samba-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1 >  A c"p9|2B΁ق/-T[!8F0*K>P jp;}w,<e"$"i30e#ԻI&$d'm]K&Qի3g̀K5u;Ykq pv.u_|뙟z술 aos~-6rNK-`|7T@~[uֽGRɠv0f<8Fv {'ѐ3836639ee72f2c6d700e0135ad0b9fb318d9a4924eec0019fb7859fd42e549c7b63fa25394e8316d120716c4b1fe90aa7ed7ffddhc"p9|;DgRBV-:Ojpơⱃ;9$\NXۇ C,aPwPo'aʼn)"F8Su6ߤbh ~C) * n3M&N$*(C,oC|ϲղ{bi-=Yt'j|+gUń^]IG D2E Q*"@o$:C9P_\$yQFqLeI4 u^pAl?lxd* 8 f+ Aax~    ! $&(+F+-$0d01(28296:GFBM FNGNHPIRXST$YS$ZV[W \Y<][P^a bcccdd8ed=fd@ldBudTvfhwg@xiTykh,zll(l,l2ltCsamba-devel4.15.12+git.535.7750e5c95ef150300.3.43.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.c!sheep55ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxx86_64( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l he Z=1y<u .Y3T4&{66)w+3'A,;BGaAA큤A큤A큤A큤A큤A큤A큤A큤c c 8cc 8ccccccccccccc 8cccccccccccccccccccccccccccccc 8cccccccccccc 8ccccccccccc 8ccccccccccccccccccc c c c c c c c Fc Gc Gc Gc Fc Fc Fc Fc Fc Gc Gc Gc Fc Fc Fc Fc Fc Fc Gc Fc Gc Fc Fccccccccccccccc57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac3f51df69a650a0ddd68f29e5e1ed366eb823883aa93508a4e2bfd35349482c950c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e20323994992bb71214b40029cde711f70b9f3a0d41c1544600835a30018fbe8f9balibdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.12+git.535.7750e5c95ef-150300.3.43.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(x86-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cctc5cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Update to version 4.15.3; (jsc#SLE-23329); + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develsheep55 1669996806  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef-150300.3.43.14.15.12+git.535.7750e5c95ef-150300.3.43.14.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef4.15.12+git.535.7750e5c95ef sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27033/SUSE_SLE-15-SP3_Update/f968e6c693d465d247e96f210be85c5c-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RgQ^]ed@ݟutf-8f63aa537b4e965c640691c4dfe820f3bf495ca7a5090f704be903a45cb4e0612?7zXZ !t/] crt:bLL ? &T6 Hs ;h ;ӓ@i0*Y w^5F'd [`e|hLQ&OT_42;ְH>cXbxk`W3FWEeB|3Yҵ%52<5XA Y\/f$'y꼨)GVN0]UFmHӖ-Lr~@tNא~FW_~PgV|g: &3M//`'AUEiNyѦcME\)%Ci>񌠿MoRrn^.Be+{T̿cKލSggdpȀ;!0RQL%K%ό)fUBQGTx\Ɠc ǐiPT٩1KZ\!y$FJÒ?4zym5~1{łp蟯 n:s +jA$ae][o:()}4ШHq+mȃ/\32Tq,ن\P7$jwͿgUgX 4'uYX-ЂK?"Nޒfܧ6n0E.ieoABń_[dMM`:\o~3`Wd!2C<#ޚO.\̅u[&O`~HA;ؗOVKsS;fN*ȧwcmHnR8ƬF܌X V_F#S׬qc ؋Dp-1, 2RB~(QLؼ'~\e*Z Yi'xLR;dĵXq"BfDLձ,TJ36jxy\~ t]`tej6k50zRLJe mt62_WjZNlJ;SGdDN[tVb('Zz1W*ig9& BJK}2DT HD˃^ ħ[^$j5ɥ:r#t8 ){U-`<6ƭɃ枟/W w|=jNtє4 `I4pyϬF.ݡbk1JW$u-WYrc5Be(S)JEq^$_ХT|ahS*hʊ;vМ1龏2dK-x|/iMBR̛ܗHCIC"`]?mQIa&;#Un3r}꾳)"$V7.rX[y)½3la5H qذa~ *>wMh[ޣ < iIH zF@iH 96DgN#Nr>o" 8Z pJ ~ΖLE'L#-=vseś5 \kHWZ\"BNO`<21G%H4yAj^hgeʑ$-kpb)2x'̭ ;l{s>WTU:Oe|V&O\2s|ɺ5d.O5[}Pӣwd$Jq''NXVQ?OR!(M(-' ]lX/;VȞހ>9d4IqV{td/ࣼEg7AZ{kI-fN;<|ؠJ_  @la%8fWU`U,Q̀: G_2ETxu4,k,Up>s=l#cK\wm(|F4Ǖ쌷S0ޝc /H*hR_ b7ز,`rVtMqx 9GD{؍6݈AS7r Qg_ag;wtM߫J!(+:m+xsͽ\dl ztmL G#k%31Dt`|4pvrʼx h`5tY>h"*j=zNgȩ9`* D߁Ey\*k6N&>sjf#F:xi % o?;>ʜŽ5b\e^23UĖY.f! .ugpJCL? #`d`;FA4B۟c7a32YI3.@Xm Уsˎ}K%2MQhMRx/G8}HADY\. >טv j|ʇ }{@DʮU29~\](@+g)7A֞Ѣ˖B"9a&3 PƨA bd UŞإ`#u _ i38z!Gs+[0#]1/R/8IL^F@UpWd KQ֧~՞0:5$fسd36tcZK0EJJ5!5(4<@uHqQ`1Е,Fڹ7e%-c* ,Ɉ!yT5u@$ˡ_̌(tR"?㬁Bl{r~?x=Mn 8"d*F֗Rmu`z:+Lw%>!C\RL *B_ePdBfII;Adδy c0͒H8]dU "Fr̤ E`FR^l KFt[pPE@ZkRԿNŊ{.̖D!XI?bZτ5S5>pC{_c(ZQҳr4 zuZ*b2' I5$QQ?P _q?Y&f[ 7U 8-}‚$yp ? p +ZTOf{pHٿS. uWE =|旼+KfU7^[|]QvVmad^TY[ђI)"}4W11^[e4rd; x!mJ{arH2.oؕ} 965.?W6K tX4dz+}`Ѯ0U$0Z6SiD+E5-[a@rcY%B=MVSBl?ai(f8 }hXKv0U-=iC)~/+:, wTѯ'/2QNn0 ͓0}0O\'0>?O:,HOXc5&D̖iV\Ntϻ>)~ֿH v1Hщh PQ'A SӴsGև*[cBUC2!HycB1q3нIA)M%{!a}ccJv]]J̟E{c>+V1V|3Tհ\`nt~s*ۮNEZ%%%*MuBƾ(J:QJ{#rMFjg[qd ;(X66:AH3Л In6di.H>~ܒV<`^VKӽ5s# bۀ8T~*L$uqKE ZB0z"-OB#W̹S%|$7L1(fVmG2., A)zVzka+0Y`BTUrP]Sc௎g"`֛> V~"3M-|m]Fg@AZSe{C'[COT?`ULVœ0?y ?70Ct|B~/.>Ne5Kw1QyT'*&lݭ7)4\_~(1:(h$Z#N$hlp9K~A>T_6>U؃!ϑZNH;1a~%1JU;ge%B0T`S(hdւ%\eWgք1cvh&͂R98Y9MÑ'{y ʟRr}ȯI0;r2F_x1Xgvl O)_\Hkkn7 k+IRzY 48bx, l:EY,^y"C1NY2k7Br 5(݆PnFC+gz=Q͐yDK^1KNmV8jJQ0 / Y`\ .pEf95f>ڑRsg@Q2~jQujZ/FV)>$'V|!y,ζ^OkN[8N flђ!*g6`cz~~0ƿQ݆B~ e7QÝI[+!.ubխTY߼DV >|/y0ʕ;y,VQ57بr tR".H ޮ{o'$ڼeIA~1]C@4D2B"ϭe'QmAQV?IPRMOy k NVtyjbdd%rJ簤,`>p1_<+g-9/[*jfW.;9!`K=XPm|vMbWaAos1m__TFun0B7H8}Cf{>ItL3%ߗWǯJ5-eߺ_$ 7VR_o~ZYOZ3/M:/40CKDž;=${3iD!YP.cRP7,>jסgK 00* f+#|Ur+h0L%C[Bmh+@݆$g<^1}u~{e'vOBZ,(W;*_ë%S2+J P#XѲ겮E,S"kџrl5ٓ5҇;`ֺZ >2o(RȅI;E.y/n\yZߴ<Ƥe\+Y]RV;!h8F=8%# IVZs僰 U1DeWlՠRT(:sUIl_YپUK(UCȧ0׿؉E>A zY$s&v[PHTrș}v<zUfXOsC K$QxvOMs&L$Ij$lR? 2̧B]xY5vikWI*!UKq, Q s(H_pn)4l4?zs^/VicϞFP4?${I&?AqȥoF5ɁaHг"gɭ຅+Â#46och}B &Ă3٪:_hMk§m  cYObޗa|w-wԲ30A7DCYwrN z)l}r_mT{{s^CX'i \j)d'xC8J9XSA؇n`LS4Tj]reګJ!Ci̥T F,\{_0- H<P:AӓI^<8CH{;E\@ Tx6ͬ#ϸOcPL!ghf*u/w#|IKS!ZjU jfp羪 d.UVf! eo8C;Px4?- "-AOFe:c] 5<0qU5;|A%l D[rغNt#N?6T!\- t(9x@qe:2lrdگCŶfRIotTtSŗQTlww ,N\#㞙6DDo} l) J{wJDc)HU{ZXW+ X̋Qn/ `\t4D/<+lqTcOϱp`RV(i%z|b5tDy6~[דDrn KREDm ;xy=w.VΟ1A)߽2̲zSa"߂#zTWPD!}STb2&kxRo8;+Təl$J48$WhW?1SM#b*÷j/ rԱ7|rkId3͉WZÔA^r(KVU3(uƦ{{dG%8,Ǫ#;.%Jަ4{~.EseosE[J[Qx;=8Ɯ&Eu\}}q@ۙ&n>"5.(Z$D 6|Q; |:RhS'6ZC$|W 6ã xL]%8Wmȶ5i0-DJzS4%{Lw ɸ Hc4[= J/3Hfm'= 4ѲT}+X\co5oMhҺhNrU>lU7 .ؔ0e(<(L.3$RݒF6+A.G|ɶf{5hdK\]aᵚHةlu`7 ]^ckZ- 5g3Y6a4\2x Cy PF]uhC3?aێY!W a:vLW6%I٪/hK6;vc򯯟>cIc#cj/He}rz*WE_=RO^0YkXw3"o#9s& q`y"SO*.1CCt! ߵrx{E-餋,D⬔8r@y~ ,P? ϋļɍMB6ˢ}&dˬk:xEycQe%9x kP W'|+b|_&Oބ"KiP)&"nj/q;p iji_pu: d{wy$Uo:4)|5wN oIEMld8ar㣭%9lsFU;aT|QGL֕S 6wuPOiQ"^ 錤T=a Q441Lٺ<=p^x1]h2W@ٚǑ]sܸ)V]sA4Vu.!ŷ AUQjuBiabC+c;Th3i&w*!6J+o;lr#CKI9N1P=3mjƊHA>(kOz5} /pE_RͰ!/ԍwYMKyѐRtHDo|cSl=\/ f\gȒ<*`0Z8&"^˙`P<8ز㬮c1A" J/݊])ˀ)-yʥW$IBt^s&hdp ^Oz ?F(s:wْތAb&s?:rI4&Mt\_vAEVZu{3F[ dGB|#=c/H2X p v6}4\6'Loq:Ќ rƩɺ@)I1`i>w ;ȿ&1A{Ȇffݚa ov9TdgeZaeδz]OcD| áT>>hlMlS}7HGŻ@OEz:X$uEKF Q\f N^lv S#82UZqɮ1;'xnTWf,T(?^B!?azM882;Z{ǹӡ~j}Upzd{Wiv}pu؝lϫ1Wp{Uj<nOGorq~ڨrn* ‡vO7Q}G}FwR1c0Ziaߕz8%W{ciߌWiаvrbV)Ā*1NL-T#`@rxa.j2^#Cf_MyQ\ %$m&ضmpl )+:B=h DQ-mkТa[O`[slxoa.D~LvNhH=4:|R);RMٝVEF\<+!Z|,%<$  j3v-X<_RƿIsƼW`|>m h1볭r=t>Uaqsk_B&ZU wouK 'k6d6BM:kNf9o& |RYâ-Jyf#paqJfZJ(Ŕ[?Jh 2j~4uQcbȍF}|Zm`>!