permissions-20181225-23.12.1 >  A a/p9|Y$5#noR:T>,NY6&7=A-[)`G`pO _]zFIrwr$&o( tGx='abM]Q* N %if ȁ[v8o ,=Vf@uE Z(gG~Ox`EPsE߇4&``'Xw31612421564698e3e5e5ce3ad13f3963b6f5453dbb018f9c2e0f3f93263aaa3f48a36dfa1c9709c29b961f25754b99eb281b5c11a/p9|ZbX,u8\j!}s滉֪\Kg͍UI)"PZTNP5EjexjJҁZʜ41eiĉ>J.9;_O?!"( ng$T]тJE(kp %\gv#Ѩ"h hqF|QpV)`QMil Ŧ}"̟rJ+`pMS4M-mE@3 e$DW@>p@=?=d  > %FO e{H l  ~         , Y    d ( 8 69 6:6>8F8G8 H8 I8 X9Y9\9D ]9h ^9b:Oc:d;~e;f;l;u; v;w< x= y=<z=T=d=h=n=Cpermissions2018122523.12.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.a.sheep07SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_uj9;@큤a.a.a.a.a.a.a.a.a.cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb067422c5ff5d9dd9db4fff1a3dfd8d40a1a3c85bf2ad31959ddfe48b84a4d64199254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b8629bab725bee1b07bba39312965005baffab12b82936e17c0c60977e8d2c744e4734f90f01567652ee3869b842b19323d3e6e239a8b504d581b18818071712735eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.12.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.12.13.0.4-14.6.0-14.0-15.2-14.14.1aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@jsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep07 1642409716 20181225-23.12.120181225-23.12.120181225-23.12.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:22415/SUSE_SLE-15-SP2_Update/24af69c0eeaebf90c0649074940a8198-permissions.SUSE_SLE-15-SP2_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=51fd1743105d16c6335b178193bac0ca1d715029, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R<¨Dr6utf-8e8eeea0c7a7004e8cd62faac077be393c5357ad10e4d74c89b8b809b57bf9131?7zXZ !t/?WX] crv(vX0oNRj0Q~(9Rq1䃩V.QK#JhB q^eB-[0eHC`\KVR6VuTuZB$Eqy lT6cN23)/iҾTsLZtbIS2e%YN=wSFW"V9eĀzekJTK D~S]. bZQqrZ҄S]Fxf0.