permissions-20181225-150200.23.20.1 >  A cOp9|zOfrRRK_,k^h( (xٳoش!1341t'H 04&<~ʟcCOBd\xLz,tlJ}3\tεGPFgb # I7G(&Fq.Nɤ2`AIGԦ{f83ZVW2| }λEBw#߄s Y,%^5 5lo+#,x/Q9ݑ1f:6l81e55c716a9f2ce5394d331f4f9c8d7679fe28682d0703f9a38cdc29ba74546f0fd7769d6d68aae710a9289eb0840c02487b45d9cOp9|xH:*UnB÷ 3=v]N+ƕOeE.DaTzIJu%6YCN=^[S4姑x#m8HM2=vοd|<26lts"uV^} #Tx q9O>$[DWGw0!a@'HjD|$x?243a}!^_tZ*&$7F!;9@>p@???d & E-NW mP t           4 a   0 t ( 8 99 9:m9>:F:G: H: I: X:Y; \;X ];| ^< bGPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_mj9;@큤cOcOcOcOcOcOcOcOcOcd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb066be4b9c2ecf15cc16f3e2259bcc566d3712c5406255130fcce31901544a0ac93254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b7fc9f96753df1265f4734a0c183d4aa140600ba6b4bb03d808cfc651e9fe01fa8f5175bcd05126c6aba8243decb4d17b44054cc8466a3afab709ca5ca8e8a02435eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-150200.23.20.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-150200.23.20.13.0.4-14.6.0-14.0-15.2-14.14.1cF@cEZc paea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * Revert "drop ping capabilities in favor of ICMP_PROTO sockets". Older SLE-15 versions don't properly support this feature yet (bsc#1204137)- Update to version 20181225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20181225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep53 1666157212 20181225-150200.23.20.120181225-150200.23.20.120181225-150200.23.20.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26483/SUSE_SLE-15-SP2_Update/6c460f7c6848dc3f6bfdad8030a0d406-permissions.SUSE_SLE-15-SP2_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8db54037fc063da72a5f9f0c6dab7aefbc5c010a, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R-;9DJ5E?T/utf-83d828e390639d8e120ae579dcf844e34858c25e8d2a66270c016b42fb101f043?7zXZ !t/?W] crv(vX0_a,_m+jĸlK鯗qoZRx9@a_$n@YFK0d)rH⥇m1lA.ggB{I'gZA@uU5m]h&B-ҡ{MnUsg<ac傜ŭOᗩuOӻg^hNJN(=ͳژǵoZww}-DS'*-.0?J}ez+J \jmEtS g +E(Y4Dz݄'Dv[AҰJATP|g,sm1 mxli[3""|p/|Uݡ*jA'Ӹ(| g OσȞU>1a[Zź2z5/2?kNk\\&={:VhWc{=mOl9-iLB~f<DkNȥwu0体O$ x)b ďճ*bׇS;RE٫Zyh N(D{42 Gbӵ| rKxʙ=T8l2 nYG8dGw[~ʗ؟