libsamba-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 >  A a^p9|jNb;TȮ1Pԩ@*o s ʘ=gw*۸Y]ZF9[.ޝr6nHWU)X_a}sj -`+$HEy6;Dӵ!MUB, v#>}aGa~\Ë }mM(YBFo@-cB~j8u8rWCw +SRqI|qC3e{ qo*$4a18261b4d613bf59743de07fba82659fe7a7b2f900f1c384ba6f4e88072806641ff0c3b5a7d0eec6327de7172743d916ef12fb4Љa^p9|&~S rs;Vv' lK 9Ռ,* D 1]='no;n zBlU*^{_i1A>!]?6?` g>p>?d3 : Y .EKRdl p t |  (0)@)/)(p8x9 :u>]GhHpIxX|Y\]^bcdNeSfVlXulvtwxy&Clibsamba-util0-32bit4.13.13+git.528.140935f8d6a3.12.1Samba utility function libraryThis subpackage contains generic data structures and functions used within Samba.a^tsheep18fSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64/sbin/ldconfigfa^ta^tfaae9134c4f0db7ef984fd28ac121df6b2354a10dfe88f5290bb9d4c48a8c51elibsamba-util.so.0.0.1rootrootrootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsamba-util.so.0libsamba-util.so.0(SAMBA_UTIL_0.0.1)libsamba-util0-32bitlibsamba-util0-32bit(x86-32)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/shlibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.2)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.17)libc.so.6(GLIBC_2.2)libc.so.6(GLIBC_2.28)libc.so.6(GLIBC_2.3)libc.so.6(GLIBC_2.3.2)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libc.so.6(GLIBC_2.7)libc.so.6(GLIBC_2.8)libgenrand-samba4.solibgenrand-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)libpthread.so.0libpthread.so.0(GLIBC_2.0)libpthread.so.0(GLIBC_2.2)libpthread.so.0(GLIBC_2.3.2)libreplace-samba4.solibreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)libsamba-debug-samba4.solibsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)libsocket-blocking-samba4.solibsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)libsys-rw-samba4.solibsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)libsystemd.so.0libsystemd.so.0(LIBSYSTEMD_209)libtalloc.so.2libtalloc.so.2(TALLOC_2.0.2)libtevent.so.0libtevent.so.0(TEVENT_0.9.9)libtime-basic-samba4.solibtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_I386)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsamba-util.so.0libsamba-util.so.0.0.1/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=054dbb600f925e9aca494b5b679cc81c3b53fdaf, stripped&PPRRR$R"RRRRRRRRRR RRR RR RRR R RR RRRR#RRRRRR!Rutf-8b95755d651bc3ed48e88bc09a16ebd5a8b45ace159328a0436f46e6dacff88d6? 7zXZ !t/A] cr$x#E]Ẅ+[A%vuM+ZV{z˦ht ƘٖDⲍJmWξ/=ND۸" h7K92{Akd8l'6OHX2taolCIn"^BOzy+8WR"a~29᭿%w{vsKA6(YLoWsp =ô1sDtsj>vЉ*TW=p) p 4|=l>4&Y%l_SKոZkPK^؛v>x$$SWn 4 _%N?uҎ5bELwj9)RH[3U +h8pYfkcڊ(.,'N6l0OD<綗MǯgvV0-5>dZ8+㨋g"x׮G"j~PV_f[4+9z8Nݺz4:8ìZ'\vJRؕ3O&[',~@E vSq8]@E[ *#.Mh#^>Sę -#'Nh;)BS$S!c"_d$l 4dݧqW½H\a5r}ysT.Wa/4*/` O5&M/jFXq{ch BhWѨ$ah@!ԹPQ(-<7*cCΒƜ=DAl+ \iViFZcݾ%2fisfC6N}YSu({~ՙy+ygm~ <]|%J$U~O^Н0 *d$կr.}6Lͤ$ +vv\] 9zFdOck8=sܷ$6:r'K9mJĶ0Hd>(-(/Fwv.b/t`OyCG(}fd#rwWSVhM'{9LG ڔjxz \#2DѦSU0Ф*b3̅z_s|.N0<uq{kwW5˶DܱH&lʃ}ec9Hϝ99 'KkR(AhP]͂Ɂ>ZէU t-R`z{b`=l7V6b(/K+n&O pŒ$?eA Ӆ&Ge-,Sm#yf+51)owznSRinh\HkU&"8{FI!\qkp<@6{# 9UNNU.z +k]^ˤpFݚ7Fخ!hujE T:uh;"w ENEI&Dh!\]Q8Yy]A|5;6'.2a)[#c? &5oӑf=[ƨ- 9.vf%df >ww_FD2A_H1sP2>O@fViGqz:Gy~•! 9MuldtBӂ P96Рx*~.}Oj8+[Kea˝I ao.qXjvDoBb[*P&mҀfT2-186_j"9MƖ)ĪǝJ}'OTդߒfe{T64) !v|Z,=L6x4e.4||8iGۯn.% CBjc֫;Ozm X$oEN~^d[y-FuEõn=X:tY!C~qكu֮ifn6 ys`i$[b()%US!_ .=4T1.!$jPyDh2batDZn&0\Q$(s `0Qv_vcĦOKax[WjL̯  WMMQ:,ώy] <&e\ -y` 39 ?v t,D߇(c ByMY4)Y!x$'i#|G93njȼ1EЊ P 5GD`urBl/NˈnZΓLO?ܓ'l\JЉ[7|e";z);maSw=]ѱq~H PN>I@-%˓<{-FXZ=ܶb{kׁ|&ʻ))5^0ύna2†L-R 63`Cw^t3 ?Ǡ ӱIZc"a6%"șJsEfn[vJ8BWf{0Ѡ>uf.i:;7~I3aSDBrHnJemlhO qJ"XG5B㜲iRsH*\6bhIMz÷.:%;$*ϣ{ Ϛ/&T9Dʋ+)B5qžV;giE[.,x&%ZPO:@s d<ͺD@ sq}:3uQ(N!*ubC~ӱ^> * gfWLr+fqΥitFvzOǥUQ6QwG3[9hIiE2#4 򬍿3ˋ2񵈷MЍPOAQ~ yTũ^@Ԉ"JI]N0@FF=oʙ+f5Ő"[^\ 7){eY$g]tӃoәghl_8oH#{h UX6ǖ%bƫX !k*Slx{ǐۙ]9> q^0Jp73--$]b2yŬL_r ˨BC_ƯoEn<"3̃ȕ(onQgA`hY+WeUE@O3BFp _lsOv|g)3"(H D>8~_a^jh%/$ȟGJ ˱gѣ@$xyx9|ڿO!Lo' Y\VVnkYiiǞp`G,vQ*pC5.7^1bk 3㞼l-IQ aFB\$W5R%Vk_BL|Gg"fo zݹW&Ry 9]Y\5}?$Y0AOKr3_~R7z쐅Ʈ[necz+i8&9@/Z单y@G}en;䗃u; YeȺ=^ vufd["J|5&NE$,J[>=Rce-Œ ixn.wNp@ C*zľIK`O+o洗(]Cɞs0Nɔg3W蘻yn&W j *ͧp\iה0h8=׽MpD^*Т7ǕơZb YV8^%K[9\F[g3w}`\lY0~j~цU1jkTjpJ5<<~o!|\hKtlk "DN1lI,5kL&ZWU9餔W‘5g.xM QfypU+!9j+˘*%)-%2aޓ u]x%FB!lWN<7=XOhBvt"<ѬS: 'M d5<*EZxuIe%}?K.4i:A.'Z}'7mUoS<Q81#KB* [6}M1gEձV K=8jrc?c8>uѡ's>u(]NdKF. BVƊђNdߞ!f(XzX^5v QY v4Ǣ*ߒn^]8Qσ*24(FZ)W[aKN+h_%ioc͞fPf؍=0e`6,g;<$3PH5 iЦMIxJ*4cl8(Of-~VQN8H874 EP<P [_;l_R2[K2D:q{dMB)/ꫥ)FS Wg0pl/<ԪѬc5j{EYXa#nT4%+Ri-vظ6N=G.)" ȷj=: Kfq7*#A`ąUL\m30GZpR֯bYSu o zu#I[w gϩ6WK=!B۶=/YƮƟ)}K{ 0ŷPsR 0$]>L4-=0C==co8>ݵimuń{ľbЫ&83HS&( pb)HX6Tgw L"6}* aBAI$H ({ {Q (lo?gjYOF@\Tz1_=0=ˮ/,jP(" 5D;f&1.)K ?69q[9 mP}* =rSƀı>pOj^;~GqdԪbrzrntzMO}̵Jk_cӭɹǶraUaj{clyx!u@ Xk=T+GߜJt:5!pKv,c(;qmA*e\YA\[MiǓvl}8@˹/L+@YfX0'5r{T ;~-`%ׇB'=(49%SK켼d^T~nm.9{/*gP3[t[o-5G}9>g< 8+6CL_mh'R3INE4wehBXmC' '`goiDZFL9фo;3^? (uM̍B9xON07a,;XZOD]\`[c: 7KU1!RGabᏴ }=! {Z}V1 i,_@ڢ-c!T:">hNJ5ĝ&Syu~O:ȐtFΏb2KƲT ?=RC&_G%I8*nR7Ѥ~g}.MCqSۢ{[gk4= L2gk*;sf=P‡Q  |iYuNϮ|Ǖg-lbfRⶹԐ1Ș$Z񪐾Õ7K/gur@Oy378{~hh4x2D%m 7Mj )raκa1{LGʝږD)r&bbYkKdx BiNg`u@ Fl " RU͖VrT߆a?FK{ ><mFD %9n??S5T-UIׯcl0W˶0m/9uo9 vr{`2r>ąT7cǰwB-^Ocj $-ᵤS'I8k^J}0jKܼ6khTArkG1 8me)/*L鮨h(8yK4 `AC#YIC!څ ~sO(̬xD5NiVc1 ym]"p-U1Ҍ1|hu]%ʪW/2:p,_5{gVͶt2nFXy,ba֏= PrOC#.<?c4,M2^U?zI<>u/V \j2_9t9ox$oX*2zK#Rk \bWN2oΆވ HTt4Ǵ+9r٪*{WD'ѝT Oen8i:_|bۀ/.i2 [;&YWc:(92)В|M^=,#>zCPe(U^*Δ*d O|yU=Ŋ<oB/:X9\EtކT,x70qk&EtGu hC@B{8J/Ed*Z~R@hZ8`'pr:dܯvǗy4{aj:ͳ*n1˖jĉs;t9=[?t|Xr87N0a_8JfcJ<[YƛH퀰0 M$I v"sVXLB׹- o-H6b)" ΐ['_RA&aТi&q[^0|>e7{^~_ rp H'9 #:nA~Lǽh!;NdLi З=y=$Hu&uR:u|.?( waFCm|($'|QK\Xґ&ٮWᄵ͆(Q3W ;,.@i?fIZ$%{8/F=&?~ `؜,HAvvqP& r7-|MPH;|xNehίw!Ùhw:b M BFOsh+?3h+B@FHdi>'yfVwޮoR $LSI ;Ojl-t؎u(&pױ `-ӮpSɴe ݃Ay$u{˹.|EwSN p7² ɴPVi2 ǍtAӖz@~O5J1Zv,r2?0J_M6NN?^fvΫπVKdU-Q)_M[/\9W)aZ ۆIPс4S+r$%L34t DqXXWw3~|N> lҀJ NOq"юm† 3O/l[SHYQ.H@͏c3\{nx胓[EeA$x!cl7R n>2,xsJi|%##Ͷrb$G j%Ǧ.vɸW>]3O-'ti9 sS AI.iX^l{iCIouz5/y Vz]BmJJe} g? m[PQj0V{w.R vx0+݌y@gvIYYmZ ^(ƾNf>-3CZvqRu?DZ<ܝ5%Ըynnn D4=.Òay.!UWU>ON$zkR}$4[T<_xKXeov[k#d]v _!u;͛v \=| (?oumQ^2AnS(]>tg4zìFsFc ux EsyPВ}C{Cr_6h!I%G#uAבьNTPF* (%읭 j kT]lK;pWc6TkD:=ߎ"!tS$ߡw+o#2TcD,S $%Y˖&E8Vr4\2-u=D* i:$^Mi$NWYl=B0U2F=9e uv 4Z>,=ZD7k4K.8k% r}:)#Ȓ;|)qc@QX  0´3%o+T sZƙ%8_RV̓(.&10*_,S:B%dgŕ L}/xߕuAZ4c Y!OO8w!LR>.ZFiBMEC:hV.k[VV y H.7)]ψWT?dDP߉݀pI+c]v  kI,F`|̡W j 4WtKENZ?*K)W1.$U|=ei̓dG-pZk¤1GR$IР8{3걞krUGhfl!BBj-GgHi 7z9Nw.A4nzksv^[%(Ņ ban&gJ afZĠāƄtaX;n".^ GX#1eBX- /.8N+%ށυ0|i'DvAe̦Ȣ{cRdc[ebIZ.܇ԾUQKԾ[sahpޣc]  =a ͞Xn?3ʈB"+9YM0b֏ +a Fb#X(aЁPT{5!>k`t8G2s-hNիpTe>Z.zWDzx{I_b'M8x9@5shB2 PJa-F9h唥"gak r7pgzyMl>5Hzrq~*P|)Aep;Tܐ+|W1{?jd)IĚl צ74\o~و㘺MqR(M>"LʲǜS)$HBNp ʖ $/F^t `Qo|@2+`1 =EBxw7.DEt>ۃڝ<?]30CHuӐoJ_Mt:d IoBHɪl0fXe8,{h$ ]É-Xͷ{fBdgۆs%c3aVD 8a Suƈ"QUh*;'\R3_/sP純QUHAQ5DiMGY:aȷ6\uP"4 S=qPG0.v3wDz-6ؾI' &_臮%:wdKB"Vz!