̡.->A|A- O'fwUI"QoCx>2_S",U8#(z! Ev1u 6.bʣ0P{QЁ "8& wSĖ:RjTkÈ|EE(6ks$xu#ᾴ[`|+߀:W 2‘Igh3{A&@WkS/cjɸ'h{4ry9ExV&NC?H$g郟/>Ine)1hz;VRob P!XqZbg0ǡFaoitͧ%/`Ňl UJtj 7cL$@o u%h$">>^>d?F tGXJ))2lPo&I2vž(gM D x|Po;w5(,J6 V;q"眪0 TXڏN^IGђXsԷ%Bj2ژ^O7Aaݐ)6V޶;g}Q`^8;,G'/.'ظO5B>/iL$uhO^'LPN þraYxϪFü1Ć0I{4zSlwP'*݈IeM{F_@I4,kuFWW7zë{bf&η)aen*,'@9/γU6 UO'E\,M'I˗ uY_LJc5ZM5K8 |`n,pS^Ƨ]G$6G +УT3i ^KRЊ˟C; ;YE#fTCG ~ 4܊~5~6RMVG8dg] #$Et^R8粱ۖ_'eXhM^H_H 38?yzΞLU!^eN(guWRƩ}r.NtYBYnd[7ҙbMt WzDi+h^p؍dMw\Yr8ۋ>@eh"_#?X,A=`αY9zOع%vv]ٟ+i@$3e_aOD{mM"ThJjP7~ig+T^}Ȉy.G{ȕHы)?j[ el* QX\{JB< f1\ш brbB$+ljE(˭Cx'3.Tp2dZR垰7b*r]H|4kEKW\ [-7WI'z;G1Cj 8~PiVh30忼|5bIx<̨Е P"V<wA``͍nοV֕# u> _R}G߮{XS:$+MJ*&63(iT v 'eEm/ _z`)B!14jԵgm ^V[dqr \nc7RYdlי!Zc&O)0 sΈT~s﹕yޑyFR&6,!D!cm{ͳT8Ũ-XAz\ؓ1x.6@ *[eHѹЭg| E㒫QFGyC˽b1thۨQ~/2~H$lRU?Yڻ-JϮfCxR)һ SbXej0䦔:w 9f#t5l+Ða8:Wې6͵R|C {|y pPZc~61~̈mPh@m";sUuYUTX;Ц^ر\AsN(Oǔi ]Q}FT{s{:u[ŀq2.EQmH;0(=H__*gys%vQE05iUfWKVa!p //50P8ZauAo^+F6(v%O@*.' >;O#C;EWqKR$+JO_"ER/"{c,`A|.vA.I,6Jy}O!0pkϤv<\6l/N 6QyqD,h4bWS n vD.ugw۸ަש( 8R`*CKUe.!+`M1d@*~uǶ)zFUĥ&B\0HR:;BDO0& m(JgJ^ kBE^.+/c3/ c;aFї RDGMunՑdϘdjMi-PN  %=p '*/+YxS椶Pn3Am#"tPmkATR"QFP>"Ģ) @ 3@֤˚k'dl)v+f?łiL۝zcVf>t=#,kMErsE6ilezqOtDG V)@O*e-B\5k,! l4$L8Uomf(p5Zn9/ས*H**[[axPPxKe`ҹp-KdMMy\iAv_Pב(>j8h&vz{۷c3~G[߅@%h/ц%v=ҥpP5@߄"R_pKfP^ɷ6;..ږ>BJa$cH(W;,d"q/.uu4Zr3GA,R~HֿĺR!EKU')aԏQA͗8ߒ1@; E:\GڽŠ<2hvϐoR* ~턐ʇW;AW41VP21|n옞F rooE-p59cAkQD"=EJ+xau{% -L1t5ϴ tL @N:K>JT*7cG Y- .CNMm9'oȪ4)GtkCF缪R/2!`3]Is&ajy*9/*Rtk%Fu OL4'(VoW쫉)wD t2Ya@wJ!Zp;gWyÏES P]94QP.8Pݫs+> ٣qť03kW:ֽוԤO3ϓ2`&!Օz @(C H |V,ܕV*g1ȍFc1R פPmo1X`c D0i ~ԛq*H{?7LR8r6Y9S9Hb{͊!u@J~_>d8&|n>8i:ª WzEr0 ;wʒu }֗2.Xy] `.EwH5o' u )gEqYJ\[wȉLU'N|`-\W@4PysNr3|-^!g'y 3P?vGvе:x!:9W42?OoԩnRe(4N{g|'ӪEd*fi~д\ӷVBP{Rchk?hs]]Qg(4P3Yl([Ce V* X "@ Wn !Y@lDСⅶdC^*xF0!.xY Ooc>TrZVѓIFKsJ0k ~ D$wtLEr[-BZ:m-^;UYdX!2u. #X]Zdcߋ ]kMXsS'qMrB #pO;jLQt-zPxu ρ/S6+aJ_kJ5rj]ے!9͑5qO1ag^4Ң`I#t1}z䧨iwƣ]lp~ϑ)^jbxӋ%fs5.ě UY G^AqߢcnV7}LIVu!;Jr B=&3BT ?FI^Z>n.jl 1Ci>j޻(L^hm% Ok7.66֦Z_#M3i,J\1Y9{R|~ nR&MTk11d=|+zCHM|#hw.|^٪VOaE|Ż z7^/Fj" .cc *hc ddž̵8=Z x[1&Rn!YE{\7û{g6 }?Xyo}rKL=Sv(v)#3$܍6ˉ0Pzޅ6i! Y}Wu8I[:w  ʍE|԰ c;E|ƪl;_TW!\1Yr\{lJG5"0]|:2Nc5*K!Ƿ+c$uETɼ%OZi7A*ւ3N_(,7]z|T*C% yDd|ʽv& _Z h'XwfAZD St% `%u>As˄h8ZIrQsUj pL_~u^BF+B]+ߊ}$uɅJ|3KL;k(*mkW4 ;dO#JJ58bS ;c}s_Hzy[?t&p(ɏ;%2by:FU($ pv{gكM,XWj?*&cqwu . Bز%6"x_잴.Wk`Kt x \XPIܘO8hy4A (AmprG7SUkOܘÞ>q ȁ;)~}4+ (fҠ\bx~_?-m5ٹ` 㾎pR%u9Nͬ8'-XW N[ߝNCR>xzg_=x*5.r+]8#N{#? J;bix׎Tіߚ}S^Q&U]Q;r̢ -?>hPI5$/D󇆓!Lt?z+cqV_DqQ6&v&u^zFo'cf:!L`Nrgu~˼nz& Ci:<Ϭ|dz[j[!;=V[_Ć)p  ;UAe|ijɈseJ$I唚h J{? 9,[.ŀ{8N%:̆8pNlV+VᘎƼWڥEy-ρTHaRMЦܐ |JK.rl"(_n]T.av m)%dPJW zg9V}ue"S8Ǫ7豷8 o1+ihp8īVmp7]\dRݰN4KldB.hI$KުBYW:ML=5Y 9;EZ -xEWWΘ#JcB fLdb]z N/RϠS,o±˳(o]Ms\z=:27e~$٨>@xy9K>zê ތu =d2/mh9]_=76σho:3%UZ"hAC3.[ MGD TP|f|}0!`&I|F0bG(kPԃ9PyB;?TZ+P0^2T ?䓚QJE'^1{:`P~|_6 NR҆H.ux$7ePZ5# r>lTiO\[4&`舼T⺯}ytfwR,T'04eCsC2&TH˓Mfh򎣵5_eK0;3L؍I@fz}l5!psv(9]عjsNU4ІwyPƍ)RG$ dr,Gq2=s9R؜!xwnHK+NiމtTZ@P"?NDjUrp%Tt5'hNOAcA.0BjKȲkS-˙ ;2pD;rHhKhvݾ;n*z),H50e:FA9 p(CDÌGCCc>Ϻ>3kݙpҞ2&دTsMHGM5>+r'n5CTN57>5xo ؄iDyx̀ n%{$sjx귑0jo{Tya< 3.3>*{FOAL5z>&ި*[+ޔ+ Z7c(U}UO,ɤ  )h>m׌ƒuN(a9sYQO:gkDk'ŪPxYcOPNG[(D|d*ĢL(}5 gސXJ:rkV͸M kU,MnhmeAR}Y^%5l*Fk6p12N׿MU(Ky⽅V]+A59T)+_  wAڸSgWwim3VY}z@Hĸ]ճr7LYDyX_qם~ oI,$\kO^n}Ө/Hr|l NQ* Kv`Bi<G̒D^Sg_U:ݑWԴ>nɜKϺRl_){4|Gz096E\J G#4eGM +}#uO3,;A;F^5Zi\Yc߬@k\h% Hxv'$k#t1c 6->=6ܬRE>eؠp~>$T37q!9W VG^B]d(+ xF Fԍ!+∃S }E53:jx|}4<0\//^D"x<Ǎ7$LbqnۥM.*}}&_fBnP%I[&!>G>~I_wF' xF}2^3d(JRTfA.BT^sxΦl tZp|{dpIck!ϞM_2.fxWd°yw 4>MD6mM8]4^%`* g/`}|%/OͶ@3kk悜O waM[>R$@<xxU7U A %Όus$>ڗ'nr(LgsBO3xϞZMtFFe~n"}AnG,]pĢeo䎆ˆ2ǫtSM ꈔ|+V=Fs%ŦX061;&5B$'66^JA(`]%>n>D'j3qW5e[ !Y>d 3r(LBmy> |O/ !8l' K]o9n-]h7&g-nPW=<եs&K$vPͬϴFhEi-3(-\Ӏ2\&~s&_R(ƓnLr^a#rAĒ@h miEg!96Z*𞚜|S){ 57wc3l&u:CSh$hfQ{ Zb/}͋ <)!10Fgenϓ,TmA>k9?. h ÷@\&~OGu }v *H.t&>l +0UՍMǼ8x eI7K; WGd^$jPU3Z&r@Fo@ oh#^c9cz?w0Z;Ɯmft+/ vcmL,KWR%@|v `>-U l/.'`~LxiICQvGZJf!u8R Gi/&BsJHo 85wK₍QiIT]XSMAa+4W;@/r]İGɫ%Z PdWd%@9n3G=Gy \%m=Ň~9sDOP * e@k YD6ӌI|1*W3PTa *Vc drQzrB>!CqhbqEn .b*<(RV+FFGszćG9bve&.ªu.v)pBOe >cm*-S4d`,>}ecj-fb"SCԬ+'`!Iv;dq+W3;3Ă/mk Ga [^CЦkch׋Ju:+c,-יerUuz4, k`%mOj& FViejGs$BTMP)L7m#US. `ίװiF-**%7`BSY0TT!S4(#Cl|ݎ f5TCcel*kH| N*h`F3HX?ٹP0/ޑĔSУ S_7DU5l{3+/@ư&SZ߶!Akje\ y|6" Ar#̀{BJ ƍhՙ!\UWrϭ 2}c Vhmm5TAh}JVbh0)Q?ΰ]6iDT9d!0x(&<4htX2Ė;ݢա ΞSظ;t_|GCNJbpoƭH8)tNۨ'0)6}IaHe1s'8ng\v]ץ-V 8e9™4'ѡ[*HG%r֮?`k"杭hYBnA]OO9@yZ*y]p,hQ·E./1wC| >++1yZ5+#gDŽh~X}Xw8- iJ<K8-> u?RU4. r(Zi) '4LJvR )ʙTE{HFy",q|Rua}d,>+brqvPה (dڋ00PW-thw 9} +7NWvB:R:t2}lr;b-&eϺid)mxS=]+v!@LoixŃ?;OY  VTHKɹ ^,0=A.ЦƂTǐdظ T nH%ZxHr(~ AP, }˖${O[;짹-i5(' 4AD!ݺ⺄:5L3,55SRvDMin2+2/&hOxW|y(,O9SWNn(T^ݡk]>D>([xN۞yme>X/~Sle6~}ȲJ$DDo{~t6jrax^ꢝ+;KU͜ E oa)LH#-mEKLcEM}C}‚t &*}hZ?i/0rѵf ׄ*p)?JGwqzI.}^eB@ο`ZO Nw`!( zҞD".vR:"ݾIS9s<Ҳ真$񓿕crA6(?XމJCEK/l`(\XRƝSaKYҌᣰ(U^li@Xr* l e0vmw:vY\|c0gӁ% Bn{ȠCBoh=i`L`~BP.Mrf/YԝV`(*UZ2e EXbp}t|6?):88I!z yLELY<- d/|Ì2q9(w|?Kz!@> dI\ 86E]dMkp!8{ϙ\ #Su/ }$ o\Ӊߴfeo^_=`NX*Z B\ypv=a f}!g{ z?$p9y602`z ,Y\4)IraV=)u~OP20%LCpsz9M0.4@c&^suFĉl`sEb-ٕ5#]xb/G?0f d{1~]vn/~߰ק=n$f-N^~0M&=7}WTSr!HqAP>+E LH{ ?v\Is (')\/uokǔ˺OBWJP&x~&1-c/J.k_>Ǖs>ym4k={˼}8CFHvj$%w_*[تOg]`>^ܱL)7ҵY ۳}A$YfY$FQgdV?*m6[j6eb̋8.GG =<Ќiq?1$*@#M4XQj3Ded#4[MlZܒΪϬTo /_!4>VۏF  Cn( >irT4$eɛC_ *cv?gT`lqS^ zi5c6F$&_0^4+Lg\$L|RbCŀ/Q&\NT4I64Ӑ/-`7:KW)%mf._ OqAj{1(FZBXKn,wۏ?R>$4qX5줦!&e N0X /&uQPp<~ :;@xz,WX/\QuФ- ̶/t18A)[7Z:2ThPacjCUma(xY-[~@pD(2(|f/eu\5m+!g&RY\063' C syܨ6%μ(m3`P F=z ^ך2()߽,H ,,Pxmx퀔x(j6cٟ1NOS}cQ3u 8!Tml5cUޗz:?b7Hy'*hrKLAh?+tP t[Ү!0:9N V|E'$*itpn[˭ ϻqU yͽea׸-gi;ǂr]*Fp󕊣ri9>Yo: F vv"SLU8n2. \@u_^ʕ}Dׅ*%]1!8h;2e;Zl[W6)Qy)Ҙa$'X\='ɥvdR] g>V"tQ]TJ[8xDGFМ+[>{ނo)w$4 y;؏%\/YE;w :""[ܮ!@*ohׂ"hMṳ̊Z ɹ+߽ϋѯX*= 1Oc|BS20l#_S*' ,l Z倌hҒ>QfLpOt> )BXHuhm -oR◺n3hĥ(@9B-Hc7玚8xEXYW_RS^GnCyQM=_H#"r 荱v㎺+/Ahg[,͙ږ;Y54Z7~.+UysΒMBj"({!(_KPa s`RTK8&8%?VdιCG+}OnKcՊ%oHPe=9'<Ғ'v[9JDj4/Y\<Τu!q$_hagFi"XEdI. ~pa!x6Azwt5FαTwr \S;OƷFYYzg/N t恋"XQSC}?',_WkpmbI8:nM{ ƌ(:prY.ci*<(^eM{Z5kmHㆥ)~*8Smxq~&Bs;!IS0Du=2Dʐ%Y`v82Q~LRA,3EU9R;)83D2R*.hE$X4ΌZ[t*(PS %q슁4b wx$HUt(-A{r3LbPt08bLc 1'I3ȹJrGWr0?