permissions-20181225-150200.23.15.1 >  A c!efp9|KS- A(p|.3L;7;P{g`x3&8?{5UMI0Of!X3  aD dMO/d\M6CV7,Q) FEmhԫB/)d\WC>iQlƥԒZց$0u_gd44cc7b3b6e2742ebafaa12ba651d48581c9a00af5aae141faede90ec326bcfc2deb8ffcc7010c58096ecab93b09752a0c388eeaȉc!efp9|\+Wc #,9}5%3ܿb&" K_n{8oDn  a ōC'@19 deD#BhJDJTl=bLX4s܄́'tQNI ˟GTH` Madz&׈<<SGiCj|^K|R=SҷJ3̒fQ<8 f&ŠvDf+Ƭ1O-*ԛwFP>p@>?>pd & E-NW mP t           4 a   0 t ( 8 79 7:/7>95F9=G9P H9t I9 X9Y9\: ]:$ ^:b; c;d<:e> >$>*>lCpermissions20181225150200.23.15.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.c!eEsheep20SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_uj9;@큤c!eCc!eCc!eCc!eCc!eCc!eCc!eCc!eCc!eCcd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb067422c5ff5d9dd9db4fff1a3dfd8d40a1a3c85bf2ad31959ddfe48b84a4d64199254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b8629bab725bee1b07bba39312965005baffab12b82936e17c0c60977e8d2c744915ee760954bcba841dbf1e83438ba1caa86778e4e1d0f48a3f8bd48cdcb059a35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-150200.23.15.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-150200.23.15.13.0.4-14.6.0-14.0-15.2-14.14.1c paea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep20 1663132997 20181225-150200.23.15.120181225-150200.23.15.120181225-150200.23.15.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25918/SUSE_SLE-15-SP2_Update/b2073a6e79212dec5a376adb0f1b5388-permissions.SUSE_SLE-15-SP2_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=077d801d74d392a5fdbddeee3091501414634f2f, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R X=(,+Hutf-8a11ec2221c976f4f1b9dc86ff5005ea6dace3d1cbdd46d288231278ab3047c0a?7zXZ !t/OW] crv(vX0MLc+N,@\7B@ZC H(D /pDvSye29Iџ[` kΕ$xtŎ+O-tT*p[ %t||bYA"$)蠽nwLtP" ZUU"H 2_*gWmhͬ@̔!