#g}Rp #{Ǎ_<7eK&.)eP`ʶ2ximɢY. 5o*eũlIIƃ_Cz;r¹jw'&Y3鰂%'w{0`ˊ_n &4unN0bTyg;j8on 12A^1Z7B fhZʗ2愕eu;eES_R-a"=#Cb0UpjrMYS^7CGuvg~歳9oّ6T nei\g~}Bg2ƎxRo3,@6%)b w-jR?]j;[[lɰ愡Dmƪ2oAޭڎ*hѽYqqKxJ IK<X"9I:y+ՋAȪuW8R}[(M3W0NO ev|ʆhj /-Lb#dۦk!ASI"'sV_0W9jČ-N*aE#Óe`"ۧD W')'ehhX9fb^IZF$fd ,lălѩdcK*Y"؎3HDj>%iZNJa^.6acPw| =\&rGX=PE6w*s;os}u+`#ԃM>Ц6t6@oY Qz$N57zBoSi~-tRmnڙ"1z9t|\>"?;/i)#?™2(LV^铬vaZpB&%ZdeTi_,= À(r*@30kqFK^l2oCcfL?^$[TJ)4)(v)#.L8:\:a6kb"~꾃y袿cZYkoܓٯ$ &ϧKv)m1X1ז?[,""En9v%m+uK&u\iNT{g\G7Ǜ|%#dI:1_ HV'?yֿ\&͔3(%U#Wx6Veٙ[vRc_soA;)2<ǐbj~q~+1g%'3^+M}SIeŠJ2 jKAb‹-xH%0ɫ/NVf΍"c!zZIK?bs_ȿhx1rj>zis̀S-x>wMtªq 2@/GtB>3'ZrE>u(5P2LY!Ё.ˢ.( $,ӄ?p6X}(MC"3S9EGksɖ.r'5ts@®6j_PwZ}: yO8J͜Nb"> z )0mªFwqA lt ْeDzr?3A'Y:z\x_)^υmN Y}ͥtSUT^zj3T%V.PBP&{tS@:fT7ZpU_\&-C3`{i*j`ml {6o*Ϥ̏ٮ9SJL2xosF\7"klq |PuG8 2dLWFr9IpLҔjt8T5h+doO_IZ7Çoe:" N[,C9 :XF 1}>Ә@9~ ҁxJOP!1l\)ȹOcIB)Δ\WKTMFl Y&ц0 @b`>ɯ-C>nFH9nwKjD͖ GT]J~T'GyP:NJWUXnDI ȹ`}2Y!L]M>p -7&`@9w㎋i(cmJ*g+C5ѽ:osK\9\oFD%T̻\ 9$Mb ߝV$~s\Wr0IQP3o b&Q9yQ9?$DZ 8M`~mS~9hBk0NRo#oRms6m /.kJ׀Y v}=:+ߓAܶx! o'i GLM8T]G^UFe-&Y$,WJ@ΔLގ*!ءH (8U܏Q#ivڧJ< oeͫ3Lk-;Wm~*y׆h dCSa`Z-8d.T"Wd= }XyugWމ-ڝf *4E(MvB v9h [BkTmy k,BZݬaB{2Lݲ }ЏF'; %s%z x;bK |+ñ;4E1|-)筊vO\%f"jmvn.hqM|j e:To&4ܘ-J W ̯$UD:U'RܜSoo 6ɢ ^isO7K˟X9 ۦ Y~Ĭ D %w!#@("k0]qp'S_O=SrrW rb BR}6p.0Ŕ |ȌkXܹ~8=;b_FɁLjsPвbr߀td,waF}Rx?l!v4#Ms6M\$k`O5b?ע\aFҔqxY@s5ᢔZC>bsX / ׷{$[tۛrR%dfXs 3BUΏ_@M1[~^/sJ3P&#8Y QY!*Xc|y9Fd;N2YBZ vj߻.錿 j"t˓y; AH~u܅\x}{/l{!kB @ VE\E=%5lLӪg]fOiTģƌ`ŮIOxW@[#oN5+P -*Rn%qX?xًbՑ3=MW]/Y|T(Άgiƨ}&HD<`HW848Nˋv!ax*@d%1 $PQOKNKOK&"|͋r_ycD/%T B_.\ e(ap;9=?g~_, OJL@qNJ4 Չ `8|[]uZ{jjSķeTd5Cׄ  vnN ա~ R>l󀔵" Pԓ@^dӱ/+B=Uc5x%xnCfnh|k-DNuΖ`ʩEsԐQ1 e> MJ(sޥ7ǻoŰstv!YFI/1 I5HB%8aeoaeŲnU@0ZJ Afou , ` V.]@7,d'6Wf,]TQĺHf i*LSTRƫ t6/x~=]H}kasûFnڕv5< Īzg~8(t+!.'45]caZnxӳo9kB[B'=J~(dԣ(6\6tE fEӄv܇ ͱ]\{F߅Z> ~pU(k-j~- xDϠb{%q&}x8\Xy}pwު Q55P;DlwB5&F%og_7QVx &Б AwULqR@mRU_TXBh)ǚN>??I&Fh{kvFX,EGQiQS4@(UǖW}ZYF-ud5&bIyayXx}䉏KZOA/cikq*>7msw%:9-#A$S-e ݺkb>1~j6S޲~vhjb=^e۔|}z>wͽd A!a֨ ^;0e۬d!Q5+76&dwM%bu)n(L2H"5LJ'lkEőQfφVlavZgۯuƥ# &M61(MSܖY!]RnweDv֯]^e$ (t"`01lT)|;*hhu7NDCppfW- _v( 0?A %7 ,QS==2*5 Cl"bj(1ȉ.8h*Oq ꈹji/(LH$)z8Rm==B3O/Zgik+lM ,=;}iqpOU =nثjB;8u*Or>yBޠY5^ee3mۅBpWV;rx!BD'\pIZ\^q4jp_},j2h wcP̡rI7Yں gPJG0n@|y.s-~n8WC@OvE0=g+岗/ƿ,L"A Gԑ xk{/"8bM(#=3zWPF'Tt,J 0E}dzVgt"Ҷ«umQT[%QFٺ|ć7UW7ζ `W;JRxV #3/DА rfLJ \8D6δ aSb[ u4fUC}uȠ}Iz/O;2wQM{δxt%]Ϊd#?Aը ߜ*ṋ֙[c/Ҡ^4ΠwH~N3(z߮]rl6_ZF{-#⳶#SV`SDb 0$lFq>z`w'3OqDR5k4Bex2{ {1|Tﺡ^mʯv䭦LܤEۓ;oS*PsK栍(>snzH[ )j\Q|rٷS8r6ǘq l;҂*v`ihds_@hU՗Z}msy'uJU$AA ^[Lg5ZNٜQۆ)6C^ݹ*i(oZT"rf<=_ς6_E.\p%8N?DߗQ+nf 9 \kܮ=Y͡WmjꤏY,r-O{\KU 3+Y{7z:u̠ G?[ӒrXv^~ .}JcI'IpuU$vAަ)H>㸨H {#ʩђ1&BR.c*d`D ]>;)׼=oM!Zh6*A]bWlw\7kͧs=#GG`Rڗ*F ݊/d;Qh1+yBq@V zҟȝ^$l2' C | j}ss8O󴻶&t{_B)Xg?2AGg\6.|BF"QJ]Dal͉_߶)GpEDv\wZt$H~c@F{/ctA?r{pM3ynOC1?s]GճסF;*#v6෱'sq_/?C~mZZ<_}IJy1 8σn88E}0:p\ ?[t x|ogM}q8[>fKӧs@킏-0ܜ"> R]HϪeӎ!jNDaX At# 1&sM͘%Jdyf/zk9v ,_v,] !5VW·@vTcBN~A 3?J^:L12`0Hj*τ~+'4Lf9)X!zs;!%ҭHf*%8nklVS C$yjd*n#ۍ㝄JT;11:r+7| ¹DFvx"Vn믤,b݄F06FԃBhި5qS3@5VhI""kCt 5U)E <3A1acJ33j{wM1Oi٘$?{48 w,(h9bER~Zo&U'eT{9hQB sh~=5cYv@Ijjz+־HZ%);~Sc=L0Hl* 8KDd Gg"a{C-ma`cr:K%oC`#˃ ePYs諯E7GQ" սdobBq+Q=mj3VۃM`)r|lx6BˮǏ~(J *!{'f :uA޺E.}޾"$IV:e֩k温 +_FNcf)Ɩh\ YGl+J?EL$#M|F:D] oCWPvTJB&Wtr  >Ӑͣf IƋlzqr͍lރР Θ;`J_z$ f1 FUζ-XamW; 5mހ+{& dܣB7at#n[:KuN2bZ] ?{p8Wъܐq9 _)qQsoI? ?ݳ 2Hs .۲-/?u-F`~.NiUA"Ub-=x!MZݓg%.RQ܉ R'x_Uj9bjǹ_ B8bkYm_ПJ GVDs2)"nM?Ra $f"pЄ3頇?ͫ"\;"Ѳ7NXK:hHM QTo8;qȌuo6>[GC=h\dg@9lé~\\+%sjQU7@gc!,Q%$PN 6+zCEbS~v8lDxeO}n,0a!EiH !AC[T+skͪ$YR; O8Gr`9zN"gC<+^vn6R;/pw\]97BK3ncđUѸ|MN~{su8.:qWeЦܚ8hj’ũ r3;>v_DSf, 6e7HS&`TR fQ:N=Qx cdz"]M\ި$'n)+!B n(Μ}oԫvSNn'BBzIbی:c<[͑deEۼJ2脂Dbа蹫S_>C-f60!+\-Ȼ#߃UTI(O|nŚ2%8)7J^ىƝxI&{:$Cb>|x43ÿ1󢺲'v%0#F;?ImLGm' mt $#JgGl3oUZZSN}5w@:*.mWLX%՚HF_:d*K#"@ .,F>_hc-b5M "h[*d,y9y&Tʻ- 'g@jKdTZYr@ucYF葃aUyj챔T/X7 -CF95 9Ŋ:r-$m.=F}q3#!ڐXm NҥuMyH $⋋̴=sds=_M:㳖1]߈Dm̀Z}Vvš擄} j]T`Pqz1hC&!ǎ; rB:XX*,hx}!Py )oɀ\y62v3=F>bg m""9յ[;%1ILKy[B%6xo#*d6 `$Pe+ךp%Vsѣc~N Cpkg˹ FHmZ(:DvR-LRX^E TvǐDGULr }b%IuSEcT,QO$>!eU)ȮwP=ySTD8q2\B. $篎5f?G{PR!g0.klbnK%Gf0.uu2ḱ,hIt-VJMs$Zٚ?{]UD[{lߟLYmy~MV=g0G '1-E5l֕yi(gΝ[? yϩ5`7c1:cn`7j"MXPʯYZb'"+Mj[G t^QCy"B 0dz_ v'1S"E7nJG0*#$S1 g>0߸MHs6jǪfߧ#-f[g"W9,J^aVsAYQb>>C v 8z?lRԶv;&{YɳԼ~}8!@tIn1NLyOs@/VAk%4\OL)s7!=;c^g2nVZ B,J4vdK+avLS_3WCX,˲FT^T2p]x+ .٘iDn `fh,{r7l|.I` nQyAUVȰ_񛕐z1eT$̙6}]`i [ch%&S?Cxfϛ8"jZOa{ T{!,`>:+ʌxO)!AED[c p@xq5/|+A}v4?Ϋg$gj)0 s<ڳ8LegIGkJݾ>[E &RrwCwj"=4|bN$6 JSylc}.X~x!ɥF^q` aqLE Zu+MF5ZQbᵕ$w):9QϺ6 :|o#Ybt٫e#2;0]=Ya"G*%Պwj>QCO*3?fPwDƐD4ߡCxtrZe$4=*J6i0z[."Z;'h!A-k"W 80,M"%a7r)kfrr~M/+ݗ4k.)l _A@]Sb$΋dx]EPzzB?%FHi{ G*<Wc=IG.+PsX8 K7 $uY^Gy % o8ت1mތg U!JiaAU`"q՞.;r6߁Ȅ:F8m  84m.4"rl Y(Y]bOGe򑒛n5=QRFPZvR\_Ysb~r~tvʼ){#py~rs;(%>}(U?˳▁a Eu)MIwn40hB /~n|H8Ĭsr(<:V0?6DY~vS] 𞎶C%:NOp: D`?4B` +^3 ]^{H|PVk렯dܱRH{W4t4+z8B2J\qıczK!MI` (аZ*׍2رjE1?*Z r`rRRx}Rk,67u )~8}1,גۻ>Aӆi+v-Lt|d;\"LZBndp݅U,QLCTO0:p.i#KZ]iB094U)t:' x0n$LlvƗ8Tژ+Q=QV(˅UEuǘe>Ƌ>>YO{z!(g5t909w/(}9<>6:W]`ZR脡7L)ƞ vL)ג͙#I6Ę164rwb=NkA64!=}vɹH[o8z*+IE3HX~K@PO".[ջSAj1~IӁB¤v 49=i  OycxPdgoAyR+l?G wWP>D*Ee"59c7iiHUzVl/)j.:-+<>i*-7l#@}bۏLxL>蹽>ԕNjJ{B>_i:+{2|[2'WBA WXLTBpJ f$q`< eX$s 3N AiuψӜe]~|iySh>cribaN;WAO g:GilGFmixSG$近8F[U9C+X-"H gh0}_9A@UxsɿVItN>Xe4a .q{{)Τg8 K#9vE3$Ncb@%)(#(=^K OKР:`{ %-dBgh%A]FT`-/Ƃ3^~]di"M*zLjO{R3/#y-Gj>1t='i3h lٞulP} _cyV "dC4*U:[Ϧdh-0^g-Y,Mijz#rG!q+]L{Yd3o$=8Kmt+J.ak]ܞ0{8X /EJGm|X:+5 Iq~1CkCffM E2A‰z5ene)oNC ς6E}o˄+J}\^:], T2ÑwNjv\(Q !X,3k7d3W5ƈn 12oA7VN#kd_J ۚ 2 ;]go8k$>5?|G3[&J YZ}m#O0UWa;qoU1C \37w&_uMWMd!;8S5em;, =I^͔c^u_WS <[n]-@ 7іrp-~c5cy5 ~sjG S?Q5m5lF vߐ0u/OBh.qčxr=}Efg<>9M**jflDCEo$K$7BSrC5&'a{fG˶? 4W= 0F(Vѐzܑ& SD{ԏ}Ǜ^e7j1 oإ?!H@<̌$OwOR3{\{݉*GAa{ /X0{$"?̮#{g86,bY ]W"ˬ_ug<dgD#KNFGN@f 34"Q!.`áetՋA 5%bƋG\`^$CA ?#c#@ e0c"bI?q͉de?:xO k٣= 2,.Qh pot;#:MBsEoǴ5SCP^C]l[x:VQns݋2ej@r^XlD \1A>,a8@0o]B!$QG|sM`K&,P%)[^<~]%|Ygʶ+Yi@f8sQyAȡS?fh:i[Ii]XǓV;Ai@1nd`M9L)Fe}ieגۉ͏RB6Z3tH3d s9{YYL%"+KaK|2pX1 txtrbsHLfnPqj0i?P4)wONR.0>#(!G%ǵ_z\Kh {{ Yڙ^P@?I!܃38eX$ksr5]ësxEY?@qpkjPtV  M:m_IƢ{Q\;xUkaR}E̋&Uvs_u!]}ō.}s$x;>h(V'$ÌLIJ+)i=Bf2Ƞ)d76i%"uϹ7~<}C<]d2ZvtP/!r>O}VgĈBjo+KzgQZ ["eerv%.ai2肜n aٜ0(&%R+t^9&aI)9nuZi''||oF>'X'hSm^%rcѧ٨w_|= cI'TpԾ69T`XrJM2*j؈D~٢N.iNUnGfc]}xN(}(@ݑZ7mdgaT3rsXxRkmLvG;$sXY#r䇖eSd>=:$T9 YВ.K2$ Zd3%cAblD٤Cse-@\rȆט?cb*ݖKo"I_.>h >sJ'l#+XC̢<Z7ێ s1سG\$@Ȩ-vAߐvD/c1q|8hڳ}jmYD*F)kfDlV EV {܆pBEt\sگ8|F`ӵ (s=?%N; w䊙rodtJl)w"(8 j@Gi Ѿ~ BAKaB 0NE N3qJG[D_*yj]E5n 6}0+!N![!<.{[M%Kx\qM~BvKAIT!ӗqcD5pXEsJhAimuǐ(<65C"ɘ̛o=yP&0Rs`XDPf" /sihڪ P1zY(ڃP*RAM8NZ ܞ&t4z,G ƴGs)x\W⯐ٓnw'-i}_x0fkK-@ /xULinQtfi6rI98cM''j PJysE͟@SjQ@jT [!t&)0ō]oDbDd61<<~] ,R͟)%3G5SI_ !m`7ZZ|U2&:naC-XIF(Edadlrd>iqd&|^&"O1ð:\?<IJ%Ǫ$k7ZmmaB0.*sIs=UUЖ塍%S8`o%N=e6EVۺa [+Hܠ~d~^"[f݆k@U+gy\I[|`\Ż)?zV*g6rs %ajDTn%MNY..Kmzا/O T`,b1ntgޟՑ-- Ol ], ,Fj ??p/o y!C>])Moa?