D <ĆHe_Qkb˹+)Ղ` *oi Fezok$mC>N~, K wy I !_wY/$zDR=; !cv/d~SݶCMSD(;o}ȅcW=_햐(7֪'刿TߥC;nGCie_#.%-T}'[K|M6{$gI6V#3_yR q_8O|he2yi #T~B>irݹBӅ 1E9>`Щ'amm7jAOu݋(,cB=~0לJol8]Y0Sv>"\[SHdVSPUԌ RYE\,62AG *EMy+ѹ%ˆJ;ࣲ9sw,!goHbSrY\*߼!XLoz(5(D/!XU9$i0-P8jP.:un?-sհghuMlDsnld%c~^Aϡ^] B(]RIs5G HQ5OFH9ApF֡+:ddd;?̵ꨢEjz1 <~£ u=G<7T%%jx<|HXsڬuhd"Mqj0GR*%M8n ɂ^S*+kPT:%(a2'xR5ԊWMEͿ 8{Ű":V:WpIx9uRG˱ %P n7 b~va?Е˿'dX\Jk5& ߨRCtbna/t=9٣uW]D.?QIжP@/dQ#Av0?4V3h@;fb' !O9L%$cXfjȖ8pAmNpZWak{Lo,Jᘆe! YIwOi0s؋8I;lɤ9 0nJCO0b[|3pZU*=m6G/$owVA0wSҵ"Z 3odmXW71|XmVJ/~䙢JSRb5Uf׉7=\IR=f: s Tfu4r(_O23^U|v}կz{Ky\"`22.Rk;Y0[D#N( Su`K ij_tcxi!Ɖ5 8؞ܮssB ;C8HܿrL2z%Dip<|TpX!+}[AFoW= ^C*٥I)IefK6DX)'Sݞ7&NsDeP(< %{)v9DR1/7! e*ūSJ̌Vx fD a#=xF DSkAC*\:7ۘ(D\Ҋ2D a;Lx r&AE9#K "ƕiV `$'&VR1c5HvM9I E!;WXJ7.֦3dA]M{~)+e4Xf 7tKl$;/]\GyLFu$1:^*[XY7E7Md C…cgG,0Y 'E%^E= #:Rc{&{ J _ 簠6MripMV/ֹZ'eNR ˸~;I͑udُ $KS7-,.VſaK)$[EyYc{+T81)U3{jk#0ƌ|l`Մ%iV%ҽ(Y>5W}cq0+LniʉF>|J-73W~k4I}E0C u^[ kc BEKl6.Mj伒vɝ UP'ʏϨPv0Tiŭ `IJHmeA=\;nDj}6r?fӬouUOǒCJ7 ﴄmx!/%l.[5P-MAC[ПX#:y7|ڷU`@U9[TW;8^ 9L3K>HLgk"Iu@띑AxLp'圱ߚjL j!UKvӼ;Ogvz׵\Tgڂ}ܝNbrx|wJGq0V\t-LӠsFs~o-35gf311] Lpl/&Ot8D7 FSSC7jD9s3$p7'2UqhVHƔZv-@v**&mjk.SRdEibҘypxŃ SM-Glh׺^$hxyo.##+/1'RG 5BU5R. GRm^f{x5jÈ*{o"?j2䞩&mZk"hngtao$r)w.CGWb:G 8q>s엻 QM˫p0ϔnpr X8е$†֗SݬQya %nxHqF#2pd+eG9َ x29$bB=t Je]h%N*~{O6=gˆ=!ׂBP|cYϮ3><Mfus*ɪΒ/ubqoŔ{; _+̥gw8ZQ;(d?j 2l.߼ 礈Yxv_$+zB_JG+3 fBi߼=ـRD' Mo(kgtavߐ?U1h|Ȗfp8Cz;uh=3z*93FX*+(V2ivs&=Th-zua-k.6I(bfd֮(քG_?aw?9kmXT9&IcX[=q HL~2[dCvi+ՌWYPf.Ak\zUMQ^ KaQ4وtU&{P-l[f aRž{XBpG:?OR< FP^vtH4+ EL`\tfzY#ͺ8*L3f\\$O{xmc[RF~˷_POIkdČJ-#13nr2`NRZ9]7hL Bjdp@{_ R("G'`n(lH'/3'_)E؟ѭFH͍a }cTeH_UZ/.*D{aI ҕaGn5IK͕ b3 L6@eus~rr ".q0U@IBc"{tԨ4Ȕk/VUn3o:y dr%= IG/fFs[m|JiUtUOa!C0ݼa]G(ֺhFGGk<,jeLMf/ i85s$BA:O!Nd랄_b>YW1,˄YE/).@jn I%!kāalReVA'?