libsamba-util0-32bit-4.13.10+git.236.0517d0e6bdf-3.7.12 >  A aynp9|0*`A 1X ?cL G|#ӱb0~!T\p"{;[@1h:tdX"xl,7Xut롰J͝#jTn_hIvX/Vl돂=)cJtFA, :m"}'ǨЩNc`ċL(9O>' PMo"]8qArË|۴ӂEZ(nnUAy/95˦?{db49c65d6c9cc14884a782242323ff542708602dde2aa6a59d37f5ff0582b84c7bd6410311d5c682713dacef2d53363a93fe5841uaynp9|5;иjM~(,A]ŃjcT$c:|SGtac2OCދ>s) -dFk=Ud;&ClB(9 9Dá0 ڹG/-N?% K/z=T1UM:ܟ@UEa+PˎXn܌01Q ׃(\L?R ':g>p>?d3 : Y .EKRdl p t |  (0)@)/)(p8x9 :6>$G,H4I<X@YP\]^bcdeflu0v8wxy&tx~Clibsamba-util0-32bit4.13.10+git.236.0517d0e6bdf3.7.12Samba utility function libraryThis subpackage contains generic data structures and functions used within Samba.ayngoat18fSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64/sbin/ldconfigfaynayn6c40066482a5232c7956744252680f0e1db85602954a5e32f253e56d66991a71libsamba-util.so.0.0.1rootrootrootrootsamba-4.13.10+git.236.0517d0e6bdf-3.7.12.src.rpmlibsamba-util.so.0libsamba-util.so.0(SAMBA_UTIL_0.0.1)libsamba-util0-32bitlibsamba-util0-32bit(x86-32)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/shlibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.2)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.17)libc.so.6(GLIBC_2.2)libc.so.6(GLIBC_2.28)libc.so.6(GLIBC_2.3)libc.so.6(GLIBC_2.3.2)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libc.so.6(GLIBC_2.7)libc.so.6(GLIBC_2.8)libgenrand-samba4.solibgenrand-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)libpthread.so.0libpthread.so.0(GLIBC_2.0)libpthread.so.0(GLIBC_2.2)libpthread.so.0(GLIBC_2.3.2)libreplace-samba4.solibreplace-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)libsamba-debug-samba4.solibsamba-debug-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)libsocket-blocking-samba4.solibsocket-blocking-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)libsys-rw-samba4.solibsys-rw-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)libsystemd.so.0libsystemd.so.0(LIBSYSTEMD_209)libtalloc.so.2libtalloc.so.2(TALLOC_2.0.2)libtevent.so.0libtevent.so.0(TEVENT_0.9.9)libtime-basic-samba4.solibtime-basic-samba4.so(SAMBA_4.13.10_GIT.236.0517D0E6BDF3.7.12_SUSE_OS15.0_I386)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.10+git.236.0517d0e6bdf-3.7.124.13.10+git.236.0517d0e6bdf-3.7.12libsamba-util.so.0libsamba-util.so.0.0.1/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21237/SUSE_SLE-15-SP3_Update/d2f98d8ef4313516f89dded66bd0b145-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=1e06707f7bfb8eb1069e2cd32158e83d9424e2f9, stripped&PPRRRR"RRRR$RRRRRR RRR RR RRR R RR RRRR#RRRRRR!Rutf-878e30a3a277a821c604e5a7513de5f1860a49b371655aa29ec4c96e56f1a9ec7? 7zXZ !t/>] cr$x#E~iED=rV ~׈|J@]/~$kĘcmS=%B&4? B<Djy;Yg<&mI;8>%$6YpI5+Jϱj:p5}#G0t𠫡Ue _W4n=70iϧĞ|O _Rqxt`Zϋ}>+Dx8<UհTBu1QۦuUE'4x&#zGH':K: X7U8q{yeG>1|cXd<Oo lz>\Y\,A||֯QIz3q7.pf sakf]y,H|~ n 䓸wǍHUt]NG pWU?rJxCaG1%1;D`wM2,bsnp\@9vzY"C7ɲOW-=Ce>%!,' <EM8y2 /im"ZG7N` ;K5x/͞Fa $7`^VÁ7E|KbtPӭg$`l4g`V3v9757Tm]hqw2KDEZ 84w+8&eLOȬSHUL ~W9Jcه ;Jt".ι]!az{ÄkX8- }#tتZ<2wnzz7Ƥ2cGw 0*0[ˤ ߰R?M+$Ce(H:e9͂GC@` N kM9ԀVf^jצ1*^զڌ >کr-?sΰ(<\^nGLZ 3qu4϶v| ZZj6ݣ38T`",H;(f{l A#i%K(o܁:I(IvWĔ EE_迾~дQ;On&ԖFX/pW^!O¿є!];0>'(Dk6wt\8< 1kWcGjFrށh;PfoĴM6@cEH":} "!<[7̓EMGV0#sL]bA@ :yB<{FYq@iZ #BG 9F޲><@qg<W \{M2r *oC]ĆG$<%ӱanY*uqQډ8Q-D!Ye'9sɽ\IH1dH/iAjaAcJYh)܅mb3,',@.h;ןnfL-`䚉ƓЧNSx0tKD E8s{)$$zyJ(햷S#dJOehh?UE;O2|:eJҊ9_W*-6"_? rYӃH ѭ2Ntr8Jq ȔK VUr= zv;A-m[r80i9 l$Pms#';GD,@aV5W)鴳|K(Z9vL1NCRPG:/eM*.$`K,Ntư/ ۄސT'byepAW-ïK\'9 z]tRk0:iΏkkNB>GCi7tu,u oGk9N1q)#\CY(2a?nKخnSXuшɠ.^im9fiHϻX_| )Գ6'ːނ aC޲͝9eq~Gy̨4l`+/P9M>dйqѼL8o/k77(l) QfρXO1ܐ&K5hZM˨RuL\ A^郶;]25 !ǡjS,jsxluةhq*-yAR{yk]1יq,X*PG:dE/s{0Lך9O|tRt>Qc{d r:c8 FVV$hQpK~>U+;V o^M ].TuUՉEF3C鴋jpO/]dLK&Vs zp;XwBxuQ%7=WEbzXD6I9rC:"^_?ρ,à/3-β{^Ё%wtXd=ڦbI[~&rrP^En#hnOF(])wQY̊WʪJ*rsP̒_{O9Mj/}W@>ZN^DuAW=Vky|?b>*:2++j_Q8=a"ȧu"E2FwqROX1K|%aK@\=594O̫c¯>_d6.fUj4ǚ-W+$|fxVM(3Ȳ' bc3C ]N}#w).#.4>#bB̏f|9+~+7R2r.$?Y5ZoOcVGVkDy ưhRRxc̲BiPV_Jȳ:23 llhAk P_FgP"{"AaIɓ?܍6EҘs_HLy-X jS_RqM]O6v;IZN7τN[lJʅ$>-0ĪPS,er/XL!$_bW^؃s_`z]g;*1iMOkgRQ-Xqfͫ{IDM2S5uw{rs&Rnq;̼8fpIa ں)\Z!1%E EZIa?USJ[9NxL PF3%HrsGJ]#򥊭UJ!EʌHd%`Wzɐ+oYX}kM6CNGwr~4 `}NX#yR,0xL$vfR)nGt9ŝw@1zQB.lPg LDR ,l7ߴwt\4Dm xUkHXJ'[/Vm')08%?Z0d#!|o '/I_E;D{ #Pb `|e{|K%}Z~- dO5r.CN~r(5HuJɁTF]Q#z %c*uULշJ(Κ -4] ф## NEUvքܞ%u"U+K\w ' +H{e,GoA"TG1߉tNEPEPtW!_]!EcHY|}?4oIlbDɐ$ 6LZ! 3z3~eAA]*Z0т~kDȰFix'$}$狁s9sx%\նUT@yckCcЎ *͹'FbѕP<6۪gKxpR\+w 5T-6K!~<^!`^%E)k^(ÉJ`/`_sǖ6p|qCXlBGMܳ)ϼ%3@1E n+- 9EUxm?U-ʪdIwd_ߣ-*,hlgO?;GN0]:DOZ\63%Ȋ&?/nAG m %Ƙ@7i}%pXXik?4m|[n5[w;p;Gq`M~]GؚB"UȚ~aXBOfܝ\M)e"wÎT&}`8%ٸB0]Fv i>p]K>/jJAoR^5 LGmA/XSnvz3q+HatɵݱӜ9MHΓ㋤tMKl v OOomؠ,urҋ @Y乄E#Æe_zyFPyHĺ@'&Բ^T$[w|{˱ei &?y"u4Dm`3O8 P$FZU |D$}"ԕҊ!<oN{4C@}G޽Ϩmh6"sQ!.ʦA[ϢІ >"|mAdOFrm bPYUw% 5Ύz+ {x՘O59O/@Ucp"!f{8iW}cul rz 9i"DTq JDNf i z'L8gG8h0Ϥ.?RcbFE?|KZZb#ڃd!DS԰5%أ}@J=,a' > k(m+AXc7w" ܫ N]Z1/dQfhbnZ\Il_ay_4 s]_31SѳQ!wcyVR ?eCrY66L 鈞/ |Eo(HfQIV;9ѿm`Z WWs1_S,q9>kpM嗨#U%պ@t' VHpc!Y$ @d &654ՓE{0OPaUb~_9j.&PÄ~jO+ ێOM hMaGى˖uz);?$κ}sӅp9eUt&PxKHZ=^C ~UFQ jwy+Y,Y{1ƦA ?i,{-f-B!3=%+S2罊||t 7% qN )J/oKDCUuNm~s䅐R%03z=DI@OpVa3 9r;>zş#ae*vvgLR*,F!U."V̋.:(tt eA:߇= 3V }OBQOA4{'n-G~6D y+cB8#;Ϻ`Q.v효R=@ @|(*F(| d0"EϿyW'~D8o[SYGG`2tB TiZDJJӍ=ȢGP͖N?O áGPp$,U?tbǿkx_IQpvZ-kzQ-d7e '4_UmN!-vRGs/aBpHP"]?.Էӄ=;M3qH8S w"|>پ=XbSa+ُ:b`6F-2NC{Ϟ>OgNv.Z!ۨ< S UUH, i^@8~VoZBl ($dٿS+>CC\"0H,?,~}Z]`k8??fwEHpψӎ /U#uhL|Re_>:sGR""?$0d}m~&+}g4h-*IAYdBC:!]c5<>z27uG&3 lc@I*^[Dk}dr3]"Nobʃjrb zb i`٥3*[W=ܪHIIϢ^"X[]88(h_N76۲ :8?P}I,+.Jpяke+l6n}9M0 ;0UGYAWdpeQQ0Sh, hWת`?ŷ༭ 2 ba&_z\\u_M,7ȹG@:(iX;KV)lY?nRJY-g9MeeXX Vyウ9(DŎ @ngվn|r y@!}UzL;nxiyb2 y{3 Gmj]`"( Loprl2V.[d?˨9m"Q\lY0 kduVv^P38,YN;eHͧ+:˿:<0 Ogfr3r~u X2Ca=vn9gZ:eԥ;sZwa4/TLN{Ѣ/Q Ȭ id1|ԨT Ėĵ@/%v+)ؗJ=!7P~o/oJSc47qg rPݐ{ ip!1NIw&4Aj!:YbDIg[kb 8./ u,?@&vCaA<&1V1I{[ږ-.ev Okz=|Nсn 9D(IeUqn]NabK;p㶝q-}pB͂U`Ǧw~`Pɦ[I1Y)i bs12cF{.=}Y2< W}LwM=]\A3tOg?E:y^djk B[sGc!)|PG1I^ =΋$L޾qE-P_l)qSad$uw€b6IW5ptBlϊnSbAQSľ#ShqdQـ.kfl6ߝGÊ,Jr.B':.|$~uu5"l'OA 31%5"zƾX`Gt `v!_0gEt)1̭A5CKn t'ҥ9 \J=jr6"o 4ۥcMb||@H7k,OL}!۸(R(z@p'Mx-M.k/dI9+f +'jiD^~":-x[MTIԂ䚲UOg:̇9tRQJS89`\#1&*`sޑ fιTVݍ[\4SX|NSi䜿oKe|Džܮ'$T{Z Yl[qi PlΨg'[/-7'OJ4¥ m5YJ, !krHli_9l)R24˻P r 6*cQlKx꙯TLo˽|N.p oS'{xFǿ8Ju]-+f :5>YyAXLlfBE1Øa֤^dqdӡF{Du >gJ~$ZȏHT)y +,I,kqNܻpQC~5GwѢl ϡ^ ='+6R!I)V>hoڠPT#nPA =VA~o * ZI}5n ]L!'dD=. tȶjQo!H]Ӌ?4Bz)6.Xkͪ?N^}] !/jLcinFS\ v(V IËu!