ܴL5):?T[^kԒ`u@HSm>5mCԣbKlᅤY评=` !fZ)YkrAO.˺pG7 SXb 4S;Py!:ٶ?Qzn; RѬUҺޞp_@B#'jh~:`y5 k,%E;?Oӽ09$U)~gb%,öq1PnWZE&Xf h,?|;y@jiNJбz {mˌKgNL譋$aBxBE* 2&$X84es|u2Տv{,ᱟL2d%re+gSCV" ,eWyNmG '^ Dݞ!5Mqȴ.ҩ8 NmTln埨Kf <% o}1q4cPOWˏ+UZlB?eM}*YH,q!ZRL _9(is<g~oq?x$a3^rA; oM;G4 @C-[]` 62ȷb &M=6H \y A Bl'Oۯ_8,kq%Av=`:Z,Zd(& .&hT\˗ycVq+FB&g+oڋF"AD$F0T1t7gzc_mmݽ9w`sٔ4sj O<Ƈ(GJ:-!wn|#18p.gGDE*L߷g Y^D2+ a j:ϼeō*_{,lڦM'4N%}yCf[gΩX?63g7 oe^Jq9 of,+̀2*R5I٤R gOpOX'0ʢ3k*GW*Hʸ^=oz:}K|&Lu9KznZmFLGGZH,E ˍ04[b'90zK8koCc֮IjZ0+2gbtEDivveEHD#H^>5pEc}Eb)< "q®:¯|TR:6BֲǔķB!Vdn10b0CBܠv~5\=",g9GFUө-V\ ޚXA ~r#D54+& .Ь`DR AK vKlVn 6^S5mM dOaU5މMY2/)dW ". "yJ׊ `>`UR7|z,=[B|̴$a ˇQ>ZI 3QRR(%dN4Gq){_Q}"EX%PV@oJa4 6W屘,'Av|2&ፖEAX=q3]=Imۉg>J*x &/ %?'T.DM^s!Îfc~.2A!#af'dpp Q?>Dl<'EZF켻ࣔXG Usb(:!hdL3 /Pr›]baIXHG8 \۞K?Qw_|GY=Ouv@J^>\!ܕ阰#G%K] -e>"vBAH^Uax cj9 Яc"üG2@\M1?ρt;r.+)B҃C={"۟Pq kP4R@|?SG_|&T/J6k(^~KL ׼LdT.r9*_B(Ǡ45WTbqѯ7#M؁0`,N&KF\na|dY_5MXƽN 7;xj b=byh;Ezl' [} ԋl\Td\oIOXU!1/@n_,Eވ B7L0NLm5YART~i8$?PI!R 샣H.)9 ڀT!arɂ;` 8[@Qٗ&QI lwW#L6 }bԸǫwTU 3쒋Z?o1n3U+O z~8+.FD;)tgÇo%TZ+:| ]sUΦ&z¸]vfYϨmefk+k|!TͿ,OZ5 ノ__ͭ,/]n 9W憴U_54g O`Mu}iҹzNŨb'GgHʼfӆ rВOUQ77@MH1+)}ω ˯/[q暈)0|BD(F\S>RE_ߍ ;\o0s[$`i.ӌrz6/YF}6G. /*~͑e !& ݾ`ؙS^\OW0g >[?g_A-bބ(}A9n\! <Ⲑ囫#4[?:i&V,P TJ}'T5*w[i!OTOmg튃N}m *oWOWYoZ!aXvrhY6g&% xn[F'ۯ5ؖWW.+~9XWp 0CQA_E TmlIKY7K 0W}@K-z㝪];DimCL}zPhG0 sV;=>(\WlˇԪtMd,VbF8rv/ѵ\bK up8'g67(Deb ?rDaxs̼p< %+͖*4bm'UjMַzx!سFM7SrzX2pBbd qX$`ՙ6G**v}u)i"?H} A>E|z";~r얓:{Z Ó>uSiI$& d_[OvM3e~w;˩#i[kT?^l\XP_0se AzFG:i-q#b!8*966P8&'(b˲TRaʱN$L]&z y@~"7%j"CՎ'1(Ynܸݨ$@-lÉmsKt:K(V$qCH޼qTfɃ&&\$7To؛QKO}w`U'KδFM yEpT&*$t Sc%Wʈձ6 hyʊ>XouDRAcbT8!k2ON)MT!ʃ$kSai^>!`6?ԅ'kh)e<׍^Hʢ*܆;,魮#^)1@mAH`U8aPyOL#Q!3 eʋߘr1PUhG$RvK$s^g^AI, yw q̛bmY~lc (>M豓"?Dn\Q|$1Li8*g'(GJMT?7 hM4\UԆ\ f!}i<,Un%ڍ%*>5N"`{x'Cg;xXs=,a53#gxsjc8FF;3c Pg1`N7(>~<,elU_\4ǔ FLEdU1J]ATG̛yD7^4gȽ:k.L=[΂hnQߐ":Wmv 凢 `|46t4( [  FEeYfxpJ<<ƑlЏ4Tx,Lu ~M${pDë=!g#K>dX=qjڷex8ˆSswΧϗ dFˣz\?"9cCIkHNr>O3 P1R]QXtl&KO  o );WqgNu!P\l+s'ÝV#"+QI1; s$7^cFoW;Lϭٕv 〖gaRjPb]>Sw *W\oh|-J4 yO0h pPߞy};QH !8wp8vB-s^KL>]쇙t8%g_T˩uCx-j4JK15/U:s->6L5-fhԐˠ nBt&)sHgF#rgp'B,BiOb>",ռ#t$XF #pQ 4Z]DJN3fw6WҀ̢eeNiCr^QMP:dRm#z,&~<%/ sTU-(|YԒ,}E;3Oa_ W_&~o٪ .9 gͳѾXv&,֐>֕ݬ=RBC Hဃ=HM13}/#"O {Z/AnuWn?'.'˒M`.rcD3DŵgAm7$i)Qڵ9HV#G&%-;#*MA5eF*6TV3/7RpeN^Ӝ >>Zl-ݷ.IsF'`vQ|N'=(l4o w\qUU[X)IlݶB.!M\'s csܰ! -EqaR+d@+vw1MVۗ*8KQon4| -Sz+q@BVlǾô kժ+ԗШ: [vߘ1܇9M,*6^q5%FZ@IԊ*^rCj65@[(^n|#j`SBzmHrn=K`c?@2H&f\eJb [ IVDU)<0X]{'N), 02M$i괊B(K`i` >)8? Vf0dF 'k)Si@d:I,`:Ц=:qPe}[r]o44F&˘PDQv-z;@0xbX 18QW3W#4FEDA4O zfKZarION0Q6'BT!5e|Zz,$s67Wђ( Ok({~ ;=jBeZI%Pgwc=AX͗sҖ9yD(>ؑ$x̃ e1ALAUŒ; uY tCH*.FH/D;{wͪATJB{ȎcudbABhsE`,>!c-#vOM2w[o*g JbDxɫ+X'6ZBepnV0E k"P`D*A5؅u֑E2r<{N4wDFx#=7 6Nxڪ.rW2.Tu $FsWiˉ/Kԇ輠O孻Rk[q1bWtg\ L'̱ejTF[( ̋4ބSs%>} P7ȫKo6⛪l- 홊̟U0/ƗLIԌp5,o?Ȏ5ڡC|iwij{a&%G.e⛐"*&<%v߬id N{q)_2R* SL+L}w7V̤3)~HWz-qpa@r Q`J;(O_}>NcƓbC{A .u78]24]gK.Q\mF0 zV.nnEkM.H }ECI F' ˣk-WfQ$>;^'!E "WNc!4ќ?0;ɜ/i> rqly^pӷI9Lgvz6[NB̥K)%3ǢKK)82X z34˽/r[m~Bš1kB ˘d*="mD:;cPt#-5qaG nY/ x5n3"ktHL7kd8֠5MO0'f6H.Ud)_"a$AŨͧ{V/[lYm qe+؊혣9z["+xjgĦJ.Zu}=<#w"9uQ{;z1T,ZMG?fQҲt=k~%ol0e5/Ozx%K}*:g7b6O Y6"}^L.M-s]^ٔK7j|?±ѻ#%#;HL9:sPZf]Bj0eafk~36ޒΔJmQVBљq %I>_29(Z5ݥ6=VatiPY܉+}t t0hw< ũz-IƛoTLJ8m `ч;ׅ_]5`kR"1< cZqw7M`4q}?| x1\] jQŋ1*9q ʆZP0݆0.|,Kd._6Nڎ! *8,@ ZB<k׊8h?65z%șn܋1^[b t.Ư@o<efbd%t0rȩ)ea#P!!=0Ύ yDס3{(W|lO^_SM ?9Vz$Gt,Ƭ^f#GvUwvb )`T]Z:V&Q?0 ÍDHz (ӑCЏm`Ai#tZ=ӯ9r0፴qڒv$MpYMo-GsQ@oQ}T80J~4@c;W٩F%g"yLQU}h>DLn(Zi] Y7݇b_pbKėmWtw[oj4## g9tP_ ɛ% é~1YƎ@J5j.*Ab(`=" ʎ g3ӆz/'UCBE MU!qދ.ir]u7a/:U7d_NZ4IS4jp>ۇR);Va{pfւ"x&vv6ج6*rm#H%Ic hZ<>D:URMUg@tU p d"59dC8Om䇾)dMl^؈}TbviW:|haQ8g<9_S:?n=a6QܦfJk*x]]CL=Ne?& +!B!dȜ*LY`; =#!RGۮ2`Y DlbI~­0GSE.*%̚ vZ@EwKܾ-L9f%埉# 6mfJ * M[d*qF e'pEFR{ڽ184n-,kIzQGZ_%X {\6>Z zyYvw~J߭511P ! W1+C9 `͞Qz e(>N#qD5>9&Z_#^X =Vʝ{{tٓYUMg|¹:hsٛg^6RHB(WK1yliovӜۓڎ[P_iD\ oQbJeNږ4RK=$ғtONq]OZq"@Dw;U[5Fx!&|[I0N k^N=~+dt]h[vb)v9 U\ U19Xt x+i^iud(Wpv?T"c7\軺}9s1f(fvEJO<5|T@>(F"{d~UmK/iu@(@V?Ixr-]g df 5],Z2y"<ͣuJ1oB\c L'?)6mY)1IH2T/J#7w\|F3 NҮjcITOSU{EeZƗ!1 '>5@KO}mτ'c3q^"*~k_Xk9&F:i:9k9\?.P`yg,_Y7'&2"q YV9Ǎ!cL 1Yki-l`_Oyz&S9|Ts'Ƣn>6_ $h?)| gb@##+y:/mcp?x@r* y7v?ENVȽ OA4u,.Ĥ=C*7ALsW[G2Œ):}w&yLL;!Ĉ.;yѾ Q N^x$4QФVqNyijռbʬ$)5(6ugzѬ";5a gW7>Sv5 fy g\AƄзU﯀Kn=?'? P;:KOm=J]/^O#txB@(!a?gh;[Gp8LD;Dvb?dVXVPP8Ⴆy͉K$$fyz2&]w8nF:"JBٖy٘\XDXQ;JLЩA^b ^N}'ae, !<7w).dxnVΛꄝ)5!y|f+W%^ïZ{}6\U$|@ҎzH:B -S7EV!bS~SX<5w"VKBRetX(bjݬMc) 5C=>;Ͼ ~51Î&$X6~lw?imQJ;hvƋ^S脥B7㸨D sAWd%N:Tdj`(xz-YXBJx1/F~Xg!v/ٿ`L3iqL/:{Áp&lvjoE.oy&piZR-Vp7_ݝ{GT=k'*@&B5#h{C_BR*ϭ5$ҡſB+ړ~՛գlV!fxpiV20DzP4+9ٱJ6-HDAzJ+K]kl[tK))s7CO(V+Jme)9߅Zv{]%$C sPdP>H8k*pyG@pe<! FK.X)>Uf:>dTJ&ʠ+a:hܽnп'MLz?P V7yթGd\q+פrQ5h SKRј$uQ'ėDbJ?zJ]aOM[3~07iT]+ 0GV+ Ż CgObƢgv$b0& ́5Ur\3 \r>IbWF t&.hcg@Y#5 {K`<>`y6^K+YRZ8]%DD`:Kxib)\lȾ[MOZ^GzP/u޸dĹ>eŝ6͘TmSOIh+`>_.m4WN#am}^6&]?f_r TӒNG! VtKOVaedlU"i߷^L:*/mx#[x9_'?##60T~u^7!d?qXq)bO\(d:zBhIgN>#K YW6UQ崘WRƉu{]b1ÉX)qp/pA|toZFGbl/mɱ Wcŋ=oq/ JE`f9Xr4|+lg*CwKoƇ TN32 CBb<3]E0߁KV a"?Go=z17W ]h!8Q'_"HJDlDwrWƹ>~a~u4 E*2)MIh29&8,,KxtiN!]ym. bG˻ctPwM!WgFaH; =Xܚj6kګ͓#6Hm*?ݨ1ZrjloHU;G-4ZlUPi{4c7E/;̝Mv42;|ѿw.opm(},և%ھs wO;|A*l'.W{ii>Z ERXְz% '&l#=3.2][r*{]_5"KR\9gG4^CrWpE)Ő%֣sz1ٗFW{PMYN]6&ժ6%ھ2;fb'Is+}v!Em+%57|U䠦2iA'{mSO T̝Kci/|md޶0}p~dAR7C {d`+*C|E u҆6p1^z$e(2ꉔQDKPL^ 0Q*V6}78]23!,u iXr -u(Y\Jե2=Oدϸ=Iv AUX7jx:]/ h> @-3G$M *v{= H ko̥v>ĊxQN@I%>Z0]~ml"cy@Cc{r?Ic<B $9l* >u$gݮ}JT ͨ4k^NYa_IQS:f9TT@ӄT1Gcb> u|ZTDvq̀ǷU~s{.53;!R]7"Ƅ fiYR".S_gNRuBPdrs8U a(.a@Y';I öJr'Ű!nžDJ wѪ?Fܑ+ſM5=1ϗC:IjMpePDteӣz$>N0VbBN39j 9)@ԸѬu18dh ݷ4)XxŖ%M`Tg,n3X*]i4dw`TҨ$OFZIDw&ۏ.Ⅎ{?]]mK1)_ڽKV?0w kLAL)U&f$I. Y$xJvmRy4P[D¹ApxV=)$.FVr\=+)4H\(E'FQT_}^ً-$M@JƁG `{Je#=rby :?1#).RFgmt_DN\vq|B^%V1ɠ0) 7ue 0A *:KӪM ୯6̟c=ށݼXlE'v \ȫco LC8e au艣>[b>o fKfL\'/) 3 UjOz G`_сi:V Ѳt89xhwu8sF$gS6i* gݟQW q72mm.レL2OU=2DQ.Bpl]+;G_2Y˿ pwD }Fq =!EޅӼCUbwWs]tjn aoj1W|4 7.[] I{y1frYgFG򙷪N2>2a:*CHI-EZo^U%Ӳj{z J;+ >Zi?O.Ju{ڢ_M5GWL/q\THT)*L]:N?ldԴϖ0_S>vj,8COr8&X{`Ҁ7KS Oyč93 i~YQ0)A}TGwXlᮼ9ұM3 FeV! 4~|R;u~ x?޼b)ꂏzo %AT:lfOIBsO+_ 8>`/hLBYS48RDtCƶ#8ع`@Ɋ.bE>PH-Mve|øV}?#[`UTb=DFѠsk Cs:P[]ĄjᄹM`R.]`-Geapf[ŋ@#U`s-Lt8I*@ӈyBZ$χIs P'g "{QMNÏ _ i d+"˼s26FЧ%ժYO:U)1vAC:+IR.Zj1 8)#Lz*0xzLYUj'v" k$pX:^W#L)ڂ l˕e6e7-N*En!*^j$֮QL6"Amx(dfڨiSsL'dpԫ8"eAgl y@PX[ř3fWerOL &τ7 㑢!~Gu$r615(*>ˤC;ںʑ;i&Bzk(JOV8w͆Q~{"۞лU]~p@bug8ӟdZPčԛGzsWH:/^')gtv"etM+/{UեM7IuwA-?/~y8DZK ZMV䨈.Me|@Fc0HwbIqb}k\nd'ƹ{^myopSD\ i4^f])&%t cg:f$ =ɷ;dyBU/f{lB/$NcЇg%OEp-PY~ͩВvhHʼnbGkg3A]']K`}{7Hh+ $6+?X:st3IȚ`>72[+ZݠQ*"2|B>$1(W/e[ӞD@ aU1h7uLU=`2…Z?Ȣ[-e/ru{4DNto`]H˴=xNo7g.{z^}2;)|Kg<΁dV:rF;5xt ceО34 lctg?<2 fKiY(A{t RA~\N(vuvpIafX7F8T}3h]7 ="t0 ͳ/ÈY>lA JrV+FnѨP",9_+3vX(6wn/ixT3/ Kj+fmݑ$qF V `>'I_]_ۃ`/@l#!