3hp/EN8Դ 1SXjŦcܔf*dӟY5k,®>Q .S=gwz`l{¾gk&a|J* sbe~ڑDU($*l% )Os[vVmZʎV!ɫ!x~Exu%rR:j͙DsK,?:y8ѱ 8#3&0-(ŞsaEze ꡞ@mXfͱny 3֓OtSg{ y AJaBytTa]H=h=^K(]R[Cx-8(- ~`!#e"M(I `Mm=~+!'LY!Μ@lOiy2yՁ剢Btu)T }X[Dh4f-tdWg* ;O0 "ĤxnQ^H]6REg!9rkM/(Ɔ*a5ߨ{oDwF7LozJɋmatm $'`Nb &eG'Ϙ&F3e% AX/fk>Ɏ>.1:ߒHQiÄI$Aꋚf %hjtWrR &DӠ$VhOd)QPFMwCA<9䗉~sڇryJYqǓTr 5,=j|ꤲc6 +}$|=2aG~^~83ޯ阆X׼/;3Gy ԠsN8 hR!+\4jM C)\a `ݙ)OrTJIw{0m=G6*q V#~)ztXZV<,|i&;[ o˫S9(kz"\m'mxٮ6-kRB^!,˙G]puuŕ[&L,eqA<ܝ&=AkBP8gdx;즥 F{?"[Bim؉ QB {RxP74֯grdţAaѨ9$z>#],']{(LKcea'<[@>rmVSD*s>8!V O _#rVܠ4)l ]iozU?,ۖeoI-<,'Ag~*J&IK <.9UrE^ M:w葖do^Ze"타p_2vwTtW!ޕ*r0y/.X{ؒ]1N bp)-~TEy-Dݵ/{:xI"11cdc8(:Sm 
6Rη%FA@MSd ڝv Όx_T3vwP l@)G$5Owt{kjFV3wN[_NܝQ EG ~5j?^Q߲GlW n}cYRM+~{慞W9`*_<]}+sTÊF'oD]bnՋ*Dfޝ66Lt,3Sv'q&.nfk74G{aI HD7SհafȗXy#Q?Ve:Z1&Bw 1(dΥ2 )rjB8^61<͡ȬZo}xtJU7? qaR2v>$CzW4G%ln*eQ#HuDD3݆wN.h''Սj'Ԕr̊,M htMu}x~dծ"Y*@Y=h‾0` uɟm4X>ZߟXwnbMWy)Inx:vl\n @~W}w#آWŢO쾤-lyR h8F=(%Fp"3cUDG&H44R<ҙ .˗9=QgAښU‹sCd@Dr'mޜ .BkO]q(b@\%p=a;|^cn@y`4-TVE3 pov-Ѧim@}l$p'.n^LVy!zH0 ?8^;\\L_Vh""[۟ԷG $9Z#*RÍlL=ͼ 87FP~+xsջ^4ӛR%R( K*; O3k"hDr񵓅cP厶Y汐 zy3W'0RxԌ9҄jz_T"ɧHE6%*( ^tN| siZc\[%)tMI?V+ԔsKGԓKzcixiaD~)^ \ cDp" LeC5ܜP`YKej5b fO62Ef3K-j,{:?}Xe,GAQφʯB9W=ktXiXhp '&u$?Lf+dSV 2Z{kYGx>|;wa.7󎒇m혓)P/PqI,MJBqQ$m+^ 8P)hS6℥zAU3NTZg۹ |hKĸOnp}] ^4 D A!wZ\"@ ׀#1TԓEAJ=&qCM;N,fisկofad $w% K>`+鱋f]Bm=Sx>UbRcM;<0kl˞-i]s5t| #;ˆJ#v͒ĶqG,^m҇b$# q\8gsz,*:,b?PEBI*-D)LQ;󥘃mUQ m?ʫy]LM-a èk4t"|/z!!`]' -Ḡ+^oռ/zS\89[A+bP SxAe&4<)Nok!D-!<mG9 GQgR"N=نfUqg1s4Z—Gy71s{tJ#]筷s oݭ)9 @p~L'ݛiDt#-!%nӪh2UqR4~LkV %  pV=ӕBy8j<,wP߶0Kj5|AjfiOUv5ѫɔF\ʁX9,-=[P; F*kU3m,.Z8{N$B'^WZ ~% }W{ .&RQYI=K䧌H*Ev}T]ppu6CBW$Gq NT/GiQ#=2k  LھڵE@.u፱뽒v63 CeJ2x92ű#>c|US 11{407 '1~' .0!w8(HO>@EL#O8DKm#$C[蕕E2i<9U-~OEOB4g. aբcl %}N\8W{(cPK#*#}hi jPLoVCCnM{Y̩~a<=t \"J]ϐxrC$$Z;M<=&UL67&5fȯ@C$[+QsI,>x2ȬB9ٲno(LlP^qC^d>jn}̨} TN}j(}ȯ>EG&ma,7oW޶V%O%)6Eh!\ъ)05Z䄌A}$R!4 FSfC#(JPjV+dDZf:X]^>Bjd5Klk~~J %&~Ru'/!`qoxu,Y7K J']Fܾh/zh[3 m9lc f+?} :z~}FE˙ғ$t[(X("Y) &uo>Zp->_LQ~p7l5A'/vfwRP>E(HM֟:1]A 4gn.I+&lBK钫Ft`_bÅ?9N{%pe$/HLFҐՂ>R`"w] C{jG X>+eO#HyȨJ_Vj)&Mf㈽=b/dFQY3O)ۚʥ|r< H|VSa2셨Ol2 sX-JrS̿X4N$8{6WYZSq1sW­PpSEr5Ņ"ܝ|bG7:]!N>wܸ.F@k?<|S #u",>N-PZ,] xZ>@7VMO&|"'s/c/A;&K C?X^.<;q*Y +;(r?K8%D6aֺElmy2:rN%ĖޏGb)L UոN8n;y]3<::Wr !CEy< Yj@#KVJU=rJ*L=(T 1vEbw)^l%J .cxCKcu(: 7?k|CM2ܱ`EXE(8Ý)Qo]s)0輺ӱpb8\?eC. e-uB -K!Rm OӼZ L!Glzuj >/H;io[m @>,PcaLk7V'xG9ES,1Gu_du)}aͩhJkko\~JaV.y,ޓ\}f61Q.m/j" nEhI?^qo7Գ }KAۂ<_s=c 3Ƕe+64(>Рӑhyʇw1xc8|H{6}>jAv85S,y~ZLo>e nGgylluocvKW.]NVЙ]Ԙñ> \'<`cξuWKϰ\sVuGtpJ"~nǫZ4,e!8]?h5vQr{G`pXxWZAR͛ߏƦ -*$3hLOϧI46%Nk1RELD=|=L̉`?9AVB*{aTyCL'J KT E;kn:{"w{vVݖ9(: ^ !`t `Wʢ>l¿M;,TƒRPdjE_CBZ*ZQ9<2]LW tQF<+O:k_q hh$/޻<א\l,YnW-hV $h@kj1i;HsD\j9ztRIGRtWhSXu#,]F{jj ( . 