{Ҍqߖa՚)dLTw$ P )5K^MwMZܤ}E$T +&8#mfKQ_^qvEEDQ+ ksJ -PYgE6P+6Dwe -\:,$f,Grt091€Dm!H0l,qڠlpI[NP]ي,构B.BAZ3P $L􉩵!8*@z 9o(ff֪ 3$Gw,\WA(T~D4 i\W Il'u Nb762,ߴVH`p D?P08 y`D;Nj.Fo)[oōqg3z% @ ~ܚO%|Ix*+V(h84eln"ВrI60EU[sh1֗'_RcOqP4<0i)5s}Y?ԺՠY =@HM橪A^I@/hh\[h"RL~;ޖjg#C4_kZgCuz5 >| Q,y5_,GFwv66l{kΤ$)'yG37F w^z4&f3:T=F'=5L } I=҃yع9u_"B+j>X,V aQ54H8^sbx(g)Q_wW^P\U\g1,Yz޻wgy &Y4ctKq1JX/98ky 'O.T K5~_T6@8N5a!y,MRA-ȃ!b\saO$C^p%XdžۋGD'z:k̸7(wʼnxnsJn'tX=rG0Jcڴ4Ƞ?&~HYp瀭7{%uL qJl˙xMK,nd2n#Y26׽NVş&zC*Fn x//I3YQ2{^7}ANΰf[MqR,6{@U`Nz@c I.ݢ P}D*ꥥ~rjdOS`)Ss}Yѡsf 1(W3O`S>QZt[KMOZ`FO" LϯA&G #%J+R/R始ZsXX@{xoNѽh=pOmO "7 {fܐD=wM8#:0}Q0 \,Z ijZ(n ;?ŞLMͫuxwN aQ>P,ljipu`L24͙_a3WP{/VUSĄBpO3V=E]K>sOq=r}KӁ/_Ko0X? ¼L`x30e98D/xZNX]ฉ+!_wySIyƍ<,/h]@)z_ޜ#U׬w-/ܔ<Too(c#v2l&1Q f;>13? į6NVRyjë ?#X&E]hɾ}NS*U`n(Q!+#`-c3;mͻ eG'Лpq臦h/iO;)@V50LY{I ֪o0e;@Is`bڼ2 ӂ0 G|ܣ!7ت#tL0,(8];NwkunH6<8 a<-yPm?1-H87%*.* g'IcՕ}7PKoK[0DdJl9OUPYjĈ! і1~8UO2NUo$! t{՝Ɓ'2ӝ.e6o+: d[QTu4eugY CPZ6YJ}Ȧ 1\|LXIδJ_vyώI3 5P5Q\;ط|뷬-~MC+CcV!=VL t$ fMfCRv.{˴sRtV%Ѝ[K|w>'p wwjHWRI/ۄt)T2qBU5-W\5-XhLGfdcdftjb Gd51s8W=d֫EiؘR [Nx0Tf魳T]qE?y;M~ KÏӱ]N̰E,kAZdĿ`n)fp"ċ\79(QhS=Qɴs|ᇵZOW8i0dq&0~FsaפS?dJ&zU-5!Pߕ*l$ ,8,@cFZ>IoJW f X]2޴o @>A#;9]9&CIqƒgT礌^xɑ*Ah98==fury^Ea^\J>/_I+e`YfitEZɻĚr27t<7 j8+'heSpI;C s[ۇ pa@j,]Ư;džR -@#}'(w*m Fk- (:H`_huSdʔXa/R_kzY\c.p@yidT~bc D1iM)]8Ŏ!TYY gN38:t=bMOZ͐}%cCx%R^a=pTƝ"LI+5\5ҜO Sqx&RƕKKr脯efؤM`\3V^mP; } I3$ts̾|wR̛ WuQ `8 ֪*E]EK8)Z{!m֥V<3;oGft?*4M:)`׈ 1FZl]I7GWfiOq-IhMu4~Rv3 Z.xJLs!>Zo"Sz#Zv5e7G;{+gCoSRKct ]^J|/Ezu#ܜI-vN?jܼ 01[$K孑S)ٕPl>p![6e)ľBTE?rA@4rIڝGK9!vZ [#ʊZwfҵ9瑳[ٖ]4ALt;WMo\~[A,P4]yU5 ȡ$ei3W?r1]U4_Ys7!ph{)BnfQ倔lH1 _M*&Tm6>e9km'bm$|稝 D>&sp#M\gxII=C;5rժ ,۳|*6x²7FVR_g6b% ؜?$sF"z*{#w { SyXquW# d#_y7rm}TJ~Q8{JA="x7QP-- 4#qTMv@Gi7{YP 6` &w(Zy3kcۃsoY+k";xQ#õ;X٠a0 F9iꃡvryFO3@Q;=*u#B# /!>'[%[p Ie;=f\%fypL{v25mP!?X#ÂO|Y\«= jl| ̲kE>X8ݪ7^ly)j*I"VL :"]csI`wpDAp51ʲoO=&ekG暕EHqFKy} C[h (,g@vTA_&OדCܚ1!$`,>d&[`lZgZk# #K#-#x Z!ј7y=dP->޳C':8e8iՈgeL샶K@ڀvh Bjcʼr ;yxY!*IJߩ;R4-b0nΤd-   >(Bd38TtPq{> L0BEcc 5skk}^5|_˙΁l֐rMX>C26HG0&ZI`G~i//*קQA`1 0c3P-"(c~SWѕ{wi$x]bpotPș nc`g'/aġ'5 + b(=Àmba|Zuaxߛ)q0Շ2_:IKxe^-YWXYydf.טc’gnPT܋oX%9H1c{k7$)[4(}y,𳥺T!fXM qh6L7JS89G.cp\ -!Bشwo2,: YΡpzTiPcaxAa_H5bbfB{=dV·`eҚ؁>."".X{57 i2!eUW\ F:Wa[5TwGW\î ~}y37|FoU8yT*$|TɣvCp LE%n0Y-yŴɖ1zh]dli~3̛aB7Io! !ƚI=帞˰d~;Ay`L$Df]1HN~sN2SL,yJ=-}[atzS`#Ee#嚺E!$Q>$/8Rh"yLך`9-ALv#Ff'!`joGnOZțVndvhbវx2R  w$p!.ORڰtK6H5s~HibV`:IZj@&%ŢrG}<9l҃)p*u$GSمq ' tCXf&9di1?w:QPiV穰  J88 pqz9)6 iWt},+dYh$#"6v?3 ǎzAęz=ezN Q\3D/&YJux>f?v*-tg;[Ev#&Ƿl z '#?kӜ3M6T!@"9xpy9a`h:Rbbe8Pf"ĤG"]3ٺuID[L [~-i1R>^ٹgx?}d[ǮS43Wwd(ᖧwyv`שQrZz!wӘPQ7*>q'RAyXdܡ<_SanTS£6x}; i'rN37Ln<jz_[b=-ƅ^q9{GF˩ʽR["w9SP(AEQ Dlr?КQRH!T3^k]ښ,qKرP۳qu %"f hɆa`{=X)k!b$F/ާeH`.˒?\B ݣ;JKPD:ޕbŧsi'@.Ibti-"T ZC-!;9f/FP&'~f%׃M>|-Xq$6PbJ<5B mb%+pįP'Qn،SF*A""1rVee}{{i?4V*(6 2"iZ6#4c5"nt,7" Fo^2ҾzIN0cbwݯC*MzXS :6e!URp%@oEф1`X#s]'vTlhr{x.Sh_˰8vomAe{g5Xw}`lV9!S(8葸e M+{*k(@ubADzt@Z8 SNQZpROXp̞|\ѿʊ!7<PO0 Ki%`aNʲ-PdwTvp'f_?e#\D19mW?dX,sYY<7` ex5@ish{ķteqd2 2Aэ-O愥cK{"4 e]H'zRW`s:ǃ 13eti=67*$7=#(v QKɄk_lk5P,WąjG392krڸj}OJDw`-{vA:TASr~|iLs_EW6Жg UB(T+jet c"7F|1NxFo[֎SlOTSͻ$$0?5=7Y"Xa/XpHو1nV7v~j &uea.6I2} B=WVt/"mXP zIzH5<:E'GfG>μ,BtOo5Z9RQ<Yb2Dy8Xe1^aǓBhG6"Sy`^ Nګgq쏬~o$?Е%e?#z#NL{3UPoGm<$u=Ww 򺢢@qD\!_JO)+l/)9iC{!x CHU@9622 Bi-b lK 9@+JE}f$ku͍>Y ࡝} .<ޗWue-A10ܿ4PUHeyU^FH %d:Y˿xAOT[4.>RP@?p(}﫮1%ci%hk  [؅4QKMp}.\q.y!6L:f'IrM|O3vBw.=KѸ!R8b>UJZ ESkt4[9^ ɸfl!0?qniZZBǧ%wmDYr$O:3`,uHn xxH@q`<0ΊI (y6˯%E f: _4 ^)h@ph5lZ&l/;+)~Tұ1U2I^NQ[Xk-Mt(Pg 7-* ($U_f7}y ]nY R,Wh X{ߍ_NN,@FɍඣѠC>XQ >N/˦Vg8D%:״ֆ < ֨!IeȝU*`o{k0PIWRY.b/qx)Ya8(ro~^#WLj}Ȅ“RCF\WGRBpF-Y/?,_Y[{FΞƙ|whfs?MO izM&1rP/_Ni r{^Ps X~-Wr4{[b;0Km VJhKs:f$\/BR(Ud2moa T1%\'v/qi@⪎U7F.F3{09 VH |!-15Q a{5*@t4sA]pў^~w6bG2gAV}TT[mˊ)bz0@ge͹} >u%Lܩ>O.T," V.dXniCtXR^AղWYEZIJ|칣Gg4NELQrWTHEƱ$v?EJQ{Xx9TF՗vP* :S WőiKܳ_>#{8/:aE3?$羀geڢߧ|b'*NԯYB9Cw 0Vt#:0H7`)'53l[3%W'8?cbfQV$f,qKm4%];ls(07|&yENxj˺p5[TĔ)e& dMC m%ZR_Re bJhsj̍Ϩs(G0Wk?-0G;InuGe-prTN8`D/7v!@UKL)(xK!s%4 3DH|bJh0ELb׵&zr5,WLBيr@zhVyaiN7%o;G@|2|-N GO?zfG{Eaoli |k2`dd!h^E4[Gn0N},K^ї|[pVi0:y`TӮpt--cq\S!Pf\HNڷHO>y7hY pJ 2QRY$DijUZg촻#afOB𛼽p/j0u0WcU&`{Ȥ7%'" yMe>VS-EY=i^:FP8P ձ<Mw o b"{`$ΑOP $Z }GԷuHdAқjYýE>@w" cՎ_Ó4 8˜C.9! K\V¡sINZ+GO;|2̾rR1aqC(Qtsu: c6UGn_E!&gz XNMʃϬ\@gnzЗQ$eh= *1"S~ Bģ⯪U;\'y%AmǹPN59`-ʯka/yjlVJ$u EFk_g-Cc{tڌ:/X3V[Pm#1[@RhVv›v1@Nn;N<^BGhhS_Y5nW6> %|Q{P?}~$f)P_ tQ:~`b)^aU ,QU uoS^k\< >>4 #&x"oϵ!i jGD 4W?nFlփ51oTJqK!5-wGq?0 գWE~c9qǩ7'35 YhUdg2Ir^VF-5BH}q%P}rZE7}l!Fܤ8 ZR8[ygLahDw*k`eȿm09k#>:Xf6_%\{1m\Nhp]4!PS@6V\FXk@63%-gFX#LV ={D9B4Bw>i./pnue8kVc NH{Q,^ ~,yw}g% Bլ4~4^`Ԇ̓ENRf)X!ʊ$ɃEӅofS%;3H0q@n/qh0e\7Is!uLxK!JNֶ5H-Y6N;k[]R l|}?+H[D3FC^uE@R43P=)dB3haHlWٛcPnλy/hoPo=yn46 &' >`kmܩ3ģp/1GL=)Evm g6V TpRR;HG~ұ$;i"5|bHvSP%هB%b=B! lu s.9,AHR#ݳ7joexF̾ZFr:7MBY򺁽 ÑEXy//H\$|Ÿ#2Ў( @4G{ۏEAd b= ,Z#kV;tj;&omѣfy}B Zc8%; )1Hަ@0E=0[cr-Ҟ ydU%JE:yka;dF¬>EW6cqI7(#u5KG1Z0Gf G'Mv lM(e U\ Yrmr{sn95hl3E7#mJb4wb 9sjRF7ob) ڪΤyNH!5R9LdtOZ+PMblӀ> o>-D|c;U,M GsEj;KAC @7F\E%R;A_u#TbנҊq-O0⋄-!MzzތQ$5W <҉Cj^l~3I [)Vf`Uznq_n5J7 S6P50vP Ӫ9fr9nc,LUӊM#e6qB{ī53۹IfWMHu({- #>wP|OM mmtv*Ƣ|qXƕNC\.UbmYo!5Aɹ?{|rtO$3Fm,M6C뮐_ϣ.]+(8~Mukj=Օ1E t9 lMQi?mb=kwG!1ȔhՅr8M_ 9fS : !:rnZ\ c7"`r,t[N_^j[yʯLuhc\.2 ~[] q+abzlYh8" >NwxQ>nQ]D8<Wx'!ɨ7  ˠ3eѵmf0#" бPƕk4FO-s9!6eŏoݫ-,rh2neBy=n"ߖfN1`+"R1vJ@*w$LGqB_PouYL(K צY4mxGְGEN͆ywl r,0#쀪N }eB&A[\Mx&S@7B>M!o;]Y`EJnX}eJf~XN? )C#{H}ƩI k/f|`i\ނ^fbhۏ8X$LdCr cO֭3?`BHSTU)vh.}]-G37Mo (=%p >%/|隻!;* &n'NSMeI_Zn䓖m&NM4!Pgʑ0@s<0^]U3 }Y\.D"pPKkjA?PV4l b$3beX]z6Ϧ+>w&*^Ș4@9u2dG^`АC8/O +>hEJ^x尲(-B{n,5.y睙lTplY%rg ϦY)Dlx25]7&+r^dz8 C*gќf۞h<x9 `90dePS@5UC͗RQԀ0/4i=5hDM#8[*Sy@IT UK *mЦ͎cA$$ sfit)}jڒlvknlXQ̲8+ԧlda@Xu$q.{Vn\2ʻW(4E۲jmOa7hd0 ݪbf.ßbWXhP0s<XW%i8,_sV3骯~7BYPIMQ`a¤g\~~F &<Me8c[9sڻ^& v鲢{fdo&|Ă%Q$}_(@o;R^0OQ}M' sdg+^ʱ Lێؙ>6I" zƙ'Оk2FU8il;<ե,8zxgN-pa;c[d|w(W P=skF޵l\5bsSGչ/qdyGz7АUccu~DN`LxB!/%\AJћCi{];LMP|@L^7鲵(L_m[ur22o:]THCd 5e`p7d"e TCD]ՒK'isU;H,CfC*jױ\™{}ueINmX]u>d&ѵ.hTpܼ!6͚VưJ L'~&ZQba޹Rڃ./ټMќKw֟$wR5~En2!M`p@Pmi[F(adԎsHϨS l٤b:޷m.Nŕ'HmM'&NQ}w8{}o2#IIs!cĭ=3 8hs66:0QxbRkOЯ}@@HS,(S3NHUb%AXѢ[2]J)*TT̟YmTpr|/c-vpK&ed_'q :,-~wNhM)w4G@ f&B YWJ*&pkߒe_`vlsE (9\gbe'?p٪4/ ")/a&;:K2ojl{ 3,GN^I~7jsQJ7߯.z397?d*򷅁+r>$MvneßߜjHڞ?