$y x6P)TjRp=~#ǝr\9b2|zT4uyP,[Hi\72X.=:b9 }%Ƣemy%͖x5-$TR:hI޶#H :]s?ɠ!cCo UwFH2]C 9N/]p)M(nEv1?t%e mu#P,0D= 7Gkz)Y U 4LE^'s+=T3QF-o-8;& cEZ/&/{[F6E١1nȣ@ԙ ݹ>dѯW1ayREbhܓ&Y25?6r6窿Dp= 9nfRu/mD3$gȻgl8kukbՃD}4ΏTϘ Z_,;lƢ!*oÞZhkjajVO ':(,[- UsT?; zrmi@w ̜9j͎u=EϠ#C-_* bP f 2ѳguc~fxQ$2*]U̟]6s7mg3^5-XSk1  5ʴ917+7iٸ&|)ܰ T!$F(x打E.bce>٪}k#;{,Pv8uN~D3|&)Vߺ)OleURnEzӛp*3fx"*lo{#,n))uDXyS8!u\ZKL #i7B91w9I}RSBC._QyN"/W~a&*lx(3 4Y`$HV` D_h^EK{ D'w/K\ȂI.Wv';}aHW*P~xZ B _dyhn z(;)ZɎHZ-LBʯI)9+g9RR ؗLWvAnH3n~/'c0~Rk!q\?E**k/c En>6m %+еfEY0g&]*TK|l-A M$zkHvN`ӽ^h8K쿣 |=-L M~Qk'tX=F'Z怎 aj`VjCM f)S1[9Mq+bcw}L2:@Q! ||YSn]^`9Iomnw~oea-u#Ňs|j< XkQgkm|V"jer fUt׸ozjŰ{ A&e(XuZ"fzc\$ _sBCCW:U%ƪ8%1Y]quEqRK82a#ZUatXl$2_h& ǞDrq ezx|r?9;/ӕlP[O~@Yَ=Q SeKSܾ`>?!{gCR)#i?mazdw@rI9yӂ8ek>D @* Wf6 ؘTh6h x+5ѹ#sEV7~:Z ( 9:k.<2"2yӄJTSKd=uOhDV1 /=p*̰mtQIIس{bG DdB @֫@~ffd *G:(wE*5Jr:Y i7jg%$< .-].2͹]TTv!nČR( ZJ$EPN$a W]E4w%IkN~VmY sVuK0XALxA |ImJt`b(U٧!'r'j+v9N էV#LEKXw+ZE <. u7o8B\DіCsX2簓,yG٘x-W ]܃hdEYA%_:J,T)ͽW';R?*ei_iѩإsP~I"oa ^(6tPoJxEҠe Z 0VcL ?{ɈtnKǣỪ OmiH:gdڙ=>%K`xþWx:Y/Xue1v.ANˉSggOr>ÿiQ9~ e8i+n:Y)@9đn u>}B,DюmHozfoûuu 7k~۷1>O1׽D)dIOU9hҐ0ex1yZςk3&脹2_ct8B[ᮺt陵g'9/zFhpy}s vLhj=сW1tzıG Y'~SH_A>k~qXFP Ӈ{W eש_/p>JJ.P Bor3ҪMC$vy`2@D1-ONbY P6~d[[_F:$TM]K-+Z?Σ8!1ܯiF`]&,<׾3x3,/{F^$:"IQc71LDNSLL*n(hT7(F]clĉl-d%)F7T+A2W3l7/luup  ẕ})HZLzp~]Hv$Ѓl0s|0@eQ2 qūd^SH՝aBp%i4HhL_S4p"B}ӊyzJ3\hmXݰrmt{~ cgK"SGY=5Gbe!|XYڼ]%8="ę-8r-/`e~EwN'>x(ԕZ K2.kW4֩Vnsy]2sf@qd}W]vl{o yܪ]Ta" ) |Fn_W=BUnQWHqv`zz XX Q^O8K}5!wE(b6+U *g2O/f^p<"MBG_E̾ϐfm[UP'йKFԎRjN ⟲7ޣOdducP|| 臵n9Zr(O4DfrbH!U\1Yv75J!:ou' ,0EŜ~b8~iC\^ PVhtJН!{azX1{X=d7ZfX&L4y[|0H鄏+39OV_-6)*xe܃:pɪθǴuz!$V90Ab7C0^₺{x2Հ©$x (GS.H~MoeŠU.