#ꢽ 5i-ʡB*\3RSv]E!7 =peI7DpK0Zߺ}gDP>dt]ThۅӽZHxv~C|B4E*kMJv^<j꧲ }ˡ :O%4NCK]Wѷ?R{3 d| z]}vb&!—LJԽs oP8L7iXIC!= V5̻j `|OK81l)~s'"8=G3|~Q{<Bw6:=3߁^Kon+C^TM]\ 8qfX%hHKFD۽͐٪L (EM,s.}BH:ͦ u8F[ً zx |{_AwXeKsY3ϮW$j0y|ծiU((0Y[!\76i(RυqL>.Q݃QE JF:V A@{K28L9> ְu#Qdijf0=#| {@oJ(I胨l+zRvfCלkWi+wq+lbBcє+ާ =>CE5`rgS+da<4AsjbڀjxRiDLMRHi~`x_|AtlP.F;M#yvN5z͓ﲍx1j-x)!xACXt& +S'" OƮSXO=D o9"Wf'#.b9ֵ&K *PEQ}'uhL,!CҦG( x3Ex)̢Zcf '箼{_ &`5#p ˌߛDdxZg(/j%'[ZJ L<4 ؊dEddfX|(t+TǧRhgDSL}BY++ՒtUZ EM(#bUkOD$ b>y5rbW̽KƛA Qhp6 Yh[k}u3O7rWMLo&NϖԶk8ۧϠJM`vݽOI#OpW@{|O17#k )gs\f _&gzCniwVǽk<nJħWOw~淂񀻗gF3 XĹ# ~t^673RE&`'QDև HbSjLjXB3{oK*p7 qahs;!҃5YRN{8F>6Q4ֲ=ċvDyUJK"?): dݝzɤ֯KPldt5Vtʟ7"#~K T̤Ffb:E ŭn[s\t\zT#$fN+/Q?;b-aI7,;06h&&F; jwJU*@,mDEb3 v#K띁ՙD +kGK'OqQ(OI@pV9H Mʲޔ| 5x9Y1s? FQ4'T9 ŀ3ch$SO =5b5s`Yp?)[pzc82(3m |s{Q5&y9Et#jɓ?811q^qTwYt4+6s$Y13_$'IW(h ؒa+b瞅Ke3䢡t##{F>CSpKX^C>I o^JkD`&.jVKt>NUĢӡ k pwޖvh[=NQ PAx a+^v>{v 8AA*(65W"ʌy6 *_kun=fAֵSj0r߄YԦ$p\n<&Yd|bk'f=츜 Q>hmI-YPRꪼbLVv.߰V&)gj)|C;cVIHpU w݇zϠߤȚ$ɝmg_`yBFj L:ƣŘk10s+\,s%y^zUxuX<aUq?؂ҎfEYx;*@"Bh,&&!gfL|0Я=%P_+[AytO'9y)k厬kn{f ?NWt:ci1m骬$i0M.s͘t9uZ8~ sBԷuN 3 џLcWˋ^ӌKHk&v n") y8> 9 umx"'ZxՍ ⊨dNz:WZ|c`숦 YR!58g=AK{-A\Y߬y.(e.esbNu!{I2&IYmCtJ5&Lv۾\ZJ/= "2tH0qD>UQCEiAPFrnNBa7,dy;h&8vJ$ab*.feԡSOc:tsf1kB,瓫̧7$XGLjnT Jo'Nw%O6PI&I!nʃSa&,O]8d- Jb<:^I"ikH},\ YSLwEi"oJ IiW2+5-:,ᨱBs Zm{3{kfoWH.B9\ߝ֘" "gVhG˖SYI˘XM(vF *F" QqnEU-n=:BO`AJwHӦr+u4p՗p&J}K݇ⷲFͅ!u ])tjuYD<#APl|k1MBۍ^,GIRn0kr+IA]œQRృ~!RpHy9tjBhkSP;Ȁ v~߶(PHCCG=?bX3ԣ·,}|3~uPk61F0yÁ%ӫ9<%Q=ES~ P@P~"]+ zWcJvt2ۙ?wE-.`_N}ϵX:u$+,u׀_^M^!R{!EχUu }ii4G cO8%<thSH5X)Ty7J9a k=O?lBՓ wےi5KoP8)O=XOyH_F[ 19$: 7w[aV-zeͰh%.NxNvk+a;@Y&BNd!}GQ.)Ҽg%亵o#/'  O6EG !u:~_2g.0 >1gr]ױ`Ժu m\Bm=Y; I%pO[Iy;g+|}nq4T2r^5%@$c Sa7;Q=qю,ՁUe[GQ8b[Ryu'+f+̖%ǜt9!4)`yٴ2GRzd]EVوvzA ?~{ `VBҶ&l;bt=.^&Kgr"`dϣB4|jg6LT~E?1T/9-٪dazu:6dm@נB.R؄2҆i0+T2K,j0A#~iSDvGNf5s~^g?%kK.Y~sE]2@^tCjrZkއL`P*Kӑ[)s њb-~VX`rn"'݋N,wbᥖaYȬfP"4"7J"0J(x^tl[A?W#scoEy-Av̕C*f5@|H]dbA ]*0FhՁCz 丣#a pϪT Sz7?