=dGiS>_iλk@aɷ(lSZɐgBx "I~b%FF]"g䬸[w<{V^C)Ve8`,v,''(p!74{ɕ/js8VKv>O8tYlWs6޾S2}ykg_{Ӷ #4qÍSLK"en}b{#9H=~9B>$U8A%j^C%eZlU&FeԑhCMs4'VX"SuؑeC^-ͺ>d2t/kb.UqCrDе pb%$Xu J K1i^;`1xM;+Ρ'bU5Ix @2| 0isf3:"=*87~ 9179Q&vnt ) P"5 'bMKL1iR{|yDZoE54a? I8O 2P NYd񺚇+#ʽn}nG\ψY*cU{7xh|AK(UP5μ_2YFIPd!,DSQs:AxԽq') Ff'S[}~Jۈaba~~;edW90/fjh`F> RWi !Vq xtA˅2icn&"1H+kzc-¶4vG'2ẄOlԦv+7\":2Cw!qԜtZR {Op&B$ jߙv6zBy17-@.'xQ}jf~տOs}Yl&h.+e}D\DŽ> ?DD?=-yGR&Vx $d#-18\Ap0 wM"=Ph"nip3Q7֕2l?" M[bz}pt֓*YMַF?D2Zff^PD[ud8}3LaWASh ՀrRŃD[R6v*"{%KsM`ӲLoh9u·7VpH/ NE2QL*cl-,nj8ߥ.jꨩA^C.-!rGO [5q+E$}ۚ|ݝP")6^)\D!-;4a2(90$M $t4JDJ[ߧ/vyL̈²$2C@d$q?&.q33qЏ/V~I>!}R%vOEzEn,QPC_w:3Nw0!xn|!,O  y2Sr>%"Pi0k ^.Zglʻj.ӰUA/r$ | +./w o5G.ܪ[P1n1HSUHbT-dX;,qpE"I~hȍ0"^K@"1kFfCD?1"ޥxgP:^v7!b}eJzܿgMY> :$eg1S;0C֊<cKрN~nqhŦ?" c[Iւg-ٖpr/G?ge p,rEWp 2M9d.roW!MxIR,P!Lx1p9K۩1D-O̊Q Mēc ޽6eY;]^p-d|2^G%64nvJ)l_B2>@ą~koB>߿ENWz|klmB^h0(!E}UbOjs4ջѾoݾjjj13=v.;AYcfR|N]P)cC|.Lgɬ#8Qe +mRx]aC}V˷E<ވ;A*rGN8갛aXcO3;mlUANJ{0_ڲz)ZpSM[YbK:G鋟:evBY5Վ_ alR8Uvw A<Dzib͖v@N_-/`z#nqTB/ݠE\*N8F]Ci NW i)ܷ./k11b5SO묾._.6oUQ,Tr~q^kxO }*y)mʦv޸j6Mu0XQʼnm1MPHѣRĝ_jgE(TCozsosu. Mx Pg*J=o@K~;ßB`Kِ9e#}OU:LvY*A'xo+Xt*.Rt.":“ɠ-7>j(*:zN;0S9/D^ DTbﮀ6Gؗ|e4:֚,u& wg*pHd~?,.Thm_$lU\wY2ŌY)Ñ37?I-7q䔵d8&99eRGF t=I,(> % 3|&#&@~ۢ^6jҽ-yl@B㨾0S.hĬ@PJwiTRX/΄6JO<{P${.\VZpwda:7S.9D879u:3>APLHPA$;ؼcۚqTm O9ڔeڝela*VN-Ӻ ٌnpo+8M2E0ClMeá!yBCfLz "1yFwR7o<V_z:ьy7U/rc93^E'&U짂QƂ1Y"68oc砠S_LQߊy{<ꩵ84n2pd3o6'/aӉ104#;P8TaQ46"a vu~p˫:l[{mQVпhf<~,= qۨ$lHpG GHш e3Wd^FQZAh+SN)\ b]aPWG)kNNNz֜<цac >tݯƱcT.zl=]B]ֲF!7 X^1Sd *z?ƕ7cOnABǟdg"66=4 R5} ^2DtƧܪz9>ԣGg% DL?}29 -ZU'DTFwEye4 JH${o+yȩ(&Z-1sFF2 Y$|(.?(L"oeE$3w3fGu Yy* Y{(`S{RD+8 B~exDf t5 i]Dke\ץtyCkQ"|jv0 p3'2R|В*]&G GS^2n'<u&yB2*Vxn];3>E8 igΐ>^J<SZIb_S& U/ݵ[.䘝 ػq}iX4XCjYT!x&YY#mB .$d8IZ MDK ;l ?*Aw#Z顏|?YʊU$/dB4Lww qA=uٚi$jޝ#W$8r*aH[_ ǯ|șVd^ːy%pWȐ$R%& XrykDTk&,\]xqNOJv&)ڏFxb/- F=}9g,!܄6uAHIҋ>c$yH`G uKHw[hVN # Gl3\,hЄAi+kk Pb1 =:k8K#H٦<=tyC+V/^!9Գ?G]ZQ}P\4)qآH/z*|GM52ԌAt IeyTK$-஫ͿRw2E56"E6^}vO G]i$%X:\-Ƈ.9MI O};7km~cMË4g %[ÜBke۫R '7U.:D =[oɰ|{U &rjFuwzMns@90>םUO渀zm%df1'1uB↿^4qULpj\lzi'\kMU!2[yJ-.)73 KnRK@SU&%cN\UG%w@):C; l(bYx }c ^ex"SCS'Dᄍ|T4R6͓Ǥډ'+>]8A#O1%;.PtL9Q(}lDbWc0 UaiZPJ^'n>j@|Z2SS^jhI.Qd<ԸHG%QӮ(Aɧ{ /ri>Z 2f}eW22i^s뀳~|iB,pN}|xآd7|+G7z\b9 DomJT ʆMN;7~ NzHz.Ɨζ﷒ʒk_y.8T p ,]*w/\'.Aw?k 1nk5'Z=OZ|F;_%wnrQ&4dYM&%rM]Z}X& .9Z€՘49IBJ+`ν4CvQNu&jdaPJpf^e(9^jnbvf}¹%jbXӉFQ2@HQh1`wn;D`c]ɦ/33ՕdYɄ8pEi7NUS~'y-|zR͂B9[6D"Lbľ[<%P4lRȇ/{?r8սfm>7a8bE0$Χp$[6*O8 vrL-W}K (EAnV*PZ9O*͇_Ӕ7޽V%m5(Tkt͔(/wQJ`־,вt"qCiYDkIy}{sE2b ,M~SԦհQxO:ACeUQ*ɯM>k}Ӻx+(By|lnKvMRH^LZi-^JB>|ѩ{dv~Yaq5\e&MЊjh i 4XT"=0#λ*Kj+Π4CVOţ ۴&H)H9_BN̺VS>9,N"DNrl#?fLPqrhma ʟ)A=u.ywh=v^A|hA *ksqŸŘ-cC = _Y7~On?փx.}}5rv'0/[4 |aGXsХ$v/LBi,p VxʹC)̷q=>҄ +tLp_"!2\$1p5}4%iTڡSMNy>X,8ٺ .QAvA˄XB!jT+A~lY ]W9C`=U ]H1$ X#"}Kd2juԉ$Hܲp\Hg[EUb&AOgWS5"4Xd<ugJ%$~Δ%N \W§.R4Qʎ0RY깓29ciEv~+{-x  (_@NYPݿb)Un'ēꧧjYNpitPRqR-v-콾B͒x6hZdrJ(! =3%0 H"cup!sȯN*ƌ¥Jj2EF޽j3[] zVߊz0a!f Ǟ5LΐmY:[٤Qa?sA@т&\p12c+ b`m>˛jmn'],.e#ESk9PY]f=v9X+EZf{pX"fm?~s{'Y:t ~3S`φIeic5|uB,5rD] XpKJqY7i![o'܋6VL^TmS ~֤8Y ԰S?YAc8?wk[v &y 3n1҄F 7M)켇ulN1{@5C?ق?R:B}e^_e',DsJ0]6?a5nCqkNF7L2uȪYx܄e " t^+"YZxWG ii Zxx߷?>EKs0"0T hu;ұ.P!q*hdy/(U_Rbjx}\XoڹZLeɠi$|F]v,YFOC/Z}[#\\:H׷W j4y#-\1CG!\dj:hQ =Hܩc$\$S+ ؃Y7Y$fVco y4(]P(Pغv\VR__^`St[F @>F{n~i"עʇ~C>յ$ {3+2bPVgﭜ_<u `w[!l>C\5F)E9&aZgj ([}db|nPfjm6AXW䓢mg%7+-4JKrm1ܕ|r>*D7-Zw]q8|/lڝvVJ¥i&U:9Ec&኿ E7`b,cЗDc~Rsv:]>I $^*^'+og0W ە_/o<6Wk7.3J˴Tl(vw/ cp7'T'CW"]/tҚ %^F12k%;,9lѮ'qk03<3؇c!ӵYܑРZ 4t={j]1D7o)%gԧsIz@eUT_sZTVM~#*j䯰z+xWGIpjȪwݠyqzx8袩I`~@КLzjj%%S6& o?}l7,L3: :w16i!E\\E4IU*׆^T<7ftzs(K<)K3rg 4NnɄO"v& Rd,JS793quiz}0OۃrD!k"PC}.L$5^DJ'͞#rhuʈLHUMchk@0HF I2z0XYm { ip{BZig XkhtW/oOc3 D ) V k>&cЫƊ? QhَCuI%ݻ~9@6U+%{w "rx+#Ќ*!oE)1d?&[ɰ򢻩e8B="KB;G:RT Ⱥ)_0r۬lB8czt.<AˎW}+𗾷SB#} ;;eYrP;l[I|߬jRs-!NJrDcZsBys 4zZKL"@;D?nb-jHzCBz>)(ëcOByrn.$:IPT)|BiOJѽ++8z{"b};qMG H6>n;r 7#PQJYL0A/ _(WL`B pgCkTk@~T47ic? OY+.-T'Y( [BTtDY'\J(X[הK6i&6|zl\0ץD*Aץ"9TTiF#4alO~"f+͎k\09ś ˢ!bc=TsdIGoJ9l]H?HiII֭x}kX`m8o Dž*s;'vbċn#dq^#{HW:^*ZVE/S#MY"C9V1%و__C\J]ϢzUjT2܁B@%Jh2j,]`yD%'D׌na k? *pASiL`uxw4=\`ٻ8ihp~IA+(z p1Lz޿$> q?5xкOVTxi{KR*PFiy_31.Z쨑UY|9[>8i;|w}"wB˨58Jr+Vmn{Gd=v7(bm ZA/T`gH9ql(~7)XRn1E(YQ8L ʚ $"b7)dȞ?p ?`O'5ˀT~93(3/יȃ"5"\ɐEn !h A13Sͦ Q'\ckz}|}l%ċ2/6; %e$Z$n8^&g#fr=AU}/풙ڟ[t{OW :a?Z$LmKm@.4N Ţ?+M5L 8ZSz^#}k`Y ud0^2*v{ N)T~Vº/T̺Q&:03VbZs3DwYжB%1 L;qP 8P΁, *sdRO\|6ood*0pZ⧶A(F_d9PAջxsMh> [5y8q|Rs^wŐm?q}?0kE tHxI wѮSh ~#p[ ^ޫXUer-:uDԼ(ՉVm+0#{: aYmD\q2o0u2\!O{]VyhjB\}@ʯ*?Ie}q#ڼ8ep󂄷~u>02~EGxo)y墠+;mRS j!^(S| GMc)cbx3 fx0Y?̑'յ#Nhk[2} p'iN!Fo>u5!SHV )n\Xے"qz+yU/bF2XR:,9URe`(M<#c'~0EY"so: 7sUPb6熀ұn Dh3jo[)dY$740DcjRQ`Gx'3jSUK<$VK0_7 (/c^B_37.׃PbٺBu_. 9Lgm=RuѧC͜Yvxd83@1B4ȭIP@?R!݂-u5{Iq,6É]p% u3v~oT]m o/A} T@ͥF.}ڪb ʪ$NH+5p`E=NwKB dXCXo}n=߮=^=ag/5PG `UGia3a{qJI(x s4 Kij c}Leҹx1 :+;_OB3Hh( ˁ&U Op G_!KnAu hq^#'46ȵè4"riyVM3'h_Y(n1Pqa)ֱ:%}S-)0 m`yeR}\]e[~ mhY9ғSH+0'챓)Ch^}O6C0fR>X2HvBt6Fف%_0M&U*LvTѺhJOD9&fKvQRi~&?uQjU}@5Di;eP26;ـ2j3|~) -+n0샿Z[KKm `@] QK~=<&l D 1|Z̓cxT~CahNMh 5aTΫ73G!/ixӢlRL1XJ;MhEL926Q0se̼$=fJ2Dͯ8#]]_qRɼyAmy9vr$/e󸕵xa&ꝢA8Ջj˸U=>e{JsKk-q?xe8M9:sv`-eG!y3 E =Z\WU0A^ AgKk =+L4 B{j_yQR|Zu )R 0p- ;QgYl&Mn ,t҉ P{GL1"ӹ~9+ܒ%˜A9PMSr3kixrC:Q,#SԦ[}A<>T%[c}KWջQl+{0O򂫂ݷP6md?6!/:*!4kPBXQaݯAִуԀx,Oӵ֥ F( 8aPtq3:`SZPdʲ 0B4@Ԗ,Bݨ+qC_(a$PLcs wL]] }oZ0]ritŷeglf]wU_|@z\cm~ V//^C ̓"4Q) Vt^1 IWqQnq˿k58XLq+XFTв;D+3:/ i KQ9َؑW['γb/{۞ eFkbfq!=Ylc:KkNdN#Gs7HlO+NX-&x0b /#'xI푯&nN)enݚ*r@5ns.eـ=O c*g^_o󵳡Q2'pM0 N97[>ٿ_.,r {VT(as(.."ЕUMwaݽ Xt^mY_ʓ8AY}D11{ԙӠWkkx O= R4˞LKpdR@}0a u$ K܆75I,W:'n>hUw*)RBkBMBduv԰9\s^%V [cEC&3(1ɐ#1ΈtTf]&ȑգVn(j'Mk";r)"TnCv2>Kr-A-=jw{bm#Q(_فQQˁf VM;Ev1 AsQ2P=pg"f;`~/5jBs$*=S8TS(pmZl\[+֢ |ڔ8tf;lzmBO!f[xPOmC»b3%.2!ǖ A.^䪓 fXG,QvnV<@Sv۳kZOr|HnU Ɓ p#>HΨG18[: lʳhi,cEO>Uji-LH-AH.TAef>33 vR\8ls?t LŗP6EHlZpTveKBZ.=!)"Z*c/tM޾Y:[ϼj}bQ!zc K^tDٜ. I-XRZT$;9!?j:g_iiӤ/O 0 gG?ˆb..oc+jӬBK++%iUn$ TH՚%ez~" Ls=ϲR2HWoC8eݪ(\0,4P~N=ᅩ%u2e+qߟk%9Ib?O]<-^]5BJ+fƢLjpQLM7oˈbv]m-¢^0=ۡGi5eh 9%O@$LH+Cw:x6-4 `(Bc1 O,릘Ϩgj@,o_nIT"9)u(6[z Tb>7y6|Qwp0$D*a[d!I|^w8TvrN}ͪ',mL))ץ2NZk7ΛR=z ĈSjE2E|dd}!?Q43I>SjHAXd_a!wM<@c i>-WUSսAr@HF )H2QΓEТ3zi9}/ ICjCzo8i`NtљOs,7+nET`UcpXWTVtڻT׈;_,JaR $vL0 q`|VnsA^CQ)hunz^0lŮh`,}ZF$S.Q =i{5O.