TaMI7_hpﱑF軵% Pp]7l-3Z&H*pږֳtd823ӗ-+4 6}&Rl2oV(Ya% ar* h+!˭hyu|JVl_U\&M/+$WjkLTR `:uawr?N(a}b8djvm^YroN? vhrE H%*dM fH`qsFwG438ģ\x8 XYT=qRoJ-c:]"_c4"Cx\tzI> fXDL+CM46RTNV ;f}q&bt~>lD Hڭ< z5ܢhg" d6ky{<s y (ɕg5aP9ObGlN6ڽ҈7W څ" 䏅 b-ڥ؍|||?hɲ`oZ!L}!_79dc!4>%g5[*KyꙝԀ`̽8q1"ڮ)6 )-g2u/jv~?G,vRa׌\l_McbgkدȢZWSPfTޘya4"6anu묘ԷB~B\"%c@Շit- !7\f̝@jS@)E"B;6I@%m*fߵT XRpEztd`J}h$@;(vKd?Gf9I[%"?Y0_w5?71pXpnqHF-QV߷J0 8iC.ĮyP:]=FL^c8%/C%r$:gA1*[hg8.YT#0n˘ذk]Պn%-B#$a.-E2iQ\H'G4l0I/|LDMPrW;YÝ#5L[))pojOSK=-7|eke<ĝ0`~4?8 bu+Qbt8%t?uHu Os>xϻ]foU֯U :Ra%'qˋYw[2N?'R&p:w9AR3F.&*W$H-p $c ' O)&,xG =CHAyv (ꥬd? %8ExǍց?%&p趨q-,Ymxq^#Ak^ +iӄV!C~/*qM.NC~f.9Tc2ʓP+"3.SkGVdT6G\ܦ5C! 2M, fe֞ uK7&Pq@!hKАD%ToԹ@ 1 aqyX eI}87 5,ydĪHYGT 2>3 ώJ~U׿|(8rկ$19DǔWC:nԎe\MWV_vm?b'mFUg 8?ŽtC+&9}Sʰ*HmՠHP-tYK^3F = "gZtc idPY B4>toy h~Uv0-Gxg;)]E:Z}9qf$"uRy{vyu)hN?]B "3Ghgy^[+Sh!Ή'/Ewk*'GMSgDm8L8[NlWÊ92$h^Ǵ' d(\ fne_aXUƜA:`MRoa5qKe^F=U`{%_pK)Ije!|!MVg f} Oa늇Ԇ Y2s1 :A k=[TzPԅj~ Jk6E&Շ-X\׸{KO&so){- e¸}ں|U60:)*RD\w|ͻ=c&W[Kz*߰Ćhg%"+ X|A`͇8T$T-/yslMxE_/.,<]KkͣiPZiH#ۤH`-vmLV"Cى= Odr^,*DDXz /&I]{{;%>2ol*xٷv@5osnz M? Ox^bG>sXR*8N/ھ]Ww),Ye~^M΅R22iߒ!n+(?k(JgIg9͡M)FǁQ/(PհGQƎɪuruc+LP.Oԕ`rN/ÞZףSˬ͒jPDqW+˨>r&7˯Ɉ$ɦMfzS B&h)c]dWʹ䪅M = 5]]XSPI#p[uJA{@IZr Io ~At s/C]hZo}=SGۿ^r: ](\$դލ;k/W~=Sz?0:܂zɂ`Ͳ{*dėH[K0! 
R_(#¬<ʒ4Tcs؃̤ѯx{³"ՈU~EY)JUK%tƾ,o^rP3Z78W7ډ1q!f:zIAvX*E@|aHCHᵗJ3#b w~A+-?]([4񺅖)-Ȣ;u58;?l-L//)⊙=K5pO@ -l*mTP |U]'wA6Kaf̻cj<W(iDo!hc@F iٙtY`f=?Ui~rLq7El l^A\B+AnPً h+'X$M—Z6}P_go %]]Y:ʇ#5{~.RK5K'#8Mw%>+Ÿ?@nzBFz>jh|WAZ-ar"WwPLH*ː ``K̈RȬumJf"<e)*Z/grlP CȁHhmVS~j>F iOL^(Kz_B{v5?EϬ|z9'$R=5\;l K=!Cyߏm@͞ŋߡNi^bouU4S&KP<&yR/BBMՒSU4ɨwU="zyEQGLaPd'Hm~s6kj9eH_LE.=*ypW!Y}>:&˭^hoMgSCvK,F-{-gX|QjBnJۙmbϪj:X4(Ӹ06jԌ+2CԐc UXk˜>0WB96γW:NFUB,Rb~/g)fuSfS<1zE9;xh;iɏܕ (T k{;Jb't+>ApG' K+Xmdה4rKxW'.nMGc݉o RF\l*nD`[}np}D~)S$2 k`^Apu(Pŝ8yXqWfOYh4|,@}I\%\ 5,  U) NN-{e"le(v\6/e"ފEw#c>u+G-9,t\z'zcu9Ed(Z؊[hw썯?O]q};.1[zRuAO+&ܓhMуц,lҾ:prp|l8}'Ueg%ïfQ|ii%E*3NJUr}6Hhoc~ʅ!ht!';&2e{Ue, ο|31i`H*7DƘxF_DW柛]X f˛H|gyL>Ģ,*o'4{jR7҄gǼ)7'5͔<u4'2پ\l@g.uk$lILFA lV],„q,aW -dp pKޫnY,;u)YvA-,:JrLX\ }r۾QnID׺*_ZJ kE{ywzD+'8.l( aIO"!V`/w}:"AZwC}ff꥛'veSCJ6,)[>T ǁ.N5^8XErU3*B&!rꑽnc^CEG)۫9Aa=I@w .DH^9m60~yMu2IzFr^PPݺBBZ!4g#IȑaHL*nG; #UNO50bB;`)@O^m܊AO'_,k[4& BFap䣯X R?!