libsamba-util0-4.13.6+git.211.555d60b24ba-3.7.1

Name: libsamba-util0
Version: 4.13.6+git.211.555d60b24ba
Release: 3.7.1
Summary: Samba utility function library
Description: This subpackage contains generic data structures and functions used within Samba.
Build Host: sheep90
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: GPL-3.0-or-later
Packager: https://www.suse.com/
Group: System/Libraries
URL: https://www.samba.org/
OS: linux
Architecture: x86_64
Source RPM: samba-4.13.6+git.211.555d60b24ba-3.7.1.src.rpm

Provides:
  libsamba-util.so.0()(64bit)
  libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)
  libsamba-util0
  libsamba-util0(x86-64)

Requires:
  /sbin/ldconfig
  /sbin/ldconfig
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.14)(64bit)
  libc.so.6(GLIBC_2.17)(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.3)(64bit)
  libc.so.6(GLIBC_2.3.2)(64bit)
  libc.so.6(GLIBC_2.3.4)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libc.so.6(GLIBC_2.7)(64bit)
  libc.so.6(GLIBC_2.8)(64bit)
  libgenrand-samba4.so()(64bit)
  libgenrand-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  libpthread.so.0()(64bit)
  libpthread.so.0(GLIBC_2.2.5)(64bit)
  libpthread.so.0(GLIBC_2.3.2)(64bit)
  libreplace-samba4.so()(64bit)
  libreplace-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  libsamba-debug-samba4.so()(64bit)
  libsamba-debug-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  libsocket-blocking-samba4.so()(64bit)
  libsocket-blocking-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  libsys-rw-samba4.so()(64bit)
  libsys-rw-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  libsystemd.so.0()(64bit)
  libsystemd.so.0(LIBSYSTEMD_209)(64bit)
  libtalloc.so.2()(64bit)
  libtalloc.so.2(TALLOC_2.0.2)(64bit)
  libtevent.so.0()(64bit)
  libtevent.so.0(TEVENT_0.9.9)(64bit)
  libtime-basic-samba4.so()(64bit)
  libtime-basic-samba4.so(SAMBA_4.13.6_GIT.211.555D60B24BA3.7.1_SUSE_OS15.0_X86_64)(64bit)
  rpmlib(CompressedFileNames) <= 3.0.4-1
  rpmlib(FileDigests) <= 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) <= 4.0-1
  rpmlib(PayloadIsXz) <= 5.2-1

Changelog:

- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).

- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676);
- Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574);
- Update to 4.13.6
  * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572).
  * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574).
- Update to 4.13.5
  * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634);
  * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992);
  * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604);
  * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593);
  * s3: Fix fcntl waf configure check; (bso#14503);
  * s3/auth: Implement "winbind:ignore domains"; (bso#14602);
  * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617);
  * s3: VFS: nfs4_acls.
    Add missing TALLOC_FREE(frame) in error path; (bso#14648);
  * classicupgrade: Treat old never expires value right; (bso#14624);
  * g_lock: Fix uninitialized variable reads; (bso#14636);
  * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898);
  * lib:util: Avoid free'ing our own pointer; (bso#14625);
  * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);

- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.

- Update to 4.13.4
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605);
  * Do not create an empty DB when accessing a sam.ldb; (bso#14579);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * The cache directory for the user gencache should be created recursively; (bso#14601);
  * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);

- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);

- Update to 4.13.3
  + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210);
  + s3: modules: gluster.
    Fix the error I made in preventing talloc leaks from a function; (bso#14486);
  + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515);
  + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568);
  + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590);
  + samba process does not honor max log size; (bso#14248);
  + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587);
  + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
  + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
  + smbclient: Fix recursive mget; (bso#14517);
  + clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
  + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486);
  + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
  + interface: Fix if_index is not parsed correctly; (bso#14514);

- Update to 4.13.2
  + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);
  + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538);
  + daemons: Report status to systemd even when running in foreground; (bso#14552);
  + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553);
  + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486);
  + provision: Add support for BIND 9.16.x; (bso#14487);
  + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537);
  + libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
  + docs: Fix default value of spoolss:architecture; (bso#14522);
  + winbind: Fix a memleak; (bso#14388);
  + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
  + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486);
  + nsswitch/nsstest.c: Avoid
    nss function conflicts with glibc nss.h.
  + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
  + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
  + examples:auth: Do not install example plugin; (bso#14550);
  + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);

- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).

- Update to samba 4.13.1
  + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472);
  + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436);
  + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);

- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)

- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency

- Update to samba 4.13.0
  + Require Python 3.6
  + Move wide links functionality into VFS module
  + Deprecate NT4-like 'classic' Samba domain controllers
  + Deprecate SMBv1 only protocol options
  + Remove deprecated "ldap ssl ads" option
  + Unify asynchronous DCE-RPC server; (jsc#SES-645)
  + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
  + Drop internal byteorder.h header from util-devel package
  + Remove final code for the AD DC LDAP backend
  + Add AD DC Group Policy Scripts
  + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
  + Fix %U substitutions if it contains a domain name; (bso#14467)
  + Fix krb5.conf creation for 'net ads join'; (bso#14479)
  + Fix build problem if libbsd-dev is not installed; (bso#14482)
  + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
  + Fix idmap_ad RFC4511 response handling; (bso#14465)
  + Fix panic in get_lease_type();
    (bso#14428)

- Update to samba 4.11.13
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497);
- Update to samba 4.11.12
  + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);
  + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424);
  + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);
  + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + lib/util: do not install "test_util_paths"; (bso#14370);
  + lib:util: Fix smbclient -l basename dir; (bso#14345);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + util: Allow symlinks in directory_create_or_exist; (bso#14166);
  + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358);
  + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);

- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);

- Fix net command unable to negotiate SMB2; (bsc#1174120);

- Update to samba 4.11.11
  + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159)
  + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160).
  + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161)
  + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359).
- Update to samba 4.11.10
  + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374).
  + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350)
  + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413).
  + Malicious SMB1 server can crash libsmbclient; (bso#14366)
  + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382)
  + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330)
- Update to samba 4.11.9
  + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242).
  + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296).
  + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237).
  + Missing check for DMAPI offline status in async DOS attributes; (bso#14293).
  + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307).
  + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316)
  + smbd mistakenly updates a file's write-time on close; (bso#14320).
  + RPC handles cannot be differentiated in source3 RPC server; (bso#14359).
  + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313).
  + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327).
  + Fix fruit:time machine max size on arm; (bso#13622)
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294).
  + ctdb: Fix a memleak; (bso#14348).
  + libsmb: Don't try to find posix stat info in SMBC_getatr().
  + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680).
  + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095)
  + s3:libads: Fix ads_get_upn(); (bso#14336).
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294)
  + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).
  + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324)
- Update to samba 4.11.8
  + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);
  + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- Update to samba 4.11.7
  + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239).
  + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283)
  + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258).
  + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270)
  + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247).
  + smbd: Handle EINTR from open(2) properly; (bso#14285)
  + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247)
  + winbindd: Handling missing idmap in getgrgid(); (bso#14265).
  + lib:util: Log mkdir error on correct debug levels; (bso#14253).
  + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266).
  + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274).
- Update to samba 4.11.6
  + pygpo: Use correct method flags; (bso#14209).
  + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320).
  + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209).
  + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218).
  + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122).
  + smbd: Fix the build with clang; (bso#14251).
  + upgradedns: Ensure lmdb lock files linked; (bso#14199).
  + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182).
  + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101).
  + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219).
  + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).

- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);

- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);

- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);

- Require libldb2 >= 2.0.10 after security release.

- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);

- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).

- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).

- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).

- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).

- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);

- Update to samba 4.11.5
  + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850).
  + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852).
  + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888).
- Update to samba 4.11.4
  + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161).
  + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174).
  + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176).
  + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189).
  + Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
  + printing: Fix %J substitution; (bso#13745).
  + Remove now unneeded call to cmdline_messaging_context(); (bso#13925).
  + Fix incomplete conversion of former parametric options; (bso#14069).
  + Fix sync dosmode fallback in async dosmode codepath; (bso#14070).
  + vfs_fruit returns capped resource fork length; (bso#14171).
  + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116).
  + smbd: Increase a debug level; (bso#14211).
  + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153).
  + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179).
  + replace: Only link libnsl and libsocket if required; (bso#14168);
  + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175).
  + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846).
  + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).

- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).

- Update to samba 4.11.3
  + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
  + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
- CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- Update to samba 4.11.2
  + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071).
  + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438).
  + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
  + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140);
  + kpasswd fails when built with MIT Kerberos; (bso#14155);
  + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106);
  + Stale file handle error when using mkstemp on a share; (bso#14137);
  + non-AES schannel broken; (bso#14134);
  + Joining Active Directory should not use SAMR to set the password; (bso#13884);
  + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152);
  + Deleted records can be resurrected during recovery; (bso#14147);
  + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141);
  + winbind does not list forest trusts with additional trust attributes; (bso#14130);
  + fault report points to outdated documentation; (bso#14139);
  + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124);
  + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136);
  + pod2man is no longer required, stop checking at build time; (bso#14131);
  + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129);
  + username/password authentication doesn't work with CUPS and smbspool; (bso#14128);
  + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);

- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);

- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).

- Update to samba 4.11.0
  + For details on all items see WHATSNEW.txt in samba-doc package
  + Python2 runtime support removed; python 3.4 or later required
  + Security improvements:
    - SMB1 disabled by
      default
    - lanman and plaintext authentication deprecated
    - winbind: PAM_AUTH and NTLM_AUTH events logged
    - GnuTLS 3.2 required; system FIPS mode setting honored
  + CephFS Snapshot integration, exposed as previous file versions
  + ctdb changes:
    - onnode -o option removed
    - ctdbd logs when using more than 90% of a CPU thread
    - CTDB_MONITOR_SWAP_USAGE variable removed
  + AD Domain controller improvements:
    - Upgrade AD database format
    - BIND9_FLATFILE deprecated
    - default process model changed to prefork
    - bind9 dns operation duration logging
    - Default schema updated to 2012_R2; function level is unchanged
    - many performance improvements
  + Configuration webserver support removed

- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).

- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).

- Update to samba 4.10.8
  + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);

- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.

- Update to samba 4.10.7
  + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010).
  + build: Allow build when '--disable-gnutls' is set; (bso#13844)
  + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973).
  + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008).
  + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
  + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046).
  + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015).
  + lookup_name: Allow own domain lookup when flags == 0; (bso#14091).
  + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932).
  + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915).
  + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949).
  + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967).
  + dnsProperty fails to decode values from older Windows versions; (bso#13969).
  + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973).
  + third_party: Update waf to version 2.0.17; (bso#13960).
  + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051).
  + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).

- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).

- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).

- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
  + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956).
  + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964).
  + samba-tool dns: use bytes for inet_ntop; (bso#13965).
  + samba-tool domain provision: Fix --interactive module in python3; (bso#13828).
  + ldb_kv: Skip @ records early in a search full scan; (bso#13893).
  + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981).
  + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002).
  + registry: Add a missing include; (bso#13840).
  + Fix SMB guest authentication; (bso#13944).
  + AppleDouble conversion breaks Resourceforks; (bso#13958).
  + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968).
  + s3:mdssvc: Fix flex compilation error; (bso#13987).
  + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
  + dsdb:samdb: schemainfo update with relax control; (bso#13799).
  + s3:util: Move static file_pload() function to lib/util; (bso#13964).
  + smbd: Fix a panic; (bso#13957).
  + ldap server: Generate correct referral schemes; (bso#12478).
  + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941).
  + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942).
  + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204).
  + ldb: Release ldb 1.5.5; (bso#12478).
  + Schema replication fails if link crosses chunk boundary backwards; (bso#13713).
  + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799).
  + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916).
  + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917).
  + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947).
  + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939).
  + wafsamba: Use native waf timer; (bso#13998).
  + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).

- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
  + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815).
  + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816).
- Update to samba-4.10.4
  + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
  + py/provision: Fix for Python 2.6; (bso#13882).
  + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873).
  + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861).
  + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
  + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
  + ctdb-common: Avoid race between fd and signal events; (bso#13895).
  + ctdb-common: Fix memory leak in run_proc; (bso#13943).
  + lib: Initialize getline() arguments; (bso#13892).
  + winbind: Fix overlapping id ranges; (bco#13903).
  + lib util debug: Increase format buffer to 4KiB; (bso#13902).
  + nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
  + s4 lib socket: Ensure address string owned by parent struct; (bso#13929).
  + s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
  + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796).
  + dbcheck: Fix the err_empty_attribute() check; (bso#13843).
  + vfs_snapper: Drop unneeded fstat handler; (bso#13858).
  + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
  + smb2_server: Grant all 8192 credits to clients; (bso#13863).
  + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919).
  + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
  + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452).
  + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831).
  + memcache: Increase size of default memcache to 512k; (bso#13865).
  + docs: Update smbclient manpage for "--max-protocol"; (bso#13857).
  + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937).
  + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939).
  + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860).
  + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888).
  + ctdb-daemon: Never use 0 as a client ID; (bso#13930).
  + ctdb-common: Fix memory leak; (bso#13943).
  + s3:debug: Enable logging for early startup failures; (bso#13904)
- Update to samba-4.10.3
  + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).

- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).

- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
- Add ceph_snapshots VFS module; (jsc#SES-183).

- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).

- Update to samba-4.10.2:
  + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834).
  + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851).
  + py/kcc_utils: py2.6 compatibility; (bso#13837).
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869).
  + regfio: Improve handling of malformed registry hive files; (bso#13840).
  + ctdb-version: Simplify version string usage; (bso#13789).
  + lib: Make fd_load work for non-regular files; (bso#13859).
  + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816).
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854).
  + acl_read: Fix regression for empty lists; (bso#13836).
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832).
  + s4:librpc: Fix installation of Samba; (bso#13847).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853).
  * ctdb-build: Drop creation of .distversion in tarball; (bso#13789).
  * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838).
- Update to samba-4.10.1:
  + py/kcc_utils: py2.6 compatibility; (bso#13837);
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
  + regfio: Improve handling of malformed registry hive files; (bso#13840);
  + ctdb-version: Simplify version string usage; (bso#13789);
  + lib: Make fd_load work for non-regular files; (bso#13859);
  + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816);
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854);
  + acl_read: Fix regression for empty lists; (bso#13836);
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
  + s4:librpc: Fix installation of Samba; (bso#13847);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
  + ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
  + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838);
- Update to samba-4.10.0:
  + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string.
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813);
  + passdb: Update ABI to 0.27.2.
  + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
  + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);

- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796).
- Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)

- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).

- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).

- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);

- Update to samba-4.9.5
  + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714);
  + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
  + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495);
  + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690);
  + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770);
  + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
  + s3:utils/smbget fix recursive download with empty source directories; (bso#13199);
  + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
  + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736);
  + join: Throw CommandError instead of Exception for simple errors; (bso#13747);
  + ldb: Avoid inefficient one-level searches; (bso#13762);
  + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736);
  + tldap: Avoid use after free errors; (bso#13776);
  + Fix idmap xid2sid cache churn; (bso#13802);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720);
  + s3-vfs-fruit: Add close call; (bso#13725);
  + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
  + s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
  + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
  + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807);
  + lib/audit_logging: Actually create talloc; (bso#13737);
  + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728);
  + dns: Changing onelevel search for wildcard to subtree; (bso#13738);
  + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + ctdb: Print locks latency in machinereadable stats; (bso#13742);
  + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
  + audit_logging: auth_json_audit required auth_json; (bso#13715);
  + man pages: Document prefork process model; (bso#13765);
  + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
  + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697);
  + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722);
  + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723);
  + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752);
  + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
  + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
  + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
  + notifyd: Fix SIGBUS on sparc; (bso#13704);
  + waf: Check for libnscd; (bso#13787);
  + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
  + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
  + Recovery lock bug fixes; (bso#13800);
  + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
  + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
  + vfs_fileid: Fix get_connectpath_ino; (bso#13741);
  + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);

- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).

- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);

- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);

- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);

- Update to samba-4.9.4
  + libcli/smb: Don't overwrite status code; (bso#9175).
  + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
  + Session setup reauth fails to sign response; (bso#13661).
  + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
  + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688).
  + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
  + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
  + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
  + PEP8: fix E231: missing whitespace after ','.
  + winbindd: Fix crash when taking profiles; (bso#13629)
  + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600)
  + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
  + CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
  + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679)
  + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696).
  + s3:libads: Add net ads leave keep-account option; (bso#13498).

- Drop more %if..%endif guards which are idempotent.
- Drop requires on ldconfig which are already auto-discovered.
- Do not ignore errors from useradd/groupadd.

- Remove python2 build dependency from samba-libs; (bsc#1116900);

- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.

- Update to samba-4.9.3
  + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319);
  + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320);
  + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322);
  + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321);
  + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324);
  + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);

- Update to samba-4.9.2
  + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418);
  + Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
  + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465);
  + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
  + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
  + Enabling vfs_fruit loses FinderInfo; (bso#13649);
  + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667);
  + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641);
  + examples: Fix the smb2mount build; (bso#13465);
  + libtevent: Fix build due to missing open_memstream on Illumos; (bso#13629);
  + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
  + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653);
  + Extended DN SID component missing for member after switching group membership; (bso#13418);
  + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624);
  + python: Allow forced signing via smb.SMB(); (bso#13621);
  + lib:socket: If returning early, set ifaces; (bso#13665);
  + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616);
  + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673);
  + waf: Add -fstack-clash-protection; (bso#13601);
  + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668);
  + Fix bugs in CTDB event handling; (bso#13659);
  + Misbehaving nodes are sometimes not banned; (bso#13670);

- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);

- winbind requires latest version of libtevent-util0 to start

- Backport latest gpo code from master
  + Read policy from local gpt cache
  + Offline policy application
  + Make group policy extensible via register/unregister gpext
  + gpext's run via a process_group_policy method

- Enable profiling data collection

- Change samba-kdc package name to samba-ad-dc
- Move samba-ad-dc.service to the samba-ad-dc package

- Update to samba-4.9.1
  + s3: nmbd: Stop nmbd network announce storm; (bso#13620);
  + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597);
  + CTDB recovery lock has some race conditions; (bso#13617);
  + s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
  + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);

- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.

- Update to samba-4.9.0
  + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605);
  + wafsamba: Fix 'make -j'; (bso#13606);

- Update to samba-4.9.0rc5
  + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565);
  + s3: util: Do not take over stderr when there is no log file; (bso#13578);
  + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549);
  + krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
  + vfs_fruit: Don't unlink the main file; (bso#13441);
  + smbd: Fix a memleak in async search ask sharemode; (bso#13602);
  + Fix Samba GPO issue when Trust is enabled; (bso#11517);
  + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539);
  + Fix CTDB configuration issues; (bso#13589);
  + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);

- Update to samba-4.9.0rc4
  + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585);
  + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566);
  + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579);
  + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
  + Fix memory and resource leaks; (bso#13567);
  + python: Fix print in dns_invalid.py; (bso#13580);
  + Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
  + Fix CTDB configuration issues; (bso#13589);
  + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);

- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel

- Update to samba-4.9.0rc3+git.22.3fff23ae36e
  + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453);
  + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
  + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552);
  + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434);
  + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
  + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360);
  + s3-tldap: do not install test_tldap; (bso#13529);
  + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
  + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374);
  + ctdb-eventd: Fix CID 1438155; (bso#13554);
  + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553);
  + ctdb: Fix a cut&paste error; (bso#13554);
  + systemd: Only start smb when network interfaces are up; (bso#13559);
  + Fix quotas don't work with SMB2; (bso#13553);
  + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563);
  + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
  + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
  + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);

- Update to samba-4.9.0rc2+git.21.a1069afb007
  + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
  + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535);
  + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
  + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
  + Fix portability issues on freebsd; (bso#13520);
  + DNS wildcard search does not handle multiple labels correctly; (bso#13536);
  + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308);
  + Fix portability issues on freebsd; (bso#13520);
  + ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
  + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546);
  + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550);
  + ctdb-event: Implement event tool "script list" command; (bso#13551);

- Update to samba-4.8.4+git.37.a7a861d7982;
  + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360);
  + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374);
  + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453);
  + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552);
  + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434);
  + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851);
  + winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
  + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
  + samdb: Fix building Samba with gcc 8.1; (bso#13437);
  + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
  + smbd: Flush dfree memcache on service reload; (bso#13446);
  + ldb: Save a copy of the index result before calling the
  + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454).
  + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457).
  + python: Fix talloc frame use in make_simple_acl(); (bso#13474).
  + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478).
  + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).

- Add missing package descriptions; (bsc#1093864);
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
- Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);

- Update to 4.8.2
  + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335).
  + fix incorrect reporting of stream dos attributes on a directory (bso#13380).
  + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
  + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
  + vfs_ceph: Fix memory leak; (bso#13424).
  + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419).
  + s4-lsa: Fix use-after-free in LSA server; (bso#13420).
  + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430).
  + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
  + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414).
  + ctdb-client: Remove unused functions from old client code; (bso#13411).
  + printing: Return the same error code as windows does on upload failures; (bso#13395).
  + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400).
  + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
  + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
  + s3:smbspool: Fix cmdline argument handling; (bso#13417).

- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135);
- Update to 4.8.1; (bsc#1091179);
  + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244);
  + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270);
  + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319);
  + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347);
  + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358);
  + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
  + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375);
  + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337);
  + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332);
  + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
  + ctdb-client: Fix bugs in client code; (bso#13356);
  + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359);
  + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368);
  + libads: Fix the build '--without-ads'; (bso#13273);
  + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332);
  + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
  + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
  + rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
  + smbclient: Fix notify; (bso#13382);
  + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342);
  + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343);
  + Fix the picky-developer build on FreeBSD 11; (bso#13344);
  + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
  + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
  + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341);
  + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312);
  + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
  + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);

- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551);
  + Add %post scriptlet to clear old sysconfig flags
- Update vendor-files to commit 880b3e7.
  + Set samba sysconfig template variables to ""
  + Add required daemon flags directly to systemd unit

- Specfile cleanup
  + Remove %if..%endif guards which don't affect the build
  + Remove redundant %clean section
  + Replace old $RPM_* shell vars with macros

- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.

- Enable building samba with python3, and create a samba-python3 package.

- Update to 4.8
  + New GUID Index mode in sam.ldb for the AD DC
  + GPO support for samba KDC
  + Time machine support with vfs_fruit
  + Encrypted secrets
  + AD Replication visualization
  + Improved trust support
    - ability to not scan global trust list
    - AD external trusts have limited support
    - verbose trusted domain listing
  + VirusFilter VFS module
  + NT4-style replication removed
  + vfs_aio_linux removed

- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);

- Update to 4.7.6;
  + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741);
  + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).

- Disable python until full python3 port is done; (bsc#1082139);
  + Remove contents of package samba-python
  + Remove contents of package libsamba-policy0
  + Remove contents of package libsamba-policy-devel
  + Remove library libsamba-python-samba4.so from samba-libs package
  + Remove library libsamba-net-samba4.so from samba-libs package
  + Remove smbtorture binary and manpage from samba-test

- samba fails to build with glibc2.27; (bsc#1081042);

- Update to 4.7.5; (bsc#1080545);
  + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193);
  + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181);
  + build: Deal with recent glibc sunrpc header removal; (bso#10976);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188);
  + samba: Only use async signal-safe functions in signal handler; (bso#13240);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228);
  + Fix smbd panic when chdir returns error during exit; (bso#13189);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);

- Update to 4.7.4; (bsc#1080545);
  + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
  + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171);
  + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172);
  + Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
  + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095);
  + s4:samba: Fix default to be running samba as a daemon; (bso#13129);
  + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191);
  + vfs_zfsacl: Fix compilation error; (bso#6133);
  + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051);
  + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
  + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
  + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173);
  + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
  + ctdb: sock_daemon leaks memory; (bso#13153);
  + TCP tickles not getting synchronised on CTDB restart; (bso#13154);
  + winbindd: winbind parent and child share a ctdb connection; (bso#13150);
  + pthreadpool: Fix deadlock; (bso#13170);
  + pthreadpool: Fix starvation after fork; (bso#13179);
  + messaging: Always register the unique id; (bso#13180);
  + s4/smbd: set the process group; (bso#13129);
  + Fix broken linked attribute handling; (bso#13095);
  + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132);
  + libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
  + g_lock conflict detection broken when processing stale entries; (bso#13195);
  + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197);
  + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700);
  + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170);
  + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551);
  + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174);
  + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);

- Re-enable usage of libnsl (did got lost with glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)

- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).

- Update to 4.7.3; (bsc#1069666);
  + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
  + python: use communicate to fix Popen deadlock; (bso#13127);
  + smbd on disk file corruption bug under heavy threaded load; (bso#13130);
  + tevent: version 0.9.34; (bso#13130);
  + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
  + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427); (bso#13041);
  + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.

- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

- samba-tool requires samba-python; (bnc#1067771).

- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
  + Fix exporting subdirs with shadow_copy2; (bso#13091);
  + Currently if getwd() fails after a chdir(), we panic; (bso#13027);
  + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068);
  + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069);
  + smbclient doesn't correctly canonicalize all local names before use; (bso#13093);
  + Fix broken linked attribute handling; (bso#13095);
  + Missing LDAP query escapes in DNS rpc server; (bso#12994);
  + Link to -lbsd when building replace.c by hand; (bso#13087);
  + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133);
  + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909);
  + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933);
  + Missing assignment in sl_pack_float; (bso#12991);
  + Wrong Samba access checks when changing DOS attributes; (bso#12995);
  + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
  + groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
  + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076);
  + man pages: Properly ident lists; (bso#9613);
  + smb.conf.5: Sort parameters alphabetically; (bso#13081);
  + Fix GUID string format on GetPrinter info; (bso#12993);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056);
  + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
  + libgpo doesn't sort the GPOs in the correct order; (bso#13046);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + vfs_catia: Fix a potential memleak; (bso#13090);
  + Fix file change notification for renames; (bso#12903);
  + Samba DNS server does not honour wildcards; (bso#12952);
  + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079);
  + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
  + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047);
  + s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
  + Fix ntstatus_gen.h generation on 32bit; (bso#13099);
  + Fix a double free in vfs_gluster_getwd(); (bso#13100);
  + Fix resource leaks and pointer issues; (bso#13101);
  + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);

- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.

- Update to 4.7.0;
  + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858).
  + Samba AD with MIT Kerberos
  + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535".
  + Authentication and Authorization audit support: New auth_audit debug class.
  + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process.
  + Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
  + Additional password hashes stored in supplementalCredentials.
  + Improvements to DNS during Active Directory domain join.
  + Significant AD performance and replication improvements.
  + Query record for open file or directory.
  + Removal of lpcfg_register_defaults_hook().
  + Change of loadable module interface.
  + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
  + CTDB no longer allows mixed minor versions in a cluster.
  + CTDB now ignores hints from Samba about TDB flags when attaching to databases.
  + New configuration variable CTDB_NFS_CHECKS_DIR.
  + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
  + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
  + The example NFS Ganesha call-out has been improved.
  + A new "replicated" database type is available.

- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).

- CVE-2017-12150: Some code paths don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).

- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).

- Clean specfile assuming SUSE-only system and product >=SLE11
  + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined
  + %{_vendor} is "suse" and %{suse_version} is at least 1100

- Update to 4.6.7; (bsc#1054017)
  + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392).
  + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937).
  + vfs_ceph provides inconsistent directory listings; (bso#12911).
  + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836).
  + Use-after free can crash libsmbclient code.; (bso#12927).
  + Server exit with active AIO can crash.; (bso#12925).
  + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910).
  + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898).
  + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897).
  + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886).
  + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840).
  + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720).
  + KCC run at selftest startup can fail spuriously due to a race; (bso#12869).
  + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782).
  + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890).
  + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885).
  + dns_name_equal doing OOB read; (bso#12813).
  + replica_sync tests flap; (bso#12753).
  + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868).
  + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859).
  + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490).
  + race starting winbindd against posixacl test; (bso#12843).
  + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832).
  + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788).
  + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772).
  + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768).
  + The smb tarmode tests kills the share dir contents; (bso#12867).
  + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862).
  + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860).
  + manpage/index.html lists links not in alphabetical order; (bso#12854).
  + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831).
  + If a record is locked in a database, then recovery does not complete; (bso#12857).
  + debug_locks.sh script does not log any information; (bso#12856).
  + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852).
  + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849).
  + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845).
  + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844).
  + cli->server_os not filled correctly; (bso#12779).
  + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824).
  + smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808).
  + CTDB NFS call-out failures do not cause event failures; (bso#12837).
  + net command fails due to incorrect return code; (bso#12828).
  + Fix building Samba with GCC 7.1; (bso#12827).

- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).

- fix cephwrap_chdir(); (bsc#1048790).
- Update to 4.6.6
  + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).

- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).

- Fix inconsistent ctdb socket path; (bsc#1048352).
- Fix non-admin cephx authentication; (bsc#1048387).

- Update to 4.6.5; (bsc#1040157)
  + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814).
  + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687).
  + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798).
  + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844).
  + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766).
  + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802).
  + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697).
  + Printing a share mode entry with leases can crash in the ndr code; (bso#12793).
  + Fix flakey unit tests for eventd; (bso#12792).
  + CTDB daemon crashes if built with clang; (bso#12770).
  + smbcacls fails if no password is specified; (bso#12765).
  + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757).
  + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767).
  + systemd: fix detection of libsystemd; (bso#12764).
  + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760).
  + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751).
  + Can't case-rename files with vfs_fruit; (bso#12749).
  + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702).
  + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562).
  + Ordering of notify responses broken; (bso#12756).

- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).

- Revert explicit winbind %{version}-%{release} dependency.
  + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).

- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).

- Update to 4.6.3; (bsc#1036011)
  + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743).
  + Fix for Solaris C compiler; (bso#12559).
  + s3: locking: Update oplock optimization for the leases era; (bso#12628).
  + Make the Solaris C compiler happy; (bso#12693).
  + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695).
  + Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
  + lib: debug: Avoid negative array access; (bso#12746).
  + cleanupdb: Fix a memory read error; (bso#12748).
  + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537).
  + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961).
  + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565).
  + manpages/vfs_fruit: Document global options; (bso#12615).
  + lib/pthreadpool: Fix a memory leak; (bso#12624).
  + Lookup-domain for well-known SIDs on a DC; (bso#12727).
  + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
  + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
  + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611).
  + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690).
  + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697).
  + ctdb_event monitor command crashes if event is not specified; (bso#12723).
  + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733).
  + smbd: Fix smb1 findfirst with DFS; (bso#12558).
  + smbd: Do an early exit on negprot failure; (bso#12610).
  + winbindd: Fix substitution for 'template homedir'; (bso#12699).
  + s4:kdc: Disable principal based autodetected referral detection; (bso#12554).
  + idmap_autorid: Allocate new domain range if the caller knows the sid is valid; (bso#12613).
  + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
  + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725).
  + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
  + winbindd: Fix password policy for pam authentication; (bso#12725).
  + s3:gse: Correctly handle external trusts with MIT; (bso#12554).
  + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611).
  + replace: Include sysmacros.h; (bso#12686).
  + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687).
  + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704).
  + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708).
  + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715).
  + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).

- Generate and update vendor-files tarball from Git
  + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).

- Generate source tarball directly from Git using OBS tar_scm
  + use version string derived from parent Git tag and commit hash
- remove obsolete vendor-files/tools/package-data version ID
  + explicitly generate ctdb manpages, needed without "make dist"

- Update to 4.6.2
  + remove bso#12721 patches now upstream

- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622).
  + x86-64 and aarch64

- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).

- Build and install the html man pages (bsc#1021907).

- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).

- Update to 4.6.1
  + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147)
  + testparm checks for valid idmap parameters
  + add new krb client encryption types
  + support for printer driver upload from windows 10
  + inherit owner = 'unix only' for improved quota support
  + improved CTDB event support
  + new primary group support for idmap_ad
  + idmap_hash deprecated
  + mvxattr added to recursively rename extended attributes

- Remove chkconfig requirements for systemd systems

- Don't call insserv if systemd is used

- Fix check if we need to require insserv

- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).

- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).

- add missing patch for libnss_wins segfault; (bsc#995730).

- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).

- Document "winbind: ignore domains" parameter; (bsc#1019416).

- Add base Samba dependency to samba-ceph package.

- Update to 4.5.3
  + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437).
  + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441).
  + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442).
- 4.5.1 and 4.5.2 updates
  + various streams vfs fixes
  + various printing fixes
  + ntlm_auth: do not map explicitly empty domain
  + various stability fixes in smbd
  + match file compression ReFS behavior

- Add missing ldb module directory; (bnc#1012092).

- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).

- Include vfstest in samba-test; (bsc#1001203).

- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).

- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).

- Update to 4.5.0
  + NTLM1 Authentication disabled by default
  + SMB2.1 leases enabled by default
  + Support for OFD locks
  + ctdb tool rewritten
  + Added shadow copy snapshot prefix parameter

- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).

- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).

- Don't package man pages for VFS modules that aren't built; (boo#993707).

- Fix population of ctdb sysconfig after source merge; (bsc#981566).

- Enable vfs_ceph builds for Factory (x86-64)
  + Package as samba-ceph to avoid Ceph dependency in base package.

- Update to 4.4.5
  + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).

- Remove obsolete syslog.target; (bsc#983938).

- Honor smb.conf socket options in winbind; (bsc#975131).

- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).

- Update to 4.4.4
  + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809).
  + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919).
  + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930).
  + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796).
  + Fix case sensitivity issues over SMB2 or above; (bso#11438).
  + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910)
  + Fix NTLM Authentication issue with squid; (bso#11914).
  + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530).
  + Fix memory leak in share mode locking; (bso#11934).

- Update to 4.4.3
  + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872).
  + Only allow idmap_hash for default idmap config (bso#11786).
  + smbd: Avoid large reads beyond EOF; (bso#11878).
  + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806).
  + libads: Record session expiry for spnego sasl binds; (bso#11852).

- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).

- Revert shared library packaging to comply with SLPP

- Update to 4.4.2
  + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031).
  + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032).
  + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033).
  + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034).
  + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036).
  + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965).
  + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).

- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).

- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).

- Update to 4.4.0.
  + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560.
  + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543.
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + docs: Add example for domain logins to smbspool man page; (bso#11643).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + docs: Add smbspool_krb5_wrapper manpage; (bso#11690).
  + winbindd: Return trust parameters when listing trusts; (bso#11691).
  + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696).
  + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699).
  + s3:utils/smbget: Set default blocksize; (bso#11700).
  + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700).
  + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723).
  + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724).
  + smbd: Fix CID 1351216 Dereference null return value; (bso#11725).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + docs: Add manpage for cifsdd; (bso#11730).
  + param: Fix str_list_v3 to accept ; again; (bso#11732).
  + lib/socket: Fix improper use of default interface speed; (bso#11734).
  + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735).
  + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738).
  + Fix installation path of Samba helper binaries; (bso#11739).
  + Fix memory leak in loadparm; (bso#11740).
  + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742).
  + smbd: Ignore SVHDX create context; (bso#11753).
  + Fix net join; (bso#11755).
  + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755).
  + passdb: Add linefeed to debug message; (bso#11763).
  + s3:utils/smbget: Fix option parsing; (bso#11767).
  + libnet: Make Kerberos domain join site-aware; (bso#11769).
  + Reset TCP Connections during IP failover; (bso#11770).
  + ldb: Version 1.1.26; (bso#11772).
  + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773).
  + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774).
  + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780).
  + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782).
  + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783).
  + Quota is not supported on Solaris 10; (bso#11788).
  + Talloc: Version 2.1.6; (bso#11789).
  + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796).
  + build: Fix build when '--without-quota' specified; (bso#11798).
  + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802).
  + Access based share enum: handle permission set in configuration files; (bso#8093).
  + See also WHATSNEW.txt from the samba-doc package.

- Update to 4.3.6.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222).
  + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).

- Upgrade on-disk FSRVP server state to new version; (bsc#924519).

- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).

- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).

- Obsolete no longer existing samba-32bit package; (bsc#967625).

- Update to 4.3.5.
  + s3:utils/smbget: Fix recursive download; (bso#6482).
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400).
  + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580).
  + smbclient: Query disk usage relative to current directory; (bso#11662).
  + winbindd: Handle expired sessions correctly; (bso#11670).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + smbcacls: Fix uninitialized variable; (bso#11682).
  + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684).
  + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
  + s3-parm: Clean up defaults when removing global parameters; (bso#11693).
  + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + param: Fix str_list_v3 to accept ";" again; (bso#11732).

- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).

- Simplify shared library packaging; (bsc#966956).

- Enable clustering (CTDB) support; (bsc#966271).

- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).

- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).

- Remove autoconf build-time requirement.

- Update to 4.3.4.
  + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065).
  + Crash: Bad talloc magic value - access after free; (bso#11394).
  + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466).
  + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613).
  + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619).
  + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624).
  + Reduce the memory footprint of empty string options; (bso#11625).
  + lib/async_req: Do not install async_connect_send_test; (bso#11639).
  + Fix typos in man vfs_gpfs; (bso#11641).
  + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645).
  + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249).
  + Do not disable "store dos attributes" on-the-fly; (bso#11649).
  + Update lastLogon and lastLogonTimestamp; (bso#11659).

- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).

- Update to 4.3.3.
  + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581).
  + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586).
  + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582).
  + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584).
  + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583).
  + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).

- Update to 4.3.2.
  + vfs_gpfs: Re-enable share modes; (bso#11243).
  + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327).
  + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452).
  + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511).
  + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512).
  + s4:lib/messaging: Use correct path for names.tdb; (bso#11562).
  + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563).
  + async_req: Fix non-blocking connect(); (bso#11564).
  + auth: gensec: Fix a memory leak; (bso#11565).
  + lib: util: Make non-critical message a warning; (bso#11566).
  + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022).
  + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
  + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
  + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581).
  + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581).
  + manpage: Correct small typo error; (bso#11584).
  + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589).
  + Backport some valgrind fixes from upstream master; (bso#11597).
  + auth: Consistent handling of well-known alias as primary gid; (bso#11608).
  + winbind: Fix crash on invalid idmap configs; (bso#11612).
  + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615).
  + Changing log level of two entries to DBG_NOTICE; (bso#9912).

- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).

- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0.
- Always use the default optimization even on pre-9.2 systems.

- Remove redundant configure options while adding with-relro.

- Relocate the lockdir to the /var/lib/samba/lock directory.

- Cleanup and enhance the pidl sub package.

- Require renamed python-ldb-devel and python-talloc-devel at build-time.
- Requires python-ldb and python-talloc from the python subpackage.

- Update to 4.3.1.
  + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252).
  + nss_winbind: Fix hang on Solaris on big groups; (bso#10365).
  + smbd: Fix file name buflen and padding in notify response; (bso#10634).
  + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038).
  + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053).
  + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316).
  + s3: smbd: Fix mkdir race condition; (bso#11486).
  + pam_winbind: Fix a segfault if initialization fails; (bso#11502).
  + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509).
  + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515).
  + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522).
  + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526).
  + net: Fix a crash with 'net ads keytab create'; (bso#11528).
  + s3: smbd: Fix a crash in unix_convert(); (bso#11535).
  + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535).
  + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543).
  + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547).
  + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549).
  + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550).
  + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555).
  + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).

- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).

- Relocate the tmpfiles.d directory to the client package; (bnc#947552).

- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).

- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).

- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).

- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).

- Update to 4.3.0.
  + Samba "map to guest = Bad uid" doesn't work; (bso#9862).
  + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493).
  + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973).
  + Stream names with colon don't work with fruit:encoding = native; (bso#11278).
  + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + "force group" with local group not working; (bso#11320).
  + strsep is not available on Solaris; (bso#11359).
  + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411).
  + Build with GPFS support is broken; (bso#11421).
  + Build broken with --disable-python; (bso#11424).
  + net share allowedusers crashes; (bso#11426).
  + nmbd incorrectly matches netbios names as own name; (bso#11427).
  + Python bindings don't check integer types; (bso#11429).
  + Python bindings don't check array sizes; (bso#11430).
  + CTDB's eventscript error handling is broken; (bso#11431).
  + Fix crash in nested ctdb banning; (bso#11432).
  + Cannot build ctdbpmda; (bso#11434).
  + samba-tool uncaught exception error; (bso#11436).
  + Crash in notify_remove caused by change notify = no; (bso#11444).
  + Poor SMB3 encryption performance with AES-GCM; (bso#11451).
  + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451).
  + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455).
  + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458).
  + xid2sid gives inconsistent results; (bso#11464).
  + ctdb: Fix the build on FreeBSD 10.1; (bso#11465).
  + Handling of 0 byte resource fork stream; (bso#11467).
  + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).

- Configure with --bundled-libraries=NONE; (bso#11458).

- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).

- Remove libiniparser-devel build-time requirement.

- Update to 4.2.3.
  + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780).
  + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924).
  + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991).
  + Logon via MS Remote Desktop hangs; (bso#11061).
  + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068).
  + tevent: Add a note to tevent_add_fd(); (bso#11141).
  + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170).
  + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217).
  + smbd: Fix a use-after-free; (bso#11218); (bnc#919309).
  + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245).
  + s3:smb2: Add padding to last command in compound requests; (bso#11277).
  + Add IPv6 support to ADS client side LDAP connects; (bso#11281).
  + Add IPv6 support for determining FQDN during ADS join; (bso#11282).
  + s3: IPv6 enabled DNS connections for ADS client; (bso#11283).
  + Fix invalid write in ctdb_lock_context_destructor; (bso#11293).
  + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295).
  + vfs_fruit: Add option "veto_appledouble"; (bso#11305).
  + tstream: Make socketpair nonblocking; (bso#11312).
  + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313).
  + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319).
  + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323).
  + Change sharesec output back to previous format; (bso#11324).
  + Robust mutex support broken in 1.3.5; (bso#11326).
  + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457).
  + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329).
  + tevent: Fix CID 1035381 Unchecked return value; (bso#11330).
  + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331).
  + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339).
  + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342).
  + pidl: Make the compilation of PIDL producing the same results if the content hasn't changed; (bso#11356).
  + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358).
  + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363).
  + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366).
  + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367).
  + ncacn_http: Fix GNUism; (bso#11371).

- Disable rpath usage; (bnc#902421).

- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).

- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).

- Order winbind.service Before and Want nss-user-lookup target.

- Remove fam-devel build-time dependency for post-6 RHEL systems.

- Update to 4.2.2.
  + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182).
  + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260).
  + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186).
  + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236).
  + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240).
  + Mangled names do not work with acl_xattr; (bso#11249).
  + nmbd rewrites browse.dat when not required; (bso#11254).
  + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213).
  + s3:smbd: Add missing tevent_req_nterror; (bso#11224).
  + vfs: kernel_flock and named streams; (bso#11243).
  + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244).
  + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284).
  + ctdb: check for talloc_asprintf() failure; (bso#11201).
  + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813).
  + CTDB statd-callout does not scale; (bso#11204).
  + vfs_fruit: also map characters below 0x20; (bso#11221).
  + ctdb: Coverity fix for CID 1291643; (bso#11201).
  + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225).
  + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226).
  + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007).
  + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201).
  + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257).
  + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854).
  + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182).
  + 'sharesec' output no longer matches input format; (bso#11237).
  + waf: Fix systemd detection; (bso#11200).
  + CTDB: Fix portability issues; (bso#11202).
  + CTDB: Fix some IPv6-related issues; (bso#11203).
  + CTDB statd-callout does not scale; (bso#11204).
  + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234).
  + libads: record service ticket endtime for sealed ldap connections; (bso#11267).
  + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).
- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).
- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.
- Drop redundant doc attribute from man pages.
- Update to 4.2.1.
  + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905).
  + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791).
  + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016).
  + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476).
  + waf: Fix the build on openbsd; (bso#10476).
  + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888).
  + spoolss: Retrieve published printer GUID if not in registry; (bso#11018).
  + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout milliseconds if it's still valid before use; (bso#11079).
  + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125).
  + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135).
  + replace: Remove superfluous check for gcrypt header; (bso#11135).
  + Backport subunit changes; (bso#11137).
  + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140).
  + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143).
  + talloc: Version 2.1.2; (bso#11144).
  + Update libwbclient version to 0.12; (bso#11149).
  + brlock: Use 0 instead of empty initializer list; (bso#11153).
  + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164).
  + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304).
  + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173).
  + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174).
  + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175).
  + s3: libsmbclient: Add missing talloc stackframe; (bso#11177).
  + s4-process_model: Do not close random fds while forking; (bso#11180).
  + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).
- Prevent samba package updates from disabling samba kerberos printing.
- Add sparse file support for samba; (fate#318424).
- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).
- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).
- Simplify libxslt build requirement and README.SUSE install.
  - Remove no longer required cleanup steps while populating the build root.
- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).
- Update to 4.2.0.
  + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115).
  + pam_winbind: fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Make 'profiles' work again; (bso#9629).
  + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702).
  + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810).
  + Use -R linker flag on Solaris, not -rpath; (bso#10112).
  + vfs: Add glusterfs manpage; (bso#10240).
  + Make 'smbclient' use cached creds; (bso#10279).
  + pdb: Fix build issues with shared modules; (bso#10355).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + idmap: Return the correct id type to *id_to_sid methods; (bso#10720).
  + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808).
  + Don't build vfs_snapper on FreeBSD; (bso#10834).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3: smb2cli: query info return length check was reversed; (bso#10848).
  + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849).
  + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851).
  + winbind3: Fix pwent variable substitution; (bso#10852).
  + Improve samba-regedit; (bso#10859).
  + registry: Don't leave dangling transactions; (bso#10860).
  + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861).
  + build: Do not install 'texpect' binary anymore; (bso#10862).
  + Fix testparm to show hidden share defaults; (bso#10864).
  + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866).
  + Integrate CTDB into top-level Samba build; (bso#10892).
  + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904).
  + Fix print job enumeration; (bso#10905); (bnc#898031).
  + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909).
  + Add support for SMB2 leases; (bso#10911).
  + btrfs: Don't leak opened directory handle; (bso#10918).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: fix keytab array NULL termination; (bso#10933).
  + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940).
  + Cleanup add_string_to_array and usage; (bso#10942).
  + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942).
  + Fix RootDSE search with extended dn control; (bso#10949).
  + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952).
  + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + socket_wrapper: Add missing prototype check for eventfd; (bso#10965).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + vfs_streams_xattr: Check stream type; (bso#10971).
  + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + vfs_fruit: Add support for AAPL; (bso#10983).
  + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984).
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
  + Fix IPv6 support in CTDB; (bso#10996).
  + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000).
  + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005).
  + s3-util: Fix authentication with long hostnames; (bso#11008).
  + ctdb-build: Fix build without xsltproc; (bso#11014).
  + packaging: Include CTDB man pages in the tarball; (bso#11014).
  + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016).
  + Make Sharepoint search show user documents; (bso#11022).
  + nss_wrapper: check for nss.h; (bso#11026).
  + Enable mutexes in gencache_notrans.tdb; (bso#11032).
  + tdb_wrap: Make mutexes easier to use; (bso#11032).
  + lib/util: Avoid collision which already defined consumer DEBUG macro; (bso#11033).
  + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034).
  + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037).
  + vfs_fruit: Fix base_fsp name conversion; (bso#11039).
  + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040).
  + Fix authentication using Kerberos (not AD); (bso#11044).
  + net: Fix sam addgroupmem; (bso#11051).
  + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238).
  + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058).
  + utils: Fix 'net time' segfault; (bso#11058).
  + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059).
  + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066).
  + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069).
  + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069).
  + vfs_glusterfs: Implement AIO support; (bso#11069).
  + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070).
  + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376).
  + vfs: Add a brief vfs_ceph manpage; (bso#11088).
  + s3: smbclient: Allinfo leaves the file handle open; (bso#11094).
  + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097).
  + debug: Set close-on-exec for the main log file FD; (bso#11100).
  + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102).
  + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104).
  + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117).
  + snprintf: Try to support %j; (bso#11119).
  + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124).
  + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).
- Update to 4.2.0rc5.
  + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).
- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).
- Fix tdb_store_flag_to_ntdb() gcc5 build failure.
- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).
- Update to 4.1.16.
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.
- Fix libsmbclient DFS referral handling.
  + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512).
  + Set domain/workgroup based on authentication callback value; (bso#11059).
- Update to 4.2.0rc4.
  - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547).
  - Rename libpdb packages to libsamba-passdb.
  - Drop libsmbsharemodes packages.
- Enable avahi support on post-12.2 systems.
- Update to 4.1.15.
  + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Fix profiles tool; (bso#9629).
  + s3-lib: Do not require a password with --use-ccache; (bso#10279).
  + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949).
  + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952).
  + s3:smb2_server: Allow reauthentication without signing; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006).
  + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006).
  + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).
- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).
- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).
- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).
- Fix spoolss error response marshalling; (bso#10984).
- Update to 4.1.14.
  + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + nmbd fails to accept "--piddir" option; (bso#10711).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880).
  + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904).
  + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: Fix keytab array NULL termination; (bso#10933).
  + Cleanup add_string_to_array and usage; (bso#10942).
- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).
- Use the upstream tar ball, as signature verification is now able to handle compressed archives.
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
  + Fix handling of bad EnumJobs levels; (bso#10898).
- Remove dependency on gpg-offline as signature checking is implemented in the source validator.
- Update to 4.1.13.
  + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
  + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
  + s3-libads: Add all machine account principals to the keytab; (bso#9985).
  + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
  + Fix unstrcpy; (bso#10735).
  + pthreadpool: Slightly serialize jobs; (bso#10779).
  + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797).
  + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
  + vfs_media_harmony: Fix a crash bug; (bso#10813).
  + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814).
  + nmbd: Send waiting status to systemd; (bso#10816).
  + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817).
  + nsswitch: Skip groups we were not able to map; (bso#10824).
  + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826).
  + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
  + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838).
  + s3: smb2cli: Query info return length check was reversed; (bso#10848).
  + registry: Don't leave dangling transactions; (bso#10860).
- Update to 4.2.0rc2.