`Ft@;t=Gt?l-aq"f*#piih.Ehpf洛z16hX5?^ Z$|* }Z?7 V58=yOK%TPW] j1Juw2C6B́Hvr}!qJÊl+Yo<ҒD.^[ȭ2'!bOeֳ " waΏ1[ wWT"=E+evd`]]Ay)El9pDC\qN6mKFUvدB]9&]l,\hS'c8"kK4A05juN-Kz^0PEMU,:;y_BDU&7u&6y?拠S{w*vvG9-<{2q-5tFCwunrR}⚦;Jg9-MB?Z'3QJu3TU#Y74 h S3,ck\QSS(I[Y!G}/y c766LwGSMz 2,4s8ǚo1kgC|.;r}684D:I=`UqjG~_q[`%2U0–sB1i6eu|{(#%rWFiN)%"2 ܨ.>_G~D*u\K2[M5?QXN¿]}4y_VO)c@1=݉yBo%A@*n|uהL}x^/)e1Eh4Hْ bݘC=;SM5dY$/R~1.rR^yų@?o#taGo߸Þ*ཬ`߲b Gr.5>;h9&n}^ji(YzWVP.kz(w'1ߡ `ҏ2gC)yA/@A³V$~;Azw_TxXToRmVlke_@8(kPǐiT]yr^Jv\k%}/ͮ's;ٮFwibh]U~=6M'_5XؙRCDO˕#%o? bNހK^tK~j9[EW.7.(AOXG{0=HNohˋRBSKE8ʰ ՝~dLAMA(/ &mKT}/d aȓqr#WO ȥ!֣ j.?8c(.aD,mH,N-0MUkҦMSEvz >(O(+?(ῌ~,j%T[τRʝ.5881 Qft[6k}腜(U}Q]$Z@IUyDQ7LA g{ 7DFWugPi$tK}~7w#THH-#%={]WAEƂs@)Xo|zU^7ͻ~/%\'l0&>X5BC{25Z S1PeFn-;^k;C ĬRoAѮvs&'^߻E=\/n&S Tvr!v3܂173:2vr}E-<<`7P-emBbZԊ#FKe2t7u^ Eò<7h[n~"fZ74_ƫ*eR z(G%aߔE949 lzUnt׉1ji!%F@J) P{ю 2p$=Rk5IJ _|h6rTxtGRO9}һ=V֏:`~MGǾ o?--yщN4HZʳ!́ܩupV6} YPtx-"H™BN+u+GZ辱c![ub"Ks7!$ /3(A.RU2Ocr?CL,|V k`ч EҁOߺV Ngc@Ctd [/qh9߾u`]z]oYEBL'o]vY *e6e*4@yJJl^F:( Mz+qd`OS\gQg5)!| |!jSF(y`E~eU&w+/6㞱h,DҮYYrH@6]jnHC fVWx4 >:DG>˂C#ً_:phÖ|%,'5`&'Į H*#&T*gG2GVu2"K H*(KuCs(Ӯ^眇\dpWcbM?uzYR|9{rNX:' W<o#fJ{Zzf_]ݚRNUVAl !sx OssYKj#!L?=+iR<([hѶa?vxaq4EI~iÒ\􉡉PrJ2iHCu*F4Ou- a݅I,DrXUJ|V2VzpӬbOpM?5-L#eJ>ox6LD Fx}+֨*vNixn`F.N7btJB9JG{prRdX k7F UGYu+<5)_\ Pvk#u㻿ע>Kju ۜlm8i2U/1gl%Ǵ 'u:A#DSZ 6 Cɐ\U'k^ ctnfFl8%\e1Y9H 2f aqOz>_J9+u"&OT"ӈٮ)q TҜO, ]m5ĈGfl;FLBfRj@ n T1,(Iq`=DJN=W[,& ,f+"X TIoe<%&&%І3BeUŸ7ې&dv(&K+e/);zZK7m]eYQ9B,aX;񭌚ANG! ':*U M-03%32ċ=O`:gJa![H458Uw`o0 T(ite?k+t 8[bfej>zt#h6Uޘ_ j\Fp@sZJ Q&R~4|5|29ڤe>i}cmHܥ8e L$ngIC#(yv /kL<~1.ArCN;@agP~Yl6u^kΜTRΘfz% F%!t0.4Vs@;VM~ve^v+7b]ɟ |%'35F"fog |劸 Ǖxjh)\Y_1qqꃙS~!;"\ph"+OTg"Amߵ7@9}>BγmIv!W$U 5394υ3BL3 4c&5w!