*{9Z+R]:- Kax_J%wz?Q ^DY^cJi[AEACܻ\z)*Ʈ)C0yYL YJobuq P $\Gڰuܺ-z)EDݹ K8ی,wU6NK 蔿ʚ*;13uE\jB 4Fpy즘IEpȻ({ ㍺g)㤜&1N!3S Wf.o4je#vAk/Uߏ(fFL=aj3Сt.K3h/SN۱,񼄹_jgAesnr+;e1v2 CмBgk΋ZfĢ!t}=+ܜJm/Mou0ru+μ*dAdz b[q-p[ P+%S& 81KHS*o)i;m[oEݒ8L1҃rA9Q(`>&L\S!ݬScEv*jͥX!&G1@HPeN~uY 5qx^~-!rM&f4KN&1ayq? |SJaeLL$tS_x_{(%p{Fo^ݕ-5^G]~ҡz:VkЧ-炋&φa|1"}ؾ~)*~)&60i aꆠ\k&O#tmkP=r?6Gjz~Â\DN&U&PVWA _kqkv ?b^:i)yDBҵjdd'p_<ĻH(}t6nʡu tZ|X|GG*cU0F*/#jA!XB OR ԯ:foFH/ỈU%PsQLYȨ2!# W3 \N.].sqtӦ` iU> 0otgpi$4Om ?]T)rjKX?DՓP5jFnQl)㕷´|`P*B"Yv` 6'hીJߟMb}ylRVBʎ=f nF/ ĥ\:u[ <:Qݍ RLA%sS[ZĐ)/S $߹!;7O[V`'C4"mM/BfEGu(wWYCޓVT{7?XX=šׂ^v̨r-<Ħ썕c\ô# I8\.'Ge g0j8FwM7+Pς%w㎿,,44d$#V!:gn_ψcSv UfI/JyS?E'qtE)< -GY/cO!2Q%' KzC"^הSnl@V:9'#O ;N;~[KBHʧweY.MSJ%UOuHZ$w}!nkKdO[/IX#yAFAr\( lx85WT ٍwcAMƸ.dz\$ ɕC qrPhZѡ'ur&3*)Oj^Q^b6@^4} ]Pdڶߟ +B9 t՚H!- n=u|W'NYi9Iփ0Iɫ{!gǐ.fVwANȟa{-!#cu_~NcҦ`%LmarxMT;9Y>N(cP-¯Q={!X1#-]PebO6G?YcYS_P46{L3?aׅpD8X)y(kvш.j#_Ub-z^'DvCvX^ҀMN߿ͭfE.=|PPFVZ41Wll^S_p6o3|u7mi u FWnAYjPzvm aLNH.4{w5j+c.wF39sHa&LVvmXMMŪ_(FD<5,&9DQUJDv.v_BPA| zSlKxvG˚v~Obơܕh"NJ4պNga9ι(4X'4;9erL[qo)80'ykԁ# WLmfCγ7" F?8Fl*Z* g}&D_X"s[(KN"Arv ]Vcr^ z>O{>%#0*{OBOX> #?dIyiT!l9oڀg! -2'[m'ƸOԕZuuC g&Fq=6F\Kt P+kBI8N Ŧ^HV(}ԁr0MN"Yצ[ av׊c8"rX*DWtGZ xͥ2V6 թX.HZi˽\3 Ҽ{<5d }u0"4j xb<>S})aX+Ʀ$P\d.+6䣜D9@ַR| \ ?;?˾x~5Evލ@RM[PW Pu>I]|=WD‡9&PCn:}cO#(<NTW*liFݖk쎟gYKGUNlսy}ԳzuAԡ_mDpτgT4 xQx=6 H.g O&.\f1r pN$<·+팜Yq,Ŀ|:t@#Os;s7RS=ױplkR1J i|Ow0[ h }Ӏ,f6NR}BM>_#-g z9)'J_i_f#kSF~Ԙ/[!;/C{l_޴W qo.Ho DÑ2ZjO:}PO_\qwꎣejw~T[@r*a4RaDOiRۛ&),Z=3rUQ G"~tsy1c(nJV6[;5б .mY6]}~m{yg M y_YgVu@,d+KUX*  Sgj.Yi0?J)g u:+p:(:a;+cq*Wl-tY amO3r [)h[vz@>%8'Z&SA^0UᣳGHP_Gs q@lwϭHp5L h52U؀!p F5tky^<&_*"FnlX-Jı]{ *|K;9ϭQj??d3@NWERqjM6 pېHeĪe()K/}t1,LԈAĀ \ԇǺU0!8{pǧx ;LMҾvNcn5Ɖ) el!ET*F%+- hz#7AaQaYׂ6s7'6LT(J^vsO*XD4Z!$KKԦB#XS0<GOHMư |l,-J]󅋩%Vi'@!KQV^S Mw-zzXC {H7&Lz;pg,mlM* MufW%'.lrC[ދSr#; &#䢧.x\lG1_/I ARZBjxΪ꽚:9:`a_)wA0\͖5J7X޷a Pͦn43e%@ZQV+<{"i^bfzO%SrV`ME^͞r.KV`v9A"Gy\ g$oy븩s.a2j\> PBf2ox7]^)=D GjN=6S3H9W 2)ګlvv0llҭN2#4ȸw}y39̒ a)s9:թ 9ǾGxuヰc4ao;HH#}!- ng{OYy |.)?j^4}bkEFb="o~t{pHeĭQ!)Yu,~BmTESFj>2joy~li)nH ?t7æKGCݑ#7G);MІ%0bSQy55c\̡"2::.$dIqH<UeD ޞ:5K3PsiT ԉc`Jdrp+(&X %Y5j:X,3Eڗ"ϵ[m^LQK ɠ 5m}=qYY89/NHAHJ [>4ryxЁY- R<;_oo@ǹ) *k b)\.k7ZvT"ʬ :rd(96 EtUϬk-C%-T|t:ek+GeM5t_o20Si< SPR2 /t ̠rVv") .ơiBSak>*TDY߄,e%[١=S (,|⾍s=kvlfMҀ̭/"6aTaJ.nD6͢mEi(+pjsD9 GM!5QǦi]- n 1WklǪ.~6*?S02#n31*ᑐ&2woh3tXKzaV4J_` |%/#I آ&K \$B1 )kB"fLz-!k$$Pz[P/ʌl.dV+`q9n"xFBA5(wM18͋?{۹oԝesm@$51iglq|ׇ3&G؍}3: @Z:PWrVH+ϫk>>͙6YSWGl&I]cN<@ w0 첐hO ˭Y, rm3XZ;p@ 'GÌ x FB8QJ"\E&5Ip.kMw'wL)bpǮㆭ0A8oasZȪ TѦvu}%z(SHF'4~P(W<`1d*L!J؄.MhGZ؅zacGCJ + c~SW[piGP)-g[.!hsx1!n*;PyQ?[%\TP5Qn, RF)@;` zWF[.+&bN}"#ԱIhgejJM"fm1lQɭiߎ)cA` ?>5+V3QqdIW *g!-\ij{#c6Ԯ/5Bȭ5ĺuu}s߸a.W74-&&kJ" fF?3A>ӆXtsA3tcof;/gF Id2Eijd/vECuRO[B+τ>Y@MP@+M&mډl) Cmx6pbX|9=3"WR m0 ˇˊ[4,H535En:l|zz^RkZ }"?HxNҚ~~v.c.߫QflLzToJ9~\[ɿGuSz`ꏺ sI nVa3*5qzӥEW >]k~-}DL5M\9Xek41\ָH G݂8F1j]407uZz8n!7øX^צ=ecrڢ-)R n'Wx}yh4dmeA6DYf3ZSSl&tc Я5tfklW@AZJ Io볫(=#z^@$_-uBmyD 4x D-b9toݿƷVM\f74tw+XBEzȨ $3.*U7B.C-_B8<}P→qpa|aP8So"l?0lA$dȶ2E2F1J;luRHBm83zrP9Q拜sӂ^_+^M)ĸ/ㅶeu8V"Fk~/}^đ҇˥&3'a3,EOFVʿ*D[z vfGmߝ9@Z," d.c_m.`z;96"*>WU.lx[7W"RZf4fm[z7CQmؿ[LMQ|Kz4r[|yE$JMi'WJ}ܙQfW7ĠLyJ&M~NS.C񱘲B da8') 籐 \a­Kn4Kؖ\`#{P~#l(xfÜ9Gx6up c ROba[(d^Wd3U~ Cm1gJ"R1rg'FtBoo1Wwam5 t7!5,/TøtbazKp_^O|Bz3bf2V۵RІA7ZQD8m얼f,m@GЖ2bݓϸl}9OgoһL3}No,≞V?ZYG:=ԭ\Kֵat2_(7<,(՟yGz/[xHIU4-< Eu@5oh^߄$v R* #"q6@横bHÉ-B*9 ƽ &FTM%̰R-?]ȏÇ^iZ WrW/?n%OjW:%+7oS"($Xg*qyAH#?tP+1rA_S{YGPVA4W="lD(; ]qEd+LRnf ȣf"8@y`ǜY޼*ǣ ?}?D{Dyt 0:R՝~]!t~|{K A]6lt::΢m5'wI4A-$Q2pƉd>3~ilNj\2l\1#+Q:3eRissMj7g`sAf(^ubq_ @M&2yV *B*n56eͺfgF~'))찅__.哦_{sŭ0%G3g{Iϊť9ǡ j J"=h$x=kroBL9tZl;+]!:5)ދ'`#;ύk?="cd8GP̟1bN,R`l*cg I,ye;p4hvÙ>/ih95^jKV0v g"c) >c>@7QdURxA_|b:8M/0Cf6;.E*yPz#1 Fӑ]Mvb|5M\7l eo.4Q#/]ZURdWI+.͜^ԨOԩ&0x{<ݨm\=iHdRKhR؝S#F.*0oҲmǢfCaEѨ L/R;eChSb"PFж|GvF4ͦ Nd/-Em-J4 *%*Ed!z5ҁ)bt=i &5{P[AF-٘2'g:#f6XI~dV{tV?F$;\T .Rָ[.L\.%>@o c(lW]#?PjNWVp1:={j:qf&9 xK@;KrhDXѴˬ~–KoW٫d\9ɗ_)_/-sQi11UO9Fղp*u)O$tjSuR˖;>ȏ|ň:4Ʉ 3 L[ +dy4QQ @agv%< m']~pDƠ,gow< tv hu,n/AJӉgbṨ `G'LA*eAh< <#V;#EUj~ awpavib,w5n`.UK'o( ?iYa7)'w4TL $ڠ:94FO~!!יe$h16}ٸ Bgӽ1Nc3M8 r: VM# \kle` o~ܰW*|uٍX lVMsC*妨m^|gc^RekLs,g25Ov<_,\"&d0YWb ݨݞXJxPz}eqk\|;bN)˯ٛyoȥl?nD]XlcÖҨ˧'pp8̳4fSVb(<Xy7 v($L"b]"٬[Wm#vL2$n NwQ@t۠^Q5S?W =%I(*mI<cJP!)4IXPRI m!b13oe=Y"YB{},x0ak 8: ўNqwrcџ%j 7PazD\vE._7^q$ !M,ϋ :j#?4jŨה*f0ٞ#K +]Vxe?g|*]mWZcc2#"eD3ڱΚeZMCke[rn#T,mӒ0tGtҤYɆ.#3vc{ y&wyF餦_3`><Uu ^,mWc{5_\,pu˺ny/Q}OQBg&#cq*[[06*O=+iʗ{kR=BdͿ==31Pn'S/P\YNux֩,ҎB:W/#"2 THPcEԉ6> qú-&dz8qʭ \qXk_iCJ߇/ήB_=8FXLm.N]NIS򃔯PInnHuOXyonf)ck4CΩjF{@~?FKUjU4JAXq\ Bwa!6Gbzˡ|T[D{+ԚhyBEraʜ~(W90ZJBk2;j!,DP!GcѻAcA4cvG_iM葉t闸ugF4Q28 Lgppщ ٘8tL;RTy$LZи( 5G2P16ZX3u>Ayrc~2o߇sՒ.L`[TkgAP[E mIJJ “Z.Cқˮ[Ev\;!I#kJ>SSqD%-qRz_R.Xɼ1SlRL<3ӹ19XddĔ$j$ ; ~M]32  "as< iaP/ul "-ai.\(K; AƏ)f|[Q)TYAO5:ܽ fOƋ#!5]^. GQo2;!{_iT7㢑Bgsq7ܲ-"P죅g1} ZxD2ҙA569J DLD ̤kl.8t a_2?6K=J`k1ggk})HCo> ed }q ~Z4ْ*bmpC6e3%j{2j!y e3&$-[LC#1sB?4> AT:Q_=ЧGOZE)!h |PvsRK3ƭ?H-vYMfN̳ڃ6|gA;Ahc1n 幑&<5Q5rlPpmJ7{\&SY~섨y[%Wl4~9|AշH_&!Q4y9M̱4u*nY&RI6)w2fGrFo>IcMt*eM@ ҃{ d )|I e$KգhމBuaC?:DILEՌC{fjpŊ>v2d=m8ϕE8'QtI1lQҬ6\+*@ے Z|Hb(@iT1Xү-3X=p&F D,84Qoc{;x:mNi%Sܣ=(1ӯk:ʉ˸<\ȗ S}r^Iͦz .N#x\1FBܾ{ϧI$M6N|Ƚ )"%%#[o)'BGɇ:ø_L~vNR/ bB)L]4496V ͛F\x7\o(p^d&7w~fXAF@iWT$cS 指)=bRsfqnZW Ȯ<،5z*9W <=*"++~z>VC_[vs7,s&!9ݘ͐*8eg#U$ fhr(iWC%laK! T7[? R0r'YO6QE (帷zJ=nMV .(.9kxF? Gyj`EZU~ aoUXv=OF%OE/m?F6NzzITH]XKERbQ(;]xN޵:捻*_ni(W@Qz0*x2RVT19 ͒e+Phy([;MF 3Jp UW} j~W/ʜBF9!'ꁯ\?aJڦZsVȶP6ϥI3sW=col- J_DDL,zCn<^/]5j XUV[el8+xW/Že6?_=@#W TmeGM#&.Pxbt G UȌ` `* %υAY[n-K*lcbU?M-D0Z󽒌 htԀjL tdmʶiA=t>=ʧT'ck5n~(=6(2!"&8iɴ}LdJ:ðI0?0d+YRd2, $R{>ҐPytlmcV݇K":uSoR&.bA9%anJc?t ;ⓓG0ΞN_ mxY V4qX :&1hB2^$8zšMxp7*Jք V(8U]#և Đ P=3BP&/yl.8{qBoyj;s,VZ;:voȠ, E$@Ь͇ Nr=JzUmBro19*<o kđ׫Zڋ=D5|U3ۑ4 )@`؟9뎫WsbbcmoEɲp NwC236~(6'QJ$i|4iqIzB4g JNqQ mt~ %iNC#u*Hң7Ͼ˝Ml؏\IRiڱud5rokJrUTx]jsrC71vs#iYMQoŠ?*J= J>W|_uZaS#Ӷ HSlQn5pPrvrdzSI`X0;:|OŭA=WT$DhڥD5aOo3?9*ݪ8>0|j=qt]5qx_l*#m٧+/_t[kih[)I`ΝoI4&rC5z ܢXzxb?SRngh:d[NY7tL|x@.92Ő_ mlkv|mխ">>/ȎU\Un~)AU&1 ef3GLo7 db,%4sp.  13 ;6l U_iGޅmXp(FE-Xi>`"!w{0& "*&g_BA&@|&Ƭ \a-39Uaquغ^vjuj`$ pQ&cR 5p? zvn_s s~Pdd"9:ֈymȒFf%%hnzɐ ƥd8*Q',74)H0MllMoAL"E@8w֡bWzsRa!ys^ľ zc7ϝ q6 =Dܗ@9>g.;,h r>eBqckdSf P5N[чx%p#l+4A;"9tJpf7H5Ք|/8 #E=曓Z f#]Fm1:bgq-lۉ( PBAD@lJK8:@Lj8iӨLjZpv֒hQjl(X| []>Fj§jbxDB[=/|wa&Y3Wk{Z;9?`@u㈇)u!r 0ׁ?b5:2Q6V Jy\ҚT5ĥgS6zanpb䲼ϕ=,ܴ=᳣ z$a+0#kЪo~XUJ*TXŔ)!b;Qk$3t#WIG[B=E熏s{I˦_$d6NJL._b׼t eۀQ>kGdAgqls} c%\sE2cqǿ8@Zcr+1D{~Y0ث6b-9>cՙ( Ş8A{+ڧNAHpEos.OBm9Zɫsiwxko.Z2hhUR01ڇ+a ak}ƭ#:*ZDe~7oR?Q]6R|*ȤbS8@h. _dwPiHh~pUgfPzϚ%Z̴8HSK_cW A&.8So3MߜB[CА{C5Fԭ`X1"K zY*Xsi{вpnr̘堸)^hD&g+n(ˍ`&5>#>Mer'܁U 'T %aq^-b`m·d/;lbB:o˨|.