}5wۓׁ'{EfRX꣞H\".S-bG[9 )yhmm٘Iq658mϖ*vmO C:s&LM!j.GLTL(WnEVXwۚ?qsuH0.B(Iz+ͩ0 Z\Df'&% ,L6q1mQN&Ŋ\)M2.MTfSlƁL0j`VCX)|ʪZ``ep."E7E=aiҲ@S)bD5ܤHg;'rgr$m#s'NȻPpKF#9pCǕ?C%4pOE9thQ*W& ʣŊtGa?,]4ΝR[:7:+e!P1WfqdY-?K6*7BK@_}7ki.=^CL&.y & g=]ok!zu(u1e(S J9#>ڞ+$aO)폴ٍ֫BBܖԜGT)? = -jzfʵ*6.[v["'i37:c!BX~u>>X?l;ۤrbqEpB$rZhwSֹ2lR%i[|,jǮh%nȠ2u I,iwּǍY POhβp樑^/PvwʇAS]ԓ嫭!?_:D%o.G!]Bp ),l<D&"+4)r{v2D LƍPB"}ѳ?U Ca$ukIjGHXւU-l{UɩS~mؔ^qh0?LOj 26#80tTިN;B|a$ArO_sʢZQj:M䙢%p"Кx,&8qV[@#,&ǵBՍue:k^kE%'0ONՃ_/ɢh6ZN{+Y#JvF4+ ƀha CɖĞqpL<uwbϥ=}{38ABj9.'Py>rT E;(²"vK%!Rjq|ϯb-J5=8 *Z ۲V}B#rXnnƊ#11 YFg9w_Fh%2\f^ˢ/"' #$nX76SJ{5ITcmIq\g8 /1|mϭNbˏD{nDˏi*w`ͶҐj"@ʶWaUi 0LvKћeQcLM>lˬ:ӕ7a,Uepkn*GPH9w*`: k:G"vٕs{[y1!l;r2w(G4W:Gj=#leTYiEj8M xq-f9eg!Hن00 Djk!w.ƌ :2aO22Ѱh-~d^s2ni&S(&7Z9TYi\@6@BhшŎv"]->88𸼵MZf>Ƣ"r^.I%p"`V|W?G8DtAE?"{Δ^gnWUg/pDN!5)$>\ŀVld$Wԧ5S|k,y4/ʺ(CCđ$hs$ZJ[\jͬ봟p^I#S01DwlBŌj4Xp; 7v|#fA"885tȋdV?M:r& Ş ldAhG1pLJW#pFIz*;Ñqgss\bIh}˃w@[e(Y+yh|~*l <Z|)v3TL Ʈ@S#R<5[TӧGX#%dbUP梸3ld5p-we` ʍ x #ir\1W.ҫ!Q#\ϊW#G"hZ\]򬈖)wQUfW&Ε{ИGKn} JF8uOP.i%(׫.M*/MB:]!oA>=L3ԏwU8rU9 RkTM=@ qX|,%VE(Dq䭦t?^IӶYG g/td؜ iV3 .P@M*nȀw q<; C>c-uEJBM[*=zB_i5ei+1.!^kbi~CIJ0%=@^M2g[)RlpxZ 5mW z4P XF&D˻|ܺR 4 S"zyyt/jcW==NzU\i*t)F>SEudlv)lMbC $&b" &^M<>x.G(`z/9Ma٘H*5;Y Sjܓ$c?l<2LŽ D=Qn`gj}uKUz i =($Db0x(oAEI Mnqwݳ^RjR{Կ4"z~/93[B3n?OtM Ƽ{]GhFf. \KY!}5*q"hQ=sElܞFžsS3t@wui@!.d_M%}9>eL`eMںf`ѐh̕[^mO#N_g C嘡=Jr ؤF{|Zpf|`O7ͱV;*(^bxi* ܷDԠ ag-Aw$0q;)ߠ+GAwauVыޯWc':0>nECBO5˲.)kdneA?P /l/t;yBoBkXy*V[Hp=l%qFk96 g}6J/q o52]P\L~Jg—Ȇ43ja86P:YLAcúc~;i @n=wR"3fGN"KiiØ=q5yY=7CEeT_ZTQ"(APF-Q+͹0RpWYK-BYT +us+ K7 IИQtZ4(Df ]vzƎLb3QpY 8>%-W AZ Ѷ+oc|;/mO?v "7؇V7?>v,GjT鈕V~TӝJupCh{j@Gj)}Z(Oz G)0Hi^Ī3Ȧwh;Ԇ^s@f.3 <1N"6Z;4UÝD<$?8D" U'9 #7qS挤8C?%݀5 0핕4#祥}_=ʭςwtu WVu<tF[2@˽F%aZ&73ȋE*9zdSP&5xA Pʡ{?U|sٛCFac3}G>af9#ɸHbX|l.z-bFBGт$fW ,ccc}}(Cd>mMDZr>lOuԕ! yn=FXx&(錛73[G `˵T%j{WQ .*KA/`sMȥӧNXh!e0jjH#g~H,77,Y"$؋%0*)rMOǫ?7HH\? !kr~NRFܜدWNMr–ZqO8z`o5iU%}{HnHK+E 5ҌR1i,VGꎲ^}*[j~\ƒhb@DR ocB¿GXӵ_8ZL} D_@XSL{2ۜ_]*c<  _{I}6DC O-V2yȝXF6}G: O~8}xuY$M?35GF-bӌƅOA"Ϻs FWNsAKpUᠬ+1|DO_:F9|DZLz @*p1dI5-PNLpf ښ]TUL<]![A{*AEEnD׆Ei"X)$ˡ*/~tET9'"8 7l1pe̗-by6VXxI+uNj_{W+OSAjSC1H&MBS!yͷ^ bpͮLAG\bV=ސYL3nĴXڡY)<42PgEH-WAvx+kDYU25_ +.sݓ5I>i2gm:>R S|S!yOBpoŔa NBE<QT$(LZW״ Q'ui]i4>ktlj@==y5lv=Pvφ.NDmvs}2~ vs>Lkp? 2t0 r 4ieS2J IS?s9K癔f)[ ;k}5p6[21q/?Ѳv~;\f\ءv>43+|CPAoJI"#QX#琦i"d$̘n" 31yrpl#p@L*f e T@f!9PlSrk\u.{x(ɺxM1 Lm}7c~YG7qx=B 2NAzw;ogOqYJ;F-88_l,v- Q\lAQu/B'9~ŚMȼTCh┍rY GSqéqezSO7ste5uOYeAS";Qe`$J(voqÌ<(/c:KUe^XcspmPNy@Z#2?rI+6w CMMEs?dC|s l  lKӄ^'7CQ?Γnn(Cs4Ȩw+#A_uy葉 1~kѥ~UrH-TCF(-(ѥ7i{ FfRo|%_yi3 6?;*I Y'{hFEh2BiUkep IOeK_0E[F24曬|(8~T]+|Q ;-Z.}Vd5a3"P7f=)R{`fN)j4/~KGS,T>=f67H>WWu dRMf^ZGXٟHy Ѐ))u2%&}{:)~}ެYR5EAxXɾzItǣR8ꕸn` < 6C?C\v,skC+{oF,l\,ojTώ[A[=hJQ L?eG!?O>^PrErx.K:-d+=%Kg ó'9j-T 4J~}kch7o'J>U_d7kƚGV}xWVeVf 2ݥ+zPj1xX=Z?u{~J8y_AA0=krD(I3Wū13n# ܃Ld+#0AR;`Mǻ9Wme&\@Q (9>y-uFd2,+ i< NEk=|hFWuP!,E87񅴪dt}ɲp^!8"w8eM7Zڙ;JrۘO.'|d* [GJ<@h,0#Ik5Ju˘qZD%yΗ`e{+C:q;Wi O_>FA[Ӕ snTd0o_vAsh iNڵ7^H EEfAp &c蓡ӰF#\th6e 7 /"a !#GjûaR'w*R_Ċ,wJ՜5V9aInuΞhR:T,Xn糯.59-W\L6Nήi?Sh!InVeCGCNU&LZ֓&h/.1hHǍm8@j1KinS ʷbFNE a+tp11gpʣf#zIW4yjm~M^h@Cx5x~@N~ٹG?zI`\y&qS  rY"d`488F|ā+ _[>л32 zLC5*<,c;:o:iz<[[hk :g_&un@%58 Y> ƲR'.X3bM}͓ UP%'/i{hu,pBf}4kYLÐɀE ܳ "#./obI&i3u3@癩*}OԪ\@@ݤ\S\_\ͧO̲p_WU03G-ʛR[&tfMBh_$%`e'Xm(U_H@-l`77QaUf& kO E@!CٹO/%6/0{q `5l.d<7r\}Fu8ѭйVU3 X!qFB)LMȵn #iut(S4 ƈrC!P {EISy\g9nQnL@)o}qaaDͮkfmO:I[8q d_GLH\RKmŪY(i 0AGP NgFsY[;^l-r d8mW؋Ox+-L,.DK~CCvO=tI0#@:4=Uq螁9OTߦ΋F ʏDLnNſf:QLi%sADܨa."Κpi']h؟2dvY5fL!h$1&#8`uK2<ib#.쥝=F@~Uah&a X_x] krE.* ]?7e_kd,:e&aڥ g,cUׁ)l 4V<ܔKI(΢#m\oExҒs+tBw8WXj},g[}!F ((:K O(iDӥ8½8v9 }z`CFs:0 :Zw_}7Pdjg)'BiKN%Y p[[z{?;皡YMLn+ )ec˔׻w%7(N)e*;Jcq `XX]#FYx,XsxfA7uN0N)CvzZ k,Sp_*{XF)l&pQ#<8 *>$[j $9 @̖yGiIg irhLR/{~ 1u.cuX@pGX#L(aBc7Aujs'լnؾ&?o.9[w[ 1yRz{K0}fF~BSw$Kuxv$mr[LP U- 7?_e/䜴Yā~"tep+ߟxb ϣݑdqwjwRW.>KqH䰉 z1y}Ư)cV6N CJY$ަs`p~B>E]HaƼ{]˘zPNok^{<rN#AIbR`D}՜ZsmL%pppgCh<'țf]%sC!ha0tU|Y\s ܺq(i-7w1^:690Λ6ӂ5è_s!wg"ḿ 1%]jiTދKmE|*Oe%cnA6~s蝻@ڻ) y'El]T*\UiX[S4#؀jv3X:()'钭vi*^ӉM⎫#v5g.B@8%$ U7S1Hp<[^E $CIvcܼc4ٺ>u@>v|Y0-eH]cEMrwŒ"jx4edYT]GTNZO !Cg2?D(Uoj岿,P}ˊ EI+p#AGCA-BYt ^t@@Z(Z [GrRp{DE|~7S$:ɒD1oAel!H!y/*^k$J}dNDPA H4qS4aAa͑!ȗp?(" 9w6ɥ10=H@Z~L}-6%q *WIn|`SXԔwULD.31U,뫶VѾ@kNGM< `AhZ!IbOqh07b~^&IPa~YtDEG5`bø=%v!noɞvY`әFa3SXhp\& K=[wnĶ>)4S2dTo?ސ+k`2+)/dhD{F (5&J2{]S"T+1ƦJ:AkVsiN R֓^ kf}^FoŶ,NK S(~GRZ?Z֯2X헅j]ȴr!uMj,V6LأUqMV ⲛD Xuu02$l}oU%^/p/1SJ>bs4N\KĽ[` =)yrO=$:p9OPKEۯ|uJMf} FΈdҡIU C:V#xq5ɀ&|ݥ>[DZQ ۍy3뱮`&_s}CUb˦qfÐvК;ZT#^T]:\᚞ݕ }y}/pvp?LMC3YS H(7~(,0~Hw-,_0X4MvY56SīV.SG4mւ c~ԟ[uB9rPq bT.OCXj?ͪSI&^;$n⤓rZ׿!Mf^_4ӣG񟜢4tહDdRw++ȃ_0H;f.z5إSQ5krc>yc5| YԈX=e:]ŤǍ^ak8rol"H &(r5`lq/&li]nj6~o_l1"z^6*n"j7m@cD K{P˰$ݿ Z^6Wn6z&<N+_hXIo"PȚ_:#"&5%_%8UV}p˖B|%@ضEm6]6%.vm=ηNis΅,w£fQ%` I|x]>E" {7mАf Ҹ`dLdeg4KkR9k_ɽJ_J-dYJPlB]v̶P{2E3J7 u@YgHKY{>U,PV=$:mȌv`@j}e@B8V4$Jn/dwk U{y \L)P{IۈВeMKi(lM7f)O=qTF[FPM W~H+DuJ/Plњ&4 !kw+IˠɭloPTɨaߗ|Z ?g|u8x')&tkm*:g+F^NuSx"V.ldIB7F'tšd2{ ?;k%iW8N}!X(ټb'c\Q&k3ד80"$%VԂ*xי*Za14\,qܵOI|2RdOPGsS޺ HV"b{]E dR1-"H\Μ8]>rIFPz]&.&k_@&Zhܻ8J[GX?v¹7FWߧ >]w܆ߨQ|=j R?S+B%R#H*4oب''0,V3sǝ.Cdq;w:`g7p,.Y6nSNѕiqknuY2I'ܡmkcos-=k!D*aʽ шFRQ<\VJg&2YӌG%_ X \yVi=.; Dڼ*^DYk]:=i0~Lԇ"]gwz@f۽YPiizJ;tNo0 ]2_LM9y 3,f oX t|4W,?G6z㝵G m,*S_)-?i u\@, etNfE8uqJ¦FCJ`vx;a$8ֽZ!A.JEZ`:.BFǚ2r;aFA(rXr `6Dߪ97=×f/T*A![j@y ԍ\pL7ɚcN2# R!EmX"S%I(>NxA'B4Bvfۼi V* #!Pip剄LjxMw,DuO4!tEm(&\t8[NPM=2v-V5wG|ɨٲ/BGg!_fkoXN#O) 0J!k3OWJ)rǴJ{0kG.D6y0AE7Z\(S]⼽YP =-V}G,TLjuւnGY%^UilDkn\43]DzEr;'Jz_K/:wVٶT{INMvN؅vC EzGru,*/` kZ$Ga}b dVi_yZH kM fK"G]<݊(\Ke|TbRJ p3ryYkPks/`ފK"n814,VwҤG*oCro@1P9lҢ(}Ԡp> (UnRwp!|ij"M K_U*xK!ł0ݚR؋_+D끥H>;ހ58n2|SŲxHR `ܯ+ⷠH&UmG6?J' 8M6@' H[/{d(Ӗl+/T, VG ( n/`xs܎74|!?ڔpdέ:ƃ` j^nnuWok-^#39gƀb~5ML[sXh:f!3]QmWkȖm645GZ~侄Zn\:02G]wx؝0}fC$MWǠC՟&WA/|(iFdw7ik UoMqCu-qD›߀d,}I):`FѶEҐGIBvGZy CY\m?}Ͻ`3Q[j;`>X-< Y7;}ۼaEhY"m~}\`4I4 BKCu|ds:z xJUE\ fO%\͒](,~ GRF5,HEസ!OjH dJUٰoBf6m4&\j4Aؐ"q,Yb5 9 |J@:A C&56h[zt;pNXd&IYTP{r zj Ms6h..9܌Kkʜy wWj _Í{[sIJPNnEeu/ao"'Uz8ѬΤYGi~ڄzzpXlmelAT;s ܬh*DkAgF!/"|KCFejڣT\d!r*]qpQB7cR`-9$r .HfܱWIb *B #D?K{l ]zt$&"JnE*1bRJGrFKeJ"_bݼss8n.R!ͱ #N)D?VMc{ zoL'tCi]y oO&㧤! f'(jV'[^ux5utmQه24b ҬϷ"]/0SdsB)!s7J5sj3eLїɾzV;RhMl X Uff5ef* x8/$ 2j%h}X#_{E ~+iH3fCa&ҩxȁzq2X+x/~-q14Z Yȡ!t-3^ҟSW U[=K CoQ,w hYp|5F4 f63WuL+3|b lPq^9wRi'ɧ#)OukP0"{oJqwί+;w6zԬL^c_qTv\ʒuI{]/%h@A5E0Gwzĝn" 8 ".< kHIBW<}ydq`yž?Ѳe/0BTd%s) lv yBV%/l{Y |T@o;-`U^"ƸU|)DhAnQ>PyTWEc9acYL46\<ҒT˛v)Z~^ tk@Il7Ng> <-eL&^.zrPxČYGQng?Qי`I{7X/.>@E_DڝZIXoQrY_S2D(܊\;Z$_"b8^rnPz, Y9}H@A8_j?7a"8FOF`cP8`s`N̫t\x"CsIϱEY~q$SS)n])0qy@XcĊ̣? i c gr?/Xn[ujGg! qpmSu`3YEj Z #րY'zTX Wb? /Z +N8Ŝ&[u~5bw d;Za2zi7v7l^6,Nf'w2<05[4i\r,P'b y "bL"󉨠 X%l@jrJaWy}yJ #JM8av.ɶ0J㲘e_\-S7x!9ciW eD;;lP%GFD" q0Z!3K蛾FnݯN?ʶT-~_$ \7Tћ1~ oL F$sJ1a%5{E52 u;SZŬhUrcc>mf*Z)pPWs.ܬ@.kƒu_ E}|`8Z )_2 -uFzqH/G>fV4+Z=|XnSMٞ%63ƬwK/>s PCSbP$QD9tΘv~ Dq(qV^{6$yiH4qh0'Yze5 fįȩVw/rLwN\@n["'H%e}YcӢ}¬mkE&I1- m24`nU LxT/%S\P|/R v"P!