~'?!M=N9EґMO4BeEҍQ(BTnϫe % &&{!:s%Fw ڔBV-+v٩IN1ĹX@a᳥{oH>o-pCi™l^ o5T .BOTMv|d<~pܻ^9TM2س֘uepWaćmg@O{qSpLܼYe{.J-A' c^B:P#o܎6Kzq|`[dk#x@,u+:D-(><[( o 'i{| l#RXRI*5EjiEF$-`\35P`1/)ff\W/}a-8.@/ ')ݵ~Ov C/4zp3"Jg4q,K$p^BPߔBաj̐#a3zn/4t, XizqG௶p`@ 05aEM )>0csB'$nK7.'eL1\]tw>SeDD7! -RPn=̙{8i]5KYflkpNfEBOبqҿ&V|ãwaӬ^>M5D`I^qeF%'Oz)'|w FNԓ 'siǩ/5J̯O*R|DbZdSk5M8_SAMs˚\{,6Y% [dz6[n_ V;tLT&2+0HtZ % /eb-(%H`xbiH{ߨQ|8U\C ͪ@ɅhKdb HMo(_u"ȽjՎ,_tZOCaQ- Y{?.mΑ踍9NOH4B{!+-ȚG*o\iFK &e([GOfG%t3tyTzWqE/e+-*3 (6k 91^U?{MsvL G}+ B%ϖH^E q]2plհ]mQ 2&m=)87 ]5lыQ$Rr[fU/7\Pλ7:sQ}ȾVv:#`}AE"Fb҇ɸ!p.eF|n3!,,z8107PeYؿ9%3kMʱl澯ye/qQ>NSa#dm3v=C19\Ce)6:[ LwaP}Z2_C,ߴw` &0Mg6׎bB>io ŗ'fb0v bVyO8ZĒ[=8Hbr )H_Nv:&A ׄt9mʕӛۧњ^C+~ޠA[u1栒I@VfIoQe#j`3\D$b?8J'3\U, ]"H:w' !HԀ!6UA(UQpt4Vל=ՔZ.*=}~A,jyt/V0HoTS#%j|nEJS5_.rv,DkjRO v6Ӯs,VEDɢ~ h녬Y:tZx Io^ڞTeQo~}/s(4fYwqQmMc#*&Xx]W\wb,hkuĀKNrO VrPف;S:V4ZA0#GkfO8?8qkTs,>99WN#hutV@9QRĝ,t |w. 
h}ye7 /!f06ѻE2Z)J2d3pHH<*ɬ(1Up={T/<~+\`I.P]fqń 4k߃y VU=%#ob~C`aΜ@ 4u'KC{>ExB)O3J3@ z=évc%]AUa i4?ʸ=Hi"u\pPM/^LO`0=/ 27H~ݼPU?A<}>EWq ?ť&AHQVXm9M;|p_ZY2jk6Bh:pXx,8VM'Qy7 w/N5?'g&~JB HUrj݇~ͳO>nMqWA!^%S0zk ZJ\Ɠ>@$%8A1zj-N{ L}y/񌫚!Q񅬂RchcVŶqtFCE߫w&y#/掞|w8M7qhsVg]CCuJ+P]wGҋpG:>`@BUȞ':(h&go[a\{#Eprt"{6NJUBI8js0cEt=@zesT$n%;gĨT1F AR.¿%6+;fj(Q#zG#3X;!KZF&@R 5pǤmSб\- J܏i$#a k}M~ $ů{EbB&JћAqV'нy|5C;!d>x /Gwm+a"܁5c!HH5&.3'H(nte}VReAN/0}!ywBf-QgLb{-(e;{dxRs!=W t1y*qTԺ'^Csz%PX(M91ߚ]u٩y̞ H-U X+gwY"Ĵ=wxl@2 DsS9)b 60-:Qs7ėh+\]@Mžf6apF:4^h]=-wg8G6RVb7#6Ў#Y LŽEZϚkbs3jjeI {&PND/%.Ъ Bz(;&t6 z_G3BK'J/X|6LY*@1ώ0a&ŭ1S_rv -a&4N>96 0jקfiV4ƍc@8-RKh ,;VB8'yl7t@kԮR(侉̣%Bu\} QfBP/}^p/P1$Iz{DH;k^NL㳫?GTx$=aKyͳ77^IwtB.t-h@qfҟ#S>?C|e%=04 6/HhWVBϣZ,GrCLqqiϰsb]L=7tS~qQ ZUwKvIE+3YLUq-ő7@L ;VҽHtTBeqXMnDlFf 6.XBƂOṥBg3뤰)iTM d > =Sݳ ; l%+LCK?E%42yUOQSSQ!RiE)Zb3YC蒀j`I4HiW1y n~#r8B"W1~A˹4N\ `Q|LZ1F#EKDF=s`A?SQEH\V=V,N~GqZ$rbw7õʤ(LF5腻Ɲ jlΊy~u(s8p _@y. [` y,ĊD{OΉL{ؤ=ygr=و9fu!^~l] $zS}vV` >d >`mx[#m<XB<6"@L]BǘO~S X$Sװc.(MK~k `Bw;Bp(ooVoP-UC4v@8# Sƛ9T #TŖIJFwo}X,oN)mq]X÷n7zѺZ$x%Ҁ*&k5q,n#B-{cMCneo+^,Q #ԩE]M]#5x-yJI`znBͧSaWJTBFVr~2ҋdp E7k[ 濅KDrݬ!JRCc~F@d ~T5-2.ywwkO/?..Ġe߀CaPDH3um$% 7F<9R "Z? 