~:I^M~*(s?;javd16u&]j֋vz,RGm7>>Qݼ`ĺk4  LגC/a*$HD}V]I{*qS:IH!рrO^!F]DDVJv0^^R=)9Ey78-wR{ 4qKdP'[N09Y&p?he$<:A6ǴUuВ2UVA'{XPQ0Q@H^HաpN@[o\Z#ʳ14Q\k?}oHMzsp(yV_πj'?&|h!n_cL2 Rw"]JNcM$7ciǐl(o>&'4򢵤15 sBmDj^T@A*HʠZjKyo!5vZnKV]&ٝ|ݥ86z(I0`sXd@F pn}1e@^ʅ;ǎ "بҠ?m) 9n> 2\bkx>WR%1p{;mi0efLB%!ӎj&qZz];-StȂ5 /F12S0lۑYC,%϶٠&q9ðv gQD u4Vkbiz)χ!s3Eݥ[_X r72S׵ԛ/ۙ0="=Ql6E'[Ifo.!,h/jRB"C{:Q$145NNWq@K)'gԶE x1K/kr&$6}>QT+ 7sN: ]AA\2?p; 9 p+ S4ɡK^zneoiπHĝ:]>|yI\xER]o+!U/N՚h|2ٌҿ=9jh] IaBV{2[:<. ɞOcX U[5gto{:i#HmZ|j:P$ŝag$\o,-B\jo3B֒t[[ 0ţB 4^YG;կLsDIn_PVo<Jo#D Ha4SAAh}-/[3g,WH2-&`>iLIz@Њϣ[V6Fʂ|k}Ⱥs0tj ex)¬ AR$&mD1S [P[@gBsp?ct<@ߝwrfT!t(C{o;NE`2 k9<ݥax@MFq, TB0 P) 6$.dAYPr^-'El#x\p|#F]A 0kM1?~xgrH$v!'}],bD!iO~1bXѽNP.{jHfX)eG`EATڧtEYȹRdxA<嚗> TݤVɟ3 ptFA8U$bEq}j|?s{ݰZE 2bk'˜ I<;}3И7x o~4{m&Hv "v_2?"86Ѱ_[}:6^sy =}oKs'*G!Ju U-cCPX/ ͙-1vwyN~;F!e:+Ża%pW]/+OI9L mfzVA[L$ G4lEH\I8hyTGk5Oae6ɋQLA׉#KaY1Bmr'T9ezG-m6ԿB%10y)uΠb].q{ <-Hqyaެ0Ypa7"YV !ts @!X_#o{t?G.j͍ljs&FDb>IIwGA ǘHPzD]>͂\u8s`s|'w/7CiWQ$y%Ի+DpHbxqsLH=V3f4I8~.7a7םCŸ'l`((m8ƒø瞗<- A0Ɇ<Iz  \BF;4/zK=u_-E~T%]@Y)  rco:'ang_? +J$8Y۱s`]5rT).?R*uJ){ M4v_Dpڔ&}Ϫ Sy^N)ZZ0 6㵙>7ȶ *>TumI߃,|\Y}hy> -3(`%7pp/vT-mfъ>U `olPn|-Ձ6]`hÑ5I4sɌg4~)C 8k"@:<ل0P.BUh+/SVUX&7^xDnp*$ib%9wrjV˳*f{2nT5ra݉ePY)PK'3Q9a$z[~UӜ`$$g5!hSRr 3= e#gCInq'S%2 o6c p6\{޲rPPpGş[DGo,Zd2,zœak7[Z->$v@S{ =@j+՛{%U"0TCEaە)W!VKPaƁȄpIb 7أTGm/'OwHu#bsH'w}Kґ-^M!&'yb60aS,_ \y^{yO/R()0m9e8. ( 6Fڝ,_nȏ=-:sS*p&2۪Ԓj,Ɔy&CVKpgv;Y%C Jq 'A^ w+P m  \tҜXͲ^fZ(Ndw :VlH1S⺐m_ T3*jEų|#3/7(ȞWΙ8Ai[.^Y', RV0+'eiGR`e![IښS|wc} u>)$F6JMQO9{.QLy)PEoF&t*^XΆ4 VGH֑lrhFvtH2X3u?e$n!^EdK Dm9iPbEU'qh~93.(7SFGP5~eDP7K~lQX,(DYh ܶTE{+HB.Z>脸r<}y FI$C)؄l`kZ0ٞBҮupk[&}>ծm nߚpS|%51 Ҵooγ jpC΄Ӵ26 ɷEzY$$eCrk(m<TUn|>Eq@ƹD^Lzg!H# eu$ZX6?x+62E\FuWq,SK&f\nE2`;b0v JҫDel!\f( s}1W!1uɦXJ *U+CK< [pՓ^Bೞ67|Y0ٯ1o9a3 4r,>!pQ,FGYf-WG^gI@me3Xn*j  \,\Ӆmk3$̧)7IE`WÊ򐝱Tkէ wJ#͡s $ "j5nRIOFүF]G[ 8{™v(HWq>AG65Far-$ǜ!gs~ڽEhnC+|/+C}U(4jEA;䨈b.H_Dn+ B5L;d7zqO6n eR[bN3&jp@ a#vPRNn]E%GT8h.jdcXċ*x"hs7{7/6x`j[c>: - y|5v10]Z̽%7HFib8VRjvW8 wgRmH OE/2)]XS9Agג )E.<۰йX_d9 tkb;iiLRazl=GLAiL?WQ[u,ݭ-xh88"MՐN~1qCF[U.*$; )$Hm5;zcZA'zX-`vΙlCe3nk=a &>-XF0ۦa @ZM !7,!psގ !:t֧f(M4lmSgqmCӞK^DKb6Wq-KQD( .hE8 %ɾ߇!ddEwehҪ+L7 `3k<Ѡt78]sL-*vBcp4]\ZgQuc1裶YGqRÀ`'Kzݠ\]Q6Q5^IH6 @w-I!zJ\sˍ*|=-fD?V;N3 ! WUf?:ƽ KZ4"ߕ2/g%@C %Nc~lWv^y9\ 9G/)/Iy>Ax[IbGUdQ%GEj. M.l4|+r {9mm/x$Sw9}4%j5 {}u=!бx?W,Z}fKQ xwSh/TݕZ*R R//T=$݇f.a36f:g`Ցў0vki( 3֩vL\C| ra]oy9Mܚzl=ڻզϿѽ4XV1v7ԳchLAXy9Gy >L0Da)yE6A×t1r?vM{Dv^/FqO9gkcX^XiY"v#!_ 3pQoĪ2G=ioyמxbʊY\0ߤsuRT9f3#:.c<_FdJU Z C=ҹIJS`ndJ#ksޱtT9C؅d@Ʌ1w\+E35c я卯ga{C?Ar]hWK9͐J8GcQ 1o^j1>.R)dVYn(aM/ Nd>& 8Dc`AYEŃR 6sU!UX7a'),3v\kqjg~X'0;; TH0hȴiM!O 2ۄ5TEqrw-cCr:\XCP&/MO:毗"&bUBˣ }N6;lZIڳ4jI8kmW^]@@͗ b4~SA\Sk[CXՕŔe We,mJF٘.V"POJʁӄ ]C1`vM+\+bLD_P®q۹ 8~`FOp)^â〿tr}էX*4uu%&0?Ϟ묏昮)i;Jc:K$zcy QIZpuU8?8F3) P.YA >vZ~-BٟSG1hq_(hmbBhy.a'?LٷWIl \UlN\vU@>CSs ː5ÿXe* 8*^@6iߙ@3 NjLAkeB/ϢMW-k$H t'ːk{B0i&hШEL`AdpIbFaL=.TVKc9t!&K 1⭾7r<%LJf_6O0"H78J? SɗeXF41-4 "_Pw~ODj}ӵ h,fNK#""/-ݖ9N8G0T X}Q3 bMd#,E#~ :V1vzPլcz>B/+(pBl!Yv XT}>d> m')vE hWEbq1ꗚdr Ճ,czsI"ik8>t;LdE!uRj7AnJrW?'=B~UuQq7#f':]U?t:,R*Y3-?E)w^+`&V=qli 7ң"('sq^TH;Q*Q,. oSZٌ4|7ͬ\x6{7w7:oЄo+ӅzlXBLQEJtA^oI~fK(r]7 EGiťEb`CڪbZQe#ʇbBNxÅY } V}kaj~-t \ԖQu=%RSQ? ߅;[yH>m%IH)u9KaS~U.8>x0jfOyVY'm k2;XW8dV0;ݎ)0LKnw>EI/i4`$#,(C;D3# aT,HmU vV0k?59.="H{VκUcR[f,xt$;`, Rn-Iӥ Yuw҈SgR/Z!*̣q@md2>ĬsX-=OA(E)Jzn@L)Wm/ Ckr i)Iu1܄ס+W<&"RO3x%)'upOVǷX^o+H☖+*zLِo(a=S Yh:= \!p$`Y]mҚQ+tFFHF5BV݇j#;}r?֌* v.!5[-0)@.IԼ f m679d(f*1>G>\Z'o]ѐ)_Q*8?n])3_{g~k|5cj|# u!u .,C}=ؼkP=AQf o|" E?Ays!p ɀn(\hzDFJ-.TKϳhi=BA?( ?ý/x<Nˠ/U0rNICBk#0!|h4wn&쾊6kV`l~lpq+uj}-h+BG Q[,hȦє5^/v:IDDE>N}؃8)Q}I|TwC,82>C:~[ÚPAEР>j}OnZאX<Og(˵.FXܬ){Ԫe)ƇVxrms&Z=qU.< KB#:Y*E͏sw,!Rxɽ ~nďUh@e<ϾX tՙw^CMU0Wl.D󱤒12똦׸!3k3Ov swE9 /$SJ͉Rt\lhƽt%H@9Y"^w_ܔJI *6H T"CrSP+?̗7_lSۄg/!;:;/xQ:#<4pǢg#D8\\ƶ7}fԗ{*Ƌehִ.z}D&n?DžnA\+gG갩{᷆0@-\% M3\밟 5HQO)}BAL"_$~'$<|xu1*]pP9LZ``pzU1U~,+OVcoOHF%A| KB7PkRu۳K8(b_#{I9;1l &+6y &4IcEPTtF}BM'p|I @nk=\)}yi>k`!AwX+YKd'kV>3g5*CI7n9H|ۑ7d"g'z!2L#0ALeލ;{-0zl+R/+-vK\mK!VtV7KJZSFN v9NE{7۟O8e-P6OjYv$Sd4e--\Qt"kJ DR:]=hsh(^[&wWw1oehapB>zOV֋-]P@=~Ϭ(wy+=WZ{Xb2kե36}.Antr@d"aˮ4Jdy_DIZ gLꨮLOqA8b%2-v*[~N,PY`?g'6TA4ɴAba-s'vL1iy`I `JoHm ~ hSɪH}ރ)Ty|wcFK Sm (dHޟ#֦b<S|@W-%'y{~$Qt6>aMЧ0!BT[h>AE^-k5Ip3kp!G;^dȁʑY|"K٦;=bfA kcmu40X2*i ́^ .?7[ <[*Sis#fQвWf8#r~Ւj3lomlʾkJZ)FoЍ.&sĵxkIMaR@ 2iλ*k; 9D0zW,kklȹ`+;pԣ{4#+4!Mjɳ2xMۖ<4vqDà!}BwvxXXxLeJU3wsS` jJ!cvFB'YKfE G[Ŧ\OWQtބᠭ"ֻScF$'+N:Hbܵ>`j ]E"';~5f(pW«Ǘz|p&ϗsJ._yAM:퓕{+r+-~-h8-H$XhKE˓']Hcp[8j2[L_!K Sg =+q.{̳CN%tPHM BCI3y2u;N U"P{O|FYBAd *Sƞ뽾N\iEGQBiʹB3̾M0 >c+;uGT]qy>hcme J+rMM5""U]ԑR,_1vsCC6>?#î!m_oBv %5dr_FɓWb6-9+61N"#)1>2r2Uss´_+ꩇTD{'KzvU!k)3IJ߳TFfKz61ZYJ_4M =GW7x?PTdqp[SuF} ]Obt\67m @Jx}_V^:p:Ձ 0 kQ،.< 3BaTҽf>k~3)@_P=FM5aK!TJT<3949WN̨Y:R!}íH"HVKW5r)@H7}mW(EMIT&fe2(uaֆlAA9p[:4?ԪSyeFS㞽4|bBܺjNZhES@Bf O}I^O9J(}qk c T*.[QB!JY>,d cgf>}ˤ? ___O9HR$:kǢv D+lj{ʐ`a\zCR)B/;90&2>kr/uwOԒ ?> aL9!8mh?}v% ftMr5},.Vŕ硯d[YDb5]mqJ'nJ(l.CS6j1Ih$V}8M}~i +D^Z)Xm25J amb fC?hu7^Zbf"Vx;-Y Ӟn Fk1eϽı3lumgm k<ԮS=$£U?jaT6.@ 8V ,iHV,NhnZ`ડÑONR%鮆JF8=*I'KAeNИ+FJ@ ٕOOnmil?cH[3 *:_ܷ&0k{RH( y<uyk;Mvj]6أN8,اiðd9Y͡pQA793mck0 ./爇(Cˁ)Oҹ K{G/h!LrZ*Egs{4A^s)f޷WQQɟ ^|KK(J"{uX"n9`rq\%3GJl굵!̽<%=ݚ?m~ߗEC=0s}VPk!v:<5vۡ76eUo>#?V:DK^ah _&r>;K2;n_Xɤ-Jޜ`)@9D=Qᮾ\7n8A"y tI Q1λ"-yUۀ7|r<䤷 6XXçYg)\i$AcsO/>/Rnu ‹ӳ$gx/)o{U 50^/ao' eJ9'!쉅r54;`{$G .2Pxh&,BDRUz (m~$?o^G-7_fv nSES^-Bi'Y7ZVxZ)Ž&g۠3JUk{-cn4rS*>E.%ʠ߷u94t80#5#Rԇj0ں)K  %_K]_,&I,j(tiyY~eJ~]~ &!ݒ,G}\Aŋ's>V&:4>.̤HL4<ޏ$]ؓA! m`0 =jR.,;@5C (dWA!JUw= &A*_A7d\)qOs:i35R Zsj&QcRYmmX (6կ8v;s$:TI' aprg.5L(9Z#8 7(xuE`̹@Dm rquY)l(F qe_+QзT:YEVC:Oo4vhOߚ'DRߧ?U.\N(a#!@jvV&kVhQ|ث 3E})UC. %d)+rSdq:6-[tQD1,^b\@"r쫭|ǵ+?C*@t&҅7.il?3>TH4@'<9bAݿ%CfP'aP̶=! %rr+)qpD9|j$~[8CKyX:[OC1{B[]wz=+ 9"W?OiB~=<^"@y\"5\x Fa%lWK⤗01΅H`ވ(82  Mal lbL豛%;;.|~Cywo?&ܱLS4} H&ߐҨUؕu;04`쐩6@0ߢfo%9'Cԏ/!Ib&9tˤ%N#i8p=5@4ǵ,D.`0vAe)'i3\WOEYPbUZ%U5bL)eJuhgVn~kQ{f$?J!pRK iD;bev: dXP|`.L*M_}<_W8QoX80 e ۙFIlq'ku:Y |/!)GƖW;T!kH0Ӹs橐jH܍)XE\|@N {"γ\0ir9Hm{s8u *p-?0xsʮR$UHk/#E\ w%lj^ri RGK[D-d 6J'gwwTySP2ɭU~ӟH݇8Q< J\xFxE⡵)2y]_\ESױ]R.錊8Ԇj1Cץ OUOf s>&`tM:"6JA*2p'w1:~]to2;8HCğoM((K Mw\~R4P-*J3i54x _4Jx%un96*HȮ+0;NSk@tφ.}Lbuc wϙY]4oF4:77˦xkLwIIOk+`S?1g]6kOw%{T@)Dq*sO=Ko "<94DD`SDq>Q?UZmztjdECzT Oqw }ĒN= C C+ښ<j#)Re!yb3QI!2Cn,:/t`=>c/~PN2i垴!9Q\}gdxlrWZ8K[}U^.