/sbin/ldconfig
sheep90 1631867618
4.13.6+git.211.555d60b24ba-3.7.1
libsamba-util.so.0
libsamba-util.so.0.0.1
/usr/lib64/
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
obs://build.suse.de/SUSE:Maintenance:19341/SUSE_SLE-15-SP3_Update/29f5bd08f0da5c0cd8a4b505126bcd3b-samba.SUSE_SLE-15-SP3_Update
cpio
xz
x86_64-suse-linux
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5f2ecad0642e3ee1e6c1a54d96d2605982886478, stripped
]Nt6Ԭa3j$MſXUϔPɍbl^݅؀" ߧz]Ё4/="GGM0$*`=8yo<%Bk 8ʱr} ͍U/蒿0˸pwGq깃_3}^|3H8&) \rp:d~WX K<[Y- &0i UAGrʿ$kkI' iSm^D^樓#2wcp6Z8J)j/8Lx9-DR=U8^girlcsHgew!%rҢx|p6ɃPw8!v y}jE7 ^/o$W<=iTs9r.y<12/Afȥ NkopC=dd@.Ɍmz,B:KuFtwG DSӆLZ7daLp,ABTçWȠQrܚ\R%%4?"'=>+x܋Kb0zX~&S|H,'K91 >U,1(جdO梧"!t|nsKܰCR1r<^s/*b=ǻGXG2JmM׹_8%~mQ#<ϔN=@|b-6Vf.eGrԸ1_f*N,1W>0>Y-Q!&i|xc:ceèeR-@Xu#8xS۟Rd&g9R98%sNW%euJC6%Btx~D3/B3-aD]qʘvJ+"]| =EN;U3=gG$`#}HoUS2Z!Xd)Brtn^ó69Au(ͮIc5 CG,TCf‰@<.fl-[Ie!(w㰍&4 v 睽aHWץŻ_p"Yg^@Oz+U Syr9TM=טIBcu} , !< Q Mя4tZ2| ڰ{lkvx.5Ee3wW^3#9֟F&-)9,{BDpdECX)|nbgq舛<CON] 9Q^WxNoMOc̞.|)F,T ݈gT3"qsd7m:M2v:m 9X KFҹ;k zќ@mB;IZNȲ\Pc*r,53WؕH^E%`K0u;fp#DQۈD=ھ뢟*,8|GJ G1ऱoo)IӧTk}u2דTȜ8oѿIWR;)|f]ZIGFhuwʲS$1%Ȣa0#RpԚ 4=0w##o @p6>,W`B&eii 9dIiqxC 4pZ3u*mDM6ꨜF,2'UGf%U%C M }Gol!yEdz=?N8|xqƌL=[FU*#*se* bMO{rC"IXx5<0cXSg(DDԧ3.$VY/=>?ZYax\*qAɾˍ*7t9`1#?.săUمM2rȘ+&h\S5} GS 6mu &9E1Y1y/$Y}N%N}庂"`ηi#$k^rjGs4Xoh`V0"a)!ŏ֛Nα(fG ~[c2ΎdiЏg_;DZ0'?G *P7q &ar&ɻT>f4Jjf*ɜmC&RR]Lf_8[L[Vϒ0ͅҫp-4֏WWWq 7ePjoҊ,h45ҥR%sө xO@f!K^h#\f) nKU & `e!"~PxRRHPHj U1ƔyXOi7Mu`F<\dɢ. !d.xdyv Hw➼ݵ$b@L_1ݬ$XdLݮw/޺ WAd M_&l8d5q'3e%cq[`ȁfϒǴeCmEgљ"Vg^:>D\|34r-7l߻t4my>r]!f0+M$9N㾢݁z?08!׈}uҪYszØ%"q$ ZUKɝ ԜeǿF`1=wrZ}i2'31Ѐu\PKwAV׮JdQƁ}yWD'1m>>e5ж3[_ϳ#̩c:uz]{;΍χ$(ǣL_صz*䀐c(pjLm7$+|j=⏈hѺS96L7H9qspK\djHvVomԛ=1߳1n)\R6gx0eN1}2+x%+.Lk2Y^a"=HCe tCOסE \%7t ah`\:pDՐlgxSүٸV:)tx,טM Zu~иѤĮw`Ӡ{QHVE::aqYZ* ڢ+$z4|ˋr|b?3iu3_8g*Ibƴش9hJ,.?Pxruޚ[!4zf[j@"6洼]!ꬳP#+.."m-"NP [FeˡfB*PvoP{x|M4Y;䷝?QJ9ko≷6>N*!R4>x@*S0 ɅydU-xQ3cbd7dz7TO-iׂ6vUCjB`0TGz-}-=Ĝ͵ďP7DZi׍ yA 4*B{f z:O/11:R f4JW}X~ =!U9OHUҗ1MVT[hX]c~Pv̊SX&; 0g5 <.ҲE630W" T7_KaFk-]@%9pI]B`(K PpzA3678۸7h/Llc8K{ϞF%ZCgׅs*/1͛WQо?{֌Q,,f0r>qXFF!VLx5}̛I7Q9אgn(iBbgǀč6fC.=Qy);2y-HޯЏA#Agj71b#M@1$ob,Mmei4Igj狎d.'M |"0e7]-Hs(zW*O?NwnoBЈ>`Xʓ:*^TF*YYf(,$=Bqaj>ֺU(dfW3i|C~<_h cm k'i 9j`L|&[ԷLbh{؋6ܰH)PcTE*T^!Ҥ~ܙx0/y~,O`л$ssIS=^5;b_Ĕbhh{c5s%;yb^2QY%, Y r?bО* M3Tvir-ذ\=C1 hR?&i#XFl1X^%oVdM<1".Ϋ%6٦]svּ;WI1Y$!j*o!jKSS)}LR"JGfɯ*k5 U1 PDr]`(7ؾ\oRL_Wi04CH3C3)^j&4 c,DϛWj" sqxu={[lOj1ފh"X&xM2!;ZfYQz\ 0. 
yIoLW,<< eY>< 9l @~=*[I1Ұ e;44NeA`&Ĭ_6Q z^wzc,(gfA,.Wx.uhO-ObCQ0˥ \=\3q dteHۑqʝpNoiQNvJ(= \@,_U$r:3EH1>b/l埱0Mm|>_iطww Km'&ogmu |vk^OƾBhgd/#|{X⢈M ѥn6S#8`cͿ&V88@fS0ꚳ[5#mp^9FevƠƥQ;_g֏-i86)g/9G&'l5(? _0* e d@ Od i\:YŮ(%/#V/v5w?yVm2e(I@ʯlewu\ tmwz[!Ԧ)W,kzH/ t巆@=I| X%yJɝ}"S 9f *r'?$zp-MWތE|&]V:/=!tQ'R%QT:)\5—:az"uA'`'P'vyU)>RؾFr$r4Jvp%%f.F+=4KtiVS/~db(Dyw(^v3'XM#OHr,`Lp}I1zOJœ9KO6HؠLr0JCh]82 5Ǝo`n|fߔ,^7"!,Sq $6j{' Lz&u'" g?-> gLڊg- x%!ҚpA5K+jK ևJ*hY^ʭ^̠H]dv+5NFMd'FRqo9a0#i3KψC* ,?B8lL .ӡ&DrfĊwxsl}Ϸ2\jtD*C/1uQiH%b UaD~a5qGx'k=xO^q &N YH4(D7tyWÃ\I']e{-v|E<1c~:2 !Mo@l<>j|t[Rs `WP ٚbg%W-)w.oDYGojwMX\1^3qʐ=L\Zhy&ϓF> ;ϵƨIZ(6 c)k皥^ zTh[=%SGK2*N>#b:Y3cqDJXC]F۞Ce(,P%I!\i @r@%V fd5PC26;4C&ul %Rщ>p<â{|ğѭ L[M2d!!]G)`+B9"7?qY`If ՟Ʒqs?c;7%;L (>#e,u5oڤ= W0B SSQ~&fLB;z=~leb T륱4NG\' M/lVT S]r1uI i+XJ(rőg!t<% ^m32$ |=IC^ KN418:sN"xu1c:WIionKFfY&IMEXTgFŇ`O# #7_:MM ۵T9G| WKYJ?V/0 Of *wDNd#ߑ@mZ•u4isq;lE`i- U"Wm00`"zdME%&O1tn]i΁97kCY-?,)g-rl3۲^AH;ۻT /Ǡx9@伬;ޘ q=6,*#%3x&!aS `ylKqAEG2a+/ d 'xפpOȾvvn eZQ+$Sz6^O9t ,ޙ "}`Q &?#Pu55\j$)V޶l?W?-od`,erMTpv/5< z\lNy}etY_%v>6xSX$=~g/~Cf+Ge)VypzQPEޚtw! "RL<ßϙ?U,NO5>BuJ t'zڷ&{BgsFٝa;"xBҖ+v=t2&R*䂲koR3ohr<;zh(:c[. 
Xx*Z-u֎gK'6ey D<ѯz$F-{]]=lYH)sZ8(`a64|D&YU9}];Dz)@E^)ؤcTz;5FI zZ[wyqSy/.%J%ܢ,Z)[ @v|M99NѝJL鹕xld|}&j/{q*׻̖A?cdqS&S+L{,pn 6; #q#LW,y\$8}f`z`)YKG)- FP~5['y]&MXC-seX'v80yqR?k^H3ed-Hy4-q1 .AҏQuAcqL=y+:b\X8]@W ]U=gk[("M=G<WzOh!'SId&eSمCp/VԎ/JP/F*KFqg9 .7iCp7AbI5:Ԙa.r^Ա1gl&nWn4uȂ;z>+X̓MI%vyhLc)8SXՄF ̆J}?^?|7b™aKp%J':INfh+q֍pzDAwhhsEPl]OŎ/2XLߪ&IEy{/>V{)CZ(ZR[Q6ؒ#7 cC?lr\haJ>j T{o!Y'W$kb!dX%3APO2,y&d;e]xֺERBމQ9Jbe4$ >BxpBQ<~4eL8㟈ƑOQE;1XiuؑÜoaCc҆e6}1c ?mdŃ.uN׀Xc*OM:!V1 !N$ۄQ 'o+}QmR3;"2z`&0wBH:DU`#$ "2ɧR&#Ѱ7o'i_4Km/"Gf?Ky?z1f -T9}w?Li"u]\KS`/R%nADl[`šx@  \,@O 8 Nr.ןWX{ k&`z:@>6r.m8\Y8s Ov7iKOGBMF1&,"p嘕r rLU I+H3w;Kx-z+0kwm(6Y7tH5soä G4v&kYEkH);byP}z`2StZD1UmN5Hfb**[qոCցa`M~jg8a' qAShdqI"PȐY>XJNoy9Rrq|( Hr 2r3Xt5%Іwc7HCErXHbUv튋8M]I%`T%{; 9'2/|/ uegO!BVjW Jjr\KvOlXm0xc}q` CbuխXhFSUf} XSDnżs O)^H-.y|XsWnexH };=Y'y]?ݺV|Ws''A4҄ހTE3m'uV 79KV  dJXwm99GM(<&麴stC,/cLڸ",J"-f$9t=F̚-o+6vTwN8SaT[x; v8*:K{*2>ȀQ1&C\ g Xx$T8껜"K|ΦqwJ_H)S ~]YݠH g0fCtPsNUݧ%Z1D†(%҇ks[6G)d0[pWDh'I)Ͽ~8&v"pˍMK,[18/ 'vAq>̶b(>$omJE5 >{П&`Ҥ93kk4Q&p']{lX( pɔ'Wf]gCHnǵ~:_GHAXBeK*:ס;&\Pt4OrW&s z-cīlLkJk./AR?(p[ I~9oH 8gN%"O`=QaW~uW?&w r(!`pͬG++RbYZUX5z{%WD.&fN쏎>CeSOgJw#+vhG3{GݙNH&[5ZS\#&mԍ(L@)C>Tg#~fl ĵOLϙ2\d@㦰G8sxl7#u;DE_VMe\ЏmRl/E8 K\{e ?G]ez̼DL)c v(gfixc )v]2ԍ2W Gׄ/ل͊x>51M2, WHѥFdz &% E"^3&87Luod^t,"4x"q%~ zmǪw%dBJf{:b1nژ͢ 2>qRL̟1챡45(w-Sk7d1癕dO YX:9:[7w[v[ l9 .ر7nk}YTB4 SCэ+TUPE^JJ%Q9LS:dD#`y%s2ifKH,3g5,_:=U TnI͵ 7J# m47,otJ}#Me;@5K~|]t288[GK~k,>5" 5  hdy:䘕Y=l Y|$P~d  &TVчhKjW|̛k)'^J<1RjfNp sÏ5,sqhϸA&HKz!%# Iq3nCv47kaV8  PA /bôBˤ?>5'Uʌw9*a]Au @ is}N#$qR͎\mi&P/\\م^\ X?.Ù bBwep¹EY-Zk qȠt)ٵ[,*0>QX?+fN!チS0Ykfv![(6aU20k@5.W5}!u|.ϥ  &冞dr]se.PO-i 1xP6)&Zxe.R.}lRV_ S`3=`5- &e:]}xs]Ga96.XY^ըbZ%-ۣ[PghC6Q//ojZ\)<hwH,BKUq)P?Gj]7 vdxƎEY1KO~g='Dm_j=tq|Tdvj!n*~MTL9?$@iwcV>[X\J y}jxDԞÁƦ1~MV)LbT8,_F& HxIe;mu` RuP3Ls?(K)"13/h@F{M>sF_IaɴR#sþt8*L"Yl j={99qC&S*0 V<#"@m=Rfgh8hRę}nDoO;#4YUX*e9ySV9fŹ8M 'n;x2/A9G^H)wBR'申{g:3qw00֦l`7;7 RFi 1"N[Ee'›A/8S"۠,o.oF6M.$=3 3>wjVn+ZGP'D_?!@9,CL-{ ɏVsi M^b‘>/د{KxZ> ߕع|ؠ[|8pKhŭ \1ysBD6C!qmh m 3@a 
