permissions-20181225-23.9.1 >  A a]p9|(XXbMR&=XB?ϕ+ 춉h -bhK vwuk}zqUEfձ9.@1s1ӫy|0 Ll2|-C}b0u6fXI YkqaBiA, G- `g.~F6NUZ}4f#O uz^u +yJ^mG*Vc*yTFwd|96c992b25ce2aba9d4f2d1f6a489400c7b7c86c576a4515e1d445bd539da16e46fc6919e2da7b1ac318e3f1a918574dac67f2e50a]p9|ڰt I Bf[rW~8y3֓ybZB!{zq"}j<ߵUZ@0jۛqȺu IqXwJ c9[Gtiv7/|Tq)p[AHKu>ʆPpmK_9o =Y*2dSV8$k΃瞅#kώ2ޚHƈS:RV[ԭ۶ú1ĩ[ ]?(>p@=X?=Hd  = %FO e{H l  ~         , Y    d ( 8 59 5:5>8%F8-G8@ H8d I8 X8Y8\8 ]8 ^9b9c:d;e;f;l;u;0 v;Tw< x< y<z<<<==DCpermissions2018122523.9.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.a\sheep07RSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.Ts1W6^j9;@큤a\a\a\a\a\a\a\a\a\cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb06adbbc21d59625dd08c777981a37579fdc1d770dba133ae71044d05c154f42ffc254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3be186e053c2d66276c577c08ccdc467d5b4150a19c0bfeccd7eed528e80e61d425a096c599e96b0942e16765255528e9e346fdce199bb91cdb86759ad691289a0ce16d390fbacdb1dc60f754e3f2eb33b9a75a2e47c5a91d866d38fc0ad78e04335eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.9.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.9.13.0.4-14.6.0-14.0-15.2-14.14.1a@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep07 1640258792 20181225-23.9.120181225-23.9.120181225-23.9.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:22267/SUSE_SLE-15-SP2_Update/4b3d058246c9eac4d680a0bb24fc1a4f-permissions.SUSE_SLE-15-SP2_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1ace971254562c730839a2abdcdc06cf3c92304f, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R RO_Xbvǒ,Iutf-8bd66d753059e550f74d02f04e3672c334546f442fed55f38901b70be1fec4b13?7zXZ !t/W0] crv(vX0']<4Эb~z6 QC'b*ݥRm9Ŭe"_-63BWpbWAΨu5HwC]PӣIռp\ja75{2=lZkծ`~i'K2H=u\֥M1+AYtK^-O6;ɝ>2UX?W9`?([xZ!~;5oNUy ?ƉMO R5 ^>#n}9o@9XT ԟs,vl1HA0V?q&`l`TGp8DwR#SK,H/ٶͧ/Ta/yE$}w)ScO$FU 7mkfC@Ka|C԰k%P HԶu8vY33^b{j-F( %>`g_LjL=09 ̆XId;d}tn $ ՝є\X-uEgBW8N^1~n`Pd,"Ŀu 32تYNMPc3BMOiAy-ЩrW ] | 09:t)-dr<([7-x?