(̌YnŸ|Kr""j=~WiS Oݫ>~wqkҫ6RP_bkb_׫Jkz;^&]3e%ۈXE3?SB@t|k#04h83Ͷ1:Or;t9*_i$V붱m>,o5=eEJWr}qGc!os(q=so7Y :X2i7-${t@!D`6I jGȼVA^gW11(VM˗}+ AΏg CYvfI隋:r\.p(Y[հC׏G_( ]7:J 앾.gSWJ8L@&#y[~ j|G+՞{S68'/K kG@chZ5flJ:,XK:&T:ѐ[H'FE4.8BZQE؅ʍMr#@[B\Mn$Anw9}DғÌB8u4d _iS&yAFL#%2e;U;6T% BvL(vTOdC)y Ms50L^y܂|o !F;%t+Rq ְSr(,-V/4pͧr嬂 +Z%NXq*<;%G-<02qkl4@g1!]/"ؓjM*JzaNIk*J:uh]R)GrEmx97%d!(4 Lb[gVp G0`OGIJ݈A0|zR+h&kS;A,.=ozSd2\<ӱԋIqgiLJ ˴.VI\ppV'ZL?t+\ieRCth:?Mj>yq?*FZg!zUG:y k~_v\_SZnDn ڸt`ڡ"4*kj([d{ӃɈ ͵DۼLh i2rCVUهe<6oc1-B|a/[*]]ד8l"9_ZNSܭ8s^Ъ[Ϫ{ݬ8}twrxu.c%E (& jT[{\)tyl{zh"\x5#\L+ҘNoErC~ĎsgQfFX$RMe$]U0Fz%"}rܼsd O/p^q=5~$:(Bo"om%lu>&F@YU4KS--19v)QDVu-{zGAv0F{^q7ZN{O OS PۚHN 5a8q~0q5"xGk %?0BF9,A;i~2!X6gK3qWB"zlծ}f)ia 0S;B"_f50%p :$!_6^Xɡ0i~=apN[K"i %NN<'/'o.ˉ @ZԠ]Zc&mmRutK&.Hj0Ix ǼߓDfgv L8l_4Ȗ2B줴)_FSe`Fר(wT߄U&,fc$|+e](an6yM"SEF Sl{LPP3߶UK3Oc=ܜg<':<{,f.+ k sn@ǯZ~{liŲ4ޙ}K+^_HHl[0hoXb1N2h ܴ0y49{ܠ?ns5p qs/&cH O$ qR ]rߢ7̫[iVN$:%Q+ފ *9쭚z7.N3oY1qF9N'h*{qַ_KO; 9 Ռv#L,XhI0CBAڲZ}eCZO>f[xZv[*QIŮzDdҁEE]9-~s2oȄyo!wlD=2ַZ_Qݯ6@Y!{zY-ۊ\>ef-鐂|^lϐ42uZ-ީ LlvO9\͋90w5;L6qX`9wEajN}'9[bCvqy6/l\ToxKXJ˸ޭkλ[KThޞ.ś:le9`^%[2XgxVIT-0 "w={O]D%SCn;+8mYHP=f Bn`;Zԋ ,#)b@WaD3>ɅPߛnup|2^P.Tnܻgdud@I,"m3R;:QiHp5ע5Õ`>R4Cr'2t-ٲ@4̹9` 5!l+A Xq EG>1i[up%;x㶢zJj] *=deG"{&t~7^Ёh ;l#:V8:ߐwQj SFN$@yהW$96 {<{#.KpryLޜb6bY#T s3Qp&I!v!U`ھe')w  ۜ pU f^Վ|mp u-0B>?)Nu[{qmT6n-{7VcdP0ʈs7?JwU 3עH{dηDF(5UXxܛbD>HZYUdqga^nM~n`9Oێ.805ɾ} K}@\-G].> ƙP8+zJgll=2"91S6D5/'0[rNPy+'\R':%`|ffo@~ $rB [f4[]JWlɞ%4Ɣ{ހ2N=tڍ>.PtP`kn7Fy0Mεql }˨}\CPQ/Nȅ Sd!~A~re<)Eb# eW3}x*yF2hpLɾw&|7+!֥^`rdbOuyShOH5BuD`E'¹?W'3prG=[Rي1&TUȠ]zbCx|!i)q~O1Tm}n-<+}'ӡWa.W7}Q"j8va/2`uAf?5*`3>٣*d{=lfFGAOQeѹ +Q"=A&ۃD3;5X}ːGI dިCp.4o!S*eE\ o|/`Cl6b>& 掞|5x H0@k^w]2(Gݫ^ c[H58C Rߟ w/߱à3s&Cx "nV%|Ƌ֭*ṳ{(=̈E4ʴ\gÖs2'^l>@M^O9Ì%j3+d,yr$3ZAZ( N '!zW7-}? ׽2\:H ԉOPӊN`JԔyj8gkW*E_?eQMB(G49>!IO|?(<)l0x#Hkqb?pwI/h ӕfnhq T{)^IQ|-wOajcS$ 8p^caLnKyq'GsZE͌t'QčgºƆlC=(\3}!PiSN* i-lU=T :yOh _?أ_5&X ":<*_ +prZrBLu6"| /S̙ZýP.<G[9ccJv {/^".ۚ<<;*m`#jqM!^)vn1\RRa, 0SF z΍`Z"7E䋿)5tg .=I|eEXRxRBqv|p)kV_s uӨb]ܰ3d"9HV*In I8(ڒU`^n[ihe+DFz]BcC(>r>'bn?4MF^2+]Hrrꦶ46e[m^ ,B2ˮQ6\CUowJJt.ig};q !x' qrȢ1{r81%4?"pEivp|t D55osKvz5̄7+;oh[l2`8Qa6_Rh]`quHG\2:͡r/ t wqK\axF@(^'<ɏhu{}n¬kcTSom(KJZ/lC}_0Jgp:z/qԌf ,,cuZ2+`0y5ַG٦6:cG9.?F\$|ǎsnQs~XQ_ǹfcdtbXdyĒX@k&y3(!ƼJt/^*3h==t=>T nbc@ߕz%^|>˨;HOP[̷}g_Ym@qloJ!j2umWwaT#R嵐qAuv]X?":H. C/J$יf>կ!1}q:.S81̦8-LܧU N@Dlt|bQLjd;Z׮oeK2[g:'D7AJRvMIÙẌZLZ<Q=7rh%khhem93rZoRܻ"XL2P/Y"r\V}i\KF?GViߋ&yI[Ԇ^W w,CܸоWCl+GI$Xɦ/9=\j@^ڄĆcw DjJ/nZx}/~n)),|Q219Equ/IseIQT!y uߝ]fҸD.q-shaL0E>=zZ-[U:9AMГ*Ⱥ֚%}H݄W3ǚG蔬QB. # +W.ҌXAD_>P8& ٘^(w+ߗ7Bhn" 4{E4~HؘVns{? 6X\G%\|G(;f`)D{ (iWbTi"\i`vH5Ð|Hw37tڮr+:`n=vq24pDDgk|?[^#L&ۤ*jXq^Fi.S2{|Sr֚d7 (䰫)^kGZ|tZYTƓw7ϵ-*63!F>n, ld2\Vmr8c59>MT\%ٵM~=h D3gY"IP89xd|2{ յ'q_MJ;sXм} ^k{.eE];̈́|^9@L1]/u#c(WHJ|&aDLCKfd-$s'(<ߥ6=QUwyczҘ!"<./yJ - dE0+;莼}}žXiNm?ӓWz1qsZjB2D`6[L?wcC<X}j iv=DD&l_}4,ʃO쐢JXY|E\MD7㏄2(NCds6+{Wz^aŀP!^P)z%&V>5Ba io}vڧ \ɭ-~XOJc2}.PE^<Ǡǧa>@ɫa֩1]z5*=3 XՒ5"#^:&59bN Б/"{6c0ƒs \u &ܦY8y K-)*/Ոi0 9'&BK@6wmrSV^7gj܏!g'WaS8gMኊg"78)iKD= G 5B GI4kCT0ᦂf~"4KO?fozX- -sʔ擯pEz⫂CqYs*\>a|NZ݅W>[ި/v}O-cH:gs\c չ|VE׽pyKA=15l ->bkX<bixk'&(!aBwޣǣi T-0Pв5ѿVtY$0$^y֢5ll7? _ԈKԢ2OpVm\ ̓ L]Fϲ~,>w;N [6Er r}[!{sCco-'pv:#5#L} ?]mvu捶t ҉bzF{Kxb72 $5lD}$OQ8fslEV#wu<{h:Y}T䁫vi劶#RYw?aL^HCO+TS3d|bZXwr>q8.Ԋ e>z*Y+7RsMݸk!NmoG31G-nX#qB<8I 'ɦ(\zrrgo2LdlD$-Jb-o}Ō'0g$Y/5x{s06!MRj5]#1 'nu+L53yOQW{]CtIBF0hwUҶ؈ Ciyuj=:cGw/}1V@M -Gx-jg0] ?{Qaאitćm~+#2ٷh ">pn>tdG"OS(ߜh7LQ &# 46X&PUȢ6k>$,s1D!P޲,̯%32P߆$ e"_:c^` x\Ȝk)3#+N7IJKk//HSo|Kn=&zV-5vG]]Ik͑ @3*>6rɭƽvcS*ꈛ aa(gN-hݣE QB"6(]Ni:8ӛv 6Ttۏ]'_1$OI?M=z]]>#7]VaY֌2ҏ2_f^Z pJ d^| 㝙-̥A:),ȷ6sp*MS@yd:;ĐS>sJCA%zbBi =ǝ%y<mu4R={`5xG|G7XF՛GP+nNvN|[?*'Q0=>6~TQpI0՗:e6lmQ u_51!zxaF^pi*{t ;$F@=)]vv]tL̞`L8D tzE dRnJZOtv""GX)#X+(;KͯT1zD#~DV[ӵY# m%Cc)R-$)b _o?|ae' EN VLT+`ڰY<îbFQZA%n/ It̡3JXD 058!Ku{'#OiqA. :@v5OD IYwP͢e"p"?oƮEx6?`{>g ў{2)AHFoH Nv 1&{YL|M!s_m5u O!%`.?GPH!3+Ce֌9[ <j{0H*x\.VΜ\aBe z.feoUaVF{͚ЀLLXG#CvhW<$_"o[t'öݖ0ss1{&y>Z!݈Ƕb&6uNSJqP\#dY,lO+J1L&<1Ds|2Xgee˦UTƺ(Rk#{P, {>^1qg4%ÝFx=hO,MtUPЪ).Ꚁ`b/Z4kMtB,-?eN4GV,gHB3)$on 7_էf״ e\;?=/PC=P#[#H:ckkHІ OInG%akmZo7r@W1TA@8ZQjLE&>'u5OӉ~;$s!<% y,!&Ű8o [=_ͅ o {Z8DC^)k3Q̮W2)6N"&H w4 mI?O=O6{[{(Yo|$۾_D#htxb oC;9z'dpQO=6\v u~/*$☐?12GV9-sU5"U* ԛB0V^?ލz|YZx.6{ 6 IdFA_NQM &7>ݶ޿GܡLbBx/2Fm%C~ZcX"f7ᓈ,\]jÆ`7dݏpv1F<3'gZC6ʹlkG%_f^ScĚ7lL/w W`5fr,:DS~֗o;YfQ!r23܎n7:b-tF SK>~+ub ysxgG)UGX?v-\&I^qq{ r.P:۬@rr~zDbm$>P/ */z_^ʳC!L^2x~j` L/&X<^#lgAɨo3Eڶ0|Y͐Z˫ƘĀc 0h =B{nT5MީơnM2iY?xMDby?{(Fя{QT!mƬ.43K*ѽe>#6mh;?S`}Лg~ϳT?@'*a|l A:D Hۙ`^Ŭ5;|B9{\/mo[4)Dh8!?3=\3DKR1\ {??1fSfZ.1N7cA%Tn÷=h L+šo6&@E&Xs<*(&TWQYQ %%u0'n2*:OQo"LV$-PT^x $Ni_[6dFJޑAJ9Գ4s;}ҹ5jykK3.ƀW1 zBշUGhE'dh_/rMG m=Qӡ{6gcKdXY|X6-5G8 娬n\ƪs ϟêea?k!HENERpQ1$"dހ!vue MӧMKcS5g[} [%hMpZwbolHIz6!vz^" 9_I4٢۸+3ݛKt6㤦IwYQcx"EBz+tubTSCGxp5Aa!q{I ٳM{*e;vp_{o%c Xdaˋc^ !fwgƒpxN핐{ FcGQEe:Y\umO=к%~ -<Rդ*%4"Wٝcs* 9H#v 4 cy}e7èN}PuJH csRP78;X DmLˀ85gY0Y6*n'rbm%gKd$GM"O]/ o;ŔcN!xO5ĚJS8.Jł ?.MR3-3MX4LP> 1r>/\3%T.|dp?N0a4eC`VBC#- SJDkXLىSvr:Wfg~°,d;>jOVl,>iZ-.LmKmJ@BeW/CRNP{2U%pI}AT,9 Vqlcw %̰F.M[C6(Koz)9.BskUpb1[_-zߡcV .s 8oԨר;M];?i8>f;s~eh%%0(>\kbL:^@ʹYMSyCS[=MH$Q;si9o|D_92wp&ɦH >[^l_!XOa/ fx`2->en]t0WUA Tp)N파ٻˈ`Yjox%!@7۷끻n,dؔS]03NqebxP4&XMa0ܘKzoFHl8EoN 7A[ G0iEhJb4$K'+ELS.ھ% Gqke9.?Ȯ`AI*dC~ʶ$y\y˝:UY!o"7ЮsӞu,^1=y-ZeEkߛ?[2:Rfj|2Yd: ]*w?gI椷foϣ?qU`5#yBRhkL Wj&K47Kj:n" ֊NSjU R YHT|F;ӍV:b v5=lFb4|~I&qw Bzzv~4{.H)BRn) lR&Pp9@d+ڔB@+C6_ރ ֯6qvA7sȘ>0ԹceAX i4<ioJSpݾ䈏@GܔmRFm>z#J Ya533vwX '}*s`p޾as]ٟXkp;l9_.&^&wo.TcWIfEaŁSZ& WA;JԾA->wDM *ML,ۮq(:#X5ÿYsSTH FfDa ˮ}yBOF(;`Ǫ]wfe>*ܼVP9]R14rr.dM=L@FL>i'7v ^N`ؒ@*"$V0S@bYSIbHAQ;RgUL*6=@*CB(mK?]㍡uġ;L6F$g| ~n=&ySuy=Q[Nm#ugfy}}HYлE֠X~ c?tFR}*"^ ;wxϣ91rŏw\t=q SC /T%!Q#}FYLٵ^2:J=:S΢<5# }ߙ.+@dd߈ Rzf; % j | _z;.NDTF}Һ޴*HQSN%[<Οd A~Ԯ@3Wmx/#QV|`\NOb|%+fbAx8O_q#qEt!֋LN2 OXyiZBugN=ٳ':w|#|I3A@A\JJҩmY`ү2•{P=\+120G1rm;NNBzk1|<9,OP (&wXoQQo534ܺ/ܒ[%STQPebi ;}^7= zlCԤ=<S襑uCgMp n~w)R"jp&bP3Sǿd- ρ|iT犁!K1"$f*wӗf09z2űOj1^<zt1qAԮ[ -8Gեh&dڕ =hÏ"ؕg􏿂-|r]9"J\]bt "{SG7wn[qYNNhD:,b品w.T"m+$ Cu:`Aǥ_L}.-b6ZǥeVڽSI.8?rķųV*_TN%:jfOfrN:B9wP}}wY 뮃rsvY{^H E_ a&?Yܣ jZ!¾8ړtf.oS{V _( 퐨 y}[^~|9-$w6EiG0SNRdJ1E漑">6:Sb%yw&w gLbG*+ Bb8O0GiAE rϹUƴchtϋ}Ბ1PA,!XUF2,:iÔM%cfQќs!a34QFy=LַF\k@"4/ W3Var'C|PL LP{ gW~B(hR0,31_"[ݫ? lc%nԓQ,ZA'w {PZtz[>9>PGyK^J6uN=B7MDv||K!n!6wy"&ɬ˜G  OT㉡ʙnf ZT=`Dڣ(Q*;sHuUO>D̀6Yf=%Y:~i-/hZ[fwm*w1^#Pf c-PHx{[+旲NG:`NS%GR,|J_O\Fc+s;wLr326*dC&aj`4zvc?y%Vr8խ=5I#};e%D-Xz!Z৹.M(`ESC/r3k%^ʂZcDﳴ%rw=bXPtP,oϱZ¶c5S9ƶ}(i@fxXRdp*i#gKB^BS6$;3v?95%DRoVnj"M=o lcWB_sg* N{8c"Y41G XcYM湲QCnT?;@k9 я+W@ WLtPj-;8zyu{* V]jgH-I;4st\ ەKXt%+ BMk Oē\Alha9ytvyBgIlVcq0s.