n{I.G{.ev4t+Q9n H ç@^+d SJ1WBXhQX m^!h|ܕ8 Szsռ~z&5h2%`MH "9G+P?Mfŧ(jj7}Ÿ QtC/ z\oQSp miMQT@Lm Pr:sb^;Y 7e73mڍ,`Z+[0~<8cȺjx'x X<տ&wvP*7k `DC=PĊ|rߙnf 5I2z/!AZ2>=mѻe$FM՟Yz #WCHV鋂/gb `75ބhڎB\}֢B9 X"΋,ugzkE6A}1 dҚ#)lBF!;AJ`.5T}mr1"N=jn WLbb8*8Y ^<|Q>C=+ҨI7Hŭ v~N܆\P~y{a' vfׁlC&3؍v%<҇~92%E;*fV`0ކ(ΙWQ9 kDP'LS}⛽3Q0]b v[AeM "pQIm(De҄K;ݐ 5 &J&ya"Zui`+r_DID ꤓ %DӶ2k`a/yS*Uܰ=lK MlíDΠ@!@a,L*[9.{ $|0S&R E!v'ϖQl,(ʢ@T &[) }5cӣSar0e-9 \J QG9ĴJ9kJ``'R"z _g ʸYg iܾEtp]=fVN/Nۥ N'X69 `|<|}.<)jy uuDt J&e%~@b>K2%eUymoHQrm9zQ ^Cxz糢Z2uf8c͠m ))Ӯef"^'U WhJu{B+4PW$OGg}aV FMsO ͌{H9.Uф&gs8=d'{)@劯"b^7×I$XM^22 "~ƳBkCv*{ ~ - }괮|ĞTYs?-.Va>4s7gH]-pJ %>/b@KHcvKxd /C;W*NxcgjSb?ՌqY > C!(ϰ㢾ĕ!H0xnY;фhqYΩ 9dW@qrnKu:ERXt36}L IaZ*9}d>Ҳ׶k5/<{vȟ1|RNJ8wH f"ie~BكP)qbUr0Q0lZ:@:D_ z2s*f‚4VuZQM V;!6`[8g k!s91RAq" tɸ!a߭ W*YiHE$CSAv$.ʷFK^ #!ۦ>U |Vڻ?5!pkMvn;䃸&\SPޭS9%>r?ѭڮM]=)>ݤ!1[VlnnHJh!BK͢'b K%I)O(aFs+8Ur S+\$8ko_DP$M}{e~i8_^F1Ou ҕVQw=W'ӊꠧp"c<We|~($ԧ;LQX/F}@'FŬ,r0l[9 ➦7>X5Z [P~]re+PR;b޷WbD^b 5"pXB@?S `@0`O.|%;$.kVopCenA ffU-c +h%&J,eaxn/t~YFB}݄iX(ŢZPJ.R9U '&[O=ZN 2JZ6 3ݡp16F"e!>J6n= od"4 V0fhmtp?x}x4aEI|`18 k.  ]9\~_[czir{ }"l]'7+ X ً99!2E=Rc".|2,[WS*Q)o3 #执UpVc |bWT*&'<_ɵl?90Rᡷ-5OjPeNW[VJhfrV7cG EU/|ڝ/3NȢL 858̚<=?yB,2JkΣp6pr;|n:*&;Xa&fqz Ip?S('h[q-=hnZ@%Oձ(tUߜq}?̘"DGG/)?qu@sK7\+S$0F֍q״| koV6&Y0&{L׋5`skgn{=]9+>\r02ˎ $ivDTU$AfvWbuj/J?/ F~I7bC3m,QE t_[#1VmLR}"QF"fr08\p[1qP!WeWÿZK'8!C] 8Jg줧#/#f^ kgኅ x x̝E!w E)l4o rIDpO~·H{e(?35Υ@%ф@뉪&X:B {!Myir OB1yT$Q&a, @${U$;CW:ĸGNơ㖏m3^0+LۥO#GJ5|ډUb@.kо?amb4_ ZƆJ!"իH` ┢! ttDj{)d3̖Hn1Pф{~%#j&o! 
MEe@ِ /.րK[wOuqaO2ۖsREu :r\~J֠ōU^E͒[\*H[CК}ΛYy8"#k[^r);\Te;8tzi?(S+ 1Jecշ,}p,]L0+OiM0oPOb.5)= Üc8A~˧AzMjp}3)AE(4޶4Y+y<6ߣڍfH2 x j˛)t逗,XT#_zHrFUb֔2W7)}eS9h$+c:JWDE4Q MxNt+4S1 <8!vjQ!2|L_Bߍ2g$g&YDSp⼁Myq207<Ħ*:ꝸlQRA/ׯrkJKu;Ϧ`M+{b:G[,?ڽލ'6=(:k6I蘅(Z|$ObzZDW$h9Ke =@Rz,Cw E0fPUӕD h9cSL+z+e]?{ԙjq79)%;/5*eUk6Zכ+ޠ#S gl05خNҳHB~sh#8S ӊrV풐8ؗ6$>52H~ WQ}p5x6Z^S?.}Dj7:҄1#9\"%(<0ÓtM QAqPFh0IJebO|C#.`9]|u1zެ7\4YձmiŪ;:N3åjW1ʡP)GCL>S#5 HcE^0VY\2-|I(_Z1+eo"%nn> S,vW3L ك;c6YDF3赱}ꌌ9h,'VEpC]R*t3P^2aQ?lw`pLɚ)sI>/9E64Q&ti+lQ 'HU>\$na/n7K[|}Ȃ3]f XkƟoczA<|x H8#iRwfc'Z)tabXkIanmxȸ%&|5o1 KBvVk, FHyA3G;B[ 6R%mk=BUp?s>8ldYX)!5FĤ挣t_۪2BOeYptŤ6ɉ$1h״/Htqk NҬOXnV܎x|iȲM lAxXR]+F+"Ӵ1 Ji|m/3# j:^+Eԧ +uw HNKy.ͫAT)"2mWk j]҆,\Hˢ222H.h\VDz'ݳ;} L#?'㗇z^&|+);]{;#=6 -?W2} \\ ݭ'ă5łdd\m2~{Y\,,H rD];*wq ~Kۇ@p uBV7ZG7aC~asaTr*Ez.l&dلf!S\6Z9f _!76JFH= 樄VArhIk&RIu(*,Kɩ<߳[uՂV:tyYmɃW0UW&/IQN䂝d- VM dߜʦ^s(B^F;I95OxųRpxݘ^ezdirdT?R=9# lqSNAa{|ݴ nZ 4ӎ|Zڄ}W$=n>kܾukON5Zfo# 06#G󯽥r R)1W.>1Ci~8aı=<^w.{+lL>vm6=3IEU\F+ϜF&2o4\|k&P%V5dF{,N a6)sתtG{m+W9n_DD.j/7<̽Bl3[fcjksBDͬI g`EEae K$~Ff׹-7W. "_i۬Jʣ" WSg6|D|W'Jt,:82Ә|WƾMSC޵0 -S~V׫BM]>U:Eaϴ CL:fxX`>} ?UwcV+}ՓKo\a-K.cjdd盋}^MX(C(/Ⱦr.-'R?݊x+Wvj\&f@ZT$뻯ma/g# _Wٱy^\Ь˻ 8Lw[NBZTw3WQ܉EPoT?el{I梴OYh4 i [^ \42R'G|ZO kW//sV"~~Xv]: 'x9$Uiq{<2.3`mf>;vg?V~WEPڪO?@S#PQO\*w;r2&cq4Iz[x4UG\YN%0k41:7f}1)*: eT33L?(,D]WFL,$@lo;,ylh) [4" LBn)n݀ky)],呹2kygM Pܱ#7:YH+ X+Su RpB$^޽w:ďypaR_9Di֭>kDiHKV/Kc֟Y@] e4 k>Dtz]fxX^OvL?k jYSqG6Eqz9|yd/`rEҌ-eqоi9U!I#:0YyH}c\4Z񳌀zG CjVr])WGۼ ?4ۿwnXh^~]%lO9~]{i 3"SB& 'g! pTo{}eQXa=xWvpbgsSAX>F81x;WF&C5sQ+AgDI7ܣzoE~i0S+ȎС2eJJMJ->E8=jC[ǜ˱z[S`>ֻ&@E&ZHxV؂\x8=u*sk6CZ$j-؄ c1^ϣk +:v6v$|:STo n!Qqǧ.2Hi'cZY )9` _JhTF}elFOk95iΣ>=#GH+#XVv 4dua[y,>E3*ӗtɔ%KޫzTU܋`j~8)TҒg¼{%ٌ&v:G}I@3)؜L2p0,a,B >r}9lC8#6 lu 4cɴO\㓩Z.ˁ҉]L\Ò|" +l/!cI 1YQPfX f;{I{c\ , a%$H;xqҧ+ф]ԄHe~hyUXuZӏ7?Ϲ a8PMU?j ZE ?np@O9:Dʾd_Vv`*PF٨Ìx/;="Xwiv)Jd2Y>cM-+).]:?:ә-._J-zEsB秉c Vu5p:i!A-#%>j0ш \Y+#=!JS`0XX Ya jr2UEd5tUrv0Ζ)Qm}K&s[Lwl?|M)Gcf;i ?ciW!C>4!g'P[i]ћ2NӏMsˠ-:C2;îY0S­NXk*= fZVQ! 