@RX楱Iަ 7J _Kz2jCvZժ3mBX5F#i[V$0(~ɻͣ#B1Dm#"+eFɍ<6&:D!?kW:*脎h?)R:>#F2I.rv/bU`HW?xɼft@w &d0 ǕMTs7\r6g moӨw32勒rmԙR5Si*7.ieú>UV~IDqe,?ջ&i9 udMQW9N|Rͅ"CA }C WDOp=zR8| ˺yeeO^M6Lt߃⧷I^yX9j53VUQזlku^83:IUxƠ ͯ-ط_O̒y9kQu7ZK]% Lqz5g |,>_?=OS I۹ȪL*c}O]D *lNVtw4P"XƩ3j?11@9 )emB b|'&2"6MѷHBqi[d1f$Lp3]__zUmp:.q$8%2OCH23G5vaU4}eHX N\!ZvZ1r|}faUC{ gr[Z:'W*&h ,)e/v!lGڬAqk,3Ld Fr+Fj7=}Xlg[uBHPӘ۴bItu >dwBKH(H:Ӂٗى fF_t6~=Nk⣧8jHƥ h;&}BʕHFU<}1I`,ͱ6Y$ bL8/ e=_XfN MIe%pɷp Z <_^j=ޕ4<`$jϱ&]kQ:cP2 od{g/MFJE>K'sE%/"+gx@s`1S !Bv ۛRzWܜRNdF$j?=lV(֋*As>q NHҚQ` !'\%lE᛿ק<\y=Sf\ȏWaUcBeV6#kXs؈Z@NWޜ}iG:80a`;+U"h"D/IQ!7tf HXNڵ5).uO* hNKKm()' ýE-@ZA-oG\k(&Ӷ(Vc&{"\dlč`Ahh &2K,SwY==Y8qB?Ѵ >(qE /9m<צΚ9l >5OB/"P7"@NP{.T ;z(7.>dSp[#_ (t4icǓ Gz|Nh$Z!֊dڝiaG͌CJ#ړ6\MRնmxܯcc D6BKq-Ns}בKTb m:q壖Ecﻁ/ZBτfnW nYìB JY4u?1SBPwV+byYWxmOv)*A"H8łdў+Ǹ'5[uwxt;gaa/c| vƾ0mH5s҃cYUKtSƙ ;LSMШ <8HoNAi%bBtcnbݦj%y;׻ zLЃok%@6oZ_&o g 6lKr2O/r1JID$}j+z}-nxBxKѳ<1G^rf/©8UUCޝD.q;FO<:>vǕVN,ϸ&N:9ImJ yryqrͬd)o5.VзcI=n@̢ο7‘xr VH=s[vᴪ//77hFy] In =Wb掴ɂ`lm׏ "P qd{}Shuk5J0}w"K0bdO_|HxPjI9*'J-\kW`ymnإB{Prcw^acy(BP&lֵ͝G6p,s oB@-]Kt~ 4S*%5!1riH\}{^MOϛFHֆ;k YVo勄paf$+8ͧ59ΎUv3:g[7dGzf ;dv.gY6љ&FF iѦ[K5C}vBU>Ҫg~v_{݀G+&\7!6''0v%kG3]yl-8Fɨܬ-R,Yt_LKi28,nppyUQ \j!z&sfԘim$Pj0gDyjcӓOKF^H h50=*IIYG{юhRIZits-˝pܬ#TE{b iNrkO3Y+ WιahT @Wkw9_r [řiq_J~d<<4 f]& ·*3e5n-:25oybjVAΠzDoᇖwkiLM9U}j@dyEm/3B`%Q#O ݷEk?(UG;x4{v1BUR†r3]XdvڳRḽQ1*@FIfia\sF<:S6)H|5 # uS 6)Hc= |0SEI'n)3MA:В UY#VMi. -X$p;PW0̒#a%s-ؖm-aRD$iŬ\Ciם.l98A E2. CUd_f Kܸ \i0?⎑ c8k  ʖpJ6.6r{{eupI= *MH3'vO|9o3$j f`ׯbD1xz-(7{O ŏIcy"s-(ZM˭p}>qgiMJ=`80Rт?? lIϑ/?mYН׻lݸT `9=#mNYo}Cʙu|5S f?OG\#OezKlNEB fx9ɲEò5D מ3 E/[/qJaF4Hm#9* @8XDRO<ڎC~C7YAd]JTYLe:1v>k5|b+ L{uWtCjmbMGvdsRӔPZ|yPbY0qs¹faTez̅PgGZ1ߛ0x\j@J"eV129޹NE͌: ;]V"EJ:۪_5O=?d4͵</LSXDYt|c! \3["`rP3=,z3?j F*I۠6dQ*'gכ,V<HtT"a$(#t <"6h"0f1_>q}cE.5OO֐sO1!N^7^ȓ) kPߡـ-#ٱ}*EIceA"waQ O؆oq0yb$4R%:N?