(+4>L[%W8sX?]O=:|*H c+,0!~tKKvsXG}\Cpu|B&l8 M-:pn0>^9$^M |KȠ8D1j/s5?2>i(JP`_k{ʀ.kC㟊Q#@Z iR1"?*rtԘo>kr̥`ڃJn,7.Uʹ0ǽx)7!g1YPYyVɣd"0_vTnkAВ̧wT30XE9'8V[N6}8pW{xf +2㯮) Tv¡lXax*R}>=FO}qd̫[&48`6e]3,JJ+EuuO]& Cރ5KUp2,FTBږEI4t8o$Hf!;6cҘ݂DWݮk1sV5}( >a`ިgN"B9-c,˜ĔD IN  {w|?'m1>zF3|b *Ά)2HUxH.}͌ "c5I ~\G2KSC3Mu> iekVRvḙȦ<# gHK1pHxJ\5/H: _?la|t7}_*je.DK9r9:@Pl[{z# <:GV|JgicXքjH(lsc:}Y< n4tynA2,RPVhZJpbpl6~=Qc&!9|*W3_ @Գ+vPk1' dEG10D^\1s-9Aɘe2Ϙ"f2ya;3ÅLJ-l3jt1ɻi> 2.Yp5->و|k,+2X]hXMiYDSk%bg[@"?&+:@;V!cIJ_>Eu>%QY(|nĘ< pkUzǏG/͹sf&e$X1Xp?WTD\7 fAg|1pzS0|u&1~UqYC)K΋.NuW֔7(| mJ]Șk\;Z%{aөQw1+oض'stД10Wr422HfR?Z#+.+gb>rnȅwY/&Z<ȃ|}#y7Գ1S1 MK3A12ˆJgNӃg]jSKeav%:m31)fAֲ41S<7 _N7?)}c.Mϒ}r !X?k)`q~MQ_ zOxC) rvE\>ݩUj*BU]f#̛ yz~|Փ말h)e]QQzowgɢUW7|nPDf{y4o 9t燶zfvrh%^ t]ڷxK0c̽A󠝠w^3j/z+jI[dy0GIBU.mS9fӞ}"$m%mm`8ScDrCE`LHԹp @8\C{{"à ϒ_ @Hm3<]3Қ[TNz:CWi><h8ܸ&A-d~N#V/ܶX1sIj!w.x7$ c|,6XrϘ $7">x#%Zն^-$R͆>p% >=; #Y0=Gs-)jFΙ_I+@?3j -$b}L0١3|kDlvR~1UA3.O,i}iʃ:0wV !d4Y*IJ4鎛L0xIKY+%SyK<:fύ}.Vf|Ρ|i.,rӄ^P7;UY45-zBίܸa'W|4 މָ=lTsHnM { `q%"iʼCR~R)J}q7!.uqѤ[a4z!ˬ!gnGS:fOY>1Om> cfGE 7/v^PYl1wSu5—UթWd u ` RZhaH*+\Dz٪Jqʁ_6v[dYw4{0L2pcV  ^"e9EVN2 7 [D@icK|{lّ Np x9Ol ~LaVh=o&s@ml)AC x(UG*h".מR`. @ @N,z\?W2aME QIqZd]MH-*,82uvOio/.WLc`IѷЭN[fSn;{d!NtK>:H_(5n5Pm/HFylaǑkn8ioC9-Z=r1BXOvcuF܄Zf<Ꮾk͜ 'b Oi: fֻ__̲"1ZxOf[P*=t?(pSzlK3#g0ScY蕔9smGQ'DRTaЂ=1:O90S"mD)6N j*QX_L_j[&U߹jF*. m*"qv&+{4@zs2ϴ`%: 9_Wxsp`}EXTU},7ۯS}g]y˞!}FuSbX9.R'w/!sQ4@Qemw \l~s헀y$lļZ+Pp8qel77uVi7f[ 7 GFsÀͦ V'HM %M`O)+T+S@76F9Є"{dX-Ϫ! oB1`tn+.֌lVxuFAzC@i?;P[YC4ѷ}y 9^qݱpX kPU Wϲ˖/8'95tFa&@%juRRJc5ǗY:}1+g%jN1H{_zqTꂍ m2x 1KW0icu4 ֡BDɎd$]+3iL5J.QU ~݀L+zoE+sz_ْ88 AY,3K}BN!x챱r 2RIgI[ D܈>Pa>{7 Ɩ<޵Y^s݆,pg˥Ƽ+̶B)(9l$/gp#1U#rr/\ENg솞eR]"<ɉN?h8KLEѐZqu)ڌaʆ8˳QxMӻ@@W|xPPz~N!wG\i?Ȃ: 56$Fg(>qF2PMZ[,J Tײl܀_`T0z4]J|47L3j]XIAj@^;L٧ݑW|wxBLӻ8L,0xV0kLH/XqSԡsk p'hlUq^ se'b Y Rl( ]P p֚^\[Qg"E2*k|Z֢|DZ\]m ~q ɐ*$ %iC c'5} z^\`*\Ui 7k"l\91uKU 䏨I䎅?ޜE`6CψrE80Ay"mU=Rp&ПaWo3ꒀCx%~g*oR92nSWdxාI8:8nWqL)bW̄ۀjs} ._bZmz#J# qrʄu.=Mo!- ٖd`9w<-ynr痈ڼyUWY3 D.+wb2%WvH]#$žvُY!ѿT)m:o(S݇csla𿘺FDEIA|}{̧Ȉ]4Rw pہ}اwEێ%@ [rVȢXm$O; 1Td!48U V48?rӴ1m>\Z8{;ugU\/q3 iݙJ+z>$s.,b@/]*]Zdu^vl!AaDmD{.HƍS[|s Z"p.0}g:QJ!stp|cmn *5%&_Ld`]|Z~ p ot9"сO=F_ PU¨E֫>;u`jS5H[h<;\6],Ps^"\Eph䄉K%,[d̸)ȬB:Lsdbg_+,|Y[v$iܷ2!q˒GCvM~`aw,>9k?AaQLҫf0^y)L=&i)84ׄ`0 siAm;"@L]o#[gɏk ʅ'2h,tgjx󺐑ӣ7\%hzajDŽQT#@,r^2(=9d§pwS4Gw5)XޣE!nu`?'oVmZfe :A+,Tb?vz E#vCjWxyo|)ngp'[_/\הӷXndTPdN k:x$CDŬ:q2<8K dc^vZ}3ZwFk%H+Ζÿ\x#0RM|5oya/Xܣ젒2Iu!E: Z͹ HTcS&gDބ.JaAHjLdR 3"S;.vxi(P&7y!h1PGɡk,O~q (q C HF`nГ(xɽq?= )hрf8ѝ96:sGbֱUwaOX|q>JFz ^=j_ն)S{Ӟc҅&eYJr7gMs5= D]G6b N!颈p6gXaI0L# )N2MrbSKHB&B֓=T?q0|M`bHd?[+a'F*-Ϝmv@`UnO[CaJW ĸ6[J2W+`~]$uҾ}opVN\Td^]i' b1fjOkbʻz{_HlcͱAܾuQb%WI B-+jlS ElTؔUN0xAvzB1M͇k3BOMԸj( T'b$b}Iۜ/kP)veqn# aO,bQ@a!#宋cζ Z)pQ7 d~JF+C_N%%Ugm:Vӡ) _OfJ+tq[*9c;6%WUi?4pOQ!$6!FtUB`sQz(*0Ye4vz?] W(RXf1S0XD4!18 ˕>f@cL Gvn35S+Cc[Bx%AҗLe1,jd1" kȻ?}khuZӲeU}[/opH!3yeDubxx6]{Lk9Un駗=R K9ZqTJ[.K^u]ْaf"_;yd4z9]4W4<7/,qBh=C3r7m`ϣnSݙJx)- Jĥ@Gհ+~ 2#,Djhi-^XHRRD.@U'Y2 kd;"SIdǭwl:QYvw]TmH nj5ذ6_AȄwmGកO顀1*6T'`4H}9BTqOo\l}n4FͻSԀ[@Y48eu6ACy҅O-!x0 YΗ4?_XDOK{:,5'][UBF,ۘ$*\y325AdLz@Ӟ\ UbEJ;:]BZV?=#Դ@/0+p5.g[ewF$KlO6@dI6&8s# [lI:-Bnp!$sù@Gb#QBޡF{@֧y\i_-)U-+F4MX@^`ܱH^ܾ߂ǗʴS"Xôy7K6 !ilAT,)/̺KԠweWxC7jjIO%=!0FF׀'oL4gO<5Kqx bԑ,3Ⱦݏ tXyS)c|j^EW9 C?\rtP6A)8$vbt>Zg(!;ˇWՃN!^%9SgˢI [!Mۑp %t Jl^ۅ]<8sɼc]rүKu d`Ww%y t䔃Očvf1Dj H4[}J1]STc <^/jnQ n(ۊ@J̀_㣢cٞj1c 6!"qH na|v)POf snҝˬҖ&i J^R|+gO4bI|RK:Oz}֚R'ô  9 |MH)eNJ0fxhݔMhj'z_nCCb=G:.lo(@  7JP6]!V8z\y6!S"T0b67+py`WԵGSn YS#OFNk0 b%)[_ѹ 7G-*i@~sMxk𥬆tBzw5N|ήmc tMgS!,OWUTu]J!X[UN511ч޲=|7?v!U0b FG.M:Fk^`/X-^Զ:$IΈ-XĒ z8h:0Nbn\鷞?^H0jNjGR$OXyH02 ^F]MȬIȾ8`/+4Th%兵ۚTmu U-u.Y&?;‹y1?0n |6c5<[x{U訬[zm";~ȘӀ/9k/? p''?c!N}F,]N)$Q3TKC;gF0mb5zIa)R+U9SC5+C;DT`}i9WËDD1<3t:ƃ׶ 0PA!HWRS&un) %ձׅGcmip=!W5I4oOp7 /0"ӤHkG'ӰU2l.Q8JA2U[u3N`M18~YKNLcșf! I'P6ĺfd(,:(>IZKDvPi/ݿϿ 4h& $dL,ǪAAn5-W0Z KQQN[@-PpųuGe5 - LviFv1pB>iw $fwź Z7e%}ZK)KTמhB>Hg*ޞF79Z Y{E6rNrg8AsEU^W1n63=l6(AJ鎟+ɈUƚ@Cn"hQr 3Kw]DX:$-kऻ&ӕ`~iOV].Ƹ)  Z9,:?DZr{6ִ)r{S΢Uo^jB•/ݠ<}oͧ8/#<>g=H^",t QI2,LI틋)+,=:N6TߦPH,^XK Q:2ѴfNW_:oБFa3ɖľ5[k+3a;W WTGOd ,S??̯rP~&UpT!X,/܋Zy:[zMo/<+\^JU=vX>Kpٶ^m:ӕ>Ze }I"laU҉kxk+O"@hJ[d?߯㍱p1IzvfBVGaicr2LzdjadE)\Z ,Xa+ٰhVrXk%k_/2 ߄ 4JЕoZM*nt-@KawcqI5д XÉ%%߂d%30jP^q{ã˧@KC~ =g̷Ҽie7@Cmp%s/IѝÙߣp YT"sYuٺK.q*=%Dw :-iyDv M+'DUW(l۶6?9#MRk[r7QVhr3sr|X ݴ`[A? N}&I9 h뗀G ;rOe[t6s♑*P]$4Pj6EϨ|™|& 4hI1}9<vZkW-a1RsTP@4fOL'rzyvUHC# 0z6Zm1# am g zv2 /Їcz d:0}ZƉ^n| w/q+ة&~dxf35\~Q`m&'t_*h Cl7G lYII1 ʓΨn`cwoH}:ُMtɘ %L#Ҫ-E@jG(8 {nȩ^0~7"͞ԷZڱOi&Mw~ W5+qs}i[K*[ԃHös~Uwjlfym*X =VI_,]Fl hPrY_~r浏VdioRO)|k6';f4<pA<~EՕ܁dk%.W7}$\M=S]y]6Ry}D&$KftbyF sUhj\R)sRQ [cIo^5GcPNRlZ# tq"{VlzrCdĊ爞+*|P#&"CnvA.=DEN>kr+sq/3- c/V>9ZDZ&IqN`Vi& t³5Ӝ\M;Tr3ۢ ]gBΉ(xd1(yDt|eet}ޤ\N"V"F)ޏMy[ ss;گB4nbAѳ?Aw-d@NfؕguOygSDIߠTI~>hO[rģ]u(08LŰ󘐵 Q!A!17XU~k5ꇯYl@H.;`c2z2K?1u\_²3wC_!_> ,wfXe pd%2EB 3Ce ZwHkfd0M b1cVVN{"#Pm;CGmMXOK< +IXᒢVYA%l `Ky(oF7wU _f|o urVҚ-=9gq+j@L[!ʛA!k/_ LOI"GkH@gcQHH7#+ \"Q- FSU|v x}=Qڽ) 5wR]ؤrm)S fhJDԻ,hMmcm{k9%1$oWܳd|-&_n/ e(쵉pѠeQQ2`R *ҥ`(1򅍍Ϡ#:-H 5Qx_yg=#*ʧr;+U'*߃Km!̧ay'7`!ph 09r#՝)-mo + okP[϶:ᎀ/z x{LM/fkP\Bώ=j51#րi6} ҵoLU;tki= ]~|!Toh@$X?#Fx+XDġE }atPy qNs v9ӈES&s)I^Jy0DK WI%#\Z%axvnƼ5ѯ$-r"U7fNgmFn[_I8Y2"maaEIq_.Ďܠu@CnO9(eAT9(WӰ!RHை4}cNPo)dNSDy/@9+\&i˰à C^w#L m-TPΛe֊EˆqL\nB9qVDD~d8%`&6e9Gn' bίIH^iƾ86h7v- $N5E8kzQ-â@m:g;K"0($1yye<=[FzEZ'ttD ~>Vze]B~3$576jA$E߰1Y};btdxm bv4vqhN:~K9̱߅4/lPqvc< ۞y!K g/7q_plzpܮNóu jKd,fR OUfhOL@0A98Bdj*)D!jb⿿ Yr[RӘ|-aH*gT5#$;T5E% \_)҄ڜrOMа,ץ9=yF\:@" lftW%F&/d2 |ޥ$`疼R ϲv˾W "Aq0m%ljV#dqME]Eg^11P&K5J| UUUnm3W?#dAb)Sd!t8мi{Z4/W:eu{XMcXIeRTܮ; C٦tWWF>cwjnmKVM/43=\gE+rQ1&EQtoS`zlA"LXs4Q$R20`K/g'oEծ , _0[â:%Kzo`֕wWqo z 9Ui]p aCJSH&-15GrYB)î;-*Z7 <+3zš,͎FƟ[^0;T(ݕC, Gx c|-Mk %t vC6z0r6ęuX'V:ƾ#'tMڧS)sYBnwƔ7íB/LzZx2^ 5 ]}*z5ВWL:Y8C֚G!ұDX]O2/niyڇ"8' uZv]㤑5/5*g|+Z,T)e(Fk(a@!hYi wH9z",Eø# DP4 a[;Yz\m1[]8ZZ?,0&סu1\tEl[7bRސ*UYT{{`Xo VYZXÖ 0jb R;Dt=hd{𡱄J;`r+lqO#6n9Ҝhߜ.N9b؞*}sHu4ށOWE7a#[M8[ֈ*1Y&9 c+5a$F( pwL,2ְ+ĝ`x M˻5%03Yirކ@$=U-cyK.yx;d4KtmưVXSlT{_ӏ:FY n[`s_Rz#j@B5䑻H;BO4Au׷s/E%\hj!`˛X I@ϬlS0gB <wC@78:cirpBI~k+]Sj98T +OM3 q"G8$e# +K<5/̡-)gy\T6 |J[N"`ň1*v XԧnLe ur1Lh/3>ly L ^ d5/CL}[eJQ^gAI0Ǐ% Ȑ^ŒfKɋfzRtaQZ/iÒ*RS&]4f*$2͜~'*)(!p#Cg3iVC2hv;{/Ϧt^Q 0h$9@`}pR4L=ntYUѓXSJ% "܋!R:^]{ұ)c_ƫBʏT9ojvNy@VDw qn )]}M܂2;DZQk~()ac 0`YJY;=B&.[ hh|fۤl^]'In3)9չ{՘fz#;T+S1\oc>(6"Jm?δZc@Ε12~<{^3w^0.@ǀFkI U20y`'&C۪StѸycFC^Ic,x+,BHPKK͘|W>u3W\fksJO挜d]-k̇S`_^Is@Q[c7w< :Ā=x CK:BYԥn@+\X8$H\zu0ƺМY ur]je㩻a:E'Ҭk;\5g<^NOO,yn~"-#IZCs9nuӼ<݊\ vcQ*db]pGv^P+SРgN/\] #C<'IfFXduB/~p14y6xLGYa-E@GUoӄz;>+bzDoZ5cRdcEږ| t1$sg9N!uF57)fb,u1\Jl\;5Ѷ(_n;ΣkQf]_aŏw:Œz:EJ%aS&Mc@^[^q*qNh͌Y*\qw!&㿐.\^dvP8?݌Á;]P}E/іӼٛBj=@H6j"9hbHe7 ɥ~x5P͍śnvl8a wT=vZ"Y=)6Xrc|@c`ѝ@OcCph$ϪcFr )]!p+$D&A!S;rz @;!