e3qc^\YOy2̝VɸI2>!"F S"n 2 |䬛//$LrcR']^A@t# $0P V؋!+ֆ܅菐u,66Qӌ_gJTД9t.HW+ C')&wEx#*m_K}PV:% ?v'Z'ufxo} ^i_!zn4PV4XhwA x.jio_3drS-;{8A")8ox*ݵu^1L'Ӹ n|ɗЩ>0  e1d`r,nm Q '%!3oga@v+J }o#'T0z01Bk7|>͌鷁Z(H3B6X^lFKj+X^ǸKeNU$,QSC7LҚ_=c1PX?k-i)NV;S[*Zȗ;M] Ɲ|iS9 $Hn]nC3@'͹OVnnŗ&NS¿ h/prM&_kK \/NWwe s 6X7K3j=p~臐(X{umJ'+x@"xcE*Ӧ!_ )b:lODopq>P*WMeB}Ek>@d0?b#/# P k{V ёqQlR6'|"k!d۪X3)f`-Kab- g֕mtШL X>ߠ)*t Kؑ֜it>%n1[h@N3Ј>80AE) 6 wd[պ˜mxmڌ:JN.r_k-N@PK&.L,ERΨr%GQI 7\6"9w ]) ɇ)RWyDT*eQ;bpkTMMD"?g[ .cLQM>1DJ-L̬饽d{jg7&B/(TzHqK1}u+\';2(%ǯQ\j? ְX,mBzMeCNxΛe`4mmn`}ƨ1.?!*jtem&в81nX2E R검Qz:m}NLOQȠHO7]c5tpd9[5A$EFAԥ;m jRKB.kkLxjse<1klGvRV$ܑF9ӵY~H1b;O.-Luਇ8CE I"5;3c;6&yuCx8t\@?@&OW ,Wyaq&0e0+6g-9Md|Қ{cfWVh13A8ZleE !EkndCtV9L}Y_dZjx$3xߊV7K!A 6"q[껎&{D~n]!3ȓZsn(x>lLbiGU}AcLM|XM JԾ-Q ml͖ y:й/D)5[KprzjP@dwoYUW9^8gIe8Zm:Q+ `󛊧bmQhҪnI+3u߼Q߫HGK7ȠN,p\n x=r[qu;,^ZAߑr3\řhm~ L1lAK~^"kXw/0N<129= R0gx:an}a .3i1R]OmҰ~Q5:^aV"q/iHBnS;Mq x`gPU&H |o<-6*F ]µؔcvv"e$)V& [( O&cbq\툹(њw#x*fMWr#vSG~n_2'bK/j@C)+@ggKD,*O|gY1`i|ǟt+x̹sBة ./?əUvwn~{48h1m!=5s:̂%μksNY:S cݓaѷz2|Ӛ s,VZSJ;|UlJ.:#)ن\ =yɕ`F/hCc&܇J"s|%SEOTMtM}Vv'\kB;%1f,zAn̓p`h55Sjc: F]b2;rH2X{ǭg:2(dΊv-/]v;K~y_ H}ӰZArg(H&9S]]"% K)E%&qCRJAVt-b@efJRmi/|(#ϏoӅڛrL*xRJk(&>R /atep>oSVLǭ6H{56V3 믐 .ӌ10(IԟZMNkj.CFbq a1TV|ЄmbTܦ,) @ҔVuw|CN6Bυ3Z0aB_x/L!jm=$/u-$Շ<9/&;tq͹$%q1Ս2ܿy3*fQj#j稌ybanD 6#EEB/U6" 6;^m,Hy;ߠ կͶ5{#caE0"?ռ n;3%,<%a yp,),) hk>6n/ù1bB ZJyWk3ZkZc&En ~8UL5`̉qX\ĩkQk& VB`s 8G2&i,rc n#7TPnH{F^ϥbgIU{dS MW҆u[~:/L#hy$pB ]I՛ɮ)8!ms+&'?Iֻ{Ώʀ/z%)݆41?hwtp@mhBQi] VFkؙ`0e2!e)n'Jk ,q-gGhIׂٙp).VL C.i{/L?t $vJm{Q} w=l }mÁHdo{uxeqS L!dө8{!gH0Ն7m&;iAVXII~غĝ ~SW L&%'ih.dj[w$" թ)_X;B</MEDɩԦ>,Mʉ2Fv.qi}ur@ Џ4N.erQ#$\+Ke ś] Ԭvڌmhic~8x}=٘)'8^T{es| Ϸf17G!3Bq~7#sAK%=7DrZbY2~h=jP9> (2"ur/H{2Q/nh.YAV M^XpWRVX"䢍o6c+w\( 1zK7PX4-H nS䵓OS X%S\kxF~2-vSv*ZO\:Yn %)քB~ bDYd 5{i01E} L q(2n p1n/?kz>`Q_6瘆XO=WCyv渜O nR( EJk+ 4OѶΚo*{GU QPbfaiFkf&Ba96[_Wڍ]<"2!~]FȠxp5/"tOߣR`e!CЄ-9﷬) 3f[{؛{;eeOx7-|Ѓ@e)sbutk~,MҵVqXR5ĭ!~.غqI4EЮv,r3gFp|Y};s,2%ro^3 {+6ƶKksB).9lW+#=E5=!/-vƎ}TFxvrqM=PJ_F+7MN8h_A/LQ .) 