{9vj=ݭ*_@X>Wtqۄ  ڝmQ]eYWS*;{U 䖧CqS<k[Z~7~F)F ۡE`7B`s>,rHX߼N[gt} YɆ'\1Rޞk=&N[rmy.E(PDP(T;Ўnk@ l"o2bϢv0K问K HEiӚD^Ρ`Phl*0J;.|oбm'/R!| ߍY)%׽ŊcbytҐ"0`0'y$؛j=F&r&)PT; FA2>j&%z̋g)AKm88fUV*s|Ƕ]}qzK$4`͟+eJ=^! r'ZٖSOh#YyqV!V9G]7z*0R59݃ J>c# hdb L͠b/WGw};30pg+QzP̜?A$۩+qҙ̘ߠeOCuiȂTU%Ͽn ga ?I|bٰh8 EzX)~ .Y")V!pLسჺ97a9?5)F☪]xo`h'WuVy9S Y 5*+C *_zHpÉwL8Z.]D u%*0͜!!Mw$T^V;17%B'i7T98&T5HDo^DGti*tWQHnV꨷ ͈]FwĀD=KעĀ\MX$ cZm<['Oe!e>;я3rZSwYPaIk،5"少$EٗQX0 ˀAlZÏe>8s? T "R|@O|#-֮s BeC1A# #?̄M.P6д"?yҴБHV\+s,"%GB_\<j;ĭybt`œ>xxIoJ,Th"e/5>zI+.SoiJiX#{Yw0DaʸUC#H:!q;saTYZu6Do}޴<_^ng&B?}4M'[0ۖKT`⒈P0-c?4ݢCrHЫ43AG⇡WΌw' cV n8yxW)4҆|Н5+*a@ !(m-1N"N wвDDOޟ8(@ܦJ0mC]oEo9AFIW^m"lu !2̨A3I]o+ (ƙ4oRh sxO72MrVM'ЖMoX6 ~$DA7"R!ӇˋSZq{qK{*! ofaPM>N4-!e~>pR/i]9{͠'q<ٕ "2ݾ:1a{p5J3O푓ճ \=|ٯK: $2-4MwF/V9@7РgJTHh*˕5Pwik )W ϛg@~xp?B\] /@XvA+lxZ`)łs_2J29Ъ<:1ZZAܳBpSQ7Sqz[7Vu>6h:, z5Œif+πњ1yRװUb9E)#B>s}AG0yՉkF *k弥chEQ*LxZ.ВMXq#kde.cѦ 2unN re9Ԯ).'}1MU)+II-L-ouu@I%2 eTh6U/Kʜ~ؓ3c9@94J=TBٳg7' [JzD @+iv#oʩ%1sJQ|\]08V}釫J'@{C$^Ցj6_b0 LV*97+iGXTqo #0StU??hV.6j|񿆔_s$ܘw~uJ:$-Z44}D;q)RorW" wצSu ^\F#ǻ*vsۄ9G*4w>KqDLYC2`C5 (gg/&ay C2ᾅ;먃W?{xG$H^=T"MЩIwBId hMJ7"*!^<ba~N/ރa_Fu* ~̗ț0z^K^cZFѡv T{1q.WeL=4] YM,RDtLC.`}omYi-Aʘ׹;h ح# X|- /Q8F>;=ђD5iegѭr#t>f^ru=ݖ4Ē?]w]*2NZl T.$v2tF3\NŗZ~1*E\T~*S:$z3\r!M[HHWH!=K`TPr`DX\Hw Fg i!Ʒ*V]XRRj;>_?: &ݜ$ " K;/$–S %HH ֹ"xK1&jߔB2sV!B1fXzʜ2ڡ6/A8}A/LOwA!CGHGR3ey&]1C j/32ÁaOxwN'K'Bڲ ) fQ,} 0|ph o.^巋ZFRX"!iAh@^YYϓ,,%.^9g\U BݧlFJ w؅bXX32:(S`;"*vt ?,wK,4&h%(0~PQ;,v{|7U_AkN[dX$x[Wv^CzuI[7ۨuU0j1.Y;O_H|$ъ0Ԗ 9廦;C̭NB!{A(BVѻ$t݋BY@#{:*2?r錱T3.|'VR ˣpmV/(=4n-9贾jA% 8J+zK/^TjOx̏:Q~sSb-nEDSy P;}6N,;|JLv5p^pB6׼ ;#EgHM2e$AK_9;i)EKޒFm)p.PnxƠ.1RG@l[-T9,`4ӫ#5 wm++([U+@̟ |d%6(X0zs]S~.J =E´crH^ȟvfnH]PbUQ]4A.D c4ge"UA;K_ǽդӖѰW0r?fj.<;O1/Q҈"/! SL5Sv+}cQX_qgv;?oMO4{ϊamϺUo<9gtHOUmi%e ԔA݇.*pb16; :h|惌 }|w{u*k9?`bytp$PyWBzCrA9,@ІJxbbyk5ĉm} *f)x!WC$|4}+"e~: ȥW'`El(ZMW47;sHsU|Q݂CvltSv¶_h@,>jVG;r i1P/wfsEKaCAf!Gŏ80}AN֙7.A-ąY ͔WŮ9=JXML \(Qj~S \dh/' ޳n/sLD=(nPZ҄)BLfدA?BRGi' Kڞ.RiOgZt-&a]sn,Ols !n̺yFK σ{;6}狅rȃғC}Rsоs=eĬȮwQxCv26S_b2A :(?I,X~^ ]0]ayqJTҾޫz*Uނ+CAl~[6xjr[ {BXpKZqkДԨVaax7֟7 4Piw?jߺ¢:iOh)B˕SoinU[yL 6;hxh醟c٤ur,VNaT J#`ln7G ̗g[„G?JxO*[TNSV7nٵMO-~׵42uRY7;Օh ڲHo_;)ߚsqw'9f N LD vjެDJ')~ acT}EVKTp| gA9eQ"كHodVb^GcXI=_.S"u*]3ۢM`8(&6yZfRuH6'qJC{^O$3UD1(UC'Mur=U+db^)6<ӁP#<%(k.2]pweT@[?.="\AA~V8ÜHU!xJש+6 }jWȂ2'`Y$R7k ɵU$Pb+6X9p,Wv.[a B5aE:\Yù|xPi @ڪ5ۙhXU @ZD^gWTY5a9cĒ el.[L26W ;H4R"y k]eǣOe<";=Gb/{zm9+Bwȓd`0\ 07ۦc<۶/sAYjd?+|b50/zm\O[kbڅK6^tBLVs;}RpQ>XyeL/ѳܠ|m2y+wӒM뇢S Sl:Nl*ph?+XzXRc7Yd!PKO Rr~NoT$gb%ǚhуŇ#uB2AIσo e'YǙ]T|.I0`z9JgE\7_knB UŽ'5^%;B,-y<䨂}67 J fMuP9--JEX(뫢Lա7ZA_Q)B ¨ YLYںʈ%Qu W1f,C}V5P׼KxE0H buztc{e)=1=\6#>Nː}Hf\@&+&'.jg%.BމQRԊFw OAz=ĆSBr\֚2ly;(A&rI54 zL1Fk%`H~2AVu2m^MXUR, o`VW9 SCo~aӿ4Gg  cm*PWn5N-zyacL& 6df~ ?I ʁn_it(e):N܄e`E% wؐ(IUpG3TGsթnk{թa7|6xޡ'n@f $ńr`Q]-xV'}]\G͚IklC庻AWg/Is>wKAe;D<%U-ؿK7{rIy|"RDNUfIڣ~rY01OT7 o˔:mQeF"'}GIz?Aql|7P|Ўjxfly8>mn.cuXKYs8\o7ta ZQ,-$7R34uMSbx8 |~ }ʐhAi-al++^JlO)Sm͞KHmC@Q$4T韍V\M :!q%XSm7-NUE+hGgLOf鉦vDN@̫! ,6(\2W{o,2$ '~\_E?L2~9xm |TLB~?wT63ą/Oqv/&;Pa}a`B29T4L,sLx1lsv5$jYd?~ٔ2 Ysd c7e9{Xjm / ??u4H{K[k]W,_s#׊_:MxEY}G3fjshdSbω_~}h,O04c#ֲFTv= Vv`Y]uTwE5$߇IҊ|RcAIrjE s9 <2E+l-X6"V/ g%B|,sCB.L7Z@0kI.P.F"0sb-e/|'[T%rkЩ‚/N1wxXG^گIElaU:Pw9>2D_:#:O{(=r`Wj#1 _Чz8Vumys\B~F'-ö$Ԍc$ 0 ^|m`s,=?}9B~zjT 1rp٪0贰D$Ry-e6jv5V,)>U_{Pd`*UjOei1zPZX(Q/7j;@Ⱙ)L;4lfUqW CxO^)@wa7sP4jDj%͇ljF1Jq>lbŖ޿3eTZ)DS{mâKD y'=p8uc 9b�*3əs'dSösczA9kE P˸i~L0’sbKy` J9\r C@qڪ/{$!&_Y^T3e/a ߴ}}+^5X8/kˏ܃Ϙ]w{cd.7rqPx8VݡNٗCʠXC+A[y7o׳2hWifUja{4L6w3ANmt,OCȘ_ݑ NHG&C$` a :VfۧǴ!5fα3\FhLPS%ʸq}\=p;*' Kp˸WON>7꒐E\qf#3ZDICf5uY( 2qפ)"WL-c^T;rϱ#~,Tn ڮSH i2=g'_/`GL 0}+z"Eaծr#yiWH)͌,],>:*葡5 FؔW+j=.ki2L\4HAN>jD碱ǸM;za bG;F,ѮU٪!OP$'0Z ]3p?(gX)s1hG[10!rr$/ϓ"= "^6V;@ C2s[m y| ;sJ^zQ`He'l6H}YOkȩn̈-CzRt&F{-D~i! 4H󚐊 OV{r7_j+=Byr]%k ˑt}^ﲻ",2f.?3nǺHŲ&f2Nu&rj} 'ۚ $go7ҙ𱔉-񂶶:?K@3WF'' ~B9*VoغBY~SbN/tD Eb$"CI<D/<[BPi?閳y0KOW%TVlj>q?zslnσR.Wx׸ISк 96IC^FIMHZ- @e>*mzVFwƊ;`qfgeFHqr[߻?MP*qrI\km܆UUy󓥇&FvKwАfO$Xͩ@y%ssl4sc*LWow5hA }{wMJl5'`_P_Ax#T zMK FU&6-c1_bWQNmDx`vOt<PY1 @E@6S4q("PL/ 8ţOUKO.+C%v- JYX%o:&͒`:/>S0ͽ1@8 rFA-WǛv2J(qp3;Bh_O4zU-fJ*vrs`f1$j{6Q= ڏ֮gدыet`:Ke)=hvZV 8ifqA $"ƀSuz&UW/?]Nn,=d\-Mn _.uޫ:(ńp!sOӸ]RHocKCu>_ qQ{Iq4#~V*+`oى`8j+) ڙ~nGR= :9rl@S;5#ŃUE+se5,Lթ&BoD冣|B^rt"UȈF'~Os;l&V,:34v#60SgB!༨c]cmw9$lF qHnb$sh@̦`9 ּS!ֵł:aߪb @'AZ–I? d߿dHwb&h$;AjJeΪvb? XYP&0x;y80znJ.GRsc-o.3*d;^DV~.PkJapع[^y=qoڙG_2ҲS*D7FVb{9QĄVV(`XxfwVog}`Ciks3#ԏTPw\bN M* A֮|4klZzqQ̜:X]9{;z$hs~cKYB.EJ=`|oH $>nD#5u5P?Xy64&oujrR10UuxǜLjq٣Nݬ`̺+6˱fF0GW,(qO|6'P=.njhK i4X7)"&[F YjX coƐ#G|uWcF; P񏹥^8^"8rnI2lT#FIƚ`L8ā\W"Y2,-|JARTxh~ kXW3E45gHECeVbQWRep>t"m'GeKgbS>,$RdCZ+UM`Ҹ$K-"4_-G1'1%W^f9|,j.I aA.?aBȑA0^q4l8K-W&~Dc:-?шrƶhrcXdㄣ0ͬ֐<|''/6EH"ñ?l gD;> Fʍ)!wWoG'.(@ly:J(y0lUǸj>֊kv|AV:5ǰE19v|UUD2J"le;W`W햢N˥שkҠ82r r%V:^'So8S5ݺcxfUwF 0C>O s^ < ܠ>lq|>v]TYT ĨHv\}`@Ψw~wpsW} &JXJi< ]neja(bF|@R]L rvU.5?c7wJpAr8߅W@;fwo!s%w Zh1rY]/(1 Dni|z}0?d8[g!m9TG{Ef'Z> ݶ񌡒?tƖIi!Ґ]7zMh.veݑNãbc OՀ.cID ᰶ(gdzXUdhjkwoD(crTb bhr&Y%n 飹TH?\!ɴY 6A?:#Pm#JJ4GWY I3O N!fj0n56 $l>MBN(z58"1roX[|o`R~)^;ƷTOUO}d*YXsN exa>h^eToJyrec7݆LVS\I} %֡tQdȜLoj#!?ȧGJGvOGXxxhY*Y.)ݲgdB",˓st3>7VR\XEz9<>ᱭL1U!u`Bjiq48\lf)ޤ6M e%琋R;4X$TruyaΊcU?6AtaFo$|[;9]~MY"NޕhT3w;eij̳`3ujtB;N6TpgS\X\c$2 IhV@*)>uH]mQQ ~L} '18Jz=(E+jU{.e㒒k"6rc_ T&;œo:FE@t%MkjMV'cLS&j׻.\e+tx5ɜ&2A8@;8'!Bq x<2I4s}y;C!gTCӹ^)';zBC~-BM U*Z[Ҵ'4/ <x-ϽνlaXRkP 5iŨk ?D$HրG AC7)Z45.7`Yjk)u>ޥMbGhLz4ԁJ­vBwyě L`HKGXT? ީ,T^]m̾]垷FDk ozȮ|g!>oXqRvW4Q=LA/JF?l_βrRt:THKşw!Iͧ$ffL~Mf9~/BUQ['3)Qz6ʿOt'sދW 49)*tL\XG  hGRY[Յ}1Π*eI\Q:@^+7Qf ի7sNw0k))a鍴bB~^x(y(H pX>ƆW;5_ˉꙸ˜~D ~QCȑ͖jP?}] :J=hptKDmjsT:vٌK߻+ aKް+9Yn\Y6hw6 aaOe P".w-SX!GnQ0"3Zs4'2hV2s4K3ڭ5;vzx$zx 1FaiH ej=O8WםOٷ]]s;節_3"T٧< K*c"܂߻$qUGj`st#OَNVU/ RحiA*laq# 5'S8JmYb袥.9&5\ 1SEoK?ͨT!^BYz%EtN㷟$,nG%/ށOH6Rd蕪YTj41ol<.-!ʠȦC//n4|CZR-ݞ-8+<%ĥSU㈍DjOCl}DWјb2K}1sGW3 H,7_([QBsl/\9?3:~zڬy"*_d@ը`] slvbzvvմT =*r"=$ṳ\\GjG81$.mst:r7yx~10tʻ/"3CG޿jjɅܶ4b`W{+³yhn[&~榕|}UjNbf 4U!䇑]&' I$1ӍWFc@!ӵtBle6Öh](=r$p4 Aj˭Z;t03rKwHr2e/4-粜\N[$B$\& .~LEMG .Fih,E'i!8q{)@ ?8r?GX g isU[JR $wAfYnש\hM&qcSZ$RgvSbjI9}$!vu4:GB ~v߮r6WUꗎ?j\ń,Q%ɕf(}ټ}"!phKjm(zzLSm.G_m}ߋE=1e`08pK4 K}kXA3AsIM1q%ʪ](9>BEufP;6ɯpMĠS"N3;6t*<$ uEI<-p >6D> m!