&-߶M$}$.?i 4eY`2ӷX>;obG%އS0|Fvu2.JO!V^a-:_2vgHb *λOL{_MiځYط_!-Z@[풯KW `6&>!XxjQ(^/91*ٔՍW^}- poGHGnB&26O!j3aDF*GIl,~b)PK>/člZ=E,EQI9Oǵ7APYn'o G*LaVZSIo\jĶVTЛ2ZU~lzDuq=/#n"H.x!g8<}ދ19$ ɴnΦí%h֭ԣdsVxI^L ~ 8/ 侾2MC tB 1@LXBb&rθ~cNJBϻ?+mjZZy=iGqX u̥PfSV7B}9'iCEDD.qA` 2␻XB$Մm@7.[!W'mq"6D@HKsOɠJah8YpSmyƲJz~a^M0m:ǍsC&h%VΚ gW~h'H Zy% {poc'ȨP1ȅOaY&!RP%}uDTlG( Wץ?N @S{ M8.N 5Wiϐ.ޡsOghi߯h g.F0?ތ>51K\ 6 j<]2+}0}L&fr9NT[-2adNM{l|d9|Edl./wmPn6)3MĸawFBK_ rұ*e}LAi& c$&p]NHAؔq{GKmjHK%.Nϕ"zQT1O8U'u|9Zay Wˊy~یqVXK#Ÿis0R #Q [2sn/ xR|4HYc)R,"['>?ZF&F v1D\$d-8'|>P=l>SV?D$BfՏ:X1B?zEN/!|0"=)u?r3Ǘ_%: *HڙkKٗOޜ;q'DK"x,QP3Ϡ.5|<ưdjSr'|Ȃ}lB}'X>vܪ6VA9x- ׀nOқM<^)ןzR1sۛieK {K t&Daq'i0y 'u,VFuK'ňДl/ 㞂y̆ʁۘQ5fO ٱ 3{Or|i&طaj/>EΆ|o';+Ҿ36,Ц]+U t_G-L-cGf7o:c'1E7ϡh|y`Ra0+ˍ폓̠=q#)IrbӽUNz2@[8{4w:k1R/·MqO3Hƭ>7$(~~ (ŕt /tbԢhF|̭%ŵ @ tannϩaH+{Qm-D6P*6+w&zy;tŚ[ؑmloN/WUB!|c\}ƀкDZ0|ôtpNpvy30V<_sd02& ! + k@kpA!C=W8sݹvy<ΑЊ%e4*Ny:d\K/dnzH`kp}p CASVDSxD^*SlEv.2WsL f FF,$,ǿ-  ? T)F*"ӑZ$n=grSXvֱ> "A|оw$(T ~1Մ?tjHwYPhmu%'X:w|&ZzbBƐ-w!?{-.2;ñ*Zikx_?!lD.?fyvx*Sn)")w;Q*XyrOewKp7DV&KN*bAyE+y_MW/'nN^A4=_ԟLǎ { f[s9CM 0P&*I0;TsȧcƖZ>!.^bK-z3AXP"gt;oPeL DW;gzYͥ7kރg+`;^"}XTʇ{P`uɥjMfztd։F\ R=,RcHDgN%$%n?N2H=g+ޛ((^M:oQs2L!g qEsetɶ4XһGwepl? 
;#DBسKCocJ'0D'#9(c4x1t̳[5fUKQL V@khϩAB~C/&2wa+ ~sHц}#Nb<-Bkh3JX5kX&-Z6 /g}!zm5 XnEҍ' bC0͉ʟ AX[rl^E7Ne4~^O*3…i~N,0,")->[VXW5Zeg#pB^q) JUTGA,$m`@I!*SKԒRUMh0qjU+˾w41̨+OAһ̰ kV/:i)|L c0CL$`gZC&wcJ2peqC IoZ63$Co흞dzYꏗ K2~: x\p|(!tJO ㈟zh$ u iPB8 Ƞ>-qn; oB=yG2skOFHtxqw2ơQ,aYR"x?bd4߈-{,E.pcľ ZƇWfs40v >u,@AroAK w:9~`0#plD~ 4iƄ>qAii`ovWRy)F31ek`$lk"wQ2K ?KH/;~|ϥ#R$"zCa#Jë^Up+ka:N.մ,^Of~68 wGsd --Aws9ɘS +oBgoj;PbML6jf12K܆@pp۷mf[Vɫ"j\b ٦E} |ѫrz&}y8a{1iq󅥈8x) ۤaP F}݉DDMĊwv$ܺ27S`}j^菝6o2E;\\ȱ,ӡȪU,qcKajUW?(V"O~۴Zi;<1b%MX7v͈ 0n2zvH;m3O cyC*ЊAWCau Ǯx: >RLa'˪1ɍ ^Aa{- XfQy^^'6Fa1Ce:XY͝/G(Ϛf_K!K l(#ŷa2|ʺXF4b|!ezZ #uHE`D,AWux>j$&r ǮC {bԙt6v>JSN0&rB_\viw0ջ(yRp ZHr ),J,q4;pch/\N\M Û 1JH^ԧiULB&wkec3iXYa(oYHvjÛwbKT cjG/(hO@p)^8] ЩO"ČwvFyPp@\M*dw-dzP{EtJIbg_XiA\nJ*c6~baFDWt[u|{ p1G<͊lxQ;`x]5PT>.9pi1D'hCUXvkYK~h^0 f[0q} sa$!zۈ_8 =Kq= {VX= f[6G9i@ y-^` j[nWSBJfaCP3 5o'(EXHѕqzJ@Cw/4|vϓ9ljviFAByh~FP͎mŏ159"h˵F վҽLݘ+sզİ-ћb 3S5@'.]`B99͆ܨ |ͷs`Dܝ>אfV:d !'0k&wB< Hh;Ծ')Xߵ2 OGJL^0ƞ =WIX)#g&|e@ /n|$n="`8Id S:$:Д5bxݮk?U ˊZSb'+Pݔ K {[./f@k$ OuW^8&8%"zY\0>Lˎ'vBiǬ%pLa@ kJ]BZ`MԤV!tY_ۋ(Mm:,jtUxd.9א& pT:1z20&ڬ_9F'gIDDqd$ KXv.1' 8Ǵ~p9X+k]Q C>R^*ĸRdWZ9GTJ3{G'G,RfG5zԷ%L}[%ЗD{:{_{iIWT"--$PgBO/\|9!8..AW,Xa,LѣB_??yIUrA@3ЍyIGCikE#m%٭zzU7< X[,:08MY:ygkη4 D`J`R-e{b=9kƒv1S[\ҪªϲqSfvlGI1!ڊ.e0c Zgb Omh7~8-BElل%щ=s#|)x텗h-:+x`|ڢ}2] &YHf)v)L0]gΘn`xhB飻nUijṋl zXS_-՘ӎcv)ꭁ%$=_@-okcö4-;ew1]Y4D[)uEVJnKK ϐm?[KVarq|ζ8d4H0fnٰ0_T輦"%]?}ވaCYCӛ9+By\H[k>*9ծ"1g# Y`v-TKABAءy z(<|f oZ"n +)0ʸќH5Y?m~z "쿇/(~p ܹSNZD:SuI19Hb==~B#f8ae&p-@d,W}P ]|;bW²5ODf5r]1^PGvNgliK:@)Au*{%ۖ@\׻P%nr.v@kN#S 1H HeB{hI>Xd}-R Dߔ& P| ~T|U4Ds o9Fߚqcn/QfYK5V`'j=l=lN&W/[倥3\p a*[^`1vff3C*wCOm&gYKs;UG&o0i#m82DNtr_a PT#W]W9z|x {lxD~.7ǖl5tb]ي̲ӢCGq\]D:Wf՛m*w/ojrk4p0;HTNn*OEI?{D*@UZʝ6 /O@F]QG/ ky@K <(xb#}E`KQJC W( 0^5  knD/=ͣ2yc=o"\ a[։acӤU5&_6< Fm߷%NKȍg{uk( tޕ3fo_ٻ5\{8E x@:+nI$HBz^d& }tD`̵+I{m5ؚc1 tPT+@RFS>z5b?xYS9" y:e`YWm>JLن5iI8LUԘ`tR#$$QRtrvŕ6 mP L |fZuhGVͳh-TƝ|q5xM97Fg\A# P\~LTKvT$@F8O4.|Dr+.l (:| +ViRlNzA8PUAjI]W,ur4X7"د:*W+ LEuHo3vq:̠@PIM§xP:' 
xKmIbmLIMHE`|-&SK6@6eepBU҆2?P+KGE}#08[qF'"NO`8n'_A"_;Y2[LbI& tO6Cl$T{ʒc/xIu.rպ؜rWqrw 1%&F;<`QWľ,!V 3+ԈK.[]tw1*L6vHٸ8tN'/ϏԐ661Dp_xX:fwW8&DwL߯ucrݙqxRaO-K0aCs׵5yޖfn?D>>|O=xqUZp| o Y:˺Mt]]p2CP,Cf6?N9u31-~AY"Z`y*T: GKSAqRCAvz`-*㌽ژ1IAKQ![$smE^Rcj-. vSTR&i_| u=0ۗH׽t?b~qdM8{-~!|tZ^χ\i LJhRg븒EֈDKEmW`ӿ\1O0G \"$@}vPCƨ LraR 1}{Z4YT{5A7#/,ZYny8ZOlg)AYҥHD-%jA2wס\6a -]B/f4l6Ƕ㓗bi|7줶Z^m7@4 Ȯ[!@bGik$j nHa-8h~g0IG3XdBR9ldUHŊp2[$ޯ~/&]Hs'Yv`=XL"rN%#TJRN4j& 0 mtu Gt>puĉ؁^%pl 骾Ӯk؄{˚u]!Whi` NM+fmFe9dĮWȖxc"SUhrhVyE:6.նO6`AS|l"z%3-r QDM3U'ڝt=#b1Zw uIM@xnT {6$ﵚZ,rn,=PȌⰞ5zfа2@ȅ/'?vn ygtIӀy3U*&m ibYyL`Oonz+_a+@GY;CW&y |o{`>S^zs$y Ϝ"-h0ʨ`3(0}mjC]>֣yv0w?k(a?:kx,dC8v3=9\P )y߽[7|lw+F=͆N=f&t5y&$^~ߝp50%֦<V,[P8W{. fDS-索; \?֟ҏ^+9~0#c`ODN-8u=GpׇNzjA~9{IX:N(p3HkVŽ| :]H@]II5ܫ}z!Rŏݢ.[fՄXh49]VVsޗ$ @¤/7`rёR-G5B .,'7{j(3E. (>.rrmt|mo:NBO|L)<yR|6QI" !rA#@4P/4x£/8ˆ)_;*qV Ho sF .)С?^WYEZQj]sOI$hm.bH̋a >Vҭ?p%݇=.0Ow HPmnʝaC{.)yHGGq^ pҍf=>n$ DŽhwE>w|bن$ f3ԅj B$rߓI\p.ŌG6ԬjQ,zqQvv. /togr"~s<;qc^k"NK.N a#ʛ \Q/  H>YFa;`Ġ.PTn~;J!ׅ3{aPiך@/إQjL9) G:0 ,HrUCH|m lV{ | MVV2kAqvm̶NZv-S]x@mmm ^ƶ$+cD2K̃YNIh}3e+m_DzGBm0KSId/rK?K6 -DQU2-|YN2ygmK̨./jf2l`٥$t߶UMN$Ѳ$v+㓮gc7"?/3|/*y=1׋oziE2eHߨ{îGmcſP}PY:ж u]';K6k Dɿb:B"ϡ 1''n^v(BmG ҩu͎42  '!4#?f9~OV]owWu 'GBxCTۏ]%G ?=N^ B[=3k.q=i T6)ްt]/y dYg68βᴜp,apݴc R\Ap֨]gٸKVOM" "v ~=/mpJ2OJ_B.ek.̾‰+ Hi.3n?,]"HTBK PYtJ hnCu4g͵ 7}`_92v_t?B6)^ 'bv"'O.B3p/$mTgL^a@|B3\b-g^]RF )zGGkJ_mްp2"MMB6ƒ(.D/paSfzT}('#:j hY(@/NYH|^) #eMev,aYۃ?aS8մLr <7] `_ɫC2L=+EK&l<`n!u$q%|Ai ۤ#LP,R~d8$)C-eO_%C} sd3IeV}2Bݺ#W: Y>qs#/JҢAgFX+Z΄=ƚ=, 8c0i޿b. +sYA1~Ȅ愪d~ A;Fvq"#^k7Q~ؽZȄ [TuT̖6B#Ӷ'YXna؎_8 D&᫃џD'/N.uG* {ji%_Y~@3` AYptpb@D%A8:\aftﮅvBѶ߮IZH$;M|c&=Yu,$γ2e' "m{j\,IY/ Sꖴ=qDw(ȁU!#; _u8rr :C@/:%>n()NoIjʭrX;ةNGѐC!1r:  ?thg_e+f=RN~fԙn$M5>Ǿ0&F`Էfd{V `" 2gǂQWW `Q>HI N6SDP_Qoz>[eG/o{1-K"82l3 s5x;C6lI?V(D ۥdiJȣ~91>*DO,^^A!urc(,fW 6(^/q{g1[Y}).v@늢G]#zKgيI)FGm B;Be+.s?LKi6{6;3TZ۝1P/QH caJ!m[#fpnԈ#ӆ=+/%ZvRg֘MOvهIؖ.ohqYanfRNvxc%`n'G~8i5 ^[ڪ4aO?A) ^~f}rFJ? 
,u-J { edbi2`qSPMUh)2I 0 `w^wMoA|l0FĤ 2W"QO3<yA%3(֝m'Nw '&)}z=F>32jdz~d,ogġr x|Q8vlỲۚxuR_k) uS&E\IL0[ObEDuqmcG$%ѴalD/}¤44V"z;I4Uuml⃨*7!*bsp95_Fg(R|NH3mvD&%t=6Yd46&qTLI (􆀪 wbNB-+|88Gu~une ԚitN؏?&\A+F3̙'bQdqwQSKɜ?aߜ's\ڐ dEFvN|ҽƉ`qb}bbU1|Uf1/@93q d-MA~jmQ2': "/tstoA.1c,[u;NgH3"&w(Wv=pOvCtf(¡!ņhHT6'̸/u; F7Do :U^[XCk|fZRR4r1Ƕ4㎢ȼi~U'e[Ewc=Un6 4x\g)]~nt_܄Z'@m1>¥^ky{OBalm7T|{!Ԥ"L79CnbKư69"l2T鐘 Зy1wFaYкnǜ8ڞ!}[!:q܀ .>ȱѐd薶X:VUBGA/_6!8*S7)/ـLu|=h&4@>;ʭNXk|706.SQ?TS"X" ʭb|ۀL:8oI$Hta !xqĠ͛ޓ \(Vto禷r%/XaI!V`R*˫هۗ-Si>Y!nO)g@_RK0VVfsZVPLml-n2nP0F`u ƿY}0geA*ho_ӕ*'`$h13ȣl(P:xЈ}sZ9]kWrzՋim4'˹/1}紂|zϢ[$.lrG))foO/8b)#9|룈N.~am I5hy`ƐOk KNp)laA_לOg Q0FvweV2V D(5 N%W0@2~(\Kh*aB}qa"*x .jant mIp7D#?%pT$8YpfbY\#+#tZx;.7l d"'qVYDBPjdN]* E[% rIens׭Eo2 m\_dGMys=l>dzӹ&G3CYqw$]{?t=)ZrEK9`E"ǣ?3Ngi Ѩx!J ,7wfY!>l-YF85aw-K1މavJpޯ|I΄Yhҳi0X8FjwgD l:,і+n ƒ ŷӞ&n6 -F.!-XNTC8{p4`(r.grt޽Ɠ)WnCDSLS(9P:|ݻLb^E m )hG{pc^@U鋼ZzRٻ%KG{D3;(!; #s.e-8gSÊv\+v5V[ބ[.^bd5@]syZ3yVx䚤JE0! Kzs#@hugs`zavÕ6D]vUg\)K$|r=eTŨۀ1s=nō!ģ!G|1-HxXpT$P~[[=Z|S1m{H;v/R^~[g%jR,W,*-~-`R4yl-_ڦ}D@#+NEҚa ,:R|dfQ|vgǪ K֌Xws.V7غ0d1eڹҒd 7zAFڌ\WL+/rC0mj$${Ow;[8,Ͻ,ΠYŤ1IEEuB9Ч8Mۧ!9׎=瘞ʜ]ϟHOZ?c6*hjg ϰGڐ*YC%Ds}x߾/^eJI;L"XX*/ ֖\+SUkutsvOYϹw/Rkək;"%g8{-;rZBb!"o|o&jIq)xS&z# д ܪ3"xm l+f Kk>Θ GsՀ|hv4ۣ|^s [M,.n'1hHO~x!*JbbK<<ʞxTFaUR-bSI 6x}1֊J($WR6$_JnnZ9k>!cǡשCk(B m51zb8G$E>*yNvKa*4۞l?EC"0;N|,l 1p2z37vmDIZAKv˥)L3h%b ] Z(NDr,AÞxNԇ1^AŋʙKx^BfqGds%|x ; ?Y3ѫ Lޚdۀ/)HoqWX IVϩoNcWU4$4|eP%K9W!@3T'1K=SѦĉI܈X("',)CׇQKB>"^+r@Ӽu?9dlmk 4 4 5. 