C@pIqRci3*GsbaqĐ쵗ǁB3cJ)"uT$GZf-he3w2.r˛ #R<5f{?{3 $-Щ@+K`_@Z< .P0fʃI b>X;:*ǹ na^-'4ړmИyab¡)쮔$y`ctz{W>.)zx.[Ġ *2y'v2uH8&WM]d ^P^p|i/?2\.2bdh?_>0n4=eΪţ0O|RIh٤3T㵞mURL_جf 9:oicᏭ44FdRUQW =˥+<||85>}iߔQ 8-h:Xs}Z Id\ea9`bs;}ـ˭.kEՇVCw]Or}󻟒n8kGuFDJf0A> C>rw&'iC`I2YU9Wʜ{D6t#%Kz(Gʗ 'Jq7m/y8Ϛu$A>ԃū'^euAjYq^8m#hn^ixހ<$%Bv|I04NHP%UoT߶sg!znr`zOw(؂nj`;7 ҀRP`NX$iș@})Te9ZxƁ-Nti%co(g5`㥼m2W&\dճ̡RŎv ,v'JîL%~O^TB nRV47&Kh)-cAEw.3 'vj W~ϼ~BsY}oۋMxdts8XOslZs|w[&yaz":HOy3Q/eF2aT`T+ {VXpw>C8wXf´d??NFGlc`g{l=􄨱* \lF݂CxnVi}і9&nKa9g(s_Ta0Xqlf"A}5MR˿Z)Iİ_<>Eލ`|CqEBM| #k"&E:G4?[*3)]?gzw(uAV4!X.贓_^YZrWwa/z')32?7zb+Lp7,#_zvg maR :_2B I"ǰ㙃P1"Cq׺\KJ]D,JP/ոEA*L]wimrJLW3 N,T>gc[xDC\k]z\Xj[73?5ǿP.X CmQZ%"Za<-U_B9Ez#T?$ /#h,1eFrTbbJrvBe]^|CRdDk^>I+i&E ^>0TuZѠme2!8~Z(TI/]z,W/n{f1]]bz8&^]j-bK}.ry~j7䵞ƠN06|"F}tG,H$.89`Zo."+8Bc\360L7K琸p_hpdt}vQӋl^iHz?#ļxġyQ)ܹj༨v!*Ub嬹ۚ$￧V7u)]=;Z > $^Q+=䋋y%CHh?M1wPN= zAj5Smٲ5c}mB$ʿ*0nQwa9o<# X ب ?ae:$LdE[(~.oD9ο P`l@sދ#"R! t{=B۳g*WP͌~ROOm{ċ'lx9\l2Sԣ_fo#Qaj]=](F_^l\} oEE͢qiGuݬӗ3LTsPae !|Z-ok ~43(>dh< 7XFE^ܳRHYpϫ\4U2VibPnLS' +͂=p #Y`ra'x8BqsSgPoBFB q+W$7^6+qNf$PRM%#X= [zfO*/r벻Ms`wszS";-i L 25ܳxm'^mԝQV2S8ZT-FR̟K$ lr-KLUVmJOq.ڐz4*KCnO)2.+;3es1JTq5ܖ{FG@^z~_҈_A M &۔+ ߫Znי~:kx!md$"r۸T3~ىy'/.pUELs;iJ}bOS 7)`(.+`}/ 똯S_vnAgL@|됎`gE]o[%ٍ {Xt\ktVe43ǃf_::^isw=R֦&3ؿ&%($ b="+R ʞ"~Uv1qZ{XP5a:CTx+ڷ'gDƤz%,>S:AY S7A4%$T>H{j5ܷ1Dv崸*#Zx-F]+}Mf t8mux- -2J >P q:BW[V}ZR*0aw@aۏ:8UJ`[(2p+J#ƥ%l{jJkS?VnQO$\"繒mv_&JK0Ѵw~-ASҨ @/UՠL/&p:}rpz7w= Q:DUbuz\'bs3 GɰƇpUZA8<J vFA_afk?zoёgSTd>c[㡜`R?_.Jd ]I>`~+GxR|-fw$ z#cf`ҩPjQ!B}e1&į;Tf{CH٨uE7EiyO'Z Jz%-7N9r%!U>ʈըb5b:'/I.#"؅[|]'խlM8z'u \:I,YE4\ Q+6fÂϋGjml}pƟOƽT1=BbE B2#>f4̴:.ܰ]eU:c%@Nb/縯.^&##(5K45A9,X@ ZO 9z(b;I`M{(_Qp0ʻk1^4 )i#Ag|S$Y- |SIpҏ %Q<5)R6+;#;g雛C͹V<[18@\ڝFwU2'C|ٿWm3I?Vā^nv*ќmR(V3qLR}y"$˻>|MεA+)jwڹ|QR'Abe#n'z{Y)VRed7l#tgE@J:PMh6|$9Q?Bq8ܾOQ4;'BYy\%`AųI,* e1ccd&U-\q#^€u>1[IFU}}]*p޹[C* uwMNJq ,6&Y0-LH[* $zlsS;է{ݲ%e?(Лӌs^vΑՏUeq)GPmS] G(4_}jyQLDu齛xõJ_ rݮcr)L/]OF"{;5tV^#!QJ":!Hon*61z,ajKg.֬!wLKR,E8/w9V,v,AڀqiLl rWJEN{YӦvZ25*qs.^]n+Rxdj} E E!}~ aP14y1,- 
IkY-9/,p݂@2l}Z({YB@54Ū#Mwl5O.*LOXKJr5N_I+nK%i)NwO~ v9I?G|&[բ/|ZkIn8!5-I3 '"wy>{|C_.'r8}C&fwjB}Lj#VE{ufu#`0:CVHtl'zi4ޓ7J8}yGX{ W9ZD4l#Br)EQFŚd{ y_QZAt+UFj{X,?,va* mnl,fglaDM+:9\}vM&"Ƿ.H,ȇ2pMrf6"F6Tr̨ H#^$լܮuh]w/zs`58afg6K NQ}WzBfGhT^h|7U*@T"z]]z?zBҢfKԌ#\#J</GYrmeҀC'LgiYKzItV%jJ@ b#qaJ`9n{:V*|F4N>.<7E)IƖ#O¨0Q^*/Ib6:orbs +t$Y.ocV+;eWɃ׻~ (( t+Jrኝ[ 4e |nM FH+ F&x7^0? uݥkY DTit3[b.J1d8Z4A$!)#Vu^-o8h'Xdk]#÷;͑8E#Y+*FL5rZIJ]K9;OFPqLi~RwI8/SBJz}pL4AQS'A$.#Nj)HLM@gT=N^!