*~wz:1vk}={E { Yf{W)ORc 8ńԓ=~f<3%bXbg-lA;`@"C;c-? "VT5%ɣ2^υLV :9s 1ֈlW\L0}>P嫭t#[,XUc:6%H*I)-@5iݞdڝoeycbV (%r!W"\<' 08 ϭҍ?E${4Mx8C SP,CM؅Ϫ.6gKɐz ś銙P-&'}=HmKb!v]kaj+אQ`M-[w4?ו}{JE'=#DG| 5­b hD*5i@)b?`Duc,qOSBw_F8Ka.L40jRf4I Wk^%LRІ&5Bv%- 0jst艭lʤTH|c 2gzv/^U= l"+iΣV*^3Y]/%>!X>^cx$]~n+yllCV4 Ʉ@ll*}34 &hG(``M>B򮵀,7#NBTBՒx^u! _FC /N"+V 3J/v];49:| AwA/ ߇6R|nӓ$>ڧ *P %U1:y781)̅6;UXw?D i&Z(wݼW9a\vFعYY2[!UhI33܊/RijU9<7viD9[H]PlvۣDzSMzSQJP4Pez/~7{$]p_j4YRo{E'jonN鵳*pc4B,ҞB2揥)ȊIۖ0?WZ9Bקz\c0A;|yl:nֹۅ4"-[0$ M?TQm-"űi'pz!G9mM]N@#*+61A!n7fѐ #3Dsbc0?N3\R = HnB]g9V%y0E5@\LQ5ʮc(n6dFL ݋2k׀XG_6>4D9hZE',M|%}&w ޥ'KBO3o gG-CPy<8Gi1Uap_}{|N.jPxO9d3kiaዒtmObTGůQ7. [b:nRNX {&) q8+&D'  kpSH!hK&f[2ڈ_'!Ƀ46hjZ5F˨J __TZ/+G nrui779h @$\5Zb*o<In3ʁ3SL]s\_~x5zV-2[({jz+|m('3L;S|L?06)a=lWo% |wf!n|H2T! n >+K7h7 6DᢃX`Z.4_ _ۀRBsҙ-=x#T )X5Y x gNȴ Kt BWo,H#ohufJ+o&wCEѹu񫩤5AW:3PH,ځ ,#!{|t^DaYl?)mqL 7}zN6GJ). 1a*)X{[7C+ؤh=i|`XED!<3RRΰ̎{ۙn?Q^:N%XִHN9i@4?im IAKpRG"Y LЈv6z8֤]-u}pLͦtwlKhw7WCrZ حJ,LWOLzPVdfH3vO6XPIzWw*1&IG4i8or!4>ꕿ%QGDQ$x9D\ x٢8a2TdEaO_kJN:wȵo>ؓ`H!-Xl# %M'F kd-R+D-@>1#d[&Y\ B)-V5ys7~Xns6<pbAuķ@>/8FEA.XW咵d\26~žP`F=A:n1dTV$LX Gl` f H$]\],vz!&]S= ʲEiLkX1z@ݞj6Yp?1s?VxO(CIslG,˼7<kVxڡzށ3f?N%pDޑ @xi݀2\@l2yӥYMbGKk0ó꼕Kl2.ů&,LdBi_(.ǚ@NEy7B#ol`EqʭvNzoĆh@C $,%:bV:.g$}6e?Ek]`-`AL`FkA+/V@3|̌ #Z9 &e _O47k%Z~hs)clًP2cRѢ`NžYɀD{yd[N5ܕlCg >0㹂 ~Epa$WCx"rʫ߄JzY# p+ӛ8 DjmMȝ1 L&$قY/ fVםD1e{ߚMhq铘\t|K[D`wuU06@&,I󿄇4)% 8¥pPW vjܒ FF(I;~p^BI S g2|x* `RFY kF"dZO[2q7=F!vɼ$AXuŖ+Td'Cf<,-/%!x͇ }ުWĜ_?o`4tL6)L|,j]-Jj6 dP!#Nc FBuwm?5TG$:9P*X#i*4)m>'caw+kȿMZBFܮ'CpTn[+"䧆ä$0@"7>xLӇEfv[>r'+6gh48 DBWS T6Π-'`bd1,"+Q| !լu#8^ۣ,҂\v b^+-S$$.ase  iԵ'zfCD]Ta눚,h1hmr m8)8t mw98^ieFV?ǧdU)z39gL p,d{@lȭ"}ZV([99c*]OZYpvjA39's/7"m(ԗFB6Cpt64aGң ~s.9uWnEbSO%UAe.6 %4ak )y iV {ln$M0|ap 7ݳ :h,8Blt+Ro73J.sYmbaF;5LQx$O5(DѸQ :&Vy5y&~0آ3uq$_ )QCOAequJ8Ivݷ־&G gn=*8Ƣww 35- :F@e̿L v3B<%x}KLx6tT]!:$, ʘF.36U]dߑW[~ަJ.