`fAjx,NC}ЍOa{Z?ϐl$_gn`j9ėy~&Xj Yys?{>p$]Tځ}ԢoZ.}#4;4!9 YLwI3 ꝲ?ޣFq\cM ɇ{/4o^=_O?:3sӹ3`YlUt`!ZEv4#WRӸ&rP-CgR;%\Tzp@B[u@l1-z7fD?FMC0n;RbUhKATxkJU9WlUoK{[ 9}i kCT ۄ&73XJJtѶ^gp\N(K޹N:׫k+;Dpkl^ʓ;9`cTTy"T3zS<|j(NyRbRIjэ>{ t¹ r]zl DKԁWV4m#I'FTR|}~5PT-`%Y[ +=M+V2."&_ȵ,X5[fq]y(R4-`j.:.k8-72H~m9jckš $OW9ء1v;6c1]8Mpag^;w~Kd ¬O \Ǘb'G #,@MX><p#fjgggK#4Kdc JԴL;# |)͍?ȿUD_w|xlV@ Z7U8BHx51K:=gcK! {k~USbpƧo>oI2.ӡM*bPl)$N.<'duD5ZG«h4mIK8MXO^ yO4psWAlod9PFаY8d3nB75[=ߝxul["#Zn6O~x9"Tӝ7: f7^VM֦м瓚xzelBF' ZS;8l~E\`xm/wvs\ؽNWCZCv8 ! J;\X(u3h3ϧT]n3bǼ05P=0IF'rUa5wf2 qXjFRnz]~< xnnoCT.E=^6Y)핡Ug 7/fȂ)ɾ?SK SYxR& #;+l(y0WEZ]oj{S]˟Ӟ@6S*e N|4IIoF%ʍWDÀi%5< Ϻ!ILn`{N?JS+.Tϱ40츥U :fdIc\ Op ӭV%;]@z^P4at V]Ye b/dj5g[l5bPQ葽a W)Y/v*(QuJ'1ljªͷu ^'Q) [}mv|( (I xV+g֎[ ԽF*mEc|Vʃ" ^`AѴP9!i+pzurOъ nU_A҈w}rT_'^ܓXk>cA|SQǹ;tNgS|B dSP[Y𐹇^ i-^$v3D.}#ѕF L 1bƹCr_bHk+ r&?NxW /bXC6fRRWw봋^W҅VɚUyퟟϔE]hWݵ֍v&ͨx) D $TSMg'6W(`0bw}Sh5.T53YH H X.':OQ6{}?/Q@(˂ DMt\&h]} ϭLL;ݶN}v3 U0Nc\o+D `^UHĠ!I)5k'LTxF$h|I]{d :뢜⪞wr\SeP<G_iJZ?Zn* (ȵҽ;b \릱-g? #$5+wi(q=XZxʥh,=a g卌NCǽk;czIUio}H@B#m g׈tDp~ )]Z!Cd㗇 _f= EV~x[5r??"m*Dxu /"mn*b/=>B]9MznGSAT7jfe݉ͻr%A"NhK&Bw9ѲZN,pZaAJT1vgvW6r ?t#}0PC W's_,<#A_3l "{˖KeWDæI5D fOdUŠ3+މԡup)47*ﻬdl͟NGހY~߅tk9nb01Rr/ Q SOfP'wmA6 4zìؒk{*Df*B?Tߔؤ>,`$N'ףC1Fr!p\}\Y,L9gYgF`ˆA6No2RnF`[]މ]4\e^+t GU&sNMF4ܚZ>fˠy NpR4,VePDB1N3-Κ6+XG:a@Y۰pjAm#vuK͗RD)/54>Q`Yb=b:ͽrmԟV Tי[mWF4?ԉ*J䰽 枽kn=} ޓN>#0he|z)x2 dz*U2`I2ep怛dcFS2NS^HZr`.a A*p :F/cBc*Hy (cXidASgRpkU m"ݓ@N5#Yfd_/=\:dӗЏ8v.73dՈKs~#^RczP1kU% Rnv8E(X_c&hst|\Bx?晎an )l_~ VC1Y\'7X*h:<*!2^!r~=Ay| b}N/K$ GȓlKĽ0+XQt L8\%"rȏ^ a76<+uit{)o5n3W)QpE)lsQs~6V$l$Ǚ>PuOWrb4MyjŠ};8Cer-޼+H=}i^ou uff/G!hiϮ ^(0^9Eiu1>p\a{%Y =]BŅQYK_={<7p}Y .i]kJU=l619TY eBU ߌ`Mˇ?ל_{!Ȉ|T)?1htYDtF`y 99?as/etFyYHi)N'Sy(i F|[v;dxdJ;>&;ě3L $@ CyPb_T{3|%ě9&J3)$Lʵ`b}2S{̳j潓'C &r 5UJ_ҟV*Z41:{w q"&̮:N4 }<8*HN E2  "ƌFV3fƑiCvx H ZnOqKT/>0#FZҼ"tN,WzD "  ;I`/Aәa4|NAr{Ee34!% >S*v[w%jt{+e@ -<}Hŝ:NE`uC-ۯL?~HI#|$BYDK4HY+A !zxUЬ/ $+ߕ 1$ }$d+ˡ$"w5[ dx宋BBה]6 YZ