&#a!pRrH ?Ul$~&BeNo)YZP8Ԋ TBFJyY#li|5b߫+n9t|.AK)=Gnoz#sZ+#?G y(G Y?OgG3%t2xWGv'*/Lsr Ŀ]ZkY ^km}\Ojdžw_h&,fxGc4;"AcFZm\0K*11_||Z䭿.K%^!y"iw .O`"6X;?9?G-8>5;%MKPDPZLI^ǩwR[Y-T ~7"3|`7{C[pNcbdlS/u]zeafʑa Rn3ff4ەZ}jO]]&L& YTڻB[TۦT[-nެ72t㐪 5Vo{>F`̍ZgJyQZrBrVf 6?WˤKW֑Qھ|Қ8A|$ShY]T6^!\:eaͲP*(Y}PIW1)L)M9߰b͔U#71wِ931PVA#n>'/z .&쉕r-.,zA!!`SPbۛR؜@r(Ii@ r ("n)4 (=$iihZ7`Ei{tc{JGU[)73N@Ӳ}V)=jjDx!_8C)&nZ}1$k.xTJ AIƞ5x{_bv[.߀1j }q3>7VoZd(Pk(qNÕm*ze*N?czy1c;WBE(aeG)˸~±\hm$=Vj&%{Gy'M<oɒK=sCPb7X1 G'g!m`%;9HK?^O'kZ"Z P< =n?/zVx"TQ*;&)1@}q?vEѮ@װpV;oL؈J }y1'bNP2L(ˋ('*G;-.!exZ]' 3k0Ob2FHD,K }qHj?FCGV"wjui%/yuR <׌'D;ƉdTV# k7G=DJ0kk;|27;Ey&JE*dw@ /Ӕ)?@O0ʁKKr@\xЌ);$|0wtD> p-wj*sDJ ]Hڼ{QW" &93mdd:UDz'uW}DU"(j6֍6j gТ(- :}W-3cHS!*jq[7Цqk-[U7+C2qH  :ҭ8pX#JWZ_s>#^~_nGHpK&H v)bP1 ҬEnܡ%r6r.&\{D>ѝ%#[${L+7Cہ]$&lJpw9NsR 1RǗZf/`xN%d\O\5H. MO"*#Z69=T$ 7( Ϊ|viW0` Mߙq촂yShGW!*u[)I$^zCR v[ptP`xrǛȼc(WFVw5zoV`M;S /{S :76$V3P$ '4qn/ жfмAi8AK'CgGxmDzFh!n0M`j kgkHMZ;F7 S3 Ԫ:"֜x̗F?fryX#iYGY'0Dra⸹ 2GO\wiɐ㈖o\s ]ݰ_Cv`NdaAi~j ;=KVLdU]!5erhH\alWr/Pz [.ve_XCWCvoYyM!F'eC\0St@0 9u=Ղ? 
_Z6uՐԄX.o2 6A3 v+i2h#oʲ } QgGԁa:xGܛ>) q-^q{(ҋI D Ak~9F5/r|R %u|>խ%CE 3eUn'Ґw6q^cPL D.Ž`N͚m$T(cB`邛` 3S7צuHՊ λ9{k]mLaxd%۾r2HlG -\&~8J_4,q _ȵHUBW$hl)y9p:Y4s/p=S&_ڬfEfq4)v9nf+$1?`vUrWC(4e(2,0qv3^PvϩܨTiSRL(ҷP^H/LS-jz<: Ap֠j`D j>7?!@ra@䭿Q|moo~w!ת aw3SO(s{Wv"L~y_kAo.]F¦$>9vO]߰-iP ۓenz锕wfZ¨93 t ا![~ OvcOu aeYt+?y9ACNMP2nt9A9o,oc aMY@_D(BC͋L8ĪiGŮ7 ԉ`g.!6(NKٰ([jf)Ӭ Eo2?@X\wmƻq}QY>j'|{Ԑ'fPil$Wng&y{yDrƥUT(l~Y[!GAM$ B{W'ԘӘ >T#I1Qv[ڗh ˧X/ڽaA{߅,Z J:rFʃV _w?7-1 PٚGuqiB2V(_{R26|HF|s*9]S~h^X&D$Ql5z|[é(ޕ1N(pzЂrqdFxu.G"pDTrem]LK:'W1 |h3^V-#HtR=&}>1iȑ[aYMB$X2 2Jh<3>Y\N8 P{gB0zlD33"j$iiqcIY; JEP@%X[dlB2$ߘjcҒn<=As5Jw=єjx j,$!whDuypYucd26Ǥٱaŏ*2*ɉ,gL^L{<-/'Fo;yi Z&xl>eח73"KH Ԟo\RO+xzуqO?Kke, -td|/.B?7/CZH}c7oh|f:Y:MƂ_!èjxv}oЦwgRCw6]<"C, B<;xPN΢nHc-5+ݝDhUb,uchME\ Ys3D͐JXxnPu{t Zsh<=#'ܕRSteĸk˟`8J^mI.9s]` MͿvy|5e&g̓.-X)qy5"6O@4dҢu s|94Q [ƅ | sσZۇcωb:A'ゕ#lN{tX NTx9YǸЄw^EyR BǩDT)121_ 5;FH|mGu @8V(-# #LMN%WHkڢLZ/R m2P4 [di2 -m~\;ݺ2K3|Ԧڢ;Ss*5N7?F_FXrŴ-m5cŬ\b&2еD,]\`kFaRr TFb-@ݠN(J[Je, Gq[LϾ{1ao{Lx~Œφ)rriojFG9Ap ?7uI]wl2gɮ5?P"nPf7iP2; ]s7BYY#Hn\QzbB5mZU sfZ,:7o{a?g)"ȸf?B7$شABxD]:F8e'X\<2!؋qң#<}Ob }Uz}/c-9ZTd E z$$㈚SED 7=F_λ[8']AZmYdX9^kdvIr2# #4RZޗ'z(i22<)R9"YWSjX^ <#u(-l߉Q5EȚ [WD2*ļ :%>|`=`Ĭ趈mYx`δc,fk8'_CR,τ )2M$RҲq"WtfW P1 v9EM; b{M_$e gyxu XYQQjы34]^]M&X{hH.n:'cb"Su(= hsәP BxԀB^.e_ooI)APw{L59 0U܃]rg@UMGۓ)hh9˶.FΠƵnMEyUĸO9/ Zg{225Zw\r~F_n=2޳E3Ly)Co]{RAv1;i0'?V;(8J%8ȃ*bAꙠSX)NR5H*sdpP-\R 'W)(*m'vsϻ:(+-$5r|Oy -JaTA+NM =u%v<9)q7Z=@;,~W>#nG $bSHec,Ȝ aM9|gtcBBE@1wHj7uE W{i;ћ(ǐ]!* N:]AʄuB_x(1 KZe%%fh#Jt>_"b?s݀dZ >TvB*lf-- Uv*@ =LeՋEmSQQoXUt2Hea{ZDε?P6B<l 7ɦvSRt& `O$kw;m+[M>Oor8iX2)xt~/N HarN HhŕsY{ZoXa$Y sh?L '!ղzёQ.*^7݆+=Xͪ1a(G[Y^;j+Hĕ4S DBSM#z912JC:YqIB_(ѕPqf? 