=/՜QƑH JEmj[w(6, ~@d,;M!S]Uv>sl<\7(V*P%%+/e*F!7mX¿5> {t=H>:c I fb$ߕkE`7 ֜SLk)|#a`Uo"*Uh-gvRd뗜4&RurmBMY,וMt~EC5g&&tJ%C S4pVqγ_M,l,] ngk^2hh3>}*OzXn삨[!ܠldRcT]J8L*~ъ_RץIܛHUq4!@) 4P]BH; #UoNy#!GLܣh@\M]+t^fz~Ges,0 {6dŒô$PȪ&flta}K6f{sx@PլPͷqK @^1:R7?C='>~?N@.W]Tad5c0;N]zFX{}d*) pV{>F0aZI+Nax9:Y.S0sƭI:>%ҙcpH ƣ$$up5rf:*~V~zL:kMO$5 ha.QIAJȺDS :93 SrE@ZCCkg9Ѥ/M=F 64 }LnDN0Fg;:q JJ﹩LkO6r^[}.߶M<xN>}/|"8b( IEBQőW׶#L?ɇԣ`FO^x1*qV8+Eo@}RHeS2 {d PH8rm-6SX]bf3Lmef;ݴ|ٙTorKVbB g%dM$Î@\.Y{9c䥒I9d4条$ \S@]sQ$ӝԆ*  ;cBzA( c#L)|!!x ¤4xFF. 5Ɍ0slD̿رAf|x@81rcٮ{oh- f,~)!#WIsב?>2$3lL=!tO\[A&k\+6cLL&^E[Ǡ9yi"\bi<I7w \I+3u.,y^<9K}zPK;n h%'V|1@Lww&ڽKcǢ.ḺAk\<2qpjNVKbOڼ@p)'C΅FF|kFC0z" / 24?L9QH svzXV'&AiWE{!0։Af^ñ]Q/HWOe'x Σ1y_ (^M<~s`)>:)p5x k{𳙆3Z5h )Aup˿!PVO*R+bPT͗fCօl_5mpOV"mwxC8%yQ&h\%NkC_sEyC*dq_ Y( $cUhA$r˞Sb9#VOk/ctӅpj45%R<2F((Ə;QS}_Aw*s 0J pe ɡMc68}pgzU6醯['Lu'#\[ ipSf0ǝXtFoc_R2eZ4^:ƣ,X8J/'biHV k;g}8uOYم7`(jtiL&(z2:C .=Iài-D#)Qpm=)Z-ں[^oeu,S8]VfT+ %O&4 \ssS?2U<$:!>MRϚTm)Kp@3H8r)1{7tA!IՌ)V!*~Yx 0{^JMÍde["/W: JlН[-@M4R9./醱H#E@( =WR.Gmbξ>T˰.n1LNVn7+WqU tΩ|񬉘a\Ix>q৑u9 O[lFXL k<uK)p"4eu&\ y&.,&qDUq+['I\ PR%W}_Vt)$";п$<G)9ZCuUXtʕ.c;2V*g|>Jd9>PV:jO0ew,$R^CIGĈkτ 4ħ @'õtfPP3DҚ$f uc."^-cݑ,7-f7a~^aOqD4\2%xNU2qXT&0«ǍFxXu<ДQ:$6b̹'yλ0NƙFxr8I|U%r+ ~=uTBVҦCW(d ktK$תko j_C:Ue׹ьʭblX~ {:zL ,)g(9tNj<IJAy֞Ȱh6J|;aÙ+ FZ89rZ3b-ՕIhɀr"q3n<>o3yeZnƒ3!"he`V+0x%z1\XIq/l@)G 3_վt034Lʡ%y2*UTd aA-Se~|4Ȇ X4BH!Vbk&-6P_F]wV"}%^׷ЩrkT~v&+͢IŴZlohF~ՂrQܜNۏHidXhŐÆ[`ib=K̈́X<VBvN璲 pt"fIzQ as?`.^bgRI:R@N&<:F&IQRJ͎ډɆ슦솹$4niKWVU4#|Q,HΊDh56[gL cAUF>]|Pxojf.NmKa2d?,ǻ^3oRW*Rr@^?}E*F"rϋ+P=5"AB2L]GuYdt[IZI7FB:6cid"aJ;,bg ]'7NL뜢!@?:3g /ۅgpD{N]9!|֙r5?j΋{{@|Mװu0"@şT$Y9qQp ] ݵD|Hx ZƯ2e Z1l8CxH<"e /,n ÄWWMHUݺfgxx߻Qd >!d:!{ԟټoU%:>:*)jq"?"* b]zrI$YemGCo A< d܀l tEz +e 붌p2OC>T/B: D*, hU-@ϧCK#EM?c˲,jKԞ ݃1o\D4<'J&XJE߿[7/ Ln:zzhMxC~ p7~v0I8eo񨟝Z=xFB(We뢚lPЪY#DOv6EpHL9Ytuuh 3@,8ȇcIL'Bf$3;_5Jَ{>=gM6E8n>o:cs>v&{Dh{{\$cPUe.+LtHJ/  dr jB8yt@Ifd=C_܍pae})V/A.ϟbxGy"eMNӓwhL:)gտ~&҇?AQwaGDXjP"N?~<a~ a"em ey Xf` `?d2P$/h `706)l9Qwof!^"8}!PPF[#uVqq.y*d*L7y9ߜ8b Zgқf["}yE;{m}X6wJ[ĒZ<9 9m be.ȋ׬*dt./mɧbꦾE (&?%tM J Ojn;#>Xnh5=1v R ~΍8a:}V0E9G ׍SکVFK_?3: K齵J*HrygYeےFӮpv1 PuƓ7*X~@qdpQ7tUۻYJD)-\+[3Bq0ky(kǹ6&Qw"Wbasȝ mf5_z5žcSjcofh8ݚPQltc R|isMŻnNsW4 ٶ!SBUF[h+8{'q>GBABy:qJR%M=x}P +0x/P<G)qm߹Au{Hӎ׍B_3A|L(_(&ʻ/unpf !fK>&5q!uJjq°]MKddMyDk~(όpc7#j]bQC-tFaPn{`HQa"9@::%.*57s2nHsuKfc?j\|óFNJJ!Dj"1ervf,AP掗|ʴ%'AyMd-ןd$Bk0 oBO2](E~aڕnGR"5>㻒 1醢SijڰР⌑čH !edc~jzz'"O45i f %@4Az 6XQ07.ǃ{Z:jI uf7}˂ٷC&4 G"҇@:NV @6rgEK2ʁ0Ywpגd׻"ΐC76!Έf~Ɉ& YM#d9ǁ]C6@S~:)?emI@.* aaӎqI|g<Yh,jK,uMťd0%Xa6@+)%3aC2H[*Md8 Rv;Ynn|뷷3WƋ@FPhHmz&9ęT.#HIf)JY:;>`BJEc} uPI+ѱ%8aI透W8+ҿAKe)ްr8fˆwv)U0U[Ё`8Rww0G#&yǡ 7{=*u"7(#d5/P.-+mxbgl fωz$nSD.~؅$nx|7uarjuGU*5ĺ+ʈ,a +)OӯEe^}p !BJ}H" ^+.Dev"st?jí,EZNQV9oskDtLڥ^^$~r9&F 1MOƌS zy:yۑߠv[#B td_8qg_e)(wn?z!'ܼک 3rs1 3!b\$aBձvY<rH+.x 1&5"yB3;6mCP״)"iC.J_7-6"1|D$9]>=(osg4|d/Q10NVǠ嬤u\ǬUdYZ!2@d ^ɐ!#QN#XmRt#A't(}|..3G4aRbˆD&O9 ʦ_ uwb+j>`;%h#FZ*cQvi mg"Zn2*BG%0%,vрނ ǩa #7<*l;l@]_;͓Yhub?A_M nƪ"CP*#٘~$ȂL\r Ms/t-(_b@;DDoN9@h6'?;‐ 9ukr2cA-,ݔ$(38 Am("^HZȲNI}l>*zԉGzZHHj?8I2>5iz}\ A-dn+%L̚K1ycP Kuu\KVzv`eX"*e}ЗAX09$b:B.~ K#UoS ,Sh|W*2ş^!R;$XoOjʓS (# ;r΄{'ÅhݎrmS DuQuJ'ZDqo5ӝyz;cȚT¢;Xv {Y~5Bh4 %[1^Ux'/;0nƯ7P?|Pm{M}L*4]EnWfZ@"0=#]X:.^IoY(1n9H? ެKCPӔ%6;>ɖ1c-N \Gny%*8XF"Jdz{qHb(V6 GIu!1LNF_3Y8ۧ.w|(iԩa `ǵ;" *,-<7bӦCݪFڲ<LJnjPw򄡮/Ttϣ+/R;iCcH9[цGI߮Z4|u#홅ja}3cN *!Fb%#95U<*`*}pCO,ky(oV~ܹ,1+J;TDX2"(. nr(~>1h2 9f8rYio<U#<3XhlYq.k#jAK6i^X}.5]uY(h:lUXތb}b-Hmw2Ǝ .4W1Iģ!9^㤧[ DΛj4IKtT5o_I?PC!W#IC$G+?B_-Ɣ}Vf#b7DaYߊ^6euAl] 8w8*>)QmCXj>U[Y>|{]!PMyؓ~=.Dll$ Mݪnv$?nX6Ě佅 E@ uoP+h.m1ڳpwsN)|mH#)'lH0 3[f 6l`"=˺zdZuUtx|H k5/{2HTc ѷ!W|z:Ș{،'}Ӷ;t!Y% }-:I|kk#ĝ1BdjnNy[L;V蘧ĵ\JBN!1 J̍LTh3^10Pqׂ)5l"T{HFe[(5qcR{kGAPKB(/'14͍= R_eX5fl#{32{tT3\S.bhqcL@A^sA2ӧ=k)Pj %aQPr)K.+¼O^HRWqj5@m΅Q) l7rQkAo>W"Z" E (/x\PP|^Pb wfk uF+nZ=bOn}e_:$ eJ"$v`i@> T` KrqI/T>Tm c*4#bOHQȿGX}]N"8L|ak/]>Fદ/?~{ L%au$uDFB{DؘX1HY'IN&Y7uFA- N`d*E4o5d'r/k>o`l; A$ye'm?d!O?aU ;\D$clzrcU񗒿2t5!GmxK[ )ˇٴ+31&Zx9c夳7L\M!kI`V&|(5J<}_H}05:vpTʨ~'9fHTx6u2Lho+mg|]h1J08ViE|_JQzA+;q {\Mb/`i\=g[#fޥ 8۴HIPVd5 J "MxQDa4 Z創Qlf[,W 't%4yצ8gvTc!-Vo{0fagru1DKc%OuQ a|lKv*4h0A:؜ZO ;=I2bdp=:lz@m,naI)ڞ^ ǨoҵYLlwYaN4׿I> epY',ئAwX +GӂBw;֜Mnn;;(:c"ƣsǽԗ.\ւz&;,+5_\e*z 4,c4\S `SwoXmĢIVIIQBA0@)П_R_ta,;`*$;٦rJa|(aoЈzN3u(3>jp%=7%7f쑁I352 -^VR젧:(25YQg $Uզ).&4X,gh90U1 ܿ;i䞶M T\̏{,Ҿ h9A')*U`g@%' mӑ\T7MD9A2'^5om"3ϧ@1BC@ gB.GeB{< b!+v`0/]1/p"ۭG |~O7w? Wl==̃Sy!Nܦԛ)p9r> Dnvm4hFB6㾽F>5*߹EXZͱAć7XӚ0;B[ T~kY:01w=:$~kn",6}=Pz/υlvBd֯O Zxb  ŭR|U9PUa>0-O{~V*d¢+^ V8,S~UNeK^)q@ i˦W IOt#Zv/X}|E^rH&Vٹ'/p"eޓkH-o[ "> &:Ov<RJr*wI +6Em{ґ3Y #ߒ kڄEO5c/n T9 ~Í.ęY,"*F#j)$c(s-~̹[B 4$0$uՁ-vcdҐvg 2hbG'43T o=8(rsj[*ȨdsmL3xna(lНB?DZ=/8&(eӵIdXXW&ZDP1'u"kUlH.ÑH'Gu,KG a![֫zg3u1..!/XHxXDzӱ*1qu*_Ɨ3rF~IDz|{byH/&fu:^6oGw.smffR/{f.r㤁?#םL13bɌ~!@RsCzd_r"iy%pZXHeڌhkv:oAvm}Y4)'01K=csL'Axƛߙ{$SHݿhoH+jcY1D '5+O_M,3F$MRTJUh~`$a^O}jp5]O9>n, H7lQ)jg0"Z}Les ְ/[)e)ץ !Ŏ4?%uL ,#?Yf#fP_xQWw RNzc[I<3h Zm 4Ϭ굙FzV{=:n#Yz3\Q\Ue": + eﮔґX)fDUcwaSɦoOBo~E~-VV溌dKo ~rWە 8Ճ3=^֘,M.2>!uɲ`s&+핝 xQ)̒dX3,3okή1JPrEC+ҁϼ^ꛃ'^V)y@F'<s[8J<!*vR[!3m{=0#~XrUVW ] 1rLwܛ!-m%b/23v8A~ =iKYH1Z&p)9w&=];kpK;Ո~6ܾo#Pr=28ƨ5g4y (C?ߦ:M~!,w=xߡA_JaDC3 Imί,hP߭)=slLkȈN/23&jy/Y#зO7HO:\{TsWP]!宕ΞsjC܄TC Ecw1bKḿ}Y5VZPӒXB DR]+ɰJdwV,yUڏ`/ޘu%P.DsSTQh@I65 S/4Й:fռHդ!+dV[[QxqWXᷡwk0-?.o뿵zno{>?H'.ιxAX}+ˠaEL9K 4h]\'Cf 6~JbGfΒ"-|fl''YU“+g_ 6nzjɻg^5FsXʂoiӃډbl{gp[f%mnsVX4[AvleH:~68Jg=pcRQK#gjWIBCQKa}Q}<ϼ<k--Y^SdW ڧj' qG~N9G9'7hbη*,Eꄪ~-JNFu/gxy; e"vA5`:$n t44=q+y4U4=Nw )zVTp_ ?ev^XRY]ueKKD } %̅SZ5E''!ٴh/mG')[ם=q Z i+,>UmȒx0Ԁw&l* J,3yN ͚Ҽ)0!W1?זT j՝j,Be-=\/'\ KKlD:Lo" wj%&q)rY@ eA(aR !jtYlGW?teV(]D9䜱BO$p`}rMi6HZLX6yL]-3J01BQi}D >VH3`ܟ,CgjxYw pT t6ӿX\0hR 'M@m+0@o뾍 K2vk+ΟH3Cp9,im$ Soy_FݮÉSق+⃮ST0,J`Q=%ך'vjJPbA0J$E }xƭ:CZ&kth;K^'l~ "_IMZ#iM"$S* Hi8o>(QZb k.DN(aEF M@-F7bSIng})m8uduU<&%bv xlu8Y4hĺz$aW s |j6F9X"0zD%NÌ$S*t7aK9$_j Z8ȚEvTp-w|JN/ aV 8&y%bnVuuzz,ӮSc'n;vbx-Yᘒ$]`+2%R{Ǟ$P!(ͿI'YoXw0 udƚ21-6ɝWzD'ɸ zTap߬ *Z+h8bTW\㮨n wb)(.RO#/y v.oS4/# uEYHYiTxW6E'oi;Z ̘ғ%9_21`u<ZDX~LK*[b;Mm%>.Dcбx _`=i*T7>tl[UtUz֪=;g7[ :&Ωl7)yi)̬2$+eKW( m-3i)h,1|N!oA*> bt",xhiMe{r{yIK6Vwݽk+#=,IRs%Ew+L lj <{%. fª<*܅KJxCngP,U@ J$ᵓҋȻ7q L){%2D'e|Z>!+41 X$*}{ n'cj*b/&= !Kz3Hc&.G'L ׼M|tg~ gO ,m~̿weQ&9@6z]#ݥWsy+M qd17l툶HsVH|1n?&3;l”n~x\PP;;(+BОc&jOލYM3LoiR'uq( d0a4 :H+HʟP~T/3q+!tK#Y)FǗ`Ȋuy> tW 4gtR <7{Yf Ն2zop.M!B?bUWQvx1v*BjJNso,~^u)Ns.!