}]9Ava.]}*Hӛp 6(o2oY׊dht]mm:7kd89wjvAQ! K_&vxgWNV:mC[g4D<7"G%?m~(?BZ1ty /i;h+~]`騋fU9uGkɽkJҲc!W%#7y*`2ެ> Z(K`YnI˘vꡳJ|]!X=܈qϊFޮ1P폆k1;Z4^v v:#.S{hIڴan`E ] mwO#eƸa\XC5E~?TX̺1aYĔ ˵~r=ma詨Tc1~gYPA~GG61R-@Qw PQPK\Ǻx&(TT!!؁m#"/C"^x]ݘY+֜mDAv)F`hDJuW*an+ES D}ᆓȃT51@Vtm#b3ZlZ&9:GTp:gY҈a't\Xfe<7=rqM,ޏ!뇝 ~]!TC y"+Y!fQX6~c\w| E% 1Zu-/7=+cc0FÙ>9j>o!蚼±B[܏p2Ct+:ԐʇvW-.T%V?a2b/E&ŀ@@_d%cR2>OB5EYJRͼ_#vJFFExK7I1g6#dkft+ vAPwJBn.ڌt~g<0]ݒq\u9&̢ XXbA7h9cix^&ypӍw-:r& GoP.x#~9}#LԼKCB^xpmBwiԺQsy؈oSN0?'>C,sfGQBCNUzJYEZW1+ɔ hŎuxTvU[x 1M rk}IǹZ4w/=lYc-cr М2vǵ8ܲtr9`1QgEZ%H%/d6~~*oq@̗BND6{2F{=R h:^ɥtϴM4PȄ Gz~WdҪxIe[q#l[YB{WhI*vW]ܓM &1sIæ'M(`էu.}uF j_e5s-᧨4B#:TL-h)L x(n;q{? [0$ChW i.\Oe[(_10 _u"sZJVte\y~pʰ(TW9ʠzv ,w$>Q \&hub8.*:i vtO!w( W;dT-SegGhv^ (JA$;Ֆ1!iO؄+AWZ})؃92Uk̺h=ޔTl\+S7ע=_ЂJ+05xWVAl*H6; !k)aw >2t*…ÅGhkA8&g4蕊m0${Ojld5rDCWą1*^ƛb*245g麛-SLL,,z %h$\tI/37|COۃK,G`\s=1 ;H[56h +X^-3/ &6.,_'iڶhQK^mEF=1Kc}msJqm(R %xPģr3Mb.D]u;y@{[J+HO+Ĺ<9E0n , Pha-\qpƎڵyta|HэU+)X½ ]л8!pJaX;a~Qq~SP+vj 5Yl?%")䒡*p{63c,uGKN ek JA%H VZ?Kj]6>uali^7pqDX}-A,67hIѩ~ALs~F/d}IqULaޱՋ7|/qT̂?;c߈6[oa4q>a\Dr_xaz #qZBE ?x*o̩k_Rg:/>+szy|Dei\1q?FBU ק_ӄyDC3Fè']$H]';VB{}{0`C`иP;Cf KKKC>N"W[S9`K^CVyTqçGFRs`GY:s ++`\Dg]@W䔮fBw I@Nڲ<[z)DbЁ޾ҠQGaM}@hXxaN+A)z" ?ۥ+2޸/˘\zK[&=5@mVN~s, e{}TfV Tj:t$4χPZSJ{\> /(v<Š \@^wg> N@I"D\EQ}}xe͔g"D>NB{ig.w2Mwal-÷KR[` jܪbd=*]*am<VQ |vY=~i>` 3JDq=7~lxGO]!)6iuI^GLb4T[jESE˩9>R0+Y4݃%wiwʏvqJkp_E|eJ≣(c5n|ˠ"N@<+:+{h90trx=V́˝Jkbκ9FWߩ$K=NQ4xv[qbrRwFvkk6gY[ȘnaNi=&zYܵG | t#4s5:P Rs1@C.J1EߓQOM ~WLISTJY%Her2S @=SxS2/'<[X9vx8{47+Y:TG2h<$MqQ-(ύI$};ue|lHV6OṪv|Z{T\ .>.ǻF/њ{esZFxU!~N)TPt`^ZM`\\ Hq.OrS^ToꜸG9#wPma65:tFd$%G@~gا=ɟGK9Or 9HoBw(|jiI7{}`O bSW&xMsHLymcZ.wX}J(FDT6Q} DN D;lCˌ՟C?7aMUiI3Z&E|xLHG ϱˌ2OaՉ0SBQZ*ozlq|@U:kXkY4GԑPa6A{~2Yɞ+Xcgf9z\$|+rJ %vI.WqN.30@J2:-7. V}|PL҉PJ9ڝ aW>r)v]H U-Շ%_9G-`d!ϐKHquᢅ2hz}^߮)ł# LR@-OPǴdc2-!@f,1зg\:>zQWd{؋/|D3U.P^o, ̫?mD"Y#hZ= yn4!lpJf#0uO詥Wk3 tܴ& ݿ(?7$kc!} ku:3"I|>BMIBF-&SBeq_46^(1}@-ms1[NP~G<@p gtN Gy[ ]K#K!]v$f~c ]Eq'KC's{\{o& `xWsi9n5N-)ms}ٝ=۬)u뽎w<}c$F3y>/ԌJA{APCmEixQ.MbUd9i=7u+dn$8䫼H.E?}"[ڢDO `P?%bx8eRR`#t[zđxWYY55s|\ VL71KJ +5b1VRP޻+i u&O`KJD`ɇZv O"cHټLά>tp~ݒDz'FvmYyCBnT4MH%<'ל"+z'D21y͇inJ jq5|/f.֫%y;bT3/;"TZALO\Cb9O)؀fDv LWr,.!urRп %=*QY#=g cnO?ضr"ֶa*y-w40ƛ #5V?lBױ39max1!% /.Mf?MZ8F,~C6nK#t{] V~%Tm|>q)}6`%ekݽ2nŽC ]ۗVP~Lc lpiC"Ie<ʊr3H܈^K[BIfJ11[W=KtjS2 M?cl$rb0aؐ"ďmՕ:-/]~f`c_PVWhՍ`TL5;={)| ? +7\@Tz@魏fQ,-_}_j|}9t vC:|0e1j2/* \\!!:&@$F SwLI2 E9sĄ95x` }nFe:MPf;j*O-!XpaSt_UWdm5v3nwDk3 |o1 *YQq OU,}`aEQWSi9ixye)%vS *(i$VD^_6 Ey(Us!uEḛrebʺʺHF6-tCyV#ELjZ-jŞ~!|*Ûk}}G7{hU!-Qei"0Ew#,b6<캧%+b7Fwz|ƴ5CO~&5Z{P]E_bZi苗ܙBG NAJ{;{ d9(1" ɞ\S4?ϘHBq/4wLآO*szeZKF6;Zg]wZek,ܧZj'>6o]+wYax{?ETd@\$b& XXlHԵv9楐ˇopYh-] Sd]FQbَ2(lf Q  }3Ĕv`Wfns@9d|aL3X DXЪlL-l#t+a9!1TY4OED'(cDhMqP8R=r96N~"Bl$3);u[XR|) P@$i^|+N޺S,,ߨ+V CD7jl"˕ʾlIqIpm;xN* ͳY6]cna Dg>&g K n G?<[F#A2s L4hUg`Yă|"QIG,N)xm;eĀc.<>Bqn)__b,sR2@·Qލ@HPU :ơ;R߬f"}8+'CRK b /)ҔyK{$隵7ҲDKk-]<+.nHv$^WdܦSYT@(Yz1$;K@?6nEH徜cA;{D)\ %y@$$/0=M5Ag̽( P3;k:HXv0~+k]\]uT2д ?CN9jMlE7CEtcXyL-ϡ;TP m3n_zڣ МB࠮z2xw!Ye/ȍd˜I5 mZbw&rMkG!G\]?^ZȜF襝sr. ިl[ D ]r A&aWqpkJ\pef` ٯu224s: !f4\ocJjW,>殚<_.ǻݪSā,LCmXr殝J1'B9JiT8+OH| GV6;w/.AUK6 S)<[W5l'% (*76I7wtrmnL76܏.673&KEv aWU<'~NN7v?$aCJ}ݽVD}O/$ffwb)xr }# й@:`Z{ٵ{;CkDbaAJ$hA 3J5EŻElg.Pd6ڵC |g F#nI-HF:he.ÆRСKQ=c {X9Ng.fC >L>Ԓ 9\'Y2ثPp"෴vRq7|˞ 2R"V%y[[𧚄"0":me܌mbzu#[|:9l#D6mYl(0ͦG, [=FEU-ajv-\KRôOg܁h]Raq%D6bJy 7ukTJxv 0_{֓ƞGd7a# Yi0^Fok9 ~bTt,x푥=m@9PL!|SId)E'DP{st62x I(@ґyWW'czR,ɢO _!pHb ?=ikdEvC}{sV_}RJ\w9,D+1.pߵZtp/l>a4_`OiQ7v Ԛ`oyyE ΃[2@`3;EK26XC6z)u eO_Ra#6q^v ]Nnv4e\ NE_n2Ou = sؐ`1sh]=e?Iہ@ aRW=%}G"aVMD{Ri+5"OPK.4VzyqZ,(w2# Ji3)GeeX^˩4 D Lt|03y6P1X鎧%F1 뒙#(.XscC$ydҵJyd=Y ;׍\hĻ(Y)"8aj*2G7ȱ(gZ, |-1<wۈ8` Y~Bގ@X9 d4Xr r*2J]rpA2?)E3$EVR{0# M/~8xdZT%mO4NMG{t5N 97F*QА^Q]3jD~ћKCC17+^?'F!I eP{SM·I? ]Z6'\oQϋ$1qe<䨽п`؅Wlmngoy-c1sb@EF rS11mDZ@S] ŲW51]J9Sdѷ2ˆ ⸹*DFl+jQǠM;p%c\{i8nf1}?JpAcUNLuh-ZaLf3g Xjm9N.(PqBaXH.MC-&_PdNAVf1WɅsOO:ETh~udL2pTqdܕ|(Ga@*mlFWШ#ś>B!Lc,b9 ~;mK@{ n4p9.ƸXxUA (3x+SS&whϿ|XH\bd^iQ%WV6Bb 6@SZ²#lƅ:I3`.>Ne(ȇF(n4Qɣn#_)gq֤&l"YVKChh-H+HC4"Bp/!}OWmOy(BBcҞ('rz3 0JB|n(qo%x;- t92dv/dd+<˄^0?Ok7cit>) !|Ka,ĵ'Q7(|Lb)i 2uI#UNƄuPNŒ+  / [$SOVpΫVSIN~ݹcfH3snK:Pk*kVxAŃ)SMMLy `ndP$ֺ+[떈EB=b&%P4140UijI#feIj߼/!㳃Βkf1sp5@A;W\T,yV cOY؈L!zԭ:j ?y%ȋ_SZjہ F6J[-a pbq{$dvtK[pw260\{8(IfhxXu02Q=3#UY]Ʉͫw\깡 0DI<^OVf]0L6?&އ ~eif}rq~BD vtXϼ>W5kmmxP\W>؅czɨKjftq' wWmFC{+=VքEy!yh˟vsڣRUۚp/6YͺG9"L̿sj6v *AH&ƌ]ljN0 ~JZ ,kɗ6> nY6,POW~l+E)r-eՏ,r_lW@M1v/j,~ 4dT+~nEXvo!KsӅJgK^ L"E<ߒ銐36OH+^9&'r7  { (<"x҃1V*vZkd<Ek}{I#1bȓ'ȥύXڢhm'SMqb7%4M2ǯ-6pGe.FK[zd~&ev8=KZ7Y-✙`5GOx>] xIOwL#b@aT\Ꮤb{@Cr/ވf"?~ Ѱ.l"XK.W큄}|kW#0ۇ~t458#Xw'uOF:&PΤ3A 1~b Ct Y(öۼXYJw);y[nҋўig=AT摻*dg,ֈb84_C&V'̲̹:kbQ^@yh0z0x_d$E*v>z:1mORϮ#1Dd)1%֖uyI+Fl\\p' ]uI1,3po9>+8˻Q}?gӡ08.rj8NS|Vŋ05٭# 9F4F1I^˞HuS}zsm[ {|XR:4YM5x!d%(=f6(WƕBi9p>Oj+8=`^xCף-+X6ٵ+ApRT5!߀c O{ lӮ;`ORԞm1OA>'Z0qdߟJmv8c61[ G^m7mȵՁYj `+0bU1-!l55ZD>-nN"FEC$OE5h8JZNA֫tyV8?Оi&]ZˉOĔ5^8QlE?zSOP"i,Z])?-jb x]V2#,SWgxw.)PcI?b78Z%/%GIC?A#Yom]g]PGw&q܌}bgAȼ'؟ [^ƝPy.i^US]3RHEf)RGKaspw wc!:ifQS<5.ٶc6-o(m 7 |*V7ai'AZE{Ώb 5Y#l{ …_z<+~$߹F y>=H3)\Y*+ȣ.Z )q ދ")ru2b[`3>d.\pz2Jv##`eZev4р{{tAS[rGf]WprBkk:C=bjD/]0$G?0ϸ(e wqOE86(NZsքoh>p3ng,Wh1w ŰƠ \?YמJhq%#s)ln!vdq;شTTk,TEׁG 2|HꍞVJ=wWwIvLpWe۵3L;_*cj;H+jȓ mG `#z^eR+uri`͘c1>Y_%QT{AuTk=f}v]oHK{a?>F]^Dk͔iEC݇Mܐ5y5B:r@sxL..0p-@y<\y <ޥ`'2ErB[~7,Y *pPgkU~\**Z 9'AQP[ C5t 2G<Ce$ؤS}mk_Hb0\Mto;E$' 2b݈V%**%~uӐ=U[EVHz~ u&^Δ:5^ &,'R=?74gڅ #X50X#L7:g˗ҧ˺QHG5HА«S8knKpP&KfiSk7$4Dn_~Bqa>Fo*EdCmx^iFp Z^L~$ڸB{d-"hC}YsYKWCB#R̄ x'_Di! v,o[w~^Ky)s3_o+A;Xĕj1y8ZHuВՂI@,( X7px'LP)mm?K/"%Z`{9 P#Ʉ+np[ ǖL쇤@x0I68g22+Jp+SǮO܅̚˹V&-2}v]Қ{J)(.`V<1Nx'v}D\y/~Jb"vU :@P}6p3L,'wd{/0lX?AF:^ _APGR0ZqJ/WKEC٦O񵩕:U=+GMw}g.\9<55{gC#QIhvvtHwc -5hv{ߤ{m)܋Nx<)1_UeB׍>"/'SW6\ƐJFӪ: D5eM'pйzw(1ueؼ|dBBH2(nn%=r0Dz΄E ry8$㘯K،?T|-bzgl1z8@?~C|G.供͟śɥT]RV^!aFF 8P΀q5byq~r-PzuDL(6q~Q+-=|L@rLu@ LJ5LAm9pJT tңMvz%5mUO[OA lbc4̯jt}u٫/(~g˒N}-!6|_Uk'=p bOBɕ%Շ!b%.k,yȩk{t]cRmV2xI//#-ps恵[6K88q7/zpީ<@uȽ%]-ZjUa#LDNٲZ^g`Wd L<<.B? Tg?k`rFQAV*1'xMdѮ K g]*bԙ(+mS5s>dEN=*'|tJA%$( iU 7YÈdT-`w䢷?x!Hp(o(}GI^iAlD>25K A-eî 6.