rh~/m3=#@/(A|mR~nUTX_*TUguYhu RLWx+ 3J"bDᷫVKX3}ward\(v1eG HB&W6goz@li?R/`)< 4kI[$+ 20 e|$JXx8 gz4̀'1Ts-av%ָ j)\'|&?h[=Ă"z|7UFB]hm\<.X+#x+őaR%!t  ʽn'@OY'3Hź% 9~^ظ= )'ih1:HG*cI] )T-erJ k9 $[4Ė>@x*so3#SN%/~ ^ vrf Xfc\$QO//'s.8QbdK3ה/K <%V%$/Zaoc5v]+Zxo=<°P)#:‚nTZ`z vLQS@ )uZl7Z^#ls Ff̽gSq-i^Xn˄QmeߵiSy細l:*;) `=~ mgl:` Mu 6؛ۭ`Pn5;4;g4p6+{vc-HM˷Ț|x/(G% t_\_⓺@'_6F-"Ⱦkiu6gO򻎱qo"jWGÚ[ACG)m7=D~G.q* E,b׷(д(92{D- \6Zӹ-(9{ъl"]54$FB^a-hB5TL*j1SFGK|15i^ C;~j-C{ͱCnw|"5R?ƢlS-"kqt-DMY/]qaN FǾȾVlE36A GT1(D&Ε \$S,Ý@.qu[s}I1eFB ".7ܨKy- }zxpe);Ɉ,PL@Il elj',߭+k9"~F8_کi;1uqJ2:nx/3x)dя!!Âi>+(iW[NA_L7mQǂ-嚓JFr5%_Q;m8Mx{&C=L /Yj(w1Ke |䥵Lѐ(p&+[CŘz,0x( |S2Z ]>\)TYv}? En*pUyu s;$5v5jgF,o+n_<;Hq LRV R\VnԐœ$2裚Mʗly!r vbrk%~G_m\zV6Qx,@%_۹QAyCk-x{;H i?ַn[mMJu(X_*51alXxyշsTް\#@{ /gxDR揌vn6Fh?4PE=d0F{o=[S}/R@wϺ'i̒g]:ǜ-4R_HʩW݆QdSc](YǘXKdп੖wY6=__}[ k'5ϊ>/H\[aEzRPר]ߔ2sМg~5Pփllz3^]JFuD Іk N`ɜN3K?*㗥4xj(Y- 3qu#6dA0 0:$ȦS9G%t>|Ux< vagTd]xgAu}R$5]'p}%~O((,?g[VӚ训>`rāT[5let"'TIn&5cxr6S&Rp;Q|_f$jinBzG_hE]iH+^ O*a_ O"_+,aIA{^Q#S'Pq6c'Nf=N4revN60į,(kzW)rzjιh< 9k{7eR+o2 |`6q',,BP6DǍ3aK5~,ҽ΄[r7LL-|PиgC U lg$0LWdMŃ`msXg P v^O6l(nZﰚ]9B?b&CƬ@q#OUfkŁ|@:BeT~qXlPP-  f>:;}a 2v9ڵ|B(ߍ7r":UnjUXsim7[ /V* >MGv~"CQtLp !I``JRht"JZi ^agS5wB$:N4$ *j=pB萭B s9B3@8_J} &>)wp㙅৾>WEO]+;= '$NP0֜ZH(,ƉIn?tN/k|-vΣbl[Gjpͻ]+K#q+GP~"R6d0TH~ֈYӶmn"0Pލ7~pq*"H KԐ֥! (J;0t*2;K9 t9/YAʍ8vBבaɈ6ˤbm7(EŐ+ c1Y^nWRD+[.[TuOIUrRM:-ftcg&4).+C֞)}.d$RV鉟jg4Ygq% ]e ahyRSmCY՗b,$[^Cjk.29lKy:Tr43(%MNd RKAi1Dک<*DpYhVțLzZ/?STڹfI497YGYrZh81! 
"75(}>")]1zRq Yh[*"A($Nmq<1eǡ(rZ1Bۛ b 6ʤ-"A3*١,T D;q%5dҀޮW"yEc,a(VތHq<}ЙmϜ2ދlM)^tP; WkI'~(-*$lŹ dLfRkȟo=n)9}?)>Uf*9~VyD:Junۋ"rQg[b]"G:|hJwt{{-Ӯgf )YF7qʩ^ữ5!N~wI\s~th`R:~@D+~dVP$5`?+L̪ACNIK8ʌ[Fz2l)ӁȤʰ y$Qv)LO :ԭy.ZRQ&cC l#8/)^DA1c&'V}aa6~"=!ƥS`l- @#@L5߈D:Zbyǚ(/[~Q 0FPI՚ EwS/)P!J yf(;Sr3쨈4Qqj3iɺL܈(C6(q>AHB#K9<rƻ.{DϾ!Pេ5SQ7C Hv>% U_ ]q=yR[ {s2?m7Yq -ӸmtjZrJс_$@ Ϻ3~21)$YpO9,_*Vɽ4O?Oelj W@غ^4yQ8'Rh.QH k DȸaGO*%0mRq)J2E yQ+0 Bnih/y"њo<ޙ+ô굡q(.$-Ѓ:M*8DFdd;d7{;V47xs=ӽrK%Zhw}D}H(9J ˆtK/v|aYe}2_ KG4ɔÄtѻ|eGJp}PXϬ\Ub(|}|x% 3Hoi2̎E틿6dz&0{<HL6Aae*T kl٭<6Lhs+l tOpo<kỤ[V@nfٽJg+U~RHWA-lF`@i((9& %~˜' #8 .jo/p&M {IO6m72gCcCHMv#BL: Y׬PġE4 k9U!ËNz/=uh5g? $m7;t&ztt>Gd5G Aj#r嶅䎞0xpu6jwaolN'9Hc>!؅5q${>A~\-4eG#q_hpHh&OCWAG*͑nj$84pny .*m}wi4Tڱ8r$:*OiGB">7KVb3oeN!@%Ig<[xk@1l ^CfkXKM_߁S -T^ד>'}^CvNpUp`9KcׇI_=FoJim"MUE}@sV?Zӝ5`!MЮLh94yz=&O_ą=`#zc PK,c&@na\*'Yˠo~S, 8~a[|@N<12OwtQ}8 F*PD(1L>s"GХ0=54pJ%_944q`'*1%FA!^+@qDPv p0jȰx[.\6mO"T@at7z>ÃhW/yv6ŃqeHV2\H ?.d.~¥0jGP]~뿂+gurRm[(G6S0Yf`i۶6zdaEx ΐƴx>x(HWM#3jQ} n[O ˘؟Aǀ}SYTrv:3 bKdwdcmsTSfg`)- Y"!<kx'Fx-IB5AHpBsPӧ3]: kc_ӄ`Y_pK zIQ{?l?Ljk Mf+1(%,\) D@K2<1wSU0Cqp4"ف`R?U+1k٢Vz?JO񼰗31 hs80blЪ ]L@~ַح}؍`@, gW~gn1i~;GY| *S[*2i*E綟ɂxU~ya4+eB^M(+^V`P[@|>zlnB u4K(犠Ӆ$qyqf)cʉǢS s o/ܦM ry^٭ۇ/ +w6n Iׁ('P2pʍ"]nsvqú()S$%7Fmʛ\Ǻ[)/x{?J;KUKhC!l|.Gu /*S yl ~u8ҫU,)$״* S^*l 7BLehg7YY01yo^|=;,FRIa =Y0nUDAl'6`ވSdJfȄR9jհ.tqμEDxRgCePZQw|vVY61?Sm ! SȿS:R[AD]+Z s1P5S'FUddxE=8F'Os4pMbwm.tp ;찋Q9j?!;'`#,ZfbP־ MMfngeuXF+/ 3֪H3c.N6LyotX);k߀w|K&82Ԉ3A7hXGayt!GntY H9L k0!""*!/z#n9,[xQ^=x.㡁0]Pn[;|i>ϑ}#I_>ͭɇ V\-1SlQP oDvp$2ͬwhǶzJ\d}ԒǒJ#ӿOm|X d҉o]"Kڊ̄3g1X $CrU _$Mr5:P \6%T*(LUzc3c%#h{qj%,TsnL U 9m-+l6:w7*f|CSpX$d1h z>!#G1K€48 ޺4ި:um!YkUJrJtq;` ?rrގLRQ܎1$i5aLhڭAcz"=h|AgG97`~Yp GWF' l=gז&.ْ6mK揅{Qydu RX>ӓS,&ƐXҨGzn\b-^:~ַno=:;WmUhX1igh,|/f9H= 6H 5 ιd4 Ŗ#-tjK&7*&5$2OjD0sA` >nBfo8V4|c[-% ! KoFI&| \X =&WD(02۲:Fd F^4`ɻyCe箧lv-睦ofܾݢ[_E'g'TܱdѪ'Y ? 
E%iqa\c)d4qk y!bJdr-;"2v\3xL Ô]ڳ:$U0صP3?g$qЛ zۺ\&wo,LCuOY)0E`l漥a*Wp ZUN7 %y]W:i7K{M#+$aOxoa )eFm4@xTi~zvluL'.J:oY^ZzGK5Ze\p[6 Ƈfj.Y,;WjI% _L'ϩ1{J$9Lb)/9& M1vҚI3wF~;&?k5(IQIa5Kj-^\I ~GgX8FiZF̠DQ ›?cm}sbIH u5pΰЂO%kr \D:̂T TwȲLڦ@y@a$UaK?USêw;݅&*`X!hUF%$ \z33E][Vh΀L~d7kyGp2HgzO`81)|`K!ŽТ4UofNdk͑L?5BaM75zj[[?HODarT9Skl2!n׋вA6dZ].39"$x^ןDrYjy9ʿx5}(htMG}$׀uwZ5S (97Ug{| `IlIYb+ INN+蘁.,\e9FsVlS ~6YY( .ͥX@:FW_zEHzgiJW\V6l Y3vJ4N.-T4l`eCzMWbV$ Х他G8InD7ܶ~в 6=#ƭMAFM!h'' =āĉ1qyp[_h0CjC.&sNg?Ւo7:I +;/5`F|2_|9Wg Sp ?* |֣KYY\(s1zz 6\ \X=R =MƜ@e$WdllN B52%WSO7H)"3N]p.i;N en.7s!wiU_\ݞ ڞl<*P/ ZQ]^%4$619N?[͠Dp'`K|0nqLeDxͫ]Y.G^b3\d^tdm59dCk8s0Y2Dn(N܈F6}+EwͪqMю9tW>ǓH)N'偔F>(%''_=ǛM<ar ې>V^e7|{fŐBGϸGCmt%Q'6Rp>Z`7֑qT"|es3z2B:Y:PΘ]x> չ"D^bWD@B?`#\,m9@Y_Nx]WBP n0h΁jypaO5$ 8""İd8 fx'< Cx NݼA㞕!\=;,kX'5\>FWK?=o7jÕk XiMb#,*Wb N S߯v[ᦂ_`Z>pj#[`Vh^JcP{6oV|ܕG=IYMWwzUwLp" #ܮU/ӽˬYnc[UQA,8X$W,8W SIcge*4},F>}ɱ\BV(_R{TYڣh |<d&ZڹT’lժŏY}(UԪtAy:{uK< rrttͥk0fι^`^F&(| .͚ǐqԀr(G~1@Kنf`X=/'|V#&At)\ @Y%~<eOyCCR_?lEyӰk]1 cb '۾(6S F>PUphWxXX'6wRs!@lu֖"gF鲇#ׁ i$7錨Pi-+~9unUm;kk!Ǿiiv F=L 74Z4Np]1Y=s1ʊ* C@31U mGFR3O&MZ[ɠxuvST `nm"Km;$~:v&G&GMUi<5RP)r Yx([z&HD%hO/b4f1ZayASx=ˆ!SA7u$eÄyK<Wr(j\LdJ,Z%hi2b8ǕmO7fy%z|VLԸ (yyW͸A[x\dx)?@ol~騗ԧv,y2ĆrIdͬxcM<=3q]| }yU;'Ytj&_s,㙥Y)e&;u /-~sU;5&"~$s7di & *2v')jᅘ[Jg;-+?7RcugQ1ٌt q m+•l-x`L=4%, F@w_tMM%;Q!n"7(Ǯ'0Q C]OXĖHMt\CszW|N~ j>㔖nsbXEQܘ>9S*tx[* 0O,DH̠o@Le'Jo ʂ7c} &쫽@g8jֹR$Lϋc}v{:{ј 8EA]EN[ޔR_\yɯޣWA˥N8,Ol":$6ڣ,PU߷AݍԠ-/LB$~N*57`F[ EaF[d$<'968(-轚G _94Nf[SŮw (QK}SQ5f~F>1 ´0cڹ~ն\̎BWԎrLSӗ~5$A_4ID"o4D!9ڦgxA99R2y R6yxoeэk xâ"HP&`,M (@ŕ{xCSe336C.vb̂V)|5Sӊ4U YLQprlNG`ךi n{a?M-=^e.l:;ˬѥ-&ga|4y:}rnJ"ӶzφZ_gff7dW8;)lx1Aז8sg,bL1H 0]5Pc~5;}"B9Y֟LB"{ y)e5L;r"-"_P2Okj+l-gHI4J׺qN z,` @a(+i6$DwF{68.w&<2@@%qj;:#&S-R<ӐQ>]m;m^1emS$ĄCltԮVC~m?ď*qU_h4V/>p\y&QbOA 1dBg5{y4&"|&h]T}@>@m@'z CRFy5d3i]šE|`]*BwLХ(蓍G4 bgD=~`~=Fޖ%b?}?Tۡl?QkVfάCNޙI{Jf5J`@D{P^<ȿDʰ$b Mlk&?СnE{7ӧU1\>!1+ǒ=(o!3֘]*@TQB12{raɇk&LNDDiv0HNMB"E_'1^aC96l]?qߊ@ (jGiTnTUXF)n 'f#ᾥ(! 
@q]oJ֥ŴWu=f_R50O#\qyi{H RlbK̯}b#t@m.51'FhD?}΃X7\j0fLn/vo/Oв/QɵO/4`Ң(?y(glʃCoUhYgW)Aō o^*JPu:X].uUm8HQ]Q28M83T/M[!2@QK%m>5Q"Ώ:#*C?*^aہH{tղKJջZh,@l;,,7E|B'ڊ.([&/x~v5թ +,% ,kwsw*ҳrݙ˻$"s y<&PWzGI WꨧLIk4@xTh#1WEuKO9n՛uE>L)LοGHNҶ-&tCpq*yr][9VIT+Dҳnapްəᷫkүe)37DȓCXZ녃*ݾs#ͨRl wGj*yʝ4WÃJXᄍDշRx'C'ɗvT! iu0| *| M)P3-eǹSU ,5RiZb bgd0D0S;~~xa&ZbIEz3C.m߻|gOwoⱁb)FY?]\i&U!no ɬY4k_[7(78ҸJ I,oN T/upGdۼ-|'Ʌ=Mp֗ovUH3@@mqW#%N q7Jm?uu5r5*2¤38a}I_ceP:i%.qaXv%LrsQ4;fM&f?o 6pݶ.Paj[nD) P7޹` TkUliS<;@b!, p4Ya!tڐz.$p G>z pJV@Ļڰ6?D ݾ7|k 9W_)]I} {)@90^\c` g]CLʜV?8Ђ 42X8>>Y1({9T2r3g{Iӷbĸi[ɪEqIbHtN gV)UУc XV8r(oC&efl&3^120ٞOYg+(iWntyVE-DzQxyWhKkΡ5D}t&yx'P"zwt9e"!Mtn& tMMb/l5(3B+VںGSIS,%ݦ0Ӂ,T4mLa^VF6Գvb1-QP|Gx1o3%Yt)Ôk˂sksciI[·Q B'?DŽڽ۸C_R4AK4#m궏78,"8ۖP."ʼw{ q{>#Ӏ|bSd;e2G뱦%.j׈mա[nJX@ؚ T[?{/5bRb LizΦ.N&mRQr,G=4sze7,1]P>C FMg5ZU餗oӘI@0| hUZ"^;su0g  ƟA$;%R(ͳ;YӪ\| /;#[Y3K7!W=yei-UW>8Y\(;[I[.Ya%\j^ `A=h}vqWP4샿+ح3(5P6oDj(#v쿅%0Ӧ{=*1Y͝*-KHWpx×[)˘]"U2%qg^ "<1?@"L3Jj f q~W쇺Ebe8Ot)ե?&4ƾsR,Mr2zfК}Yx(_'G`s5$--~uc*b@F9Ĺ7InEd(ÊJG,[ N@m9`gz=n%rX7K?|pyJ@[.N+H)~C&hj0ѕw ~ k]_x3 A\&σzQDkiMCṥd\ROS编Q@{eUߋpd0QLM8uP Őpj-܆o;w[Tc=2u\(N U3QQܝ~ {*^yr7IR;mL3;<,.9KMX-MIϦA1zيTÜfNNQDFjDJ`[aI[`o! 