*ǘB"?\ N$iǴ$6cU'N nŶ,0-i,z۟S|p-52;M.#4Ҏ3ں[0'7^0b|WcUDf8ϵ} TPg62YL!v w;䐱c :h)^XA˓4'~i=SuqԊb!ߝ!cv 7e.Ev/ EmLVNM퐥7ӢK(K^@JW{4"B|FW-dy)M=ɍRx6+u`~YXrК}[8w6Oޯ!;i3y\,Cx־qcj1 4S)e>KD1#.x,|>`ؔ.Nj{:rJ"NfY<z/=9dØ99m)mfHjZHq㚹5.K"&᜝ ;M+>fKJ& h$aؠCtD> ; 矧m,Yǐ* /6m˔S[Fpے^wtewFvoa|9x`ZiȼLX%'Z`8gbՠK,DӽA{U'<kfVtLoCL7um.i #<8L儝!ا$ 9c:f(0twyh&Zf54)+ gL=JTS&vcx@/hc~*mÑ脮KՏ a@.wPʧ&3țϭ7ڽY)$ 6ׯ9r SJL4;sM4/]Ǣ:`J@f2_'3y%mһg9 ]Zȶo1,o{coMeg㿕qoN5p<NƹX{!lɯ$^&,ˡ>&aDo߻5xC X&Hڲ򩙾 _CZ%43(bԧXlqٕ8O6W%)헝X`Le^Qb #؃g79^ w$<3 %U{x]=P@uӣkFKscLeYN;V#G;'?kzk 6%ᏴFlHWI7p$5ӸvT益?}cŽNSrG98W"F O_wn{ɔJDU!v;?8%aZAlVAĈ ?2I\},bZw jS\5G#<ז#KdvE%W1}MNiљ\Y0AƀcZK-4).=,0NҚTQݿ`޸?F33^L}W?\= 071O+h/S<ҙ+;GqfPe;UIu1d:)NK3-AG{6]сoΘAWN `{R y+8 ^n1&< VrzҤ8 5}ssACLڨy_QF~:<$BcEAm:g-g.Fl|P؉MHe- Cy4qOźFc{K[Pa_:v^#X>Vyʼ0\c1<&V0hP?i(~r ֈ@\t=mҬ큎YR!d5jJQL)GװupU|O˲C)`S+CmtF]V bTPP [O2K4J=r|RWIuJh ᫽m0ej1'[>[&-~ FDsT4OV6H>f_ "ތU g1kce^uJ]O It/„8<,5XƳ ("Cc~X`F/B]klɢͿm'g&ois9r ּh@#ykxFEu ;rɵuNYyD(N8jO9;y;MPmY8Rܰ"A^uP/ cKgQHwZjWR/,mf B'v" {]i`pTlM$?;-z8K`d׌qPcNyxN_|eRSɵ;XJK١P9Orլ-%̞+ g&spccj-0.40IMߓ(7﷐Ier7 {ԚpXRF'svquf6G`TR(iNWd/IrTFa}L6ZFBFnLB3D&6g;En=pL<)T2VNqolr'[ӇӚnNb AS.ppiM+O[gګNBl2DE B䨮>% )֨Ƙ-yWN][U…m>6TBܧFпUM Lh ƞ#u٘M%|\/dc_,'(-bҺ_qN4؆7S2V_ 5-|*gxI젂W=`dPܭobG`͛/Ak ?&oplZ[|40>g]^#{SSqC(!Bp`KbeZLH~ 7 w1?X>V4iG`C;k Q:gC{'1 3Uۭڶ[6lf+|_ZUV Ḻ~Yhj},~i+~f<Tu#I `xmt 5+a h_פ*l=,.ȝts4=T$hQv瘐teVSm;R4xNo7ߏa9ѯVo-hRpN1;ZL"/U3͡s#XQA3^ \KE^(ySZs}zxSMW7|m{1W6kAhɾk6}!OGJ%pZ#6f sc&i{)CupX$+x 9rS&a3)cL@3d~ۈT7[ i_dlB+>Vc͉@ލ&Yi`F]*xP+N %XyU7w! L"璏5=z;2!,;ZA>jۊ㵷ȀvͰst!68 3Ċ>@G/QbeħCN$}GX Q ITE7KVyϓ8076 !Q4 ПEWv8]idzVk;g[kNDzpLáe%Ns_ c"X4;ݽ&TS_@@F "%,@ëOQ (louPhD7;b ̹(G^l9p*ʻ4aJbopfmJ 8"lTvDn 'iPPcgeKA -sݤ뤛QTYe:+=& ˁMyӳo$ Fv>bUNߙt~#;J@!nQ p[9{0n>+ʻ{-oR#.JVܷTE#UNu1u_b}b^OArvobkX `31O,pe>}]uV ך2pguko k$&5i=7C6ffRT4<ҷ߭4~{\zRƿc٪.(Z9avߦ/B;bݕOLأ^dk0 ҈,_(q6R/d|{Tw|S dһM 'iT̺P繂_n SQrNz+,CLpXT&)kD2$Q 2‹=wߧ8N?8? OUm83`9 .wk[M\B$ӣYѣ("heaCk}aLTy8B9 Z ]r2[J-¦9dPM8Z<`: fGN7TC1FQ+X0hc0>=e3[F&+6p<6 0e|<4ϓ՚t,ș¢Gv!RG2H Ar ^1>;,0Fl\Y*]  ںʉ܂kb_XXiX&!=u2+QPu˦L0@#pt=\TtAy!KUX~6uU ^Ӗ\U*:̮~s 0՝=~ĝZ綔&.HXNV`wA0,6oi|Ӝ4L59jV=)TE‘lr5"beo.CDOQ+NݻiBk)vd:?ڎ)CGFBzdWLM6[< 4[~}n:4pz(Z8Ok>Q6T VJV4 #1S5ZLݣ _t" wD㳳$T[5Y{bմ9D2uf5" 2=[mT,_ B`-L.ګU`Q/2!큸jܯe{.WR{(,x8y+9.X7ߔnT =!X g 6+NR//Wxny*B~DiIF,s0ZuGspK !"é:='RRc[h2kͧ|᮱tXr5SD='jV S}°_e1DYfC[[I\n2ij/՘?mʏm(D+rsY?gm 1)SI8+ qTK 6OwwIvv2c@f=m 9KPܡ*/$%К1#"P\x 9r:AKq >yMޗ6"ڞkzKb?LL~s96A?8}%{YGSl-٠ K)-qҳ)V M 9NT8*&D'61t\f~mӎU#+ө)#Wڢgu]']Qu_lOy,5EXRDpyXخ p˳=H_ǸE " )~pɓM*W/?BoN Bl Pq"$^认ɛ9"^iruh-Aߥ {01d׏0mKذFU7UP2p.IlӢ+5:*VRDO'Z5[]a$V f糾X9uk8ay:{/0Rd!D*3O2(g=yaS)@V7uYP)Eݩ*YYʨՇ$%EWBy,jLX_ԄMM6Vه D^toltN Guu`WXeu$HGAЍU픽u! $K[40 fa>R 4@;?ki~pv詁Zn;@Sh{`8'O)_Rg>J5ܹ:A@'& \C`[kpHz!Ht!P+=3I# I4b+lhIQ8uAv<~c2 cSMIl;| {/äsHvJUqKYOj2/ #iۜXꃗҬN}msD:W<}݀ rW3]Z"_oZnzh)jqI\vz%tdKa9b9yYm {\ַ28٩)*oᡛtTZvH0jj"wEQ|H末;o  :AǦ4\u"*xLl /QդD,x>;II]ZnKᄤlXiȽ nRVb0fJ{YgX~p.zBȪ鼛w3+\rgrt)]6t#B8 k6~{C ՞ _67x㤙\$#Aٍ: f +Jdw]v(4ϕR;m+ GUI7D" t}Yun / &1-?SWi.":~p=@/,C]@O)p5X/kZ5%'t `6xwYi{ 44K4|Lqab^R@H]\C!^'N]E:v {[d\¡#@A qX E1rFtB ~stbtnFļ+#YԀ-JE6xds2qbPFjq]1^%B%Q`/BlI|Aql~#2"e.jma2PH2MTYesEAh^ -΅mC7.<)Vxz1035Vk`T}u*Ykwi72ͬ_kA-)nVS~ʌH|,`laӋ##8_ 0Yfj@Qg(ib%#9Ecd 4vi&0ϝK '*ڂ; +6J:/ B+|nX(GCS|jxIpTY>TX PtpJzMwPlWtTWVXNx<4"|"W`>QBO)Z\~_AN0T7vҫp1s. +wՉSEo7 l tׅci5-*Wj0PXA9~zy%IYJ}C- 7 y0pE/CA5 F[dL, =<i{H`Oh RHRF{ۯ!U5MEmP!p\ujS›]6׿hNۦkQ׃L0%pV`+'|2ASzru!kRhͦMW4%?ד`o=CU[zx.gfye?gʣB<4Ok޴eT}&t"ŦO4+sƔ\iN!B]")h_E,5*8|oB;3=XY` M^H.[YjIdpàvgc[h]iTN7,d8D8jPw 1i'C@ /8Qgrڛbª`ތ=Gw#?6 H,-4`D)R>($2uUW(<OKk P`N8θk0u%>dn)s#HXfL>DUE7&-4YqKH'ô8\V3D\`"̕zlXi@0t[51Ɣ"h ]9&M`<LXp8b;CUJDĈ?!T?\FA }#S PW$ "]xz((=tA2ACg黠3ʇ, ?k{0٠z~P- sus}d[ hVec[؈:UrK^*:ZRz&u؁*<%~TGSh;g7Us1o * +8?aw$3y w }-o8N#d=^UyV@jK,in6fs m5¨y[c"5bu_ҊeTIN?f\Hrt5rG!rn͟-o*;v4ǔZ*ɶ?;u bNH`\ĸ ϥxm'Lh.ʻq'nXưSdAbW(6Rp}.' sigY Iʕ0itj" M&>7(S;t7zS_a哓i}QH\GcCmL[@̝"ƼUOls ә&V;Mˁ$,&Z`cъ9 Z.CO՟'B|3fǤg7= Rs"%f{N/%fljߧ) :fÙ.᱅PU!gṕS l~0װN(ss\Ww@Ll3885Qt}`39CZ(ǞPYۋkyL7vp|+`w4n,F?@Y.b䲨4N/wNV=9d3}sDpxQW$n|q1s%F/9$7="xd:pʇ2pإT깒|YcsOC ZX3ÞӢㄑv#te N>h|t1ս4lq^k!ݐTp?bkށ <0ay:2KUJ> &Y7&T'wugG{c}4mS|']'z.~@Zf%'/p$bЛ=oPD#HV+t)[cg˙rn: HY-^`q &s{,P?A,\x B@ `6M:NM x Q`j:IXVO7@^A53━D8  #0w/o'rsӨڙ E[ب?Zm2Iƨ>GBxlX-k9*Gǡ"Cϯ<ԺfĜbNj e͸.HRR^r#hJREZQwru~ mUqXvJQ~_G0tw fqu\cUTۈԠ< gC0'= +נɔ\ y,yY'L=yyy\6lkK5q~!g?;t|9Fϓ`\ixMb2s[p--礬PԎ.ŶQlmTs7!{ruP&W©C&<a;Y>0I|]i 5b+πϲ:av;\[<bW[K i=ldacsRJd 1+዆WӡN)PP,{7Yi'huu7IŤEDP'͏3v$zhh{MJAOnji7y73v=U7#W'F>{L۵p`D vc9{AL.]l5Hon7Pt[-"q+Xh[ft)1O>8W6B 5eg(-". ;lVĴU\WB[%?8k&PC?FtTӻǥI_{.?=C#H 3 4hq^ڙh!VҮ8>9糠nn[0 ]1WSϽ.ԥM]9uqwM%I0"˵Ȧ`%x7< *?fӭջ9@ʙ&7xbF1:#&`9҂t`#+to~fI~\|AU!j.yHG?n)j:~YU=Rb QdmP!# RZ%RxR@nArPsVr.k'QnwR. Fk͖>1Uh6>\H{hI\xk*[y.ڽAfy sd}ۘ`GIwXh~1:L(0y6hDK 8UQGڥrծDqca6_ `?}/H/YcOk|0~&v/ ?~dFNT? >ͥ9ΚWVᒼzPWi,..U/bU|,ެ_)5jftW-Nڭ R*A*qά纶D7?o{W$4͍ls[!J>n58Ewx| m#zh1JsȹN+Q>RZpەj,cbڷ121 :?mo(~,iJɭtDSbr};vXfY 4nCz .a`&RYD/8XO4'?jd}4Y-\[Dp[> }AVA` ߅"q|;BB#!:Z\Fcue> *F_%|k"  HU@b7;F*^3F( ׁb;jX­1ǐz-TǨNk*g@p7h፝;{ AysTb-8tk3=:jB,`M S[W?6GV~A*V%JyJCh)o9%Y@WZteT0ug·^>7yY{Tf0a_9PU^ϦXyMBP_hF5waӯ .ʑ$Ps:s(|E'}b{٥j ^.\ms;E|St*F5YowZ7[-n&"%=?#1s9K-V%%xbWnF ;c3\ŇMmC*k>瑈x߲S1{BkRUZ$+ȦNQH,̻~HH~4VT=#JHI:W܆Po4p3b6/UL#ZgTI8Z$? ! Rۯqx V5Li o+, * v(=w~.4uz26fFX*v:w4 pf8$.}!ѝ*~%5u<85[0d-Ȟbә/:b S;ހ vթ5)H"J7) !M4 X^?^_*o:רo)E@8,F.߳X(D@1! ]Ĭ&tWs؂e (P:p%^#^~ă3'Z6t_`h$b)k> ̸K\%J14q60:rP'k/s 6(﹍.4nfNeiA{bC RE]MU7%S/ɆNC1aݓOf8EI1եke`7ښf)3V*5= 䳍9LsDM Z^i͑3|b pVTmร5r,j%lnb-`C\) AN pNF1*bپPS )[]Ҳ.+7HW"S+_(%6Z>ZK՘J)6oZhr81Z:hN[^ӌgm8zP*k12*C f7G޿ > nV>m\Xzz,Y:;ϑt}$#RQl/ wI]C|eF 8}h@Ҙܳ˝L;MwUHubaQ,{#eI!8᫾g^_:X5:Ne|:}XWw'fp")cF3YE-^_TQAC5ZP2Uؚ6֣wqXy /c?(b(@MyG0ƻ0=\^%_8QpiQ~BpSUnb8ΎlӜ {0F~۠yO{2"r{$zmc# ~,#KD#Fg̣.mJcEݳ6~JD{& M#hJѱT'  RysOeess3v2Qg~R9a cP7)6u\G(7 $=tNͼϔ^8. &hAH:ZwwW#C;A}mM>TC(;7[hU.ID ԰VnLL4AhwqOX y@J\͋D]a,p|Lk95fs,Aeb Ѧ!Q3l[J,+hL 4M ˜}z^gVtxl$iB-Ja$섄ȰB]S72afRSƖ"dĩBzP!*,YU`D u$i)Y;WJդ'Wjh\,e'@ X] Al![A 8(nBЏ\e<%%kI?sR= qN_cK@`ýv5K?H'&LZI3.+. Xz $ /ETi~ȵ#QhOJ_ }dL-$;c8saӆ0nbʰu|VKDq)nr"F2l[s&φPbDqU !sDȖ}gZb$F'\ns^hY7v|Kt$Jx۫>w Z}|3(?@nJ8$aec/k)A'} AI~"}'P{*c$R?r$bN-Ywœʂ٩=uOK`koGVE΋Ϲe5O΃?NJfq 7S| ~R];a|x4YtWTF K$ ԩG١i>$bia 36lQvG}_5c LyZQY721ćj.ze""l%a0$nYYpUka ,fz sAYqeK [=`<˕MTFY*wU^Z4fGNIK^s}lè4viȬ(w*O?7%ާuYV@ 2Ts!=IR2 R#F{0HjZg*urZ-K.Rkؑ6^- "U[N xHaߓђ=Rj0iPl3S:F~4A^o'4 l^;-36v~9Kc-}΢\AxQa1̊/=| UǬOaclZ z7Cr8mU# S{Ɦ+\{e١,ծW皅"%ygv#32mbk1фob,zCJ=PLy}[e*8t=;v.tgfoWlἨ$~mOB$GQ#s=r%,e PC&WAp}(nٝ!AgC;t.u{Xd% 0F)x8 q[  Fv-Tfw`ǕV9"P{m/ lɿi zY^BxU{CUl}-,l.9nx&w|xqQv|#+O;qߣkPa =T}WgZM7#ϫX^Ϻy?3Cd4yhA/A+hEfu;X.z>T͍/`G֤Z>aΙ3cNXAѾIǙ b*>}<O?G}WyH!i_; ;:W-ӆƟgANJ'Q⁁63;c( =Eٶދ5x.\vBui5z [LY'MLV  uQBڑCg% :UZ$Zx_ ffZ[Tdt Tp (2;g:$ǚ*g?5alW/hvRش8$Ln"=bf^Fmq5 9V)[=SFtj4 HWZv1/PKvܨRrZ9'1cC ߲S2<?*Q YEDtpa+1_jV?ngs6u7jMW.