֩c̒ysX98SF}q}b@_s oBP.$ x}E$ ޅIgSb]fT dI2$lZ eaHiqUD# o_}ڔ<_N.2>j')kd ѱX##z :ftPR֓˸1N~~pPcd^+8*Dd}v]%n$*tRKAǦ߀^倇AH`{@QȢnf8A*A'`1i,9қwm`j٣&}Brozghj$"l .'Zw4@WFAȜ 4bVoK\\ J7X8֙޷vLjc'o)͑h<"'NDL2rœva3(C*6+@g_p/vI>vZKXe[Y)VZ+ `o Svbc64.r!h@8){{{`5PX<< z"Z]X,?BwLXҠaX%*0г7-psD)an O#T 4DBz[a^~ȎI{ ><:Qq]K9^$Hv`iWڮ"qF(ïJ61&!qp6<+7 5*# Z<7V upQ>,5L@FĹW4][-3m`CxMX:( Gy)C8<'A:-?V)((*?XྍQwsNp;U1,ͻ.Lbun0@R r>Z!8W!\SW#8.xӊӎ nY٤}|`sL0zp'NVX-y7gyT̬{ "_JA&\tYtiX[(gMλۍӎBʽ荧3d&!xJSZCzjȬUge0^wfX݂;tQxWjKthL͍pW `}`rG܃"0EF8Oݤ_ZGlpflݾ%)1DmI4HY6Kme L%Eobn.a_w nȚ.'ۇ+CI^mӈlZ X16Xay_͹G83MZwQ{DiRFFs?n1+[[rNI(6TĚ.frS*r8 9vͻja;xs~g1#-M XU(&嬊 2\T,3o+z'hc:#+#tJZ8ņc\P}vKgO ^Z_VD e8dPJ:&jf99Wg:mc)XxxsВhWad5dm ;LZ)q 9幖.W$^jt:,5DH,'܂lt3c~9dŮ\q.'14v\NN?h08ꁇ#H[r|< qѽf'plԷ4x &=`1c/m&~k:@,*DNJ {|8 PJJ񇗒azܠvIPkffiÑ͈>C!juyW<@ODMJ].:JyTrs!cśΟi41|G!:6+WOC&ymTeA1NV_|l:s=zD?͍"ع>%j9PK|T!5H¶ޯ bMd J;nkx_⁵t AD%ltb#tn})q):8 9[Mf`G%UtJruaOO>ߌgJPyke.x.eFw%I$*ٔ pqXd軦oc;4r㘐eF_!:! T&m]蔅]yZ jw[/=yRN=bol4srpGlr6/F7]fQ0]ba'>%^-JPChױB6+(Cs{kE !A~3Ub "_.iW|DMun^/ɧ*E}G4VI{JPOjK_eV9nLߨT*`kƴ7(HloKMBg&y{B"XD]X:hœS]T5iF9ІynWDF[Jg8my.N].',NӀ1|ʍC[uϟ?u38w,XյM &8y٨z|&~6 ! Eg(c ԈӯDvM^,{%F~Z55pڇ JԘn4~G+@.w  _nnP#DM{q3p4] ~Ź3`#a5ů{T\|T:*5_A l4_Nz2u!RJBw" (; (Jhrwۜޜ6 Iۃ`#R$M*Eς2+0J$+.IݢѪHqJQ7vGعi»SqIN}WTHr-;D:+NW #  3@Bcdun6(_'m)x j۔S)aZAXta?Er١J}͗ '0S@-!h?˄vθ8$n nڻ |FXh_t=S~' "y}Bm8-fmAi]jrUliqx XAxH9~y.$R ѲOM!OGAiN_[Nw6 VZ^رυ o W3Z,McM5W,TyG@s4 /f];8^TM{d=|Y%q(Z[Û ]!na ;s.rJ$ux^/Cz)fDT.k;t47UGj{E`m1|>1+7 非=MR,{'6~P};L@ɑ2AX6,R$1Կ` $u[#`mRYRc(ڽD2 rY* tqNb\ s&Y8?/j`4VH/=OaWVM(`+c(zh~i}֠Z/;ϣ^ݷr59mW1rtF0*3+FEcGKv݃b2Zߞ OZ9yNaZs,(U*08``?j>{g73)'ӥUy2|5:7n4lHAB6fVbמ^۪#XaY+;$ӕ}5~ّ4Pv bVKQoEQ3/!QFfONj0`98P\%WGd846Jm~S,;DY]pc+cd3T?ᝈ&A52z0W_ѲtL̴Zξ\ȑvf>]n]qߋ' ߣHdnb'и:+cLz3i6NMra\Nt3Jvh‘^yvu'OL(1EZs U?MMXbʼnPٜQſVEʦr.]J) !TSoW3V Ũ@Dp +M(ђp7t tsJiݑR3컛a4}_rUHg%lڠ'GWCs[&A8 :ģkTk y:GwfA4RR&6=H(.)q }HЁ&Jq[I ߲#{,jo\pfe,. 