V J@sQB7pe@ h)LpI4R7d8~B*Y]&&] zlߒsZ8H sw]'ʘRtA.vSZdi4ٰI=cZyNҳ"wBٵK- `q{HXJ"Ih߼qgLm@1J9ʹ R _Q_r}?k% -=?P)FG}:2ž]Qttq̽HbF"NƝT4 &#ZS*,S`;UHW;d>rۮ #N\2a.TZ`*O3̄J:@hL)sڛ5o<ߎ翶|*p5E\U|*BtsLP;hQ3Lay0%te3½31C JlzCz 7;V*@ݢ IKb8Gj7LUli"h` ˳8闧%rJYHе2=mu⹬n%t%zy"~a&V@!!QvQ )u1b#rS/b4Pl֠8Gl[QEsUf(s*E"cDI!1aYφQ:$,3#6w9X GdB=kk-[1l-~\Hg"́>'WAmr~[ ڧq[-F͉1+vwUL3"^.lHt0%QHƟր BT(TGo/t!btX*qb%y>^uVM ;4mQs +~=^u*c,9\X |՞"'' 0o9 P 0Jб갞޸#R%tx <<b~/ǐMXeA&(,a6R,xb-$HA?޶o!xV؅K`-a7 ud}zƆ> Q:xx8+9V 8o1C}B|VY~b|Ep4.w6adRiC9Q.# Q@U'OG^TiwP^mn|jIAv"zdlKVHr`Cjt_'e55% (!2^2u+O 0aK_Yǥc*[޸\'߳m1򶰞p2V;>ʜW>L~hC$O5^ȥM`X2#>p+6~dKڝLi E͡>!Kt'r$GcqUZcDj|UQkm֪d ڬНZ8tGf?6V^覰%'&  gC )r{ydiC%ˏWU׼D$T_h tĻg?F+ojxrTTNL|*OqoA옿mW,PArC0[mk b,U+ c_;Sh/DpDuDt?*( ;Kf NbZ&8˃/OVп&,=}ÃB2EEy#m~7|MB'XWf;Dh~X 41G*,]F~?~skb:֊lAc$W>g6jeY>?(VBlDx5m!ZAұ"}ڙ1o'~\ܗ;B/(NVNɩ" a=IshJ{!#WoRl(#:[fYZiE*4XdƓHs't?8d|Oxi*cIn9?a`C͝:]xga&d0xRz.5eqS]BGUwlLscʤD]u#QCJ[5{O FgH&>аp↍dsgf eb.s/zzO%V%,U8AY.Ni y)`NNtV2׭[?iO~#\5m캒&{C`zYN& M4?.9G`P.JEŢm%g*ڂ毸gż.8O3AƄp]3`B?uzpIMiCOq>N_RVH=vȎvu^x\Rjt+`^p<4t"螱zNoh +"I;lG ;Ӫ9uZŇҒ) !~w(/0*YUW-ŷy 8ۯV'cj){{_9\+?s¯W?#M4;Z9!",1 heN|WӚP+ j2o9b#aì}^S5H(EeYc0:X2Na#𖐣? 7y dUP]g&l` i%tP&'یolb< EmxKrFGJ3]MhDK(4#̹"M l9_:Xub;9{z\nxhZNQ[l`MbE|ԉZo.YRa;Mz_Q Ui |h*ϧ į15M+1,XG$|Wx4Aetׁp!0"`al<ǃ.l|T7X0G2@Go4EJIHҞ&Z M_$- B=#z. A`W/6Yd? fg_eh#BK&dW=cl~ͫ e '\1]8ESWL@d-ES"ݳK!ZnGPy8; F+xݫ.DWڟ6H;=4֟h9z^Uвq6@{,sy O/f&pӓzC+yJa@n9ԒoWGn./4Ǔ䖇!晌@S}Ee҅ -s5_u'ֿU6&$٬n2[ZȲ!MQi g #ڦ.nd`$32A2ܥ_dD|@$!kҟQ㪚*?^pug'he{XAHgkX Yf+)L:QS$M2rGCc~)E D 3oS@2{jbsaMlR=;yNkzWzf2 {Bzuɼa1vd|5F O؈Is>|otd,:Iۜ\KtjVFʟά(z@֬i^귛N(e-?u ?3Y@jhc9n<0֮1"jKB?6[,/t9b( 2Kl9"LRjb"ʅ?rC/ .lq*: E9^gS9 Wwg@2BkE?Ͷ&;y? 
ivj.`,b~IC)d߻*eG=+Ow@CXMȏ؀Lٙ/0q8=~NS}Dl9 T:L$?FTiBg^@۟ Wo>&DꆰeHxFaY1Q?n~'fܢK@YТ , 7AXpLh@{w CR!D~8!8LKE 2jD0̻9 }7GXbPۻÕBzkz8-^׿SC!ۑx o엉v^ڜ|$RFݑHDO:O\UuO8<=[#wvq ~$ Jp[ܬRb&Bl0p ͟mRkw64t(SYU| Noǜ2sqE͘A~Cl" &G|Yd5;n=4HJ9uT/%Km:S VJO M ,ST; =bgA4!5{w;L<)0"6ي} =qCL&(c`q 8c@GXA#5nmR,VpJdfaYX*m^1o"Uq`U6n>*.7_54[} HMhn[Tq .LuqJ[ 4:64z$a ._PlH4Oy;YM<>@Jz1M >\p'V9ζ~O;1Pۃn;?B@z~aiǟbUEZ6|\6'Bs}駯m %5WszjlPhyLl>H?b[qs4Q\Åd'PM7  _2W]g`rmn "NlehYPOUISGropd6MFCD\T@$ fO7l,5wyS[g#zi~sn{ Pv̥<?+*g38=W| R𚫋iVn =E+ed}M|=Fs- vUmhdd5} Ze홺D},iR:h1PH{.m6/sk6vnmT[N*8E?2;c7ƈP QMwm^WD55&(N`rqLV:~Ե}k!%k,ݵƗ´xpi, Ĥ}ͬ2oPr)5Ff>kOg0NZ$ᑎaR6S ӾM%$yUc8%_T1ZǦ,N687B΄~2, вl؟;:ʉ?]/E\ ,#;Aq-[Q~r DtRA@ptksp:U$ PƾRNR_q,*R~b~=9}2w׋Ȏ J'jxKWU1캿!_LAĆ^58؀uc(0kT+HhM7YpsIR9,٥0-OV3e)K&!aJ^zׯT}Է:Vm,:V,2Y֜>t/Aa͕g*pXKc;Z][BwI(} $H29X96]xgHQ,AM3ɴ5F/P'Ёxk{;g&x"-ܤAcc_~MDU.[ǚs3(%Ĉl3%^E(ÖO I4`}<,ϩY> dR/IL4#TRI2uxeٖkPpU6>¦3ƻO pƸY|T$jhMc`SQ2œTyJL& rBGj0nu.UnW3RvAK_k$w~q^.-U4?FuDZ3X3j-^Q őAՖQ,iK 6?uܷ0s1[`XĢ}l,ܥ>y1e9 '*&N5Mgu]dkD奖 -i^Ч^yJ4C27-mUb1k98Y? Wfi RI#V@>(:ArE;[l/u)IjhKTBn*ŵ:'rbL݆riOlJ%Rˠv6C +Y)enXq$Uf[n?HDgѡHݽ%=_: M􆵭 Ko^qduG; q@Օyt Gr+dzHR=p܏P4ƧJHcr e \Ha(@hl/ `%w$dyd5VF`p'hz39dX$kF}h mcg|Fbn)t {(L.-0z}uטP\;[|N(ei1?6TDReb :Gҡvx Iuꌁ0X}l}#WG>忤i^xczn!Aq?/1I`uA@Ipx8+y vSAUϒ.zC sHLRkIط06{L[j4F?~H58O.p14P 26N꛽Pp24@#Q .c/Ŵ6M}YI2U]3#sc{Fe5n,ͳUoNH9. 
RPcgV6?h-ۧƱm֎A*u&S#LGMT[M3sAMǴ#Iœ&Xgeiu4wC:sOYdA7۽Qi1 b6H[ kYm& PF]=v@psP%^Hsk{_Ko/"O+t wGw{ȥVK-#;: Q'}jpk]qߊ 4 $REp/<2z6)3&\9pge'0L;(l68f x1jJAExb^jw@PʢrU RFQo1~?s-en|ݡQLƋӸe n ~Y* @XYyxauYpQ$ x!&_H̃@jk*>ljTcqүmu4kl@zPA.({6Z|lrk)]{P9p4[svHnwweWfN0CH3!OEuVͮ+d t@зC _r De;s!GxrVH M nzds(TAMR3S7h{~o{~^$@l,ŶuS)xW:D bCdA9r͟n5,u!mqgXP[$Ҍf,d1 [;`;l[19>*gtx2Sx+^!>0f" ^)z(S1]ŽI=osJ@mY+W9]2AH9L<|XP`5_L>Tk@kIc nc9A֘y.DlBv(4#xM#LIr&sދ9e2uC1ж+,K`Kϳ -O#7n|flnT ]X` #m%HQOce*6H?)%m2b\Sv1`]3?jk|z'AfkL]BLnH.{>oS|&^$'^櫸l5S0sȒ uoiV 4+c8mMNEpK]P)OgJuuh ܟ؄:˜Nʸ xb jB#}TjTd6R,\B %sۨ12f2O GCeZk"f۲E^ܐv@|F߽wI72 bhz${(o+ˊcQDOjM\"'S1ݝr[gvkTQi M@pwCT`hv0/u HZ#6UbMKʛQE"`uFoͯqσV߻ulNl $F#\yX8dǬIl&qh l?|+\fqPhUlZ?l2~#TO!Y98 :հastDzly_4)`4`*r&U3a kxg10+gFxg ٌAJNdL|.+y|:*,)Q9FnDєuG9ڟ8aw0Yu! ˿XG hb,V #!AKOԫ=[}l{+1q{so˓x~I.bMs_t2A |ɱ$'o@#7@5ə,끑`z+nyܖ5oRdjlChtM̕VP!dL Y28XK-!H\ Q #O?k1\_ɝ2!v3~Q]M8nh p,~@2&-ө E"qq<4 @VoH3D}tɬ!:2Érٗ>_ܪo*oրIX g&c?AGMU'y 7<7-4;2DzlVD1zvki|󜡘>&5g8Vп깂^}i!f(K)MT@x{t϶.WOԀ}G'_xռL4SU֙$毽f9a+(ts,z?Sh8/T+I"%t朤O H㲱ZopiKK;VkrޣP321fh#HMݹEfA^TKXhǒy( =c|0|vW> aX>牏QWht$JݥcI~s7a üC%BIqL *4qT1,_ijV>txBS p\JafvzLMm/ aEp _p8/m[q0nBHQd|EZtU\<'w"ᖫ{n.-U=ds%| ;#l?%1ig|GyfI3>9j.}'k[ #g0.+|HR_ÌcО=N=d}:aZ鴗P1C% MP;G<c-d"؆g1SH^Vt8x,$|xW47S^94/ ҭSD+ag$ B'Ȱ\LZAOkn@ v F;B@ V,)P x6j<$@"i.ƾ2 tpwcD*լfwq>)#CEGL\wӜ ֧.-1moaYVZ7=Sֿڠl7^OU!uQe^S-|Rɰ7ӑRҶ-O`= dBj^ Ǭ?D6Լe-ϩ\CavJB&(8Xk.o~-"Ħ=Y-p7>3 g,Q˫HEzEoSk&A̹7J>ڦ,L@]|`R1pko/6ͅݗ %{YͷtL4̑"ْLq/}J5D|iI >ykI{.}X!2k΋fDZf{^V,Ą`uT5K1wol= Nh()@CW.o6@M:2^urnŗz~͔2V&M{us͟4 L=WMB7bҡ3eHC>DwWe/RCSthw%77@8-AE&*/Eۏ@\@c`4dS4A]f,Ll{RGg3 '>iQ[ ܣ7 e}^3mn)RiއD+rLcn."RXv8::(wBqeZMݬrT (7g%dZUDZ>xugJs$`ɴU> s,p:AWLߛS CY%Q#0V%*~@E-z"Sg 'xS偄g]CxQGj9-e{WT#PۆC0eO/IetOaԴZ@~߷U< iYFB˦Q`Tsd\1GӶ*SȰdz y٢J-XޡAA5smܻ+@뫶0\PPj؆!o}|:Ƕ–b^|TCE? !ٳ#?mId^Y*["X#ٚOTvgy|E-aKnpST.> _kVX/w=mﻞ]Z\54,sXzaH7j~X-cR߰ԍj9z{,U͟Gǭ:EcV md?,t}ِyi +Lcds!Bqo%gtSCt'ӏ׃RUg4w@ǦY3f2JЦ}ѣP,_; xƧɘdRNP jSg [Q)^LIxl@̉ ,1wuVy!;a[x0P҆e*p 4Zp leդKpeċc| cERisX 0ưO)՛SW}-0o١);>g䄋r΍"?VeⷴL7S(uyC1EY@hd$Mdd2X},do2s." 