ưqJࠡή9hϙȳ|\:zx \eǡ <>%d~=X[< JQ3J'R `Edtx%@mfMg15 pxa ,S쌿i5ZFlsxCaN\鄾 9`H[':|A)T‚Rv}@ 0b$6*} ]ۛhwZy YOaR%i A'>fYl+P1sYEHTdp{f D:оHuʹ.Nbܒv)e?'qh8*vOt(=KEEr+p_)"*w=9VSUcT7c36T"ڰuӪlYCՄY:DLOqU@T9= 5ğ;zIh.t6JvQW;(m[_ce`LHYB;E:&KRor^Q`M:x˼בad%\cW0VI t?b7?Ϻw#e* 5TN%,#6XW,skCRϹÅ@ܭs>ith0/YOt[ҳ:) ʀ{[KV6{pȦn:\Z`ݬ9tm- 匣Af#hp6p{ݡV"|UO< 4392܋!جb~UK%^^PJ0a3s#[RSp 6y:}V՛El]kđqa0Ѧ4?!D\ ILPhUΊC&&}O/ ؛$r s^%U%1)E/gm8ӏ.G2bqW |+ f|Z wz6ɔ9xOY$*u9 "H F$ f}O!~cHLHesHݩinZX$rT44}C6oB˕֖V9G k~/ ۋ`E:6Zַ KHv~36$5_J 삒lxM!9C\UnYGQsI@&hr e.s7twɬύ6ziۥdvt#o{1Вe ]#-Q-e9B<0pUy{ Dab;ԌNᛶ")Xl |`hGl36iۺqZXDV~ k5jxh^Y' g$x1]nzNzL-TL}}`RQ]HfRp跴9%Т"V18knZ?l)ED;}.=@ XPz (^Qʳ܏5l NO9[bHo/*tW5xa `P`Psy@D\#Ũ9, +߇s'=z+#E'^4a*1?Q++ тϸ IiiCNjd4]XTP$6ZIA>b&yYEaodٖk(ST`/.PM޺ҟ3{);CNxl)ZK ar#o[sk܃,Γ)/V!jKE+mEs ]>*$') *+qWW-֚Em EN 6U4!YwMdll+8)E$-vo]8.,7R~@НF3lPL`,W@A(r)\FW2͒wQ_F8K~#Nq`vՐ-f0:/{a669cjJdCiͧY4(%oz,v9c6!HU͇jx]ٲ]"7r1ϰ@۠uYre X,,+NuS[f옩f fX;̡7('? F9ه@$VHYdǎM]quSN3-˗Ʊ>,?>0% f&jp7; `㹀˵{<׍41E#O&F8ƚ}4l"qr: h%*F~ËBiM=Fod :Dx]i^LH n&X<*$a0ٲzH٠*ܤDZeSoT6҆2fsRora183k1̳~5ƚkyI3c>շ.%KEr 3Hʷ,O _`1.,iY,:!\R7J ǁQ۰T1ΫյS~ԩ!PLx*}8wh"Jj1$MhpIuբe=g\RW~Оe,ܺVol] _/wv@/tT$I|)ҒqW4FrDӈp`/YKѺÍHmZa.C"okRIe;b`{rBsnw B_9,˲Zxy3AJ+.i_h*f1K,m]9Ʉ+BZ3<7{ؘecVγes=g;7ug[ چkC7 )]^m٤:nm:%0gO1pv R.aXQ3X}@TC<[e6[2aOcWmuQ (Wu+`d4W}`x8΁YnlE:-](F#a@ CF p]DPK~Z}y53Uz}3/?`7s% ǩ ڀk/,hisUd#S=!A?q1\LM*x}^W@kxɯ4n,˝4u.9ʃy'=5ZRS ? A@ZY^"R,A ]wFhkaUXlUAd0#KmWۢY( UeLGnvy?EeY>+ kcP}a1$ [r1dFZ_ߍ f͘L-s!~z]Eۓ _N@yAqk{ђ849f/Άk3a7' u ޸ODfSG9EAL%{l lL{6h0ԟAt/0})i% 'qئ=$T+13Cy)='s E@X #2q#cr=ԶJ)vwNP!*Vf+ƷTՄzI8? E$B|%L (/3H' |L @3v~QSֹ.՟.PZ}@?7!6Ytv( S5_Y'S) Q3?<%0Ҹ g!xU<OFpA)[ p(p&Q4+2Bk^yl7+| (#M fXleҾ l17ϐBdU&vp!{YQ$ėPzEvcbr,ή :K&&Duhd%#ج15dk}ܓwۦca"i _Vx$uሊ,E՗?ط ǰ LZ םv Obwiv$fg" Bw(Y>wpYb*꺈e}>xk32WiM=$LwHܠo&"}|k|xm_^Waa:9G ÿXW<׺04zk=F VfJ? !j9"<X] Q7.{YX2GWo2TzG;Ki'd7ۋ$Dib/ =z|KC&`_.tLAzs{ww:J[-Y`܁QQw./vO.72ZW1h=9gW㙤]·DW6vh}:ǜALT]7{(6` ݰ}{ֆngyDo}k/L} X j6jȀ3۬uvp %b…'Z-5asa7e!Ri0 ] 6I9?^-͈3m@^21H5E`E z=tO M6heg  9bwם'O m qy60GauR@P޷a=%xB͇ma("pDVed# IksNMUIƅ7(3hZ+>f[ZzܱmVfzojt4twOgkE+*=4-؋ݕ^,kOq<6,UDcGO!t Cwl( [.SdX(:( kFb+v)݇aX.M#){VBW[Kh?ZVX9z,8,&2[S2fd9蚃O+N Uc~5%2n+qe' x HB&7ep 8&VXa w8x_fNJޯ۩rj#KU nzرU -lB,辫r׷XxHUnq4C]|}.4tHzVVbSl\b 2G*:6Ȼ>!.j]9WkE5S=!2B/ӕmydl7ԌFg -DjsYJ7LkBtԊU @k U^}*p$ms36lk} jJ0`nWhLPIcF:Vg";>J LҦ!ۧ[rJ4kbI`zwKN& 冉85ϧ2FX8#[ U2bel.xя!ԏSVΛPR3:FcNHÂ/;)vtKc7o$-kӉ _w1W 8~C2G^c'Z8cOO_؞ ? 8RG{ފaݵ۷Slu@oS@# B5pVR!s] }w_hz @L!# [TG[>@>j \Rje 06н?C؛ [n #(%]j%ȟ촾>.=|[PS$-/ܒlF`8}l=A(r ?O~#NOP{4XRo4:p{c01{WtT͍MgaFKLW3Co@4iD)\&~^GDrqr%s">fW_VJ{QdI޼ r m+s"PPna> Şu@ |ۛv^C_5i76&ABe=?zɱmL=PFǝ=]&nӽ9 LiXy@0btP7I{@!3snX2}ggZ({[3G.f RqkYXʜ#X|)T1܄Oǃt앧4@f5D &3bvny0ʂb/#H Thbrȵ [E /ю0 jb ]Mm;oxoܛK[M]!,`4_3 C62rUq8cDƎK<0yJˑ/U+^Pr;%_x 1ɏ(=X'H"P斛v*}M% \EaCkԟ@EҎz; zR[ķa!ME @3D`JU+?үda8+CH[ s,i==1PД# :Il)3g Q%6N O-ebAdU*}oF@2(˘$s-ŖKz^ADہmFJ‡\oH 틕͞Y&] jODJGƊ|~@$+VdCiH^d3!/Z|ү`=N6@Sh2 BpN홄<jTn1{O" RGsoc~FX7p^,8TD…#Rh;!5<^ɨvr܎wϭq!@` 2 ~2FCȶɞ>! x(or3຀컺愆'O20ҨlMT !d1"cJ J_^砠"_SM$|ΤIDԭV? }l.y't^yHy;ΨSHz Ju?ĶN 965?*%!\l%6@Pxӗ57jInT!5*슸3 @N?Ū;L}͝&Q :8Ln#!iZ][[lD&7@cWZٳQnoB놪Ǥk,bn))Y]/c!5I9Eg *@y,SKZ ~9Wm-oZikk~q 6LD[ffܘ}O'<&3 O#t)#p7aNɡƮ ƌykU}z8ЊW[e l@փ1~F$̍.A U]~~xFZ$ȥDJ^xX_\#ިؙH9|(@sN8K1?TK݁T ŝYr)9&ԟGM^䅛ue=K^y%h_ ؤM}ST!;ta"̈́%̴ެZC"~wh(Pz- {}#ܧ#|䚇ȣ|zL=JOfv0R;z7l%DII1U{/!. ybMR)(m +;0#/pΈE{Ef$YXAInQO]|>4:IqOg$\HʖzyiD{D\_53!Sܩ"iK+,mw޵QuI3?>̻|1 %0KֺR C"lDH?L]=йˉΛJ2b6"U t@=Hnm*9|MdU@mKo^}F;"%-5ZzjP0> fPmoXlR0GbsZP$D2߷|bBe]JJk-R m@̰UzN_D \x -TMɱpUp OG (T7C{OOeBik&D3rS䷫I}\f%tP8S P!XLK&7J , {->9- s~庂BN2':zSH89<%!  m8Қ|Iퟋ{ө4|t?)7e|K ,#!)?:LAGaxhw3a&("wۘ c0h.' ^x4cԟm ,RIfz~ ؼ☵:d; P3Eʒ!pbw2:Z-4vɆ8MH{N> @EeWUp ZEx澴.U ~r l\Y~O((pgŒTEE,h-o8dF}7aM: ktًqVs%Z) om@ J!jKn"h7a#WxQd,8斁B!ga oJ܆HU}Ȼ aGY՜u߁̉qMp /dt7-k^Tѧ 6뱳S“k"Te )f~ 6!(YJIrP5 XO2cML5 ,9DjG; wpO !$@OʗFݬ{&TsOQai!.@6↊;lu!_'vAf* 0Dt-b:+8M>痲N~qrxn4(4e8Ā5<̗!9.u̐`lǰ&*o~o- .rStBZ!eSK㭉\$rruN2G)#(fV*E'Z`3Z@)uTD|7udԛtG8Nb^\o$,ߕ-C83M ABOΗ$T #]TF4yuš8dnG}%ip6CU#RUG.`{-{3~[)!?oc#(KlR103)߳K-a*9lo@Aʈ}%(kbt[(Q$NDt5fKVpT_ë>Z7&E$3˄FQb˱ɕ9Jp n ἳyzBqO$sN͂ k&ʥJ" j*^ !IGE14yѢ|wN2=;ѿeڞ㟷$:A"J y쓟G+ȉ/9c hx4x&0Gwwɿo͜jIpVipFTDϚP ]2_eYjF=fkJu29T\hT׵ P=&7n*F-=ؘǷ_mzsD&_NtAx d}9Iq5{Vfb? Ӱ]cQcx&dƴ1buY;=U -S,oD:omz)]pЏԂ L}A$8f/ r0M)씜IP%e]ehuo Zy{#Jh2)y{\rO7JP.F+mx&oХ0t dfx?m5/s)澧|a9h?Q,Cl1jҦJ!.u A T/vsB3ulYջlM*K$E* uJB"s(Bh09bd&5I!=NjSQM \gUƴZ'z2|JH&Ǖ'=ͣ˸bR?f`b^*5Ѥ?u1lJ՟s+#cӤh][`Ζ2J{y%tB?26*C|助(cyg2acID"&UbwŹkҸD5vA{s#*ljPGV$δB/Ut a(- wv@/Am f¤H2fBj8asDʗ&,S+USf/cAaz Vc+Z!9*ݻ?Y㮷>h״k|l%y08(ߩƟ{=DH *Igfx Yg-ypW;4oZ E,ĒE:_yqhCs  V?7|ӧY7Z3KM@WV.7g! Qk>i9*U(ru[1*zJ,Bƌ`'e+u\њ1>5aC_h8HZvk;}a$<[$K076nq9<{M:GARuT<$zۿ~ "$ kngF +4|,= V;C-dO),jmpZǘכ6qV2%(8TL| J[vi@Ġ~u•p~(ڏ&\49BLۡjt+V9͏mÙ#D/]>t&.+yKU+z1_9b3µf-S)/q =_:k'JXs-yRu6y<$iB{<] /_Mt~D3dCjƻ l,KvMQgpài.o ,"IxX䶎RϺu8GhnB,IDN^V8^HMJ+G0`şJԪ78JxSk'2xPzQ|m_}!ӳRrp82d#i@S_^d9:\_wXTNb^.SJF:tQRr (J)S]hHTEH:BiѹeQY? Q)bgm8gz E`"-E o"x]MS2,{]ʀpAN{OԿ>" "t"Ca{:SNpxSYvۦFpEBd)OQYA@t]ZTc<Fs); 6@P&!O baMQ|~g{ KfN)]?3^ٌivJZCw,23i 3qNZ.Isj8}%)u.M+]1Q/a ]x &CZ!QN%)p-.)jgZ%)\AfǦ 32jD-zΌdIڸ҆2 i4cqխē!~Xüv;cs_yL립)›n͈[7ڰ1bO" -I2bh_'t}L89)FU/ܜ>Hj?.4!4fry[4+QV*$?9DV=uku,F}1[^M0gYNP#n]醲Nu8A&P rEm Tuy2"e\O݄w0L?a[\Sy11qM +u,t, wRP'/|eC̩@o petX&9B]ʽ!H5 $Q r;$. R]z | `1e+6}w=ߨ$+20ĊjzoJ Jy!IG?c< S8;sZNiFA}厩s_HiaBr٘GY :RfctF$u)Ph R32G]K|?$Ү*9s"Kk_ɸU֨9<}EF42O/1 *̳h .aM jٸ9j<$$s'bıiGj 3=pޮ{i1ikZe' 3*C4i/ĽQiy`o|&r7X>a?a8ZI^AéBP%ĥT|sVD˕^*!cQTT]*p6"v.rwoNlj(VPuvPRPC ۴JY~i`wQP;C'ҫ$Û}}~2>Ϙ|T_<.k n'oںfP/a!FNe2cԚ !B 5ž@dڛƛcsM7NpxOhξBndrfнCPaoMQ\~bx91w:I Vߨ (]6ȰeJ@>u+ܗ#Cq%DGZX)ƶ}[⒙K4LU4$׿B ?4)_sBg\q Ey=) GfQ6Frm,pCҏT/#MVddk߭@N7_p-h=/g̜EVjE?by˜r1&v`GPD=f5$Hx-7ʼوL@t`{nIͲ"ׄP|\6RD\VҞiJ%m!ଯ=*UCDޛ6Te D,s7YMT"߱V޾7' wW :EsA1wŚ<~ʎGl*K6E|X"d C4D@w*F}pQLJ?ESA>_n31W_iލk1i"Ě i^CM׆Y_/G7L_nq`?Rdvc4)&,;ҩP2QzZ8tWWf#s0r5=9&/DvGr"[H&okĹ7X:Rp!޿j棽IsWN;ٔ63a;wf7¯鲔dI^ǃ̽`J ƥ@rɧtļg:dw]2$ͤ|@o/!R(.Cדi{c֖"{HyH芞C D0[/' Zu?mZH%gՔaRXvN,m@/!脼$F_PHHvvfHQRw!x)N ?2Z s 0fmR'2ov (L`-$j(L֦ؕ*nj'ך#'P)/ưuZ<CjJgIځ),O]%ߓ1 +ڝq^Robعzzr6M4/%C{gxuh=K\YKQcuEhItج>!^(aC@|xOUvv, XѲˊ)$>KZJΩCrqAy*Nebqx x8ROH_BWgiV27GI'KIϾÚθBA&`&}7"}oYy<H.I_eCre 2H5 OQ6@{ɨw5Aw!On%e{SGlx~-w>8i|6. p'Ο(Ӫ5EjYǷbNԹpvM[e? |XQ\5)vO(rvRd|!SGHI!j7sA S-b[&7my'(1E1`}vhX!э  YSqvR2m|PSTyfG="LyJ&.3.>P䬔ڀjlw͠9zp1%XN`eJR]M cNӏ]TNTvTn7,EjŸ݂'7 sM5b8,t+ $ {h)l#t[ص VD^ў 5cN*VͰ ϱHY7++$|3>gI}8?CC[g/h{Kauԏ̙l /T`V&h5a,:{Jj㳞M(:qBn;J V]K]{k;Fڋ1/\3YɣSiYm< Z,#pm_rW;f/zi*p+?7gݴmٷYҟ#K|EB9W3c"NsRn%Mu.IuMzt1Gqk=.fLk-`tOC?71+_ZJ\4 ʘbn`d6.UIYx΅.V@ԱO\ɵ zRQ!?^ y/8L/_ e7y-u2NAP+_>js&H]fASgi8 5FF;:,s@ H]'D!