7uZ)"+YFR$0I7 Oś$h "(S0,uk{j|)x6qpq\aE#J{È@ڟaNGuۛ 眴ǿ/㭅 ;,M#Ԃ5>zěsz\ 6xvdq=*)-|I JE qչGcHy2׋ͤυW3P5ڃ ]7oֳ`t*ugExm܊˕;i<Hou 16=t}R|u0mʺ(BRXv(Ű[D.xFM V=š(=_ @b{b~gAđwuqٜ崃뻝F2]ZJ@WVIi኏~Tc>S;u6voE6C8@%#ψC(40"Y /~cRO0j1(|,yѲHhΫ&* lkm3Hqi(Bu/ߟC~ COlHT#PtX>i,NUamw$}> _Fˁ!~{\>o+z8E "=%D|A7]g ҉1]N9hzrdy Ѧeo2rA`.w;vE* 8VI-4ðQ5r5qIJc*1SG^:8ɀ"0<zZO!XQlJzCFJ;b^Q=®[ ;0l~W dWЕ0ŷY!"1)逋lW\}!v.E( X2.H RN??7P{f`:G }}RHu?d[J:ߋsrhyz\a8b-}OgjTKz0]]srno#iœR.8@4[h:Iz#g#roGAW|W?LfB\WTi܃|?6Vуi 7cX- ?`eN^ZZP#dp+LG[6 LL;\%ENߠX:p!$;$#ϼܢ,X ?*/D|ϲ) ,t`d;-`Y"U=4m{g$n=֧zd &on&ɥ{džZ};+]M] b5q Tc*O"sazLY?DXoOҍSU|[)* {jmh3+HF! {4a՛0c^1^R8Yn9B\88rUX0){NύSz)H AOγ8$EiQTǣ-^IPF]s_ϽTtn c5ΦY{jG?Q_Sg$SS{BZ>P) \0UTiʒ܋j.&9ha>|eg%pF#턠Դma}(sף2Àx{qGHeM𸜬u2?lp_WC1C>h͘1`}$[)#^;.|J LLj]+ogťduɶu} V* 篴11׭Bh GwR>o)))E 'lYa/RUYCA[f~C0#!*$c۟?ǦrT͓5' aŻ wš"Jq1|]y@5;ohw.H;o:z8 g5Th<f 1DqHVnQ 1>C6ۙYNT`_]pTOzOJqy\5WRԯuTϬ dxmT^qY%B-$m~9`ObBH"-^}YY*IRo@؟<DAǐp#vZTڕd<3 wL:U-ԣmr8KVqΞ+CKn@]6>oYADYHyf"CsdlQp18>l>LҗH22AtB!ˈ$g> mG_̌jo^zxCF.+r=PNkKWmo8IþcO;0 q,Nx Шv5y㳩4 vAi(.2n8f\噋VBVdQ-B]|sz }Iح$w-0>lԀWU#< g9]?\^]1寔O Fy jP) Б$<%j{n0_ 2w9r2$_k `ؼ#c=2HMqqᥚ+C'Kdq3'$apZ'MoHJ j?,턲=p{]\lxęDGn7.]=Ձp쓔v;֣XϿ[r7-`Z^I?k0Dzy@[ J-q3߃3JH4t{wS13 SgT*OtmMi Jdͅ9R|6?b~\`19omb}V`#3g er`8qngWU90&+0N;'wWl[C<\vfq.CHW qd\.inX?eZv==e&\^Î.&C]y46 +0AGz(|v.Ж{BOm%)@=R;o-4{&):2D6G,Ig/ꑃ,)fOC"e`j1V!gq+Z,(7~ KBΞϹx*pN A g{'s~'&)Sip I_糠]͜h)h8LQrm6mƷL 3{[%NP/mC~p6I\U} 5W|!!(}6ݣ⥋D%?AiM.q8#Vp!MHYAQM&h<4AJp8cB~% pd ^Ag{P,5oXy}.0I:WifPڱISWx-I r3^P. ~_%7)@IhIdb ʙY(B+&|љS751O liނkbeC']ig@i[~ ݬDyyjzmsd#묪SL+rCiV˟hC_$"no-+'*ztqicTNA݂ۜJKhWS +=$}ԨHBjsI?zs0㲊ƻb:@LO56(n6 +YU^ܙyFYY Ҏ'd5YXLXŲB҈V5Lt)+RԈL?g(c[gw? ]k|'qkLfY`'ȱL2X([4rac(7xI,T (*75!>73{˭KZ,T߁ߪ)I@D뜀>>"¼~Vm6Ѝ /|+'CYJ0e_<6,пCLKiUrUͩ 2{D4 6.O Q˴ {0ީ [UwzO}/_cʉC@)}1/޾ʋػ0܎!HqSz GxaJ1Zp jp֓T3m;,4#S}|2&½_-דi݊Šnh_i`ުȆRrFݣXq`Jho7)LxaeQиcHZE!w 6^e;C:%rL.<0Tg)n{Ej8sm deT}xS?RtJ:'H[\d Wo0~9 ?&:3'(IK YZ