Ʒ.#%!CXlAʔr2ѷŃF 9Sq dd| qƷg`]-[؞>ؠC N] .xIK9:]4O,8&O(&t ˆ7= C#Dr. )~4זPC^ea_<?TK5SUq92~ YG*GsDI t^&E(!w[ȼB oMKs杸,KAk͈Bf"}oSհ)pVw\4cEevEt"XpWI?$ұ<3g^_U/gQ.A:1.Dsn&{JOBvUfev0RdNgyCgln?פ=1zw/Lߋ+-N`_ynE*~"DpJ.#R*:Ee_c+ 2C'kg(jjZ;?_jPDp *ClQщs]q[qunݱy/D ^FrG304=] V1ýH.y} "H/Fue%1,ﲯ`apz3F, FGL$rM EQ+$x<9;F-QX/XhY0H3L7\3W*()5^.\KIwQ^s )t:e5M8ɰvBKԞ_qs&*DˎW@_.BpCC l:?}b_RgOHs`7Hk6:{_[EmD܇sߪ2Wm#_dk'~OyeQ 0ǽt ?E17|Cu(:Fր&>g2K~#U`2L$з^WR GUƦ12Hn ErC1IEGA;ϙMq7i@+bE~RЋ,/jԅQ*=60[k'G9Y#5m=gSAnXń-eˠT`vCNb&GK(?'8M/md?3ts\{Ñ)ͩr9fXi98zC^(9Hn },}\(MF^ e"בe8?BQeDxlӈ^UHhg=Ƨʠ쬟 S_kͪ3!\Cq3,Op4Q8Z}|G<VH@ U'_0Hfad6KR ̓b| A,Ma%R!Mrj`!ٞح2J. qtY$6Lɭ.L2R;[d|Z>ӍDt!kF eN1v s""ʥ} o)0x ny2<6j O9V^7 cCK +YsfJ˴ }c>@lӣ7;F m!$brM)|82D([΁;(G#xޛt &o zF;BA橰 f?1}wD[n"l{eG`YBu[Zg 6޷$qa %sM:Zaӽ$iE8"{gI4qq(AQsTv)H1E(3x޺b7*]|m0}نz@""ig}OYUpQRHgJrPY3'K?QGO#k(,Wvd1,50#??w<[}N|ⷡ cI+oC|'I!9m7UMIפ7\cRVicruNjq"7壡ơ*pq&Sܠ|;YC'G'ڹV2BĂIEwC}f#KZƠ#8/sz۱[́inmdށ"OkhU5L2{@S YZA %ƥ9G.Od@ G|*1]enPүw 8v(W7Rjщ]PS& =';.GT W] "MWi蠟!n936bLuţFK>E7X^>ja@H }M"CL!7$V2t8XpWBÂ:IPKSSb0D ǩxIyh05 Z[Ҷ(w]9WI07 fdU )&%8vD&5|{e)'ie{3уQ2C(pPzi^t^Jaa|TNإ)sU6{ 3l3=T5`sbh%jVV ϛn9Kzh~ڰ`Q F`#"J +)+/{Tw俫ds,L_?f~TƐ !-)뤋4&_vh]P, ݊vEv{s(hhG-m\}c1v/)7]oM;8'y.A~Id6Dni&i| }z X­ ӐOJd :D-8?(0p+ZҴ|σmJo=l_@v;77TF/׻;_ұ5_ &dkFߧa4Hېפ{|#+#<55SQ,p!@Q<ʆnzr]Cpx O+FY檝#pӊX2U /0O |Lļu^؝73UpϪ8y.#IUj˗!x B4$V.R2?@xNFt0?y.@ӣq U| 8;!M1Qk9؇xYDv}`l G⃗!Mԁ̟+G7;"9XfӰ'{bΑ+F?|(7]qA=;oG}HmՁꎫV.&eKXbຈ rb FF$]GR3ZF'd\x>$FhQR{3 ޻6\Å3!?+᧭qO[yy]!J2p'&-XyB2<>cϢ,$onf2J:˪';őפ/F2 TB܋*,Q>/50%7whZHKZ7FO?{@Zل"B\M'[eԁVUH ^79DHk`KՒMw·VHu>*Μ3mq0iw:?\]>-%ލ!1 6z^Qw;Ci8Xa;m {Ҡx8Dw, B,>8 >vF ûMrhMw_eDaa\|ꇭנJH 7"W՗LHJ0u]7 TVՃB<14SQ_.whhey#8z)" SLS^c#mN[y2w0 ~&[v2^!:efIiwNyF:4;8+((UJ],Nk~&-]v #ˊx+ n øyW L3~*+0Di9(REtk/9!ӳN&]lsv$jO]\J0Wo8omW^}m \C'W"d^u^Ib6FɵQq(#KN!1蘆mﯿ0N<]&o͌荘37qQ0lͼ|Óq 0ٟ53"nNˊ/f/oX߸8%R3S ic'GΒ/"g%8 93@+ s4uuJ=](W1>X-J K{Gh룸ϴ'fC8g-XMmi\5Zޤ'#AKjVaj{%J}#1.ɈsRAy{;wl!(]ޑH;5 /GЏ2'i*wurjBG5Zo6hͻtAIqVk+lSTatf=DGĹ(}i,m3E @HiCq57(--_Zݯ eGMFaR,BHɊDCRj{&mn  2ea`S֮# `&qγy!u{^=ܦW[=Ya!Ƀ̼; 
2[6I/!4|<YLk.) %]6S-_3rʤ2s+ʒ:m_0jos9:hH `*) EY]}_U',G-/h;VlU;0[h IEHW2Y>vx5:+mջ—N󾺔Q 8ޖsH-kżj^tG]w;mqPM5U@Qp@j] )x R;D 3`EߘxGV_Nl64 40+,) =y/-ҝl>8F`*#4cK̷9y?$ZXQj-{e3?>l}Œ2ydWX Yynh.`VS]H෶1.e]橜g )י5̳cFhrWowqN'O_i76LG/")^|Xq72ˋ^gل|u.wm'-/paNr#W6p ퟈OF\cwil$!T+R=_ q}欠qi!#&epot.Af|GW咵<Bd]x69I ^$Q")Voejr^ ZA$y)<.;f'R6G!7QAtk.w]10`V?Znn2ʊ--d{H۠vyD<{ EWOǂ)t)`h88 Ɓ v '9 HGF&G Roe%xWo\BMrOaFl`( |;Cbo\ k֨PCP?\/tp9>>"UdMB5M[НY".gbou;qfL_{V:I!LHG"~&bWy'y9],hIǡ^(@Z 4cD$bUÃMs яl@t7p.nNTװܓwpݡL+ e7D?7i!+g;2Ȱ .R.2,Lk- E quW02,1ea1ufPgN3c>zu8KMG 6ν)Dm]ǟG082f,5{Лv)n'NۄXcg\$F+x"S3-|U#X:hx<._ Q LBwY_Ga ґpf tIr8hQ 'lwsfbTFIT$ G?Vq̢#P;_34nM S>)P? bs?zTg<5/Q'2MBډR+y儆`M =J8'yt 70]fd籡8fշ<&D,wyUب9e yLSv"I oOjч~'kcNߔ2y$XZ2Wrk PW$4ۧt.t 0uB)##/Q@_zb;*Advji3о?ӁLyZ$JTSAF[Wp|N-UBH);z`47tՂvk(s"fZY}5Sʆ}129̷N!.%$>VYT(n=Ǐ@Zm?WWdGVR\?+GS#3o!B`GAsU%Fo8Y$m6^Id=a* doůLT*܉mݷYY'; 3 kxP_!3EV3EU4 > }ĵFTTO}pӹqAy;И8~%&LLm"b}wՊL4qbQ: 2U}0`;KTm1yKMs iP Hc=zE;8; IE W8P/YAi-D=mD-F6*c_{ jOA.6AI)}cF-y֬0 ] 3+-Ny7ZIsY8CdG`n]dQ\W*V|Km-aK|emKp1 xBۛ,F?t, 4IŰO룞rÍQ-w1C<)_za(=\ǚb?!]wYڵcѲǬME`ջ{Q^Za3zEDo(_c`ɽ U< '[ S!!}i4,fF[.xXhkJ`.@?L"i?%t%sBhL4$/콝e\\'eTjK 9)Q)iϊk^hT}5)ٴeZTX1H_{9f7q@b2sPFOz9'VO;4.JVlE'ЭDJ|O;^BV: һ,kms6A6DZ3E6o; 2*踺p9?h*}JHR\K09 \_m@WÞB2>|} DeB+VCNBevBbTK1?e. F@5V`_ݼ}\\_O0rMG$=T/gF9. 
wBcbpcTcS`/@̋&IjM즄]*1i !Oehش=jY֩_6}Z+3J< 7 OIn1d+OUKNǹK !nvfz#\\M7ۙcewL%A)H Ag8@I8 >x>A6%A=*#\ ĽICCЋҋISG@W][5Vr;8ˮViirƛ~1Rmq\P]mt?rW #Ia =fR-B .|0:ytn_c6>ӎj .eB;T<S!W߽bQcMfXC 84V  XX̰fxm8;FL鎥uKb J6Qv Ȋj"RO5nܮ':{+H~.[x:=ÕZʣ,b?}PT/+:q|“>X2/'s%^-,zv|F|ox dFL\DM (͚]]%2$U& w/xt@GOѶD2F^ c#f `蘎MaxeclнW84cg߶jw\[50ZE[TE]:'3nJ%`j7gk߻E>;C$xcͽ^iL+/^7筶b`\cjZGid @MGZ}AqSr9uP@ *| gƛHP+~@*l#%N,n\Pg>EbN>ejx.R(x~aQ WO4Ě&>9M æNE_VQ*q ̥]M0Zj3t}k7w '(CPԨE<3ڻ %̣Ώ7]{1byEoDž\;1)+#>rvR}ijmTDlte!AE!-Zz}gdĬ' δ5q;3U8fT%OucRŗkLJ} )29GUɦi TdNt4@]{`XKS ޹)M^oyc u&./"?pDKY?ô&H}D"2"QA1ʘp`UQ>[a 1Q4*f|6'rg`$xdʱu}P)9 9-}$ZW%{Yt( A2%Q  :7;J54Ի?0ѼlkϮ4ى?AF4aH5ɆA%3pI6 k̀áȆ߶"gOyJH a_"0}A[OL+Z:TzXU2BZvf걱hvSpB'v&Q.3s"Vڝ'8>{/\Zv7kJE,Shuǥ_YDӺt:4vw>ʽ]~i@ȀQeSXO$e5su#q>KhA4x)73lvȲFJbGFyM+LӃQⵀHڲc6ue^;zʥ:Ur-6 '}jj2ǿN͙eQ  HOWDRI7D< 4oNTNǔf,ۂ^m*2W~z#ܮ*.^׷Wc3*HC_P"4<{h=0_+!qVQ3'DA?arSi6Cx M~`Vʔ&^ E&#% = $fg䱄F!Î=s̖ggqP_0͌Y F?TiXЉ _bD7V 4։dHEo<mKx{{Zv K%}j K-A+i)UB{;@)bF̄c[W֟'f+9|DžzM4a+c\¬<}aE?ݦ3G>!}*fFT.)6RMr\oMUo3瘨e'xr@,QuO2O +eߠ (4Ӂ7 , +wjGaJL 93=lс-)h ;fj?XCI7|jB$qp |W꒤jn =86f5xV8:=b'>H"JGk}1HCݏqDFhƷX cD]-oDɽN (tpuR闈]ȤdOUs= zQ u!O*//'vf:܀2;8>u$! 91rR2E]c]L\t4:zIA{I{ 촜&0@ 2uh 34( { fB\W1#io\"àiU=Y6L8Xy L1 @p aHQxA*56%25p!p)L+鋉۬ SҹrPT|&qa3/r [?in WP$SKA[t}"- }UF [ĭAwB`g5b6;ktj}ht~>?eKP;ʙ$a{I1'$oH hd@=>OϬYۖ~WPKCGe: # y(fCW$ O0)w$\alZZu&x2Klּ{`8H04- ҠT|KY][4. }bUͦ}C ET}3jKLnVTf"8RE7g|(/RxrF|W>~J);sR)Hր@͘\Zo9ZK:ް#F%Gk܀F&19 C_y;DL&YW9$ zyۗ9 z3|㽖ZUB9$o*,⎆?ROGE$%kUsX~5AM7mCGѻ Z6 uK DދaRx@=,fl0ᬏ$e~=Fo  rٽ"M@dz12[w$T1v؜I R+ U-5YKi×> E >;…c+.`Mx j5)DK#|Sx e{Y\)۶/Ì~0î^%'6FXPs>UduLNC/L0$L X&Z+Z?&ۖKє"Oyn;\`}v \ Cs&NYs@\nֶPGEYؙKKWF`f]S1y@,&\N=Z(w118f_)7)pCm27!*-U=x R\C70SueLR朧L Xi'(;|T3xgj? 
S {3zp/S:z<gR!c:)i nՏ0oa< :^oVQQRZ#N2Zj9;9Fi>L\g/x~',v8w 2vy+uXG;i<6nBKw)Hf[5v$^Z)Hk{ }[ In5PmJ%iT>G& !zbY*`:$ɛbSHA%X31~tg) 8SJ;eNʎlُ0C8H6'44* 櫄}ߚ#+P5@r@ FKrҮ.HrAG l?FQ_5UIϭ- 񢅟>K=WV,KɒŅn>s!+mDХu%I"bQxI7oU[4gZӿ^TGv[O?ȍ9FMA+L"j]ESނ9,MadPO+i܌ z=*l;aZ.rCԕs0Tm<"2 .=NO}#pؖYNJ4#< <9&$s uvC2:fO/in u׌sOg80t 鐧I[ڞn*h\%%j=qkB|cΧ4C4#,W WffjF'́:#G$cc+k2C۵L=wnflDl.@eTi eqPL{QG{[^mk/x+ ;auC^EX3KמsHst{*>˜NܙxdJpf)@2D3>FTk㭕49/i%!d9q}V,TuaY׿kE)Sb^ {Epټ] FH!tj8v,U޵;EX|dOk{$Xq20)?VW]o_A["uYmԹiW%pIvcgcV9'Md 22y]ȌOLj'7A bs ^]ٿOp(L[R%s;$Kl(pno{-UQl*9z&k;;qT3"J3w5'SſI]U]aq"]]TpI]h!B}V0Eò4:|[P/qf7{#y3H9.=Ye]Rq.ʢ`hh%jX䎤U`G^ MH^mʺO"xOՉHki# =ʼc*7yX<\x *p3K逜i3Ao `UitOU{w<]aTEeTc2٭^9N$Mi' zD=tb d !C S|*NH?E{Ji"$?NVlCC8xK0YS![>(_^1z_RɇgcN%͎Yn5zw~D4>xhKSAaLWEFR]Moa%Hv_].Eӎ 1[QwXj>P0i&\4GL 7ޙ+'N|"\Cu^CHSՉM`_AR=jJlz"M4q3COhqpWp l1BrA|sP\UeUr1W+l q䋯l T#)!azJܰ.Iն'8n̵[y ![7:jխ0uXDuM 2PxRԫCM]p6㕥~ dT|ٖ\dh2VaKV,|V6fUGǴ0NH5SIPU]QdWX'P5!S3g~HTmr^oN[΋tB;#c*Tc-|BRbP= (D 9Bmx#dd+:0#6@B>R#ԳY"[xP3С;Z]ĂA2Ȃ1&Rt=V8cOZ+챕.uJ}f &Ncw5H ]:|/t8kY"5F\: fX܊Y$;U>HiK47+7>V_;]t+/ZޥQc{@5,1S` 2ZNfIToCGB`vuv۱OUis`noCbٛO=HWV/@&ݙ;Nǂ҈&i':xo 3-W^)sOWmKjm9.%wя3AiB1}@;́˝'ԙ/Κbjw;ո5]nn/܄=@0=Ҭ:ΗuV( ,͖,l!.'3Ftʇ/sˋ`u rz*эNMF0Pأ aDMzZ [%YT8:u#B7+(tUWR|NO鴰35iX&<=jojPPZab%Jpӄ#{2*Cxk~DžP9_s/foL M0U?!DyU1߾iwQW pE}+L{wR ]LNL~=^%% Bc$c_z Bϴٯ1 7i p٘%'%FC]"3/aduor8"7*-3Au$]ib@0sõӕ>`«rLV6$]: 'DX2pĶZ8#nWl>X\;wܵG[mJyy3mVŵ1{yKt5u)6^l)K\'wȇ_d,FZN5?X,JGO5C܍D9T} AGC!oR@1 I~\5 ;^&-_\f%&`J/@)e' Vȥl6٦M1EДRC֯MDo>v̛q#US(+% d.ud/KBvő}WN ʝqU/^#-H؃Vgɂp^jQ×⠳^ȭZɰq0R jTzOUN6tO"%i]2Qw q&7Hz-[[ld#W'F*?Nx?"|iyaJA^ Ғ^ScةIϼ^KWc͜gva2 >3Go 5BPts~Ӫ!.2KȲÙ@){Őٙ߼sw{*ǪKd;\yp}v?90֮Xx@ĤCco4T0zGSSJ|L=]Y7VQ.騹5}d@sډ]k)ByM13>v Kw߯ ]:rjoz-kgv迚1y%Auş&ܘ{VbWlm?7<3BCYq N' dJj YZ