-!ѰP|_ 4o4+;I9W>xU'T?8F;lӠ2L~Lu58X&Bt4%#|K7>BAᖁVKZ~ڤA%w7]*(ẻM%`8(:/E2AאYC"hhzd/J̈́`5mvk>aq->OLLli, XJ&TZM4k<3*x:?Ta׌,l XzvvB ec_ =~R59fm6pΖ`N= M*tSV_zt)%O}_en&WՐ}(c$ߐz Cq-k|/j΃ 1Pz]XAF=h* 3`,j?#$wI6s hR{o(6ZGO;5z&0 6L+Tˣys Df¡[s6^̈́NKi8FTkSD -4lnYV'ixe,D.R%Qa] g zٌ#a""kEݺ(2@|NcqKb'x/ Gɱx@|uZ[BvdOޣos8B@oՖ)^i[4T,.0AztK"ņ5<̐=RJ : G10qv&86! ~ŞTwJY?CF||N!@ #k@BRCPO3QXFě8QiRB(n ..9L~!CAITpEPcjowi iK~ wo{xZA8{WΌ/Rbxi6Wݻ&iðzUH+2\ݲ=FѶ^YxԿ y~oX4fՠ|A<`5ZxRW*6~vؘۜf Lӱ]F1w2W!*[n'БKU@DISmI%GLOJ5Q`:rLj Ek׮EHrZg`T&<53z@,BP&[;?c>IizyP+\۳\O~7m4)xU$RΠ;j3g -7Iw;֛u͎<{z$:Bַ΅Ĵ |c` ޕ %GI\Aպkr@'gЋ'v6^?)U x*1)B#r~AA`%S+xq)QJ֎C|?6E{9ߎqZN!l:wwTe a=`۟26 /P/+\/jjlCvkظ4fwDdxpR_{[>~#^9@j>DQNk" ZuiFWRGi,g'AvKM{ !5'7Q" V|AR&B Fhi2'C`p%J-EE}lԃ>m? \pq;R Gg]3N96`+=Q~8~kŪ Ng"0&~BsMġ`ώ|.}:ӥȶN w+eR .'E#j8ow:ҲFy`o(A !,!wV 1YnZDbnTz߃AkqAz,o#E%2CҾ_~MPmҀ-8Z8@bM,*u86n(yp+%fu5A =&̓l:V%tq:! |=٩0м,핖ؿ%NkUN*Fٻ >"H/IDp; a_*w}iż9|9fSeϕb[j3EDR+ =2HbgZ+[~X7c_{|vAцYp]^džD_>'W~~JBYH~z_O0y2Zs>ю+*ȃMAaf ϝ^WfP6pgj~,I“7EٗVU}E5׽aYVf{)J`'0)*>ks+rQQF8 kP_\H?v/[4-VU~V aټl^A]k|TJ:G>T)7Z&D'2,C zY]JmNKx-D+n1%k~"ޫC|Tlj(p*3GSSU^>+uiP) 2ѷ:$YҪ'K^^%dBp{y2:b˴^R^-} NwjXA]p4AҊ@D?g{ǃ8Fd샕|w5^K$'Wn}fִZ酮~ {?-.4yvN EbD3fndִqQYԺzviiVCzھ:} 2j Rٌ`R ż|S'25Fi6aN&4_/ٽ`9ewN>ɈΜ*CbW k"Z@ȳ)Tyezp~NOڔk 48S>Hb%#bn<|" GXGzr;ͽ6sGԈ#\ɤ})ezMΓ&Ϗ>kD'Uz_4!y^L5 |eSKp }٧,垵 6z-7ob7Cs)6f|-Yq:=i94ׄ>8Rjl [JIm ̀PTm%KWi/=F46d?r̍Fh( lRrMU.