nd+)׷V榮 Sroy*s"p~tȮ, ë!pg-|PHa rd}ؽ/}m#0c݄ !'|$&U*OM=lU3'x^\kb Pf>Fl;wUā̹LUgM/R< >H3&fLZCa(VV68ź3ɚfBG*yFa%VGr͓ׄGa1yS!xvS8Y-h{HH/t Rdw97/9k5uJZRAk]bt)`*cH%[G~zeRF[bˇ,#gIt2 τ2ݪx3@I"ߦx=F"q3%}r 䄗C8TAVDθW nEХ j!B4>-UUI^浆#ky?qA~%P.H씓Mő P6p(Xm62e *rE-kzx9[ N֮ORRȩQ+\wԛHhoWPtu% '}7'րSm"id#u,91sfPhC^b"`6"]@[lSڰ3wmJm~HUxbNF뗒ѷ!V[5jy "5iwglc|lp h@:~LDž'<DFYo9;vYj6LMރ:As\4]Oc.:@ҼSZ?Vo!c^HVƶ!κiO.$D*L< $;4NrJT0GP'8#5e\(ks1R0im!|^(kvB+8G @I"";}"'Bg8+[X%J8d8'[x[?L!y6PwMCZM65 9DTQ&%5m1xVS(ǾWKLb 3\ybCqD`z3fFtdS!mR=%StFܑ^q"r>ZΌbi{=kVuڌu;GBjI{aIYb4XKqc^ :\U9zr'JoבBS9WQtn~C~ Nݸ!x[fF=~Oi/\A뫒~g45ᢘi;dux4GOGlalr;{ZܟJ;Y{gwـ`\PJ 2 r$+{hGlUN,9u{+K.Vn'օ'}7jdda/Wt ؍&~D;6š$H֮܎f>⍊[Bŧ=%VOz!:h *+ϟv1iD6kOBuTZJ]E-XLi_q^[-UX+\S>T? -A 5gmN*I2j9`&Wc'$UzuBZԴYg|NTqܗ avspu7swrjm +r_Ҁ"EiMLHY]3RvO p֪}8p|HϿLwvym!mU^/[$m9u7qn}#c!ߦ~mPw|L2pp_e7(Eފ\Q>R[e#׏\a{bnrx-E@ NP{U}BɄg<맽ΨJr'N ?Rez뽓5Bi# aC{oTσ=ǵR ۶ TqjrC'G)r): g/Oc)SP}s NT5^n9=RjX<^+x(DAA\mb6H#T@gc1Ƒ޳SU~#Z[8Э< awp`/^eZk1Iu9ᄊt9EA:.xnZ[|R{~&x72s*RUɯ065]Vy8α pinnTr'D #@q?-˹RؕGU'7xOmCF|%S +<B">4 uugeU=r' /q^q }k,1}mW\:&Dt<_<}7^ɖ-5kfEn`n?44dJQ}6u4@Rqz_2#aklߍT Ekyv MUj (qZ`?,~?fZrFpOy,h]]Ĥx[%*trӐ ; j7 Oc06 HqAP(jٕB}a ),86R󲨺~$ԽhO A;2܄BbBS6S޻28ar|[i6NiNk\.]5$@UCqi7D3{oZ^2#T.ad7uݛ,"v@(L_fg'㖸T#tf{|];Zc3'T/ldU.בlX3Og컽K#}?s|̙RߴªΛ@nI07=P_OeWJ.$ePzq[nG$[H7ZE+X V +lbo=EWrEIhggauѓ3l-lORC;׶ ɥF#6RIeA#b~(ÌϚ!/TW[Zxj=k?6f ăP+~;/d6ZƳfSga爸="QǓ~R+ ׇ -f/xSf /K>8ww7b/DJt>a0}T m8g1hC(:}RniǤ׆o#R  }/GeiZ Q44=F4 f%HNKpBk࢈|-Wu ;0 i$ R0RHB;Śa^fזcW)uΐs {fp` .(+~LީME-8'xt`Ǐ'@$Z6[77ԇg%x"r[jqg݃WG h'F٣ݘܜ*4*}a/4H!{)^x0O !Ǥ_0u>L$ `|;V 1\ 1q0  T fX96ڨuH\ 4LDjԼ٭ĆK.zéW<0Z:l4G?Gڙp<1XrB Vؓsr>@ɬ0EH%( ; &))oE4UNsdVw9j 8BX r40`A"4 `:5 8toۅHCar1z!?( n2Qb!7ZZ"6t.$.V8*ޫy?\jE+D}da.ٹO{Wie ;$:Ԑ“ 549 #`U_ڒ= /=~?=;h (~OǠa+RU{pr3+ |"^cu C|b.zw](B"EK{qI8]_t [MpDri1[R ư2_t?Dre|_V8#5D&xȦ-R ?ٝ4=XIY LAzs\AǤ˂Jؓ(l[.$mkۢJ:B Vٔ6ZuVN=䑲U`i&XT Xf}߲Gmq&HQ;*cV1KX"88r՜ԹAx,gp.ʺ]!FeЍ%nBfO=\JT ]{%v-vOxO))|}!^7DZ~7[^\^aȈl+KkcSTC^H9*:7Ym{~p+:,4Ih9'HFҺGzf{^$64R3Ih-9B?6[) :B>sB ԓ r3e%W L|>.)1DHcTXNT 