-belDZrvuP#2>C>tN#M@NIP[^䆦ir.Uzf!ߊLJĸ^IW DYL}E22r ; PA.A 2jVP+GE R8BJᴐ[9}!4|.-o":U.&gUc`Uybm\xqIsh1ADZӵ7,>y_!Pl/,8=Rȯx(:X f&r ݱg *FLFiy)?*1ol)[wv't}*A|AW:< 5zئU'ML lpBaEJWL"2crɩ'ipּOVI눡&bJUeEBϘceոӧ/G~!?|mx j_iM{(+S[W<.pLR0# XD`#2K596@kUzoAva>x!yP,$zUP ۟,{]?دnyX]GBJ=gα2,h?"\#W };Vh^涕bΡN\ު`gk@f͕9 zz"&=ުh i5('v6DiܩU9{]1`,C@[J9Q"&po7k/MۃT׺eS u( +cϱO6:Ԕ`kg!`&47%iȅlerڳt(9_LY/=Zq@LUi"M:5^z݁<;%O G݇~yU ٚXwR?2'Q?8z/ ?$+DH-io'cp'sʹߚg;:5blS9$f;#)6%ӯ9`4l,{#O xo_!O);΄;=M׭%ˆZBi'1͛fds% 2Ls˴!|ws,s`d7}{E/J>1xZhĵMȗ =sv|]<[}>0iM^ C>lOdj)Ng)̻B8gJXU69<d:vdIc3p1fzwV37,1ȍĄGLd])Y6DTsPtdo(@ߚ 'ttN΍Lxv ʴb"^Lh2fԈVlEP JG{.\4'!q}y3)XUD9٠ЬG? "Jl \ uF8\C —+Js#k^u4xI]^Q=>*D Ln5_O4>&&z\t|%,0`Z.xc]tu., lMሁpv żK5`ʆo!-^sݐγ'|ѳ2(tZDj:-t?W; TqN"n: U$jВ&VŠ)#\iK #zBn.N=B[kG,=rI,.ۙ5Y[¡u2,[|\=(FRUM& 61_dOUR͗mk-ޯH7ڶZl5I:m GAH5m'Q؟ݳ] y@t}[,̑y)eohf@Ơr>Oc [ V #hDz ZMeDz$d@蛜zᤫ1[1uЀ0$%ng"UL*u wrQ)8 .6# krk(u,<2ŤN!N%XT& [T+0 3d}5 <П)->i"X~d·B91^T˃yxk0!Oz $I'./TQ:^ .Nݵʯ?vAǸ"E!`)rPYӗ/1:r`F(k[F:2xL"$ͩ!^;FI[gw-0/؋zkTK`2,vZ^~@ژtAbKFl%=]koY2#g1' $폥Lԇ|'lOo[6l3s2nVIleˆ 1*D8A- }G+EVSJLPistDG2\]l9gK*=:pjiit} ,WXiI-OmJmJL\:)G6*Ndv#lK7YEǖ&b zP~UT34jx)P -zus "ݮ$ir~;]ιNDNd~W$0}I}Dz͈2ںfGRhrAe%}ݞ@(sOa 7iTh%%v牕ȵmE*5)v}k##RJc.ԩrsʕ3sܝZ~Zt' ^~{Zpat"/jQƼkc)鿷:tryzzwrm;pDiZg0Zׂ܉D, ,T`e0zpˢj6}/`e'?@|Zd 0"+ qj_Udv_#ab  *j!! yvV|'@6_!|wHf;yj ҕ Yf )٤E=7qDu&ױ 2_'Cq ̸uƳLJ8vO>ШK0f)XIaš\e9ZR@nV2^dyf}x ]CSD/Y,6h,F*&KSI͹zK>=PTPb-MGybtw2FǵjԄoD-JBax_nD"KkG|; ? &N®M&K;ry^,pO6mrar *1p]mS< !g9ﮣV史NJ jFswI(T?38s=R>#wz7(c&,x=h1BLn2g0 lҴ*N ǤiK` n7q2zl#?p[O 2 "* 8Nb:!/G,k- -W>zӬ'} F PMCl7f fRL}ّv2D? ɂ2zS,"WQȀ,$Pׯ4ڟ_K-GeH-7OMD-;rF⎕v72bܦYh C/INjk q3"]((vJ|ncH"?@ury6u{*=2&ilo]v*DmHHr:Z*kJS{C#+Żzg vqh:Y:!}xk*mߌ͌xjDo,CP j{AH|mE(w)]rC_f < LnjbNy5lEQ؞}1tIbCQ~.ٔ*727DOd"fyj3'AMLEӋ:2\1\4p5_< f`\)e&bYcbF|:mBuڢcj+-vbj#r| 7| 7Ojʀ4cKB gjMQǂ!f*` 6S Mysy0ZhevKM49uq3<l-dzXct'mUvG}ί>e/g*FZ;3[:'1ZZK %&&gmRҪjrH˞K{:,gcF3M-}EBtz^Eׁ̥w!,ʢ Ё83dVܿP?ow7b34W;ݤ| v[ u:S\AWbЕ5 ?Q->V Fc\p?1 E)Mr!08]8’(#q8T~DŽX-㮢$nReHd5WbgOsְ<83A-z\eƦUU.iBh݀ EDBL2ҲqSAoMMˆȂ(Fɣm}t`VfjZ˔2t3Uq?jtåW]:e_XŻP4 G*4|5MԨљ&0˖ti]_@ ˳*>VKr%]ru9L$_+,Hag:۬2I ?Ϊq"0u3em 9_'\߁K n oY0oXj+=ch hLd [:,wuPMbels[w~A ".,xXL5 ׳!y!au4^]@b f!V5re}`rëG'K">W)%Ȩ*PwNpO,O,f*4Lo{+,EZa`S+KtVa/&vE`L2.Je[Ӕ0=O #\V*s9o{٠ aܗ[HAY \\R\N)JP{62KgbHEJxf:f%XA~1jՖO5%rᢁF&Ðut 63F0k8W@tсrКr㑇^HQQslDUcHڶ Ք͟}ϹeaymF1OsWw p5H:mʺ tYA:˚ lrwm:]y"1 (@g[TۦH%tCBdǑrUzovxA8 {V8|ȚUSX_NiBB p1R]Ɣ4Kk~#>~TxF6S_;2RwR{R?=^켠2ޭgN.vC ?7钉#/ ~al˗"rl'YS5%BWܲG2PS a2cβԇ?BȈ.M\Az" H%x*&üI+7'Vϳh6Q.$`J1QF<*DJ!t7 j|hcg;[ )4I/+_)>M@XQ?bێ6մO3:hyQ'VU U#iM6^7UW[45Xs0l YҬSBi/#ۭz4J2V}#X9SxW!&Sx9ٻkkr2DZ:E%U QX)) e;z( AQ2#I礅Ly((H_o%PBj>6_GeK)K?hD]+QX+ kH&y`3cw88y- 960(+1tFھw0|(H~SO g8o;㧖7׊sN$azic| 4*^Jڊcz.Ossi9W(u,f(T3T#jtByk _[$f9g,)Cȏ"yуڰt島Pf0 WJ.FIx iE3 \qaYL5.m@+yGnk/Ș)[ j}"sNjj~LfJtk1Fm Pb̥B͡TD hk݉%.QgT MJ1(zd[F+="xB1*i?pu87fyL2$6k~?V5 AZw'mtY4P)0zgn~ŕ>@=1빒3- 1I,@.v/Lx!HE _8t2RO5[ \c=w@آW?BώưJfh}ԎxHn:8콤~B'!@XIW F>[4Bo;RrU,;J[ e'k=M~|:+s./a2W߲ Xl\A>ާܑĖ+!R,pSÛLiwsf~=BiG 5 F ƨ V-qed^haNoT'Wu}3E!dm3xr״.=ڬ2m~-wDL\!s-lpLz>$nh#]DL-Z(hΏ6=Hd3!ݴ09|Y 1w8n(ljm* g!ZٹҀK"Rf[y+WtySkqz~Z H)juu}& v2+9}4"d1ҟ?pq/7bWS]x]\ZPATQpjd2g7De6(s/c[2dɎh  + h{Ki!ge#1{SX?7UV€5ί~'m.S8>J-7UIFA33&9>F ?]$190{ R`~@\2"Ќ?P_[bmd4DrTS .Ss5uPƏ!pxzas꼬lg)C=>S:bcFNs֑LNlذ%!S40ՕaSOEI9~5xMJ8Mͫ,eUE/)[-. #߆ oe /e@Smgd&/sS0NqDU֒HѬJ-x|ur0mrM7@HzO;Q ɋ)1,)g]\ioGjdaE۾#Rc t &/ H`ڔ AMnj#:U.{X,9l}`>@Ǵ s^mAC6n; WFF+v'3 ~ EWp^mGD󰙚*\sm%b.2upY8͉bۈmvmOee8SX(6TZ04lPx6?Oi\6F 2?z諒4;KNUiy:`ZguX/D[6}M"+ӺN9a R|p\KTr^܎Dbw4"uF,Zh8ϝS!&@lXmq(w(Xe+<*u$}+.T 6K լI HH]WA^l`qLC:~B+ y"hq.yRSx,zuiK`1H_|n (GY /~kK4!(p)g~x/ vQ\*>Q',x2gq^\jBAM} R/cMz0dpqm嚔7F=C ȮZM=WYE my`aXb 2}\ϙH"XF P,)7cOX1b ~fm莣*ʇy@^/s#'_yŽ~KGDsWQ7 JMc&OD2Ig&b%k^vIHG?M/J{ nvi Hץ}rBe7l$a\B3*BF78*hQr3B1@{X)& 6;Q!hR_&٪ SU4bmf- S \MMɓaRnaڲDC .;5i)!gYsӛ'XjoLQ*Α0#ykJ%;nz6uU%I8`<؇9Q:YI~&׳C-)aPŜh<;\ ϣ̽#a^l0Uͺrg p5 \ 40Q&ź^w J ,)uFُK5} Gv+KYɞ4__K^/Kzԑ"4C\|u빿D6?ByjKWb?&0@3"' FQ9"q0XV3hCZĤюZc>6sNqʣR;x̲Fnw!N>b~UX{a9@e@t~tE1&!*N_WJQb>G]ՂȋwgX35C&ݲcϼXNo/N\wURB$RS*|p*\ Zre:b S8EJȿaxh&L.] JҹfGcNQG@(> Gxp9cI9lJ[0(_jLOܩuYIOe>1S|R>4CZ#.G7Um?"e=qҚaSL,cjf iX;88!C5x,\O:l&`xpJk'%Z}`eZ0{4/im}>8s$,i,p$ory'{wRi $$hT ˗]/89IsUg` ,:rDu5 ڿVGN@oӆ,吏$l.WnX0&~y%mLj@A J"{Y(ʅp;Kv> ]5{GQƈ–aBd99axT+kl-R`9L %8X1ڱub]g'N{i&!xV2Lh7MнJ+6Ψl_h5dxYo>Iudȿke~qM*}T찰Œ`'&=Y,~a\簃dgFW{wr2t{1&;D' *I)cO騝)&CS$NXEy MZ|r=IHY䀢5N',mfD8;%=yD3qf 7>t]ғ2J[3=p%{(߼QsH>PsSt6xQMGqAcqSh6PnX1KD24Vk1w,UhԲnu.,+}df{z59VR+gSv|fҬ5IahArx37(Ra*<)_t%KfPNK9kWk8Cӹ <3m8yTg,vl`~T0<:f;6W2]/vL.2wWURsx3;Gt[+&f0ʅeXɺghU3-pޜ/4Y' 3x>=FAXU~vr1X 3i0`Pγ?K%G*>ۮ_׿Fx2;P#'d!vw-7^|S\j(T6H˫@EAPD{ Q0>ra.Q'3YDɿ( L1@~y,4 RAhOkA~xlA)a \`̍Cn9H1N]BwNoۃ3T<ܵ/I[RrpkW&I 5#yg4 @ϲ5i$FN˽?J DxQD''x>^d&;6e5%11+I+c9>O0'O]L2j/Q|d.Rm9Q(-sli>]872%"BnC6P#OtŻc?toMPb$e.(We>MLsH'xORєR幺F^>VPy#4ɨsW7^3wTfBAab}R@5?#JG5JP3 #IZDcdt]D̢,!V':|6a~ /z_?繠 = 5/۝PM4An.PÀuMn i\ݧ)7x4h1yko|c߫zZ^kU< ~_M]YWj0&lzlЃHr34|= ioT W2/&<>-L_P,?[/TYCJ 8 55 ->~gM@7{N PӾdN*L5#ЁBlT_U(71](*#-£6}T Xi)$J'qJZPAV{CK13`|v&Ktx*`YKrM@.ݙ78 -,2/{] *pOy}FgQ@b(|t4^$BN9yʩrƳ!-'5(zLubFk6gJVoXI=xFa_88-Cir|z6ղaLy`΍k, J[/Xri,EpZtȚ8AlLRqV79> >#(l!@9lRxW2rLZ W(^W+3E_6Usb3gQN6 $ pp; =AS*e;׃_(=V~yayf9R#;z1g[ M+3$07Mı4þtu92H ~ @Ca5U|uȟG9 /_Ȃ*kT","S ns[(T&"wc'bԏߎ$ϿsmY.фbQ4$0]E% &qOǙşVDs"aENs*fW,[PW/!}zםے\Qqr[b* SH͕ 6[85fXrQL:Z}D@M3o`"?6>bxF;#kaF};]k}Qea1YF}n`$a^ ,FʢB^bf0)7SLɉS2%ܮR'oEʕ$.!&RcV5 irᭁiG,1JlgfbFiqGŠ]F~CIȞQ$mLJ 'ʛ9CgfM>ҿ<5C, (Ǵ.q+9"Q}\- FګN^~n=& +֮(ASDz }*B4by3c\E'oD{\{SѲC{ϫsu:錒Ϥ_PAf3(Z>:kE64HRKK5. @=rA$P=?t}MR4ס}nspy4dO_/!z+ObD/UC[{VrzŜ$AMyIT'GJ v^g}R *RL5;fiNav3{JڏSܐsG+~}q nul%PN$C1@F(.Aa!Qr|H"'G 1wB>7z!C}?V9̻Q<>ѽ1ƺ .n51 N|Xf-jt6/{3thgU.xz'bd.`/ ޖ 0#DghL)tWe k0 }e :_nO귷K?zaVӥ";At Uiv±V~/8nG`SIx欛7 1+UfLK3ܔkU1% _*.imz'KS|/3E^Hi'T_f=;VKwu#(zo3nb =LzE'|G U0$+QPcDyl_rBC$*BmC,c0# ) +AvCO7TߢHOD) ikT;/"SMI mʝ|;i%oH0ծ~+(ZzU-RX)UW,ҖIwDž2B^{9qa,iJOԄ0t!d2&^\ڢ~8eݘphܫ"O V!B/4OݾY"6XVthXX>XhMH;ŎS=c\k@VG&S0Wc5? 2FP֥ YA&hV10 v'.`A[6sPV]jŠ>R$x|&a,"Uz&} ] M JdpUQ`'f+(x(iA&5[abb8*]3rUI܆"5q jS-,ҫzڏMbW`3/rE_* NSp88 O@};rq3J^m殦=Z_vGM^w}|:Yi;Ղ8[2bX3!vQS {R/mۥ%"% ] F(e Puf05K<1V~M$`ԩXsaSge5?Sh-fAt.w@w?Ҝu2jdx+w2昕量T^/xZOe=,cV~>ಊͫQ~_w.V+ZM17&9_0N*`}{h6UVQߢP={PxyJˆ1o^`ǀOP*I!ዘV!lP[ajF1i gÁ6"ꂚr1|$ȫ&5_9 IR M$q1^ΗiDb(;0fPT%&/ũ'W,! ;IHEXU@kt >utyMI ;Z&Î%wgTh);;PJA/UԆawǦH05Ǯ0d͖e UVasz0x57ۨOk7ATE;Jv^oeZo&GV~S_>KI T78UfK?x`ɜ[72Oej`EHu|_*׆JNVU\:!,nj2c'23ܗ|@uF~n^*SN$<3s{aA K V"= zk:V`<=<C^a bk2J'UӃ5/n=ݡM!Na0n/2Ɯttm:¦+bYBtHNfH|) x]&_YR;cr FP Rh`{*Z,i#DG"ֆ>{=Y G,'ifb\+ty ̳JO8!ЋߟAJWi!Vg,z tySмojXl(@Z(ďr6pc^3'R.83V{:KH*QeXaRmI`}Y#t~/nWJ?vT&]~[}3GS6ǹպa vzN]!^fh/9\?d}"I8f '05\݁A+#N\y+F/:yvZJ]/t?