챮yyt@Xb^#3<xZ'],zD@2@u%kjgf0 %e{1NIhz G*,&L\hPJdԵ䳰VϪx5NLFh060~Z+q)P/@*4̕F\( 5v 8$d {sa+vy< $b-F%C0t>AoCO8a@ :,tj?oE|X{^En㋇EQXrA ӡo j3װip.bP!;n_4xVb)z'өVb:/+n3V?Eq宅KJ pzJ8Nvyt>m-@ҳ`g+]q7V\='}Q9tu<]x=fs">~7{TM[sǥnX8N`R*H8IVBaN{s|xM4 [C ؘ`6~ Tp Ss[Pzҙz7PMFn l4J?؉!}_5Po_| &gE{ED@DlxA_ 0?X?iDtN.|]CG,W3=ݔvg`-9ÕS@ec#,)D~fz,!ؖ2q\44N n[]pbL,K#XezK$LfQԉ;4d9?[*- +23cqQV)Ocڃ"*[kv%Y{2:PɶH3jr[t Kt US|<}îD/yʳ<$v@2 N`Z_HH}_Rzx2Q*B<-}6>ϦܥXԓ6pJ,\^jG0~H)=)M9y"W@5.bC 42cǂGqtbyzi(p=MkԴ(M][MnCRҼܩ -I?h C&$cf!3(VdX{'?bcFJ^(ت & >>B^, {6 ᪒}89^.2,̚?<[6غ 4ezs.*24.YMF5 J/[B[{?va +>3AfSZ_/ri܇ kढ़>͎)X,[_ٜc.oK 7DZ>TEB!SqcWRzƺU\ra:Ϻ -"=鯲K'T**ͺԪYY^%yxg<b=RZ=l5z.,-Q_>sSS,O]ݯ)&Z]Gm1Uzaw_Ӽwֶ}_sQzˬ pk{-mJaK7rswbt[A2:U y'z}eE0v2*1H}&pi*Ѣ6Qky@Q( Y;J#P,W(/> /B!"  k9$73,Q4]*:P@q~ʲ5O9@KC< ] Z3D:᧢KƓr 1BKS}UØ fG !@Y&JkԿs~^H ~{vbJ|ٓH$̆d@[qXd7@V?/gVAG 7FQ/UB'V![?2r;&(2<J]Ǐ3<-UK`zHk Kd1}F]ܱbπJј(.;㛼IX^S9|)`wk?! #.d 4muIxަh=L+?QzXE(K6p.5XhYf,.Df;3yC]i_q;[F@c &V+nf7:MCEU۱Ql)&vD!]L5o<Ҁ*5cjkύ@~"hZ 9|oLsh7] .5shi 5GTWЩnK(P8 scm#"o%ΊnpI0锦̢~cI PxANh\VTu(艊ì]i4A2b4-R#WhZ(PwS\N-9\zѼIԾrj*3Ht~$" myU^[K۵!qy#J=\(I*XG/_O.< Š"9~9Ϟ[?v=P[#2eC琌R'Aa!JW/uC$3\H'GrV2]Q<8=y˛R^ /l+|*ǒVIk3GF!])]8*2` )$/%/-]iwVqGfaʔO:+DO#/*#:UY>we $2i T(ʄ#s}t׺Vx*7"䌿lk аQ$f_{OmKO5uMᒷ5s01PXҰlaH4v֗<^wY?ș7INI4njp_RL[PH`_ /(W&GԟSrSM<@7 J]!N_l7r)sYI 0(sIӳ~~PyX8§POk~9=\e*h 010_bHM!’>+"C J[k~CGE6V)uw@G@ׅ9_~!uNkvm 1ӓ#Hs|6mO 3#HgKuz]_yD-JIQʊ@->M_݂z'%I 4+Dj4SDxu/r6núne6Fu**Lܖi5Xw֡kcDu723HJE^[f#nuջ؏ɤ{$Ϙ yf T 9C۰XHiyײ=@Gw9 b㪐8 9ƍҗ*aT%G(g_#>Vym4ilHGRYJ(X7l9&{s`(Tɭ&x3VsboxA1P'KύQS&7xd|hn+g2#=x(hhˁJ%:;e _!m KT>PE;U l+amm|PXa#7 \1LS $PooB!OLZ+ǁ>Y.:,|wT0ص;2C&ʸ`҅Zr`-[trXx;5>GgŠnVdh \SŽz'rB^{kgY[7%ꀍ\hͨUke|v^W8e"_~}Cu_'@aj_l~ە_))awLCygA{ӑ}hqkC,+,BJ;w8Ϗ8@'̗K~W¾NL.0J%aPpÕ c:㮂"= 8AaN䂵!GR[GyOzl?o>qPR:鞫@Ʀ*&1c_No/>= /4uPGS+͓H:ʎyM~v45oh71WcވG8:E3n! g9#͎i =̑gr\3|<x&rf6z_rr_Z<1%lZ$[t3Hu#q^agyP`Qh9,%,\IO!3^_l>N +m$гpƀ[y*}9mi-8Ϲ"lt|ʖXs6Aڔ!,GgIgS"fv^ ?TGÙ"~,uxԾ\,mbf.7MN/ OW><űF~@f1zA#Rg)>ha|9ӹ9В䱢`FɫDbsdqra'9/\[ ]cV}iL \^gqƊKZ2>Uy0C&2/2N l M'Q/!g~lc"~RIH}aj?Y-rG6j+i٢.Nji b0iYcC[C"rXt +D}_3"Fi|mTg{|p͍mC:dt!rr`|1Z_$O>ĬˋQRcǸ+8EobT2H[  iݭ uW,3[+N[Pe S9#_?_p>,W+sFYp0i}=o/ (n'^x5BW"*[+Vݜ͌3BUwļzݏzdp1k&0q7*d6x-&vю?B9ؐgeꠛoj6_n_wWT4o2w.VIF,Ȳ&%T*wXd[Ubm:w&eI9}SN8˗L*%#vLPHc졬mx8 (J%5;l>UVGҜw*ӽ{ 8DW+~؆o|-s,=p:5ՓqzI.n\Qs+a<פcmk%l0 cOcwK:sS=Su-3g'J̗BgvYѽHGICq_^m;N gm0|5T$P$|ej`ꄵwe[ 5L׬sq54G8zȫX5Eӡ`\]-˻5Wk6]ޑ~AgڝvTd_/ 5Uv嗌郔n jN`;ֿYl5#vh Gco瓛Q-;*PN +노2|ά(R}SK7+ގ`P? ҝjp"&[ȶfQ H#򄤚WzI|c6Y}B.+ipC[k4ATJb٥% mՏ vp_QB*bI)h!Ƅ-Gz{4_v5ADTX|h^E,lD'ꅽ_U0[,E,b9!+ aV+0zE݇KzSMπ.AQ(%m0u7T ?Ӽv?|<`%$վgMCʇIOc+' tVnɳ]ޚdR[ ^嚴"M7J!N?ת̙C 2Jp,8عI##AH.ӥX}]VӠP ׌iΥdjH៰f̿5|T~8LưX5GO:gH>b4ߟ=P"N0'qAՇTDE%:Qce%;? 8G> VΖs#lM4$! 6s(Z[%fX& T3j9m}kyP8iCS]tWC{QmGl׳2b1\2 qm (9 i|Oi|IfK*JBl90 v+# 4| sGBjPRj\ i׶5+2l/J5v׋V'+lj(Y޳wzA~I j>o*z*BQ b <q" t̜"]lZyܯx'F[8&o\*ݦ1?߅wR`!dFіS2f >v6M=yxp]]b&U q\ Щ up!8ю@n`ŝ5AF-\'ƣIAZtťڎ1>^*GqV.wRJ!>Z{fJGVMR"Տpk,ri9 QD߃TqtPeivXOl-={&Ӝ!]:< s ,8Wn&`9vѰ{Azn#"Ӊ=Wrs$2rJ>bb)TkQB3guwo/[%J_`DU &+uA>904?[`re|~868U *u DϫxPioaO䢾 O@L.j q9ǩ |?m]>п3s 瑞B+沠'E]4 wLMڃU\Euc9YFg]b;,aN%R7ZdDQQ s)+)A2" |ge\L]TT Io4pm'GOQ2kNGN Uom:+ۙcN=d(8{^`q$cI47#>OE@-Ȫ2#}Ho*fgwua Icoڻ mLH1&/+VPޓDaa89-{PTV2I8/$UwIVBEɤ}'ÊAj_:Q,̓9&w0ԁlB]8xUx/&Z~~P#f/e~q3:TāCgI7!%↧}YeΆ({Ӂ{4ψ?Zgt94xN)bJV[]t"\n`u[@܁ LB2tĄM@ >L5CSHaIWv6"3fNe~$5{2|VeU]oF1 2A.n"Zm-Rvr A!E!_rg$Sl];mDLv3|$eK䞇mV H1& 9 Hy2vdDو}oTcVeƚdJ| #T:AEOqQ\xQZO0YBIdC9o,^*2AYВ+l3Er\IJMl*K2'~63o\qSw[Dӂˤ>KyID@ը2 ̶n}xUTT.l 1=d^DCiWu (q٦q@~+oǢ1VAAX^a2{B' Bfj- Sh7ؗcY@ ;cMռ,~-t,ѠkϔӀkCoBUSw lv3T^]Ќ84i =4rDGww(hKʾ5b"U" M^6C˟ԭ>TJJMӪ5i9IUrAv2 dST[haî]m]AV+!svKНA%U2o;5Ox3.S%{sm&ݜ)r &\wyQA wy` s>;D.B@"jNn_&UezTy ɺ894n&nE\u?BQ=h>ƸG'0$%b(B>?^vUPgNsfذA' ϴc($ythКE,1y%lBy'+W"K:vlߔ*_퀺2KrKm28nZ0cNqȼM32(ePZn^, EX⾓ZP>)bG 'Ѓ*S ^QdӺGiaaى~%;ɼ N9dr0.Y+&ҽ-Td6 DT< U4"/@ǡWv}}|FI(I@id Vǔžn,u+ȧ oxn wlkZ}Pd d /ةP,^Jw dI6f֋H&wZ F:ݸ"_W%&K7$s^|tARAXk^BW24W9äs)y QWSP3od5r77o2n$9A}4|[^KO)츋I#Hӧ(_z L$n 0fsiMhKD T{D p@w0p&Qy~qU'J5[KefF31aF&<˴i(P]ȀNY2-\{dVO',6/(LGQJ^ h8#?;8,Pĸ~KsīF9' [YPo3|?o(Y%6W5;m9pR:% :U Q4B#|V͡KWJyq}xeIf.dT+21f!ʶlݔ`&{UG?H=:FcXKG/%q,-j^s3Kj, v>e rwUaxpkKpĺ.8,;=6OceGyd K1ZaPYScZEZn63\n*-$QՖF_!;IZ['A`ۜ!yu\.Bѡ]=ջ曼(+7h/fx֔]lafȀZfX;N-*I%j4:;z|Üc`"opLj~mvvǧcb-kxI7 ~Gtr.[w CXV5k2@?&:)?KO& %bit/\˔PqG_YЩ ~qu>j_kibjSr&knTRZa|#EolLSLY"]D=М? | Gu8VprC"á\ʖ;<ͣp1񋿷rS*<{֛2Ec+UR*Q|,kmM`ފq1 c>C4l# %6FG+;+ߙr Q!G)8:%n󱐄gE dv4Iu}ך~&ͨ?oKcǪ1ZKuy&›~Hn~,"ӫq#GlWdN. hȫTa}O0\|FJWa-8D/Đ(HDw5Fx(0NCPY_MfpVԼCꑤJe4bH\y;1}{BJy낑|kY;H_iU;m$lO< 3Mk8Izq7/8P _Q:ʷɬ##XP_sMbmfD׿CVZ-5i* !R:A^0׭?YCG2=vIP;E+; J^E[CK<}A 3㷪9ఄ'3q7"ւT_FI#`4:[_W_{% S}K(ȩŕ 'q&+1_75DE%? [t1G]]aSR:NٻdoFlqli?cu@ԯ.?_! ;~P]g=NMA ;VJm3q>{>ÖVoӓȱs0\/p̦Iq Z~.Qj3P2,yw&9}L4Pn14>^akt3{*Gl"8Qn֙mcUvDmCc!\q>v У!v$Vߩ{onC tP?gSQ DKT%s؜ft {&p?)]  $'ޣ b7뺿#ȚO\oNJu#G@ CFp) 6x;`q[ەϹa#_iu}/%؁c^NKώP5Bwo<&\g6@Y(?of8ƆTZ Lnr!ya<6:v' <6TfFg쨋P6^Ȭ)4Zx&B9lBf"uB0e)8f%"w8iM/aGL@joՀޑ0((-7:pYԝ/|9mm u}!Q5|Z$"KkҝN׷u%-ɩ,ď #BRAj7ΧN6 ?k ]A?߿l ^&1 !:2ȉYJua=^| yWQO (*j?-7<1p@2qg/}fզyl7go )*x ﴪ\=QacE3?D E'ˑ\;i3's1w&G@m[7 ʑhϼ (ɲ vDVsn4T'F ϰA,g?6PȄ6opv{-4ѨWvc{/ÛDB4P2uEUQb xW9*y֫FOEsߕ"$صF@t#<TNV,$7_e) t+Dhb%)Մ#G@-dUr~_/v1%9Fi'BW<?֣1X ]H4 N>ȸT̶;QW7`I<ƒ] nZ.q㬿5\ɾ2Ic6MC8?L>NkmR !A#>"[ޝx۩Q ,b 2Pdtܞi~2{Z orSlgXlAЬ38m i? ^;&$jh .y" ͗}2Ɋ9kd5DܸG[Ev;"ea Uᚔ 6@Y~$#؟x"|hwc%^.cC!yvؕcf^;./gKhQIah[uP6N˔qs]>;,^md7wC? *&n7nBڡ.YSx!'0R(t&zYY Mda# )zņ=!彲|iVS*+W~88>= }M-9for6"%]p-VqoFX>y^Il6|9h)_WB.ՄgwT}&>=.^նBAWO\&L6.%\ACgD|o"`w8p`erZ(f,$Y^ O5Tߊ NE"`Ly/upY5M\P'252Zܜ+@9s4P7tr>!잨'd#X<\ΌßFHMƌQ"V lg{|!&Ot: F nl{U6Uim"9Ӵ ZTLz ͻ fDŽn;F#`?{bJt'*Hҳ-5|A6u .mf L], GΑY٧!NŪvϬ@ N}cNt4l]r-2%V'tyS-S|v!*ec A4+'% V@.mHi?ܞ&Y2H]5\_I#?*0;{Dk@v%i;ĜNnWnƦr7Q5揨p`G1<+W8wBzنyS^3q,( j/e&57X0"uX#%}jOELn+Tв/5)-Obj3zGo3ɹ|PQP fԿh" ;K%A2s <+6Hpۻ6w43)%Z~~S'!qhGC_toX1L#peyg%n,na2x?Z;Wph=eQC)IM(x0{7#X1(el"SXyAr80{@ +@jIS ¯?B%aa0nKLl6EO)WSF!V4/kZ$֊ 5N+fn,UƅRk39΀rU`|LiFذBK60Z&Ȍ;v %;3Šr`hGy6mQS_[䎣t(?l qd>B^E|.S@E\GNGU4`N0uQ4=ԣGF!5"_YGE~ Qm/TY|z?ţzk9"{&l[Pw@Pg{c~uilȿX_ʽOZS"ޠ[ e6gy/WC_!hKR#Y,.r$({Q>ksDZB9`P^5DN_( *²{:f"Ww?