Ă/rJr5, SGuD6Ebijb[S$}>tv:RTaUɛ)8R"Х,>Ox O/ĩLTL,NrT{>Kea U"1/<"Z|mZG‚$"oȀ36N۽WAYV-%AE8RJ(tC8A8 m+uP/%"=]zݜ@j$i *i $x3VM;b ~Ha1 ?4Co1qVNIO:r{`NdaIB#Dr9O7YKƏCwl ['M&^ 3A$4ٕ[6QYc~:!yt ;cӰAR2YY?` З_M^y)B[#٩ul8믻jXfL GT ߒ'$b)wJ"2R%<x+t▃?4U~YYN"EHj(~F [> wdB=~(.`^6-,/t-qWys\QwEDP6g]pE q&6KQкo:h3G\wAҽ;ȴHY[fnw+xyk$M ~wZ݃_Y;eޥ0eߙܴPFi3[B]Ct YA]PC?l9a>rcNvmn5\ zGy%;0Kwf,Sv" PsQoF5SV[>2]6qpk$Un 6UMW-okvg 2HnW+$b߷9Q~7ysO|,">nX0~$"QZle+|u㊶ S+Tc ŚRIvO}{ &HW{{*v؇&y5WvhѕBfވ uH6h1,%sSQ!!ܯl2@D9?7*(R*BJUa "fRz2 $ 膜BCCJd¿`#3F ,AyȺ=j !N!oǗ}2޼>ʚ2,HVZiƅ0xvCqE2>v۱uoF6, ڟbn$\Fֻi<'0~ q ip?G^ "Ä}A 0ȰYw\DDb,V,M7R[z]ړ#;a$,=lw=۱c (r'S;ӦL VR.-4栵g!3'[!dXT{fЊ}EoߌMD Bmچ^xڬ gM}l?(',\Y*3 B%}`|/2մJt⻀  `"'v_0l"/ 1SsQ+*sM;Qcۦx(튆iQ*vǪlE%%N7 ғ{9[:B'MHX#$L/40yIh:+ M<>g/e](Jys{k@G"Sy^RR2@=`N3=ε(Q/f$`ڋdF(B;UR=Ң>#qDHÄO ֈM#Y IOkq*<E<.BÍl o^p<-Ym+5 ա sހ޶jWf̷U0V`v.guk] ;\X.'ȭ aW ?'sˬ]@$g-g"@ӋDO0{jiWy ɒrJS#sH|*ť)naZ<.OW";ED m)AmhvB.='({2J?ulZ0ˋ^]c M<>0yZ #2_5n  sq];PJ<śѨ؇̉LdnH4a;`~ [)'KzK7X8PA(l `Qq(ݓsW]N =U)aw?MÜ¿Pi^/.4`TSY\y|;++9)$<7__geFO4فpuM5$NF*q=5c#1yLyl` 2hr{@6¾ x<./>)2`"RJ?MͮJ8#I rcW^0Fr' )R I*8G$/EHF+)b9|kF_*b~a?H;?1!#57)?,E1wކmd||W$kV`ɍ(:-yైDޜqxǀ?I4kN oJJ+`窫ҕCz&/Wc<њX  q]w /)bCϳ#]׶8VXFV ='UOdOB_])1 /,ApV+B~s_eʭ^ގ(?=({/ $sGDn@Ό$0PF<9у1` 8X l/xn+#pzeLL{Ex&$ޥ] ˤI*&_B SJ{dZ a<#T<݀Ƨc|ƣ+b,n'rP`UN:v$Pt6f-j?#q^ǿzhvM5bWU_!p]9⪂SZ#Qli w0ԟӞ1u.*>μC21"[Da-ػ? .q!ڛKdr-<![4jN#qQ W9.'cu?1BjxYw lpB"?ݝp*`Kr?=?mcBF^6^8(d#xwt?Ebw@9[]~NK.bA\U;36`J}=抯t]5q} ̈LH rfp'2 Բf&|!2j!ܰ4vGVSMJt~)B9WHqʰj Kz}6 #Ĭw$=Še uAlrR(4E#vBu+z…?U}bUV\g`u]LI S= eE5 <@sZ["Lx.aYG8ZZJ7 vז f~}v2y$3Ruv,pHO}a` $Myڞ͏@8| c%߇SےCSsB# o1O`RY":% ḦREǚO6O0V3\XUTs2+3Ŕx7VG6jOӪa!=aLq?;dBV rTV׮}3[ᫀ .a׌S-|z뿟-ggL;`z9N֖'<@zia%JrfazơdKA!z(;@Ų1UĢ\(TN?%sB# M53 gj7ڈ_Q$H5> 㫈?&ȥ|ݽ6=o$C8 1 aI11`|x-BSHl15ҁ_oI.1aBV8c$,K4twOfꗩ;r̄I^[S\݉Ȓ[>i $ Ic '$9&5<Z"io 2dd=m8-R=ɓ.+ 6?0|uD\&zms1 fN2t"ȋ1uMH9SGYF2 $CJ [eE6$)$=Ħ2bn"a'B\lѾ#\KaK:DL Yu]zcaWk0֟ar_f56AtfCA܈JH'Q0:m -^ e:Cv{C-j x@S|{Y͒m&+=ܾ^Q5EyRTm5ΉKֆ"Up^{|onbM4dкp۷DKy.L:T;ݠ) k4n1{l-P.B$ gV!_Z %|*b#r;0tpNd~|mUl"ZIL_kBuo]99PQ0UsR׀ ">D _@ uIϲ&9p|J/@bNUkp*e\;I;˕)NEd*(6~yI6qv,[ډ hT.=D((NL` xŤ.o*Un&3ahԢm+%g%zp=a祌2Z3*Sb*΂se&EJ! W[r<$pzΫ3){p#4Y'|4|FEE׹F4+;q;SsQ'YcW7-VU#QFBtZ~'rGrxr>U M l$c=>eG~/?zcʣ[7w3MN҃ Jϛ1v3l 1t9޵2HEq%#RH,Y(]v;^P枤\TI1G\{LO;x=HU:/W?D =|K_2ǝsg+OzU`O&/:MX__cW4@\[dI61 _o./E 'Ƽiwo%PM?u[S!6UP:.<2%]Ycj[7l1*v:Fk%AθՃ4K"6P³4($°L(?k -ncʾH^vpkjE ~ڡmU{u%GTB`n̕qg)qόٌ·y(tڄ WgmrJxN@;*,[bH r3k#_=sfm)Id$X?:>h>Լ OusB5kc1Tba,6czLeKyM_Z3Pt-Z֍c{3wwżAivPx6?a˚TV@>I[*D`Nɇ(}c#EP6q N} oq" Ql 7[ձ.C۲xTXqêj.íߟaY ^G5N;d8!;,4w1 iSYY~[qQF9/b~%+6> ~TsjwQׇ^V-T +\"& ,"s)M x界n"%b89`nfk -#0\zH6-4R}BZ<3^^~]^` q*{>N̝R7{"_r]˔ osKR*Z ӴTlۼT) +b'puv,1&6Zxo26 jMEKw܀1 RU|cf8 w 3"K_/+ja|($cϜ-[3BYAMq"CDjy]ZkV]gih65 ̈́iJl̖7KeqϾK~s7Wh k0%0?t[!3YSIVGKmL  9YQa]q;OK'K9j#qhB31'q"3''93EjS4Һm b?8劆Bn$= ! bv_ⶩE< $i`H/(bEL!±*Ŀ0˥?+E-ƩZXƕbCƏּ7O AJK˷"cB:hj[c6F_$؇&a2FqE`eQ"#rRST5e6kW >Qt֠ =6t9ƶTD4R يe"zȴ ck*#Y#W;OɨfC XrS}`oSiG%!ҁ#;݄f# t^Z+ Dbr ǘɓ!dU&eVF{Y:m/KDo i7#.PKpL,O٩V2|uB+ k{PA|E[ˏh{96;4\/rcNIЁ?>4״Z3Dm5}=,㭼:3Of+0# 4q=ñM ^Y[a+7XeڵVK[by0lsX^6ko欿'ۣ7F_5BMѨp4+k;+ mؗf[ J,[6̮8TcnaAR2r#;SP=`UOɎEɪAt<Qz<=ˏ2 &uL:'F3vOo6la]j*-7@ !MZK r^FB'6!(hXz1>].X" ylO @F] {.^SRpP:T8tFGkVLsgZ.groB}KZMWA@m7(jZE7.##Eu$Hx:hwɄ9a? ִQ:c:;Q X[N6t%夗ixWv'+O~f $`7SBjD77-u4[ώ2Rz0 yĬq>A]{sCƫz0(m@Ll)BvbrYo1ݒAIiaJxJJ@!'2IS-2Tњ[X~ XBpQ?5wO듼 ~*RX 16|-1"]/!=}bT<٭׌f%tyٞdNC<՚̣!RGY?3Zg !p3H,DFz| 'DksQomD['p#;zܥ/? 3YIRҙm~3"Mf]ܒϺq (mN_[MyR!O~)if[bpqyk8e*ĠNDb jtLAn_J)MH?.mPCp}>Jڝ,Yi$3l i°ପ[|TYJZ}`0(C(i0h[lHb{#Ⱦ۟^ubP?*G٠&>WqsC!]F3#+F8/h6xXy=ynar! y2!ƼZFl+9|T*LEo|'Is8dS얲ʟ}uLjij^ )Mb\~ [;7e;_7*2M\R>ڽ֕1q C&~Qqqo ࣸ~ZIahѠ;SҸb K[OlI%8}q~za;۞%k}4oCGMy΀HG-޺V}S+a G*U4{9v\#_>ɐn#`CBN xUjK7{_3^?x=5jo?BcV~ٿ[} TWnhq$pX<A/I"obOMMWEHMwk+1+-Da17h4\ų=?7(5<4Oh5M5/>enK d8҇|cRy-lIp}PF#LwmV bj6)ۆbĚf+:CMQ+ b19m@Efgt/YR6Rm.7juxm,mԤJ JO'=Ý}[Q F&Ykj(Ł.}(enfB/fG=(Ņ΋ϒK#MT-b{pS nv` ΐ 䚥:Ppz,gjk.+ve2FώAqrw5x/@ZtFFw*lcDH'5D;1M/vSCG/J)^Z#ݻ|&pQki=f4'W}(30ލͦp^B"ӘmV q!*ֺL'JHc[{C-_ͣ2wnOJ 2Bd Q-IUcݞ\<Lp(x,!X Zl1I;G]{47'_dbjgyf"z1}d% K~Et:McJ&D!쭅l=>;1.>g=3.>q#x"麶B2(<@ͩrDUfbHo% }xCxP eYɟ+/TCz1 Q8˱`L Y`d 5EMN s^ F% FX] lêLj]lц4*>4{I)n³E-C# Бa.-nRB qcy_7d="7۹g7&BH0c@;Oe'I]zЭ^y5W-γѕV,)͗I[*?z^Y-u&=T/I0:X,]I92>.RŔ)v;9ᚹFm,a E ;j0ZhMLT;^~U Rx(W[$\=dV\t@L<.cW迻KDw485TmQ6Gu^i!V=ѧ=F.j$q *oWV 8oًu$=+*?g1ǔO>5oOXck+5'cqFjw?*S=P܅5+ܹ ;ZbmN6mn> @ 0.Xr#=d0~DIF9VN+&]+ , 益{.wP&9L 8W):YxJfNtd-7Qݦm0}ŠS:bؾuӤBR3zt;n ƀ ̛&.RVEt[&j:shbf^:č>n6]N$ԮA3^-.72c(s߯ Wjs[_ ̜4eDc N$/_u૆#%qgޞ]n 9 n/0hĥN=fy~ gEC(]X"Q,KAuK52-[,t #)vր%9Xk9š5NQUQA"?mI}b͙PszqMj+s]iugXv9lqdJnOæE!d̔ER$\.c>J=?:"yTδ]TAl.XAUO. T5xH;T_l0]bl:gW_5SCgsƓKmمIIЂd 9rD)#]C8?7<©),Q'Rq.R:kJ91j)ur'HkY *Ҵ8 @RD,{;0Su҂t ֔}4A/P6tíc^MϺ8I5{Kϩ0-obYfVa\j3/:kr9UI Pϫ_UClO|sؒ̐>yT  >>IyP RASoW3AJӨX$pbиp[Zb}/VT'BMT~#OIőEr5yp_|y6>jB.o`;΄{Qgd\NKG2v 'C*.e[0jNQ׃Ln/ȚVd{v`HfµB 9>W2\= etڶdަI<' $;l5Ze~ o7Z%@ k Ȑj_SJNCI)Ck+]3UsUUeR y;vr4&M) [b\,zDжFF]P#~k֮di7Ԉpeۑ4[byIT{]Hvwֿ{DWw,_.0'G4?8u়\'h[@lu[q/7Ǘ: ҟC%HfǢS%r_l+}8361ԁ{\2F< O 6sR[9g [D| _9i#L"Bo5T2kwV> zd~'9S' qH}{Zh[~SDx,0HuaOp4.ogY>slˬS$RhCv_K\ As‰[xॵX%;'B bYAQ 12_`;-Cf+m!@V#ѧ 8/$ŪamD-%W:3@T/S@ǣo7^'vR*߭g3 Fu/}+yi/^(4^,oL ;ږ&kOV;J v) ZVou{ հJ=.vLJ݊w!iz?J=aD4˲OYrJ#,쮁K;!Z-PKX@LMy3Cx#P"O-х >Խ>e42.i?~_-.?3٬ TRɣbtG܊ACy̪|D#F XQ/]gY7*1J3ÍGj.ށ5R+kg++d/cp}=K@pRh6 zR#fOq4AZyFY$Z#%cm[jP oql÷Q֌JEI@0ʱxc" L(/S@F"O$>x+10ËmJ KDŽPʄ8f#6%ȼ+zVm"A̠Kغ#]W +K[b =4RBSynx t ;N NE8g *U z]hN2#EC@r#'k{K!ͧ t͹ fkb†1γ :B,_ǩ l@}GSwLȓnpoUMtqu2WxoUe)𒞀F= ^ԣܱ 骘!_5wF5G\C*0 9^aމpK֑e8*)}z\)b-T;j ZLW%E)xߒXN݂ZIGR#iտm;KB";g8=O(BLMc1ʬ|INh-2en9Bzjjqm JBßrCJ!HB:3?<;w$Ӹ%otqzCS VG Ts[f-~a?gp[/gS.JP[ ($%ٗqI_H m)?i%,_3wIbʕWoǧh~<6M":cA>` ȷ},F!j=WVV CHvy1S]*JܡH:J)U:iH44q|IBGns`82N_& f$Y~W0AT^żM7h) k,#rZ [AX" qF`B R vVHHZiԕGgI\͍PVWPRtٞ"]KPla<~{ 2+j<auAn#ږ  ,׫X1__xDY/ ;E]|$#oթ?/ိn$d&:7ȓA3$"P;gxNr +'b5.ӔwTxl<]l(QΟWYhx ..8ŦDҞS^Eq/il{ #7WO$rAΌMq*VIcv;%"؛NN{Lf0qyrX0/vӰ-3Uv[EhX׻O<ꅉ{ vGpZT-hsA;? .kJ:Z/$"腚wkgBƴN,Fi9Ggx!-?&lև381W$`wŁ:cL ߦ-jˬS95|Ha+PĭWm Ȏ`'WojN-)=V #w^f& 7_U׬wDUfke7Duwy6wBǔhT p6mbӧy5(p0\b*j8aw w¸#3A A /]K}'~{_8R>+_Wբh|$gf5pS͡'*h+Ul5Io4ҵ|kpKuUe%vpB⼟܈ ά yn߯zZGQ[Iٺh#rש$5]hi\~<-{stccM^QИ*N|6$,ir]>ƁV';pF&^d3QJ "%IP}nF;W0N5tIrr=NvZI6 b}~fYA?yk s<(p*K)CXGJ,yϚڝY5 rXzb><{ąCPx[UifvE6ܜo}+jic}`#V|v >5dJV9ε"Y2Z)-.Qs':#e~Ia 9hBΨPGX,붙 ]lu}U';&*;q MZnӎgr!v ?q[p)Ѽ@2kO2{d!1׍Ǫt4bNԪN4Akh<x8 Jm0fA9a]c>$ن!]L/8eI,hE&6*vџAv,&,1߆<hXn8` ֲQ<` E\Ll7Ӯ5e(~I} |7WEϩ}رgf( W(F惷6L'@ \Y=bQ wI1~ʼno9x6nL@cݵHUQ[g~LSG9|IuNGI`AGО_SU#E^֣zC?=)\Ob8Г+)KI|Y\?j=