خI %7jzh`%S<.vyIeݝHz28rTPdul6⃗A\D %*opvah : n}y-20,F*Z߄a?6S}`4KIu"h.D8p2, 0sWkj+-J C"c ן7W 15U_P4[ ?}u1ˊ{ܸ03դ\jMHՎٺ* CnOa=TW}<xڪ< ^ K#h[[ٰͧl*RccYw|^ lc Jm_Zp[/q'G6jTbtu)z?z\,i:FKtm{ݨ(us:UgE_L;4?I&4#,MFF$Gv'@,}m;/O`X#jKsJb [Bn&) tfܒ1#%.UiTĹ F;ۂ~fvQ]NSoŌFP4"hiI% ۇyApBwR;2'-SpgC^ :sP~b3s$xD˺d9&%H LdӚ8VEDE8-́<&)N!<'NL.Flt: |͙?1Y|(%y8ːD-6YGQ[`q)8WvI"'%0$)TrzOTPXg,EfKƷ/dG~ڦ{>7;:O ,vt;UN<a6!kے#bQ3{2r\3 [bOΩ5•5,sUi-X!SձZxhE/YK7Hkaw4VѦ^(R;K֪ n8P. 1*fa• 1}c^G≢:rxi%WsFQ2y6x)zE6Umt]yї q}^ҏHe;<4RK2~?8$[ ;✼6]17<fiZ}J .rM0خf?[L{N71AmuY[M0i??2,y^J*ۙIX౻Ri)qK˴\bkO/^0] G@,5 /em9^wK>vc71!BMك4;a7ۢ//jv@~E3R[-F%+zS]DzFtiE~?j(_Yi-R uP^~ߒ#Yt|DH*g-cb+3igzf rkp.g#aP@M Y;!#XA =vUl8: ;MIUи6n|8RF0hv aKBEN8/UFQ~O70vV3yIhk12]+2.{8crj1/C7*<+Y@y}Q9uITGh, $|{:38`MX~Qkx6LG(b֮8 6+L~00<εMȺ#?6K(wp0KB,Jq12׿3jۺ'/H)6/1!7 ac` Z=Ã8Vă Z71$PS;jO,?,.* ,œol -h!@^ե{O3`73q/̘ v[]Cte[Qr~bI\iTr'U'#qQ] VSlPҁX1-g>Ԕ9, 7r@1n-!?oe*1u~?@t29>JC !j?m@7X-xGd}C/18w.>H qK~Cꭡi?Z[?$c%u3aK]fV54o:ˋ_5M7Yxk2Xd˱X! {r%Vvkv)RJ~rtgT(M8o y:R 2%л E<)Z̕xH8jG!V2a,qph$>8L(FR{Er1Pba`?-l RdڶMZ[_ss y*l0Es;$y ,:^8z  跨u:o񂩦%IQl."* N*@ Hɰ;) J adh:ȔV41ðF%9ą' 1A8ޢ`LLs&GVmAa&tfq/.S9O\dYD.׈M=wf˨TO=Y' |[B-渚Z%mDž'GIu fN 0=u%,/v057 qc/$U4( h`r/+ĽTØNGP)ȵ15Փ,#l1 umKvS:c~|{`|XwYߋA4k">*Ђv1B~|ke{p5'gԘu(!"}kҙ"mNs%]ןvp(|JdE8:>K0:-u8P j9wvxEfxB/Bʿ58vU[ɞd ;Ĥ_IkD.ym*NqjVA(S{}GN.m\g ̨xUʯ[~nR@Ĭ@4L uDA)If) .P.TCL]Zw_nrp9kT\ljUEPgQVaJ9#*,OIN$=5y]T#D8?ȃֈ4'B.q#xa66Pn?.uk|lòd`$AV-e ',e-ect-J׀9(nX mL]TwJ0dZ[kau,Dp{`ޝj~'>2xC ^yxBw:r\aj=IIJvdM&li%fHk^ L]/UmD-J7j$KB9T[w?>+QJ4h,SԖVAT=Mߨr*6\EW]nG@'@gq#b%]o~[C}/ǂ+9%q~R~L>q0ǫ)0򋙪Z cM%cˣ{9L5ON{3F߳FXNh:tbh BFN{Hj'r9] #m%`t*BM yX?=Ҵf&Mef(!4\lQhGn ~/HRkZK6T`:dVPrx@܈^Ζ{^նh坬д fi,JBFwX GŊ NER],l >"RX`rzt=ׅ!lAOY~lϳ6=Y=pJI'|JC?rA$>YP̕;qΑ؜de?