`C2,O 7tq6qIjcŕw"::N߄Sl >_M8 GyZ"F$=sujaA {$A}Dȴ=9FPەY÷ qDA}<RP@5uLψlPeW/B$Y ߊr*ͻgAv̞J*ESUNY%0jfd035 pz^iql0cIZ!Ϟ%f??I"!/|/˝vN|Oek~a ÒOVLCZ8&K+աyp^g>ԁccBȱQ,kcrKh??~Qe.A丙rI_43葞6B׉Yܧib:(ʠ`ܮ,sU[x1BztJSpNUPtқ~FQڊ#Xf Vuo7bC_V+~qM(5:l:뷰 Ua0G5A}q24G`~*ȹ4^w +ij3;'Y0xk<)?Md~MLhf v[N@)/~nħpLK3+8H[*_B"JCK1;N(ɁC{ZMQ(/k?R،3fgӸ&(2jIB[d<&xwo׊(Fi:ݍbD ̜m+ߨt/IoA/3bbJ8g2=G&ḽȆ}7$"YrNr 3rXq[0 SS.v}I(s<[`+JU)r_C3MTr- {St"s ȓ+~$B1)5)D} Bs#b0AYo=xNj bqQ6nψ_@@~yT< oG&F;33zW"NJ٧#~zjdr+sL>?Yps=r6C"isn{x HZЦ!«6n1^1 D/HX(9 61Ek&<k֗:ǔF-T#oa?2,5ft-Qlaq&H VfɻTI2MFFy=GjHE^jT'ELt!"Ng> me|Q=0N$ ~Xz|BrJG÷8Kh5i"W|f _~1qK3p:RIẂSX˥iBBJyJo?~VC%guVc[ciY)Zr>p'X.ۯƈ5[a^ {X5g2&/zUR1㤵 بT B .J*bJ?/<>;c*xT!,t>v5Dʮ-&Kاt`5;Eka 0(TI/Uå@#2FJ"Ь5d;+TVjCXU)Jq4|a zVe_L5I@qvѸ[JvvGCKƱ-WksŁ7Pl,:_%H Ǟ.eLlsX}jІU,dž%d -ly#@@<]@7oguk2'z#S˄,߳μOW3YqAV}ϲb-ѢNfJ<{:sO-E/mA}BfuWȮO* >bvCaQ:)u$JB20r@k wS_о]"ď#f 6 ۑɢGf/K븷BZt o."{hɶ5: *zYzQ6>& U.tqʺ\=윧hZZA=[?#ԛz3%#E":vTCJv G3D=RbWJ;o4"eU`VxaP{[Na $zKu HBo x[S3 |=OX^)n~Hc86ɡ=xOrYKn^k) kYw&JDzONPHI&W| L\7`tl`@\J8x aZkOZKi&fJϭ"։<| ߝ"y%ﭤ=֌B=p\:'ZWowh.p _ [AfLxó* h?R BӖk>R@ciǂΨI~C>v4ɜJCÖ;l Ȝˣ}6 H&P)OÕL#У9LDNHH0ĄTY:N.{CZ^"7cIf:_>_'Qag9y jҨ'.Z`Lc\3R ɽ5+ivфTF6,[D=8=m۸3Gn Y[y(u֟A5 FPO=YǷ|Ry?OpBں_| y ?gSE'A8&H S$QDMD ѳ֢7E36՝_AsR\նb!mmt/s(>odBF\#jj\ާ$Gc!V'LW ejg6"OIY:Γr7S-"~6\@g֡eÑߍrb ⟥5&I-e |yOb}~cu׌5Gfuz$L#c}.UcF{_}ܰ3Ա=g ؠf7reg\S섟55(,&o((LwsmʡęVALPHHs6B,W !ࢦr}7iP3 t1\&90L${h9%&:ǜSmj 'i0*Gk 4t5<=bd^ZBT(r,Znൿ(;].;ԛ}>/~1tHz6 jk*^uݬIBL:9&QjeNHOi0OzyK9ZV~+oT2GP/p_j,$@bۭBкoGt|"|o>&}wbZR{sY^g3'<ٯmu{AR PlJ#Yjԛ$ L:Lz|\ٲQ# A c U׍ %xio9ڇ3G5i-݋R]I #'vIweQb%NWj&l:k1w9VV{_"a.E;]?#ߢOIz3sql-ބ1EǸ/XDŽ9Fscc*, 8S "v6z}&?[! ӒhJwp#>oim_HDRZLP Hu|E~!|Tdd 6#oWau{'T&Bkn5\qZOu4_mw=j!6!~IdKjR<ჲe\, u^$dG.m rkh:onD%6Dlx΀ږp /ZNwt񶈮/jWͫ/ly޴n+Ur,.w @جuL%/nf^v4[7H?с=yF-_"ݶ {[m Q؍KzH"ńҋra'5ePvKeS]{#8O(n_VQzLH wf->9Cd"3Fv8Q'摪Pt74|s@}{;BQH s^Q Ü@XI#heCb.fq>- %&w7+[U?lm1qafcSZ]ݰVmhF'u'nI9#b1،Rׄ>f_h8ҕX:?)@ ! }ejZ<|Bw:, G\R%6bbѾ,7O8,;00^ȭvg^ly`}K?]^soЪiY~!hW=хi)m7];';B#̭9Aue>q.47^z#is 2"#\gi_\ɣF뒐bo8%CMo͟ HSۢ7TQ\!ȁu1`Łԭf06"bQ;V[AK#ѯYϾL{K0 NY#R*zא{}U$˱(paG!([H8uIZvHuI5y&͛vp ]Lq+xO5S?X-pCm'"Vuј7%b>1q.U_r "зI]7FHHR/ S|{jKrGRgOlK"Grwi3:0~9ɸ٣B;daf7%7D ~QlyY*Y}qo)nv.&X\A1;shs^q~ni9 o+ħۀ ReCW6{==]zb{DԳ}SʪMׅV~fޮMzoBP6 "GjESI\,J0}Wr߶Ϭ6 BP.sVGШ R `b|WȒGHcauӻ=WiG㟨Q.C'f!8\Mjcب`)Ctl?"_2+c2䯷5afW|pG]U ĭĚ:Qe$6T 5Í^75zTk.c<i ywg$?<8줆![ڗ p6BW' |֋* xM~#x)GZ-#b,SžvէxG>c>!'E-/yGJ]bD8(+ &[S+0$ _mWP8d6FmeWC9YxlQv76&+7xAFj;K 2C[ 1[^\0M 06rl8`.R9Aў5L .MG\}%Wc^IM `͕(ל]4I%YS0qlˆ`F^b.:X@BZ1=+;%?^ц֌A@9[S2<st/,σ{ DX"+h>wsd8E xnQ2n =v?,ہbq2PFܨILPЇ %e;qKRm0p{:zs {/z޲{KAw ?=g$:h^Ժ UJz {IrbZR7tq̰≆&w a@@]C ׄ-0<<QU+.2Ӷ$3Lr7ǸoK{St.ENt%i.AqciTl,to* c&/B'djr}>|ym=<[ nP!?O@aN "0 {u 2yp9k"]o ߤ$RT83}AOT>jՋYT,ۧz#_%+(C];e!:F]vR LuLX9qCgnkp*avݭ&,X7^cJR+o*_MS^T|NnQf |zd6{MO;hr~Tc}0Ml4c]F{fNh,QpTIBh>aޏ1<&s_׹ QioH]7f=׀Wy [e͂]$< dL?|d:t5u]lg@is?#U8=^$Z._ $)E-C9YWF{9 @^1^WaU fviݰh}CN pmwvLMi e,YrrIDb[kȒsz6][qL[@ %84Vјg3Radt-o8)s\Ҡ̮!1/Ewr!B5))RP_kf`AarlU"AV*pLSzK ܆﷖Z*]yA^&;$]뒠iP!!"0ݽ|mĖ-]F ]"U3$uaTw|@z>=i7/]=9}z\IHg2THnR`l& st#}qV3±#jKrbBMiWFÏE>R z<_P>H?, .OO tSK[kL7: ꣴh>U+ r4*]<^fKNMEA1\ P4@ӼtB99c,EmNI"g@udY5;<\"^iUyK[k B`T)V}$~훜i;A* rNʤJy^!M')[32G6ISJ]fy#b)uAb3>M j׬fUŅ-0PW-D,H[#M@ʎOaVv !#m㻧(uᥢ \ O>RYe!(+4?[\.KKi[tOa'/_03LyKfdz l)àYTpPdI +v=ލTĐZ ћ &`HY]q ]!̯˞E6 R "BGmEBi?S FU|_ >ݝfW[ΝV ^Q?