Н}o2K4$ƍ"6<SA%%V?B**l6qkUI)tX;a?5'FЋ;KKp U;yb.fc Xi٘ñsKaL>\${*cA@>5.0%:3wVsq|菗tڼYRU#.wyVx{ɖۇ gn^:c'vǂۍ3U{d;Qӗ}jfr/\9U{}r#L/28\K#Q%˺3PpB"N/G[cqD8״Sy5RQ]D ()n+YdoO9^9q|zA Úd68CLʦS+kf$2]G;8Dm-MpŹjf KnZMn(:,ʎS4t(CQPdq|'K]־4v+lu uKE@W5/)+ܭ,ѩj&j{6wAg plqc=G/ٌ;e~"U]<3y{D2wUFf;zLl= %~E.ġVO_ʇ\@󴇶4a~4j3Qnc=uPLs!6 '`텰]FH:)FD^_;eTU=So٤^4|A =$k޲'-;QTիM 7?#=txJسAoЏ hUNc6%`\B)?6U= jaYhҩ6'"L;Gp$ x3ۃAyxwMn3yUIxo,4WV$ǀLn/x@SMO ɶ}Ϡ\ c{| :8p"ty0>gQe9]p((kCRg\ ﹏%$1pw=/Yr󗎋3;?4 G|ԝ4i&0}"/N/᫬ /qBzvBX?4AzM24c&Ike 8*lm_*Q ǿZ&ONua R,.Ҙvm…enCI(` Btz5r|$%ZͽkQ1lRAP[?ẍ́NBi.w q0}8Vٔ,K)X7PJI?Jz?-;TAUM0En~t徆wrODɼSuJ8@&K2ד`oh+x0" ;],7{K&%?xh }hԼ?BbZʵ3.&WۇOݙ%uyo1oqA m\ ֐چPv6 p?sjݻ}\s1Tq#F Kƙ)bKNYX}٨:V Vɜ` M'gwo㏓%آJ@ f-(>hB`;D1enCoX@3-P#Yin,%fq` >a&C)?cZQwc9$TJTqzгd &w"`m_h.0`?̪}Sw?;Lo:dZrxS LiUgHo"d02 ̨ (ycoI~w\#K|h6]Q- d/zG] ﺂ >"ո޻JeJ-Vx[iMC/b*HQЬtRiud Nw+b1ʆdU l%x*ޥ$ τ-`r♆5*76y8$w9h; Cv6$ͪ)j۽zkP" xy#dd[ӎ(poqn0RMk{e#}k* ml4AHj}E̕b ー{oZdFRHoF&#.flV-*Q%YxNZJd;Y˂]K%̊$N)[8#O[l3mj4;qj Dt;쌺QiQѴYT&dTy &h6h%0AЗ[L8 &p)hgN㩑.ױf^|xd_C¡WPȑS#Kg2RP׿Vxs9Hg#qYꘀ:=YmI rZ8HiqYǢDG.CM46kٷ,WDLa.~ ʥ8^,q\~󖺞F :ge]4_1eFhQ:Kk@y6JU*T ZZUUTl*[+PGjHc TI%k)̕,d*N V{S*u2#:_V[= ftHr\55.Paȁ{Ek$q HZ*k)Dh5Hv` m%`-X¦X=?:/3qYC4}j:]_')wAۃRS6}nq-xcS j@NMyfgo-*LoTà_n|kKosgk?7.ٳؓVJӳh}`7Y۸`Q Hlf@n£[R""# v, 48BHeIxS Lf S L):O3̨^YY8LXY ]UNS$>8 I{aX+&0 ̽QNj=^!zFڴtaOUa0Gyżim-=5efl+3k!i-0@=HU f>0s#>m1.WS(e821cT۫/P2hgllGѮS3z [Fbѫ[@2Dbk!Qz-vCjKq+r{5G9xnY[MQBշA5<ݣra`<'LLOe#$ zlEUQ(;A- nA)X&}|Z1!ج~D{FN輑b2çkv>k lYSĠhW;yB@tQ5UoFBo8%AI*QI/LE]w3?u2`$U׀5)owr;6}Si ˪~Ýj\\4mHx,E|{ /]L#_[]x3n[DҫТfEZ.M0fz3 teH=~kKa+(;} YYD`&[ա}* ~|tiM [PUQHgcփ &bi~cO]1NLYQBv;޳,G2״KXV4RW<ѣE [ˆkVx:ue@5G'Y7z@8G?~@: E"pAl&6?Dt:Ʒ xbCzt n1;'D9psз&,g\)^ZF A>oay%QQit}CY py^!nkK^zqSa|*'SG2Nϵ?[2doI2.yr8akv?Ox'ص|+Q}}k˔ܥuvZyJA^je$EWd"lnހq) ֎U9,]g’j:#Y |γ Q;[aiJ{ØղfqHDp;-ev exaz 4[y_a1WczG((8:$"zU,pY bTcExz%9 jʮ{p1gN乯믫=O;>UI$m~6!8TRGG1*0ӯlq^twl/_J4\ =JEu<9WKZl(P58H^ԥsqŶ{ʾ>J1%D 3;)cn Ƒl撨&AA]V[sg,+L@C)ƴRɰv8ѣUGd=uf8 '5fg[T7EKSm}Zїp ~G~b3ʐYk}?(=S];cXAɷz,4m8bk>WY'֬on xbա) [cb|F=D >8L":adhj0hE^캸ˣ3(3pf%cwBIb=SUBmN˨Ʀ6c)/JgRjF19sƈd)P~{Um$ Xi=Ti!Ch῔ @|_$vlMV4^xKjY•=E.Y@T0v+ft5& Ò gks_uycJO/;3]U7B7ﹹ| qtφ۷c$Nyℶܸ@} $(4peٰwөwJm)*`u;I' q/9/1L,ʦRR_x'J"Go1L}8wp!sicѼoD 3/. <1)qzC@M.qAfyN&åd"V_[?K7@^gݥB6Tߕj \Yl404[߅mV #^ Weg@D, T~3\-H$jt3ʰIb~ [0㶗. ?cTfI < º])(Ul)tws*Kol-ֲqLBfjGz.[$Q2uۊsdz >Mf$eo`*LF%%clyHhVǷuq{J-ZSvn.513ŗRAO,S:2d{ߘ/$Axh'8g7Þz7m5}ճxB`SsBh! CaHzOfʇ`RNka.wyOA\쐸we·;QzEal*JeȇX/Yՙנ6%޼M13-Q6dY%b'Nu =ۨ}UR@:ksMgxRn'p4 bۇP=n 6˙e/Yg0 ZFh@ѰjfYlυtΗ4iF"'ns:c/0I B}o +<8k~U8Gk Η  n?D"M㢐8) *! D(9"4Y&vR䝨RIrEҿ( t_~]~qevbҽ#c){CJFB'WDq2=h 1z\4 I0vAImxkLf޾CL0Ex!c]2aRի4[/^3 ֺx Uc}*+t;%xsK0Qzq,v|K+fGqgz4 UMr)MVpfܑI#xCO+/>".ۡ}#J%r^vb(}޿3O{ $;)VI3>{rIy[Ʈtg+]6(lKI&te)_~+8-?93sGV?@˟@dj* ݍh1QCcCxR/W7wrbf0ft=D,4)v"R]Ҩw (˹̦'.L5(D*=Bμ:'7vI՗&›zԪ򍺐pkӇCTS ʙR9Eq'Q󷯁|ʇbaןQ$RqP59i}e؉n#ugM>8fiq zgV<2W>%w7yCC 76*oNGK֐$DĜA=Cb6m N3Ga)uhORĥ :jAY7CLlErнLXMdܢɝ\Â^A_^,BW [1rz9$I,W^v(Z$bqN 0wAdH *eqjZRBR E4><Ϙb0ۚ41bê}Z]IFzZZf5pG#ɟBA'Y+.w(e (E DN[»wB̶_,a/bW(S̲]CnǵtЕ886m;ۀ?VSG#9&!4@) F @/YT0H!F246\a5nN|ɾ͜@PBTP6" Җ:2hwf*]=j~N[:[am&t)-sPֹE"JUQ-ݨOPw5Dq@xPP3ˤ'~aڶj!xI"$ q ~@=JED9yY AOqݓG7PtNwd(m+ x534SkP_ǐMY8]^/U$|A93pyd*6{Q.~P:aG.!SZݛ_*ěQ[E6 '.&L$;uI lz9|g?Q?pѿK+QJ/*9;G8a {AV4=9mDƶwϹQ_ ΋Og\R ,8lO\ %Maܧ6lB%-=52K {8JA.h%00AtxU\jN%O*\MYd. M.`Y 8*볏\59 `Sҁ&Gjjxە*aw|5,{=Onfr^4Hta4(Epء=ݒʩZm8>1$*!fM?XڗDR wR_߬<\ӡ`\c"27p)mqj VŌT%P,?Χ$| |FkAٍH>:~&o9]B| !i˓\0Y &klpQ|rZ`[2!Jp=a6n|N{ ebn@|;5Yܼ3J(kU s ePl˥Aªb1f+6LJ5iRxjGUsd2j4ota,uQ4=ZA:`@D4! TH`srH{r8d]HAvr햭j~Hb"5rΨW9r*fYyc[Ķ"a)ϏqP@W@uQF7,P}6~VkR纞V9O3=ƕ{ĥ#&1ymGTʳkeFhItv7qMrMh%:h'6Q 8c&4Ntizlـ-zI3yQ8 2VKSo0՘" _s=DZnfxi[nJ@g{w߬V\{jќޯc2ܮ+_?yWg9Nm =*b9,O Z b0!8g/ը+.F!lrwaS)(hԡON/M+4yo/y h]e(ɧdQ=V|^ 7o!WV\"KH'+NkohDhyh[79D*흨+0Euά7!D#F?-Ep+!2J5B*w $0X`yf9n=R@󰇔Ĵqwpw8"%uAt€$BiT!qsy'Vf ryHS" lԪ`&+ 'dj?MNJ.)LQ#ǭ.\W = v- aPzٳ^EaL1A+ ѩ'[MߐФ$=ZN7>:!,Cmꎄn}nB Q;Բ9-PȕY'?lTVv-&g#i<6U0ߌʔ v<յ0}up/"rWxIK6\bS EuYݎJΤ]d:PBKm^qg@Uʥu }Нԙס}2;ݝhe="8J5t0AKe9bOv}GI gR $`&V^TTwC1>$Mz BQ$v ,lrp9XJUcFb7hK.N=$ǹYr@2nnJu"ɯҔ 8w4I6-ey ;gJӐ Nwv \TrI dr&\&^8ICӌy+c>7 5֠(>d}0Xf2vIͨ64?K^n7*w|^gP88v %"֊¦lFIU_"ڥF[\{#x Eb3{2pvM͝wجSԝۮ1]Vvj*Q++ֻ4Ele)…M3C0EN0hu/,M[u:)B0ÕakkK0Ҽb*&LAY;#٥,p8$2iB6XiK;?w&ѝ @ͱ<7XXW b&%_|'ǩ5C':'bļ'3)׋xq^KM ,S[7Axմl!2kǁJcarᄋBC#E BfVټjo劽"߾20[a#gY 0{ |wd -˜-/,ICX^sV8Ϝ\rPNΈZC7cKk(- q',ۡDkAs(Dur=^h"J`|($r͂tǬE <<2B\X,PUgr") 4`eUd- ~ 8XexMkmqWAGIT3P^tmxj{h9MXyP\ ]E6Tڞgm/a@TYR:k>{'.Q* ԡ&D**oJdފ<."S:k+mWM\H4"Uk|le(YUFmy.ڃ}@}c1ЦXFNNn=\]Q&iS=0o"#3L# ?3(L9To=N9vLcKt~'iXCsX-gc.L;e ꖔCa5{9$-`zqA$ty'Lѿ󊠕 Q:~rY1?1K&}P'W=tKqT3?3R\cqe;.[v8\@Y]0,kK{x7'jr/~mL# c>^jrU!3r0}3 h$SLеyP_Qp+j eLrS*$(_[aYpj;V ޟXu hC/e+cDCmBkD_eW݁*^F:[^MPDOD[TE P7U2lHͪBD cr2{*N?zBmj =*p&nH@6^F͙kgrc[*F [ɐxw2[XvKɧ5+Aqf7 ncɍ ͡Z\n I ZWooEҰXEK14rvFM[5OVMYZt;RHCmG DUĐBɆKvu~)#;Mh@ejk< Ӕ%E i&ź}0=ݝ*7L&HpA#m|oSsVJy8Rz gl/Hda2W!f~JKP4F3+NQVH=t^у*mF{ )bK t|ҥܪe4H7iL&|5W# FUnw7fD8+.<< R 6ʗL7O4s3Ivz#cҵz-E ̀GF}s;jq7׮q9߉u[|%Wd^Mֱ"CsZ_kb($uC s6g5N\ M5q ;p_Gκg,.Nx*%S::ez>enϟmGS),)?qʸka?ՓFjdl+NQ: ?R !(=#Fȑ/z8 A ?14o^LOžN s~@@mn9)W."" 8TyvRqo );(g.C5<# U- qMm +،58fi_5`_WU?d_tZv>?/ΐϡ{=A]"=J,bx@`'P9i IUW ^aT9n&lAs- #:{cR P7P 7h\(:U;/G]4{^|tJڄ)Pfwx-9$8?FU?',2jK9LVgidT-;E#ܣ& ?8fT:V3"s U5 DtFKlpRT;79L0ލ'>ͺu3@ w{UVp'MeA:wJp7//'jTROJ(\L 'kRTXmY;j:3ժ!hTP2 f|HlԆ҄`ZqK@'4 4Ђ 3Tх\~BΏgTWSHa,nK\b.aMkދ:9 ӸQlUĔْxbŠWGV^NO[XM{mI`)w6,Pt )=>F0I`rjiXH?,+5 Ps+yry$tѻ.՟ 8S9 ʀ6޼_ӭUsOxlFAѤg]wN sf\$_KF8@|'OɥC봑tWiP%lJ.6^q('qTIg@KhhCS8$*l%vcG[":(gՋkPeGw,k4sE*4y!uR,,~/A G#}˶spVFpi 9[Bܖ::_>UyG ABQܮ2kMؒq{2L∷y1U:#]+ 3$H̝36$k@ ɲP"zՙJAaArԄɜ`\Y#:?@p ?gbd-3~ae g_[U\*Jh/g 1b}暗(@8T~RT_xP" HԺ$/!|0>K߁Hw f6'BBd8^rW"57.yMsۃFD4aKGIgxT֓9FO¸d"g[Y͘Xm˦jޯQ;6vq*<4 Q7㧽09M4X֓$7_n"_x 3E{Ύqm*D ߧPg#=9zq$j5E]{=j,,Xy/la@1F X@?RKa0=Yt'N CXpdB,}tY⭹?sGWr;Q`ʳQ^*hc ?[1hIi.P`Vӊ P8 u6HMėYL_\(p}Ro9BcY*/ _)yd 2*:|]<0(7 _f"e ~/Rt(ʋɼd\u)~L#쥓S?|Hұˬuir ^wwtXinHɝFqZ:X4h_}oyWOiliP_ݦaaD>MutGsͻ[T[TV$8A/oTb211]4ˀk׏}kdL8]xzgWjH1]:GuLp|=wp<1gSSf >pm}tNC{G=, DlmǍo35r9NӐOy&+]?gBjD(5 ?J Kc ow^܀*݊wGpl :1"f >9bmD>/"@P;AC z@+g#ёjѣ >X.?Sa"`L1d{aG:(yp?H|.6dOֽ?h&J̈٥Cp&?;>,HG~) Ӥ-K5}y ]𮲅c}"acQ*"dy3KD>;0^%" JME$|1ULV{^UYh,~ Va߅-] ;f]JX >4pLRªپErk EdadA\TV$04l 0aBHEW *((QE~m n0 L*Jlz6^`ޣJgɁIGʅIh3Qy]9^rPdI^ϣ*cO) j?Rt5@pU/XE`*LhV>_+5\c7yW7J=%AKڭNB d&pFZJa _ Ÿ-)^ۤY30A-Y.]r4b6X>iw:k^e;* ^Ri+B0ghG`M11UP~<.T?P xݍ#ZC&lP*MfUoUQ{!d83^\Y>c;M%׎&D" %H=W:E&zO|쇸wMNu6>xCvXÁþCT˲88\LM}AVR533鵡b{;>1ү>&sdXyfC0мiE+q4֮}[tüK"XZ* wW<1 L7]<t>֞Mճ7jцh VoFjIgeu+r8@>8qʲr!S@9~uE ( Ig [ C.&"ϾegzE JqO3%){~1* Frfv}JqTha[o2e0L1<*+|yn0(,)B-v4v2;O+C\Y9aO7A5!ueQU4 u4&4,K[8b_蠊Cˉ-Rna/9b:( rT%a?GfoYv0T4bvFɒz&+ nhNI/uK(U~=be}Nqؠ<%5I{[UB_)xO]>}ڼPY/wW0riu2!)@qp#ٺXX$CU7c,zYbC~0rΘ -oTP+s:2 ˨fN;Q-|S` ?}S0COx&9}M˰s^lF;y~vsVg%9R?DB޷&CwI[2qG^j1ʉ^Gy=\Zc 1Wy|Uyz>6",) QƢZ*`pc$3GhFF=ȋk#;ۭx{]SR$bMzKG{ }'2֤{k9LmisEsDfn_ӘVX%FUhw!R 0eʲ}1Bz,bGӯ YU5 DCI%ZRv(0uPU=17 3V&% "鰐d`KPvV|B[0q4XހWKJ'6gA7 , YZ