àwi_(?, dvÑyat%wëH ]F 1) Va C˜_HPCWvYu%i F/u.&&} W P ú!**kpھU5^ zx *aEs*ݮw D:V^LYTpd.G鴐 !@Qѧ UE !"T= M;U‡#j@a(E ]j=LV$fczOi{Ɇr/6*ǀgs-pXb4CvFwdLn8ZZ c|;sg.@ns[mN"뼋4'%Å,f:>` i5l _j~#R-'a@.a{pi3z_,Dv[Ozn#旟?nUP%yQꖭ^)y%lAUH R_^,CFRC6}f`2 ϵf>hBP/m!dZb"$^ւ7fVhViX(®ubLòOҶ*d࿉4%tqgW!Ccrަظ(",j!_Wp3`k_f=8\1)߲Xt\ћ^&4m[X;NՏo gčE+ .ryT6U1%=d T6! }Hu̟lǢ6QwG4)]2nU~iT8%Fͫ!IM1?8Ճu9'Tlz'Zвq+.յvi#\ dYCvT2Ius,̏u۫ќ}y_=od9_"tp&XoRZJ 3 xE(h+@COM E RcBl$;FU} | 0˻  ʄX/e^%rn)0z8׳;(9Jo,⧙h9 0W2W Jj%kMNmptdvR%2?tkۺ;CSj,Mܮ*Ka1tgdsL!^0F Q=ݜ$p;%0>q )|\zGD?0xXC;+Uw:;`A-+>D(.X .4T^y7 ձf rs4e $06!!߅1",ш.?Bt./:p"%i <X+'ԞؒQgW|(7ߡӢXhu2DX;/vhnyx,Ͷ5AɖN3-K!xwnMe-;|(ԕkc Ru*e 8:uVyCJvw(:XmԪ])ɗ%>1(ZU >v,)2hE:=]ψoFٸnmHzQ\HACt!n+zp)#?X [A6Qmk;ޮhG?pj؝ڄeZ]:o:avoyNf]D|~A!͊3 ;;4't{0mu,Ik2u!8/?/ڟmxHjs0N;i/5q:Ѧa9<ӚRb{i|dϽ5:`: sGGE㟲~^&W6lcPYmOQbA\8aOEB yT+Ć;(1S98Z} *j/8ϖU {E]cfT 9!!J5 ͛?l#0<4zm$+J0 rOFb6:檐1Ǖį]!ԯ 0h^Uڂ.x_IysN@X 畣LEid@Gߩq1IMskXYk]e`JTRwl>`@Z+7Zo PVXm;twRۮPi)vre.ɬ9T S.gyF-<]{$HaGJLH :9|f':9ǰL=|P)%~ꝣ RX][ػV#S1 nlr+̭fnQdF^KU[?GOJiPq p0xRZ\ZIɾX%I;ZpgbM6l2xyZK@I1عm0/G] mFS;)bQGĐkbajOʐ, yi}V?l&P"k{ߨz%P.-1ݣq\8>ށReyyTf=6"[}a6*. ^0h-OQc^pJ->"TADMXb*p4v!H/ u_u9qiY)ֵo{9t {]qa\4 ^۵J%Y㺓R=qqi@cupN}2ud(ҷIQųyRQXuixф_oiLc_jB= sC}FzRAq)ꢊo^,FyY?%[R~hy{șB|ۄVlvE2Ry *Ja"+cj 5e+T|ֆ\E%p:8÷4.<2̑vB[|"o>"%Yv^E" C)[>>rZ d(֌u4)khj}Y<QQ^/9QEm#[E~L:7 E=MU ;4OǰV88jWp=S7lsTWD55XRC/ kll#GlU_b~-pJp9OFMZ#xmhQMr@`hi[P?kvMު*ì}YP M)*fd y&""g':4LiAp^\:v ~ٔ" BHsaq. msJr;An߰_0VZBlEjJn:qΊ> 7E')d@ h8,b߳:(s4RdP.YѯA>H&#65aa1.pLI}>S=kw"C#Vb8NU޼^lj]Xǯϊnɘen&պ_oBh+ tՇ*HaiŽR L4Dq%-#ZO2J#OD|-9LaٞDu:0./x1{WtOM'ŝY5 +,oq<_f{6'6JcE,1{bS]C[1+@ 'i7ˢ4d`_X-lJRⓤg&"|kO);r'mOBעƬm7Z]);cS~5|JBЈI{+ > v0?ϛL PQ,n`5?qSmi C62mϦm:*\۱eQ7r\ چ1H\x YZ