ؖL @_Bs$ qݭӫhZ7?ihMgX4 qe.n,{'gكeKz6ȝLg>@B){pf.nl*{mg9~ {Y=Ѝ]N!0"/'*NJ"FIj2BQA*qC<͹dNd&է@H&ci1ƾ6wxD1K^/x2Lb҉8D@e(K.0lBC"v-IV>{E= Ng.}nOBgҿv1BBFƒjyvAWʏk#*qeka7ّl%Z 6쀔)x8 h]2ȉT(2㬹|t|T줮K%J3( m-^t KaU⹮ꂕx;/SgO*gf7R<!c,߫7FNlmٿ)o S|x:h3d !.x?^`2XVӕB1\nZWٓݖf"ACnXMߎHMn/Hmវ7*X8ZoeߧElR'Q@Bo6׎V}CcC1( ͊1u= v&bZ] p4l~_G-tZ+1v~_mv"Լpo&Z"CtG(kF>Q!)gb{N .Ng07UDR]](Yc9/zJ({a ѴZ~Semȝɍ4"c dŊejEʬT[s#=V؎-bB]3@j6G8VL*ڨ0V͖qbSc=:L3Ax+b1S*0-Q q`ף5-P?QѬl MT<@UR,šR!igi>M*m/Ú5kHIejK7P,Z< h,ܕNP{7gY#Ǧ eB}0Y8Ey#(X= FzV1xt[37U i=e[1Y]Vɜ~+S`ԴJs*`ؚP DY&O E/S0j .r%5q Sw/,y "D-'JC>vh6`h#0huP`6a;F;TOa,|:̺Sb8VҟzXݞ'0!~$Le,O06I 1j:dVȩ4camc:0{yLKZ+]pQ kiؾ\f!1P./'/W.McۃۤiqWj9$+e~Q SrW1B7^_XP޾_,q{ZyiگaskY -C>+;d!,Aqn\=YᏇL$v@թ%>g@G,Ŝ.'}i,e8Y AҰRP}F(yZ6Z 3A1/Sa`Ԋb4|3!| p}AEd^5p1/o,͈1rG2c2[`u[/q_˄+}@r!G:S61T3&NW/o$fMC o:nJzmJs .{g*i^TI}a ^{iWf6 xX,AP'GӅ y1'v %Wy]B&X/buIDYpdH6q64{.P5M.9*ܖk{)pwh /=J޸#J,N6k~.e kmwxv.Z:rMދl݆V@BnBȍY \mx Xmă)*؞2\N,8'"7.n?]Rm "?G\\Z-;=}TJzA;$ґNT5u(B6(#V/(A p*0sFzlh&y 1` .%a/sVmn&s]cj:HRZB ;XRFl_@IrR=:)󗒃>RFAM87}CHٜ6 Yz^5i MW[9p9JXS[}FTa?  $r;l1B!ZP3$ӟ1"J Oϙ<9t2x?_k7[-m(27)k(2iV6rCk"Hx!2SSFdO`CB<d @D-vO sЏ0!Kkܔ'h:_vn0G("'?I] ĞԴلSb,ѠyBe O#jP7 O\➙AU`A9n&ǰ}Pp5C2a Z<5#_Iɿ!zQ ٢E7Bp ,[Ɉ.NGMF .q{~mKgڼ?H+"@."#}4Ƭ»tk?()" O/"qb0ùM2T++Cg A؉aA{i? r"%s `FR 1zzq975 `?;VQE+fNQu_Sa c9]J5<) 21)%@U) 7vwzZ?8)5ċ=$.s鑝ox}mZ-QCOwLC%Hdsq/2ZgH_ ;&e} /oO1(:QCPV;xg}Lߧ8*`ҭ _mH\*_Z|'F9 κ'+6=;~9HB6 eLFS-dWVxEt)L G)1P ;Kk@,v>:tG#uK?zOBڒQ RFH5|L[g\M,k̮^HUN<\?kH%|غgK^.%Jz 6 S to},Е1$$`&TI X!KG4AbۑŘ7}ڷ֭tRdCږW(aϵdRl޽pRN?:>( Hm]QWWMS~wГe#U!s(ѠulZ(\+Tk^Y6On˿ό+ќK8*VдRhAWX$-(S&w/_mvʣ)U%;mpy>kĚ^"Ac%:ZD}۷d1]>%4jƞ{/i<=كH eBJ|юq ''d@SνmyW@9q,=)_h=OJ\Spۄh/TnM\/Y N)M|:EO:*K᠍Dxs_Fp;2~?pi_q:f Ҙ-|G`:v? mURt3W%$c+LX%'VIƾ蚂JU&U;WPEtQZנ'Xdnl2vc7>b6>ͪSX_C Qb,:"epV+:T* r{{*H"ewn_+GY?ڼigEզLcz 9)Rlr/6"qm US4F3JX1U[*?s:n;xnٖT0a8GIJ.~!2W1n [bYw/xך `,sߡl؋{Ҝ̘(] zd2.<}Pg~sRUNS` W\KRE\iS}ODxe|əKW'Iyz" R\k˓Jo%tHx-ZҸL J2/|菈T PڽTKV6`C}yR`|W6e Uʐ#ghH쁾yĽ}FxS1U|}{M%A̓1;<#Ŋ7 D5ϴj=.-[]j &)T1 zcJf]|"*Y0K3+o'i$뎚?>yyۗ䑦IQVj("u_MZjsҭ;EDI\CBIqB`&'T|&ŧj]^=x೼$_yq4jhp?(' ]> R(|'3[42+3 m*X.r` P 1BHxI-z(QFɾ`:wNH!HAVzw~SSVcmWGg)v? s3UT2Be#Lg:kRޤ ӊm>(;.íyWܣؑAA["žyo_z9iFxjyn7ݐO;VQm[@.}[kO&wuڰ^2A_R^ˬ׉.qj2KkmsA"/~ٴvpgi*1,oO=q8FRv9mhE斥 dASY\Ҷ~_2sװ9lNLEꈤwg2yYo;8Av hXc(i.uٮq-+FffQ6ToA )~25VN>(=L` !0}Z~6 6H 7& %釮\: bA=m(Byy)é=4N&PEfg辞ֿ4"JEЮ8kw/ ɜۖ6GG{!wz<Ӧ0=ZޑjJS)U~i+ĸ3SC6<&< F3Jad@LzBQx|ej3 W3L9t;^QJ%pV;Wu:C[!d4  ^'i +vv*{珥tEQ?Z uſ#->'Xml] d_ vkK$iSc3N.?mon;x]lYxNmgSY^7ˑ~p)/{ /5gTc"ɪ%&W,_!y^DS9)qՑr)vdyoIvPB%!;B ~̘nD-PKmcwF`SIfQċAv,i[.e%>=i9Ba.QF(dUa V7u Sqyg鵨ŽL8ON=iH*EU~J'*#z=wEcǺtGxMJnkm1%hPk{L{T@/VrjTR[ꗈ k%~mu gLZM b+ES'괩_vzAi_c7Ǡh0B1mN B\HhB7i{@5JpZ8vن[O.͸6:d2v>fE@SzPj[C N֮ǎh]{DkހYF $t XNB2:pJEHSXЩ6>8$4 ىeawtl'9}v`krn C1 pްR(WCL(6Os5vs%miF7&y$5px5bG6*$fLsT{#m Hc0s椡Z@^U|(> %.wwuy(Zt!lPYFcn4iZGNO}E)sQ#hT$~z]@^2oOƙ'ʧ^Uݒ\ ҥ)XvVJ _a{F>juZs#Q_-FIjNgmos!>᝺qZ0_G K1:oXBuHW:hH@1:s"o4^zpFSS'_Vq)n`Q őRXK_ 1RYǂkuk[  Y~?t .Ɩ%x#!ZOS@@lZKh\Z )?ۅ(ލ8|=`CL1ٛ^Tj%L@6U_ (5hPulۃA̝tqLΌ鍭li5~2; vtB8/H 46J]^'lHUpvj9#,k-gcNcke& mz|j2 l`Ng̗yΑ`%@ 'J.Xh)Q94-] (6tFq-g@̫ͳQϏ$gWTo!}+(GP #:"w9VĚ!p~Y$Y%c*@Ǧ#F2'/<VwCj&MDUQ)!B&흐[G[V}NB`iTx0!OAfg/`:fN'e)D*,>>}Y.N6sʉh@E~`'bP.WTT#/T+ZFe7/Atû0;OY󃓸r,/fR+M1#}zU L; 0紲#&eP~[]R ZRwfF q/l!dHWʿG$'%$ Xru,Oğ9/mW+mlHZ*SW3-&*ho>o`N-]wPu>/)ݨY+8h˼ wXzH{*Lh"<5-V\YkIh*fe(3vg !],PM^a%ϐ"l9Gf4hZpA9ގpL _7'#<-(t;Dn]ltf@͟yOw NfԓIü"EFqu@|tYE7] ỰdTxLyrCL} hH> 핢Y*Xa˳!%mR9xD1w?kQ 6'pfjVOwlqx}XB2_@ykCFq{Í[Q̻ɥsU f`O0#avVeW]D`שc+i\bm,vu> `ewIOB\*38]:n)B=Ե(Zm7BplSuQYd-&~.>gKC׈s^&c6ch }I𽼐uf{}s؄YOɦ~ )q? z"$a"QO}ݑwBJ=@!y^q>Ŀd#ԲU-dv{,~) 5Ɩ8iw5EQ98O]7kXT~>q?DxbgbP!JN^Tձ6A\9v&S= M\4J[,*>DW0G{y' $UBs\U^}"{}>QP*^E=&aS&9 fsQA驉:ǶSBI_6gze}XT<+F5&Y$]x-꜎ARܣɟ?=is*Ml3HDwP0??^A:Mqٓq'f IF}2X&eA_9l؆>7e%2,תl"qЅ^~&|y+0ݱ"K+5|?+ؽ-E'ok{=/lz,wXǟx+i8'b[%4D۟t\iRprr&o$O3_Q;O({j{FmN}2y vƬisE?&*gqHF7ۡ9eX9We2PRb[I?-U<҆3!6}jaJ42\zvG~Sax*K1(x ~l7 ύr +ܷR#Qv]u*Vk="`mHBLvged#`:bjRѺc2?h[k5'@p9ͺ0V0܅4ѹTpL >rN< 5@4ʔ]baJgJ?/.ӿY3S(/W~Eg*HNx^\K{*&>E,[c/6EiXnEt *WjQo7IFO96wND$IXJtY5J_T0ظ@gW47BmJ|),T$`cQnC:$1FtSiOƠE*ݺx=k(=/9e{ajaj+Pm(֤ Rv!WH7z>KynND#2T=(AHdVuqKKD2`ۀyz7¥G{ʼee;\cw?uǚL^۸þLCl^\n[w`p_P1K8.@ƒeʓ(ao߈m!mnW=1] J fmm (EU\{N"c0)b>efCn!qэZQ9z..D%s:R?Oat)ls-’+SCPl/tx٩x@~m&YbQ*2CYf$̀^ աMA0)KIބ@9(3K]x Jq 3.q_c eR6Nᤡ9K6VPpZ(C:w™nU8\Վԑn#x(E"0NG%Mr*_Ҁa+_(ش~dyɋCR!9@h|`%suvmFP~0ҹyC F&DD~+OV%\HtiHt=ɽv4!3,r4ԝ96$ǧ#K:X[,V2ٮN'% 5&6(>&[,T;T3Mjj`dK:jfU4fG~nGvpGxGxW/ H[le5]7Ka:2'w`Gˠ1)v(y.@@djv'Պ{|`|8n7(3+$4׿=!  ߾F=B;'_3&^B$8J1:ƃDhi9U6X4-˜0W|ɖJWs"*cx* `5IKC8) 0D17cEM3ybb3=("C+F^)yIҮDm#ސx?7eYy*X9L, >:hd Dq+łjlim>}_(u5R]ݠr}g/,)#!S,!=bp~'ahSj& Q#-@lG䂷~4IwWf W6m&PVUdKDO˱n:Ex3v] K0O8d$)8p:$x^DJ>Q㤟]DWH']^acvJys:T\J#l&_/ɏ1@,QIZFAeS}(l[. (R1ucE<ĉYٔu S^#z(D'T5 :aoG Uk 8)?ar5{8˸[OyY+piG4(1G7)IҫAE+j 'Ƹ+:p9Q~ p~^ڧX@F{ڌO 瓹݋ir"Hm}A&^k{s iDN8@:gYvY["DZx>qtzGFJdx8+6"gʓ..B+U#V0װj0I$: *7@Mf荣H'= =Y~I(v/4M3` aV>p9 kf{}kwH0Z&3w9locmOϞ x)x2Tdsbk':hx1Φݳ,óBf[S;XWi9/^[-ЉF0TLO}GJ':?aqMm|vzԺnܞ3lE ` Aß2Rui!^n~ *4HNi%;xZ]Pw"jd^٩OBhg Ug@Eth̕n+1! 9;޾'-n۫Yn_f+hMD_@dz`W8Ot,JP_B\Д۬/R(۝~$$P%GokҔd3ryʳbaR.Y.w1 0(\q.M3ř 3LS9C_%X7?tuPO6^a ``|qR(Ksߨ[3E^H;Hn eAE^=b;O1fXTprl $Z ClM?fW'C. s18AR+UlJFD&pN+-jb͸;Ry4:XgʦaZ~#MolWGpo&۫cHKqR+2L>RA5q](BݛDz\o96!57vy} XᘵA]F٣GN7EF @S 񭯢Z3nˢHs~ֽٙ~/񚺞c-lI B|i OXB+DH LX4p%d,B1PD=ǝxXsSj;Хx;]ҳ+>xI8E~zQ!ZAUtϣo\']JB>`֌SkMoD/4O'9\-']N6'f %s0DƇ~_:j9U3 T$xE;{HU6E;R!%Z|;W?D ˷)QtK|/ߘ8MV1GBUlSL˾c&Փ>0Ss&?^ Vւ 5DdJ(( O]_J[m#Y<jrQ% )B}6Y3QW1rwnT怚k6=K^c'm:\tvl$ur5oTVƺ)52δd1FOJ#!$Tٝl 8lћ:y*jYڟP( 0^i \S|' Xq>x/d!00aڣP/:-Dǂߌ$s (dpҌk&%~ L홑D9CP1`J:eʲ]k:m;w8To! \ɞԪ^ףjɐEVMWó]ɻp6V #m,8Lpy݊ el8~B9W( I0l #ˑ0#m>p>+;qЕl,Uӗ;e}45To&/|R84ʬI5!)!Y^~FSRQ8,JQ~>HjJ~Z15fl־M< Mͽ E ]\f%,s E,avUid iR6t- dpr`kKw[ogkGC+ewr{S 7l*}zG>vHsbЇK+.,Wj~:[UT/[!Se4N\ǩ͠; ,Dӗ:cey#xs ӣ[=n1[[t $YTaa{{I ш1W[*ԣ嗔'0{X3 cy³ŒɲBuYPNf[\}IAP Rτbrcs~B"9@$MQsbe"#|rAx;3Z2 [AftF5~P&+n: C?WH+HŁ^ ANeZ%Cd Lu02qQ4ņW Ifq5((A(qGE|1gm(;d`BIB_\t{o)Lk`Z,%;".m.`k#HF޶BTM]4p\p[Wܯ5|=I6ި``nOIY٬3FGӓu6ԭ2MWۚ b~JwP9^vۘL_x$B^Km@񚾎AKKw)heGtݴ$P?Jy !¿́dz <ɞtR^y\`_8pe,DR.t(_jqfb8R@6cWϢf$H 뿦`ڴF}:KX.=aHեrAM3ͪI+DFJX<~}\Kzk:FT@N}/Qǀv: +Ử~Rl!낣aPt`9 d^ :D{q\8r yGLrκ'{MȀ,He6@[wn/ql˝O4bʫDg.I5)Rrώ">n\K  Z @=-v9)Dݡ,U۰'&fGXB#'Tn(m 8 r#tg td!6MFqڃjD6#E &P⑫L#H'IrAkݵr vU1T51-,ΝU-ʾ>kXrg\r7m7'zi&{֐AhOyL4(a:Z'=U`eⓩG@ތnCwF<҄0EY mݩ %J߭D qrWrA3jw_hK7$ r`M]>۳5vM2f*xɆ߉o̡_AfMI)P idC{+_O ]-;6ڷ0}rgc;hPY2.^VzxR](2BsU~@L0Xnea`9"@EG{xTK6ʻC#4u:ifLz`orj}5pi+)͑LVj.>D*d46y? 6FwKV[ؽtBe* ŠjPs$ܣ B6k3* \J[LQ/ rOrMGZcGtqGF{sw2bNsdd`Ѯѐ4R x/}q"ހ8qFE~5#j eYz.@0v R6k_I*.ێS~=4l ) _}1'.c.lk':,g4 ze}&IMEJj)3|$9qͫΙs3AVgH*n!*b)Npxsz?/`1pڶ|LKQkc-Rʎ6 Hԛ|KhMaGEM@㿨S(8-:ݫ̆bWۓQpA*U:wj3&Qn]lv,א:Rͮpy_73`lSƂV)3)W7e^4zY t8S''`m #wЉ`k~'jaIyRVT~yT岇\5YtLvbN:QCT6{Aϭ=3Gw"]u1 aE]Eo9I=F < /}IB38;YK8/KN1Q~3Z*d~rU 7_ ؿ勸&vѸhO"O3W .WQɱsČQ {I-_tI{yNڤTZLJO׉_(rԿEJQ٪.Sa馮6Q>aQAOV) RRgqeW:a.H0cʃV6Xky0Zu#'O.!bt!2aZȥ;*  nżӄ v v_(0@HY3 =Ң:ܘ0/eaTk'M ع#b:?̫ϖ*w[x(w"@rW46q*a3H{Gf=h= {vl)9ϴ6BѝoVP2u.8`NIѳ^X"fUY侊fpxwR{H~L\%~3a3UN۝z_N4R/"\UCҽ[L`g&F6;ĺ7N3&Wq \nk¦F!%;w#0t.'-Js/;!F*W'8rgabf"/>zx#'1 /YJE [Up@ e%Sӫ;ve4mp+<|&LukxHؓMF71̙B.*-6 =NeKfՔ D q5 }ʆVi) V5RX]_WeYp_I=c!u!K̩{Z X[`j?=%}{l{nZAkF6&]>ovq44QڱyAkBbHole]`m,LWtj}Tʧ\Bl=曵QN)Ԇr{҆&)ϑmⱹDqC.p'd} p] E@ՈhI >&(͏C)ڗ*a%f[yD^G.$cBZ(ϾGH0ƨa'W" ͖'HxG* ڨKi〭"> lJS0 _h~snofi3$eh^]t^+Mz03]37~ѧ|X~n 'ܼ܅׶+r+r;yvѥ1{8P4M4?tc518H@Il4ZěJbc%GI$Gv'P'}y B@.J/ sG(g,<8ZV?Z k%I3 dޙ1LrbDX͜17.)mG/_MRTQAM5SܸLduQ]LZP$i $j(g#aqUE,wՑ/Dai"$1jP >\.wN'hC6-:vku tXL;ؗ<8383@ÔaϏ nỎzcg {r[W}q 7'*p7AlQ,M(Vǃ ήf \8Dh['9LWN~~3Z̩ 9_I@yG@)JLtb/X"qP].,X 4k/uleGK"xqF`1m!<=SgC/BhwK0`9Q{ųI5gEYExZ+lgl&i7FlDP|'?]Pt>/rg,͝Zlw..9ٍ. %8Yi q&麧5m3qaO,S*3Z I $8su 8'ϓR6)qIo+T2csO{M9%ʱ TWްj_[**Պ۽|O☾7(u'iw:49O2x?*?Y PN ]fߡRxaӷhnkj.ȺHxIUQEʔy9h>f]Q=FXQ0W՟U(ꎂ[\.!myn`O(z 8H;;B.H1Gp>~:.M=0!$U@1g/q3؏*)-f<>Y,ѓKX`alLxHFtTE 9 nhاcZM4dGbi/EO?h˽w|A?M]>NDNj94mˮCY%V(f/@r vIU WkUL^=ȢcDJ?*'-T%ZLArgA7.M)\a◟M21~^6 eZ,dtnnWʰh"U.3 ׺#(SҋmSz`"D1iF-Søߏ;nNU*sR3Y;NG#n *UALb!P9}tLd )jkGx.3Kn@(vӅhU-6yWjg&{4HIj2.FyX55uw%#UZC0ܒQO::Y/DY^qLG[C-Ys/f^փ*3di+Q %xmA3pH cLZ[G7 K8QL;mB2;]s%?aq]2':<o>BPN!7 e&e؈7Zf=o"űH͞bM3C(~X'hӆp>%`o+(L|-'gv#f!jx)_A@P&B䅻I}Tw?~ó ;Q<31 ٫` o­S+ q,#Щum8-v3(8skƺ8d}CXDZfc?W c:xG[ t0*@cy1 j1 #@[L5(o9wgaQsӓb:i+]v7^!zam%~v~BJ!_A{m$r%N-%$a&iޣuJuhAPJ>ƘQxCSrQFv(Yԙ}ncKy.Pf9*h?g!neKB0*Mk_\oo9'n~Z&̼lYhf'-:J@>6G cX+1ڛ_moϝc=iز3 z]9N~8)oHr|c \˱׶ @vnN +=Y joM7ާ* x脌-3JYPqpX] u4 :a[-n߷қC/G=PPMr(yfbq\UWt/vK~Tiݵ9^Q@ -w~?Ҹz( zMϝGwV(64KBVGc՘Ytd2r&FAxd`Jb>soњVi%Dnn7"6#C0Cf#H!c3faAs5T-=WpL/-^ƚ 1q%lM*fNJ,U$b3gk; [Kelph6gЃbgjX]!xƒ"Q?hg,؅|%aN/AaDfʡsD[Mk3v~,K&D8DyӵԖenDUSrԷ~Z,Cg?i;#*3,% TOhy8tB@'Ǵ9Y}6 nInaƇSl /Md0׉fu+Ph4F2&4e Ĝ&پ&Qə@;#`6FeaUzeNk+5,E >"}Ib ,&Dl[HZ Y )+|xY34Өdy!Q ϩg@7 zSaI| m֍YQt\8ksBu/GӪ Rap}bp{ >H,Jɾqw @\J'S5B>Dik 5u2tmsK~L0,959;;YO'Kpng5J2 O|AX;_(C:DT< :*7Lҷ^z 5*&[`qy͓(Ip:2N{RrTm'1_x{)5c+ίbY W}%W>QGx쮅dӒF媊r3k`wbeS'u(;'d2>G:w$0G!;2H2PE1ےgL 1͈f쇣8R3t.'.iq(TeוZֹ=;ыJ ;nÞ4'=Jbٯ%4҉]IUzb>)^8",uP/)K kDT}5 Ձ2SCLv8? UjVNJCqD a !9gȱ~)]>ꃔBJ/O ^AiO7RjVX fJ3ټbYWbY<=X@w.FȤ-ZfA%S9 c=_U?%ɜQFC/3뉝CMb_s)Ǟ-%LhFTXWK:{$o;M!QW ,CWi/B0~]cˆl-Tl󑽎ڱa`=Fn-uw 3[-G4Px@(fx-Xf/NkL Y P]@=KwIU=ǾFRCɟ75a{bo#SPH9#>;h6:Tp B(3˘^.vh\Ė-󂘈.Cs*?r7cO_V8^Y L؅suL-6.qDWSɔ]%d;27,ʁűLBJx.3BN-'ov邕xђ_ٳw dqxQ4][\$:\9~]z`946q=IJ>0jڎ_rBgCa.\%N~ept*zOQjRb)@v(옺o+M| `@<'S"0f9܎D1R-)kJ`A/]ɓ "cM??2-]RJFvŪsBۣ˷.P1 ݫ`8rʀVX~썥{wvɪypb  s3CN aCsOkZG+Mu#2W6|U0XV1\/! uM;R2H/u͈͋ҥrf6>hh%թa24{df%ΣtYj clߎTW4$jrTvt+3Y:TuXv>ߣd|BS'.{Qc0N?V"=kd {7nx{V&6)%& 2ʖP9U_{܌"#)k [ d4U)ԣCn=ӭJv]`]at븙+$o4S1c//(|r캛IvL3fp_&i-L`qȶif@.ˍ\7ٷ mgs?#*;?Cv& ȁ"%qfG\@#E~P5QAQ JbI"L*83&NݩWloҚOKsHywH;7t\ _C@6 @^.q'QS~33,Ʈk&e\'G@sM2E⯜0y.m_I:)0H0LӍ=xpK ʋ&7x/)*)iUMgq4^8NMycwxS~2'w{FRe}L}_9hhWB.[cȰ.6O@mq<DdD%W!0xlKBztNZ|ʪsJaR)RΕ"@G%G%IxEk~Q.M$J  Y 9㹸yS}:%˵ƥv-!|l%fD!ISy̧uftM \xx\wZHƷnokm5H G*Ւq?a Dܸv rN.:zMСjJ79]e;= >q;M4PPY'U^&O/Id/ x:~]A-w Y- ^G;8%gӦ0?Vhq[hXFW[OUnq:J5@+cH|&DGh#S%#z_Ē/gmaT%(^sW:`,3M굠ծX3Ĵ f7Ksl ENqJ2B>72Uq=tIuZ-<tO/*4;TFA.84M(:Ѕ:WYV{,xqfrJV,G-6L>vOtZVrܸ08=RX[mQ<4?3Hoү22iy_+Hҿ~OL6&=t{FgAjnթKDo[2/\+jʲ QK9o?.8l FSg= دj-}01ˏm"+q8^h7MPE}k"H  ga@qv:4?\ML:eU]zlCo9&!c2#Ɉbh;Mڌf]R~]5_Yp︣/[XuzmNP͡fz7~N+p"-APIT?bgՑHfFcWii1:xV 1Kw@>o ҿF?# |5UV[.٪$̈uZ^t8l HݗlPƲv>9(ex قɏv>*Y.TXڕ0hι;܌I |(yLǥp#)6-y y;T6N^ ?1x-pw) F"쑢RcۙdC!4,ʯ^ # D3NlഗuO~Ku/J5A?yVW"nD-鷰~ʹq#W?M J&PXpύju7$wv7>}4 2,DZ2Xb iˠj đ*S4v=nC۩{@=h~1ME@s;c-d6GyshgلʾΓ6HAUb{NNj?9W9c[9 [,I^X+9W nbSwhv@gtr $},2 >˯0-=<|й`MVyT&͍Ut ͊aώ}Ke4׌kyI}&=ߗI)3'9('EGI@$qN!U*@o8r4,4[rbdyl16^؆3 kA:HLPgĦSpǤr%Vop%h!~+(,rpL=yś13z*oWm$grGC K5P5ڴN$K8Ǫj~U M=Id sD]dIL V:M&rzP~Q< G1y~!z^ghMX:}NX1dOw> {s,yb6nT_YB@:d8 wLHUQ 9}QD>?mc`E1_?=XTEa?U(@Iz>Sno\w!6ɈkN-ӻwy5 %q'2htXeXRx&FE^4Vvx(1e8Yoۏ']cRDHXU3V{t.h:G_; # %EO>RdqJZ0}eK-$$L|:X^S&[̊?hy@G(HA^ie2=hw*9wW҃ 6dd + #O}O?x[]P%a:5vSIpb_NW(K6?9{w®,JN/~G@b j9NDgt8TtvO]\}Z|pԑ\yڼa"(rmu_hʦY2\a_mYxr哠!Gf n^jq]@W8|$Aָ3JWэ&Y!KY1SUEA]xڗp%~- f=ĕݐa_f|YW&mU$ ."`me?:J-؂UbFA7q(ئ@s6}k*s{(vJ~3@{eG袥 `;\L e)vVBrK<K@XuF744mx#ta.t_Ђ]i4xl:=L/LVӡhrt]_6U*85_wlzUM.Sg 3a_CJMqoV_يK]\X y g9f(w1Yr?OlHwQ/&6o-)=nk23H˖3W4t7V*;g !~Hw[WA:W!ԤP{Hyjq3i1\k O&,Zd̑-q>4p?|MnC(<R pEMA2!WBCb]r gbla~T*@d]×}ϒUy"T)=Wwts# ^Lħ'ٻDE8y\k2Ӌ:LǞWe\ƅx2VR׾AMhEаE 9K։0mɈ.ӏb'A$N: o8Է@o>J1oXl+Ixo;F?Ww{p(a[w.(/7Ajͧ4#$QhgrT(# ~ ֎l]jQPO[3$a4O]l~X\=d=Zz!s}*{Xt>eۧ$kڿ7+ mTHƆ{敟b7:=yϩ'dqrJbi_8nICc bLFk8sM$g=\٢MT¢>qBAɚ>`q&b7"*w$=u^#NˡdKg$ rɪ4FbOe,;=OuLf dTZwk~@9= frؗyP+D~ wX҇*Sҗl/  k"[pE 0wY|K'c~?R ڙ}CMF}eAD!q(CeXbt+螟CcC^$sLCg6 =HW]$Q,ՁOL@.T=aF ^^gI"W7EO h;B8k s. Ղ5aWz]{\%8ްs^Dv }:(TյfYE=>&.0XkTݡj2!jRq A8Fv|^F?H`ƃ0y^vf'w-Wٸc㛸o;(SJC=ޑmFi=G@;̫ r]ɭ3nT"Qߴ?Nd=U3dT~-Ҍ츤X KF[e}z!]t}z&Ay4V.;&,A"vNAmZ!{ Zniȟ?sA]t,~Uǒ#kO!Yˣ[N ^XR8eVe|@dL]1^&lgvX L(a(T>5=2y ooe[$XPK)co OԉOaxN:R]I\e2Xt3BWx#!E >J&̽_p T:X r鼊e,9ڬ4O;:U/yBgtG]" !A81>KD7H`-咄yM]B9a1#Et4$-P{qEޘȖj=YMًH柧n ݜ=Irk _])b:]*m0m+ a5c 3 >Q `a_0f߯r6`A25xt 9r=s˧?i>1+2դjW)k)^*"K,L]nC(њvcT@_HzG 8:15Ui1r@Hx w3zi ۓTh/٢7io7H ) '`'H!pA1=EM͑w4κoZ{Q9SzΈkG$RLTrnrVdAl/zn[!JIGX_!y:gthJK 51)7Y9O#VZQuWTpypIB#5}4e5C!j4E#Ox̄Q\IAx$ y+~egY$lEag [ Dj3~LBP鋊?_e")qޤ IAg|uٙҞ4\@#^ [37,nS?ݘFo{:Fm~I_Bď0/u )֙F$ETBkrO],v 6gºpjdb'8/w9TKh3T!^j7! ?}8uV3 ?jz&irY-"3 qvPrLY!xWxl|y5Qn`pJ/GJj\%,Mj0SqNS].p?p6oo0І6 Ay6[_*5<:?IN> 7_ B0k_jV`PN ?YH8nUq ߛf ]ڶ)2I@Es=Mwup1k7ey8H1mTHS9I\": Gcu)36=8ٲD33E:j24ct-腼6G-Rr|EK]8ttQiq&Ðoo@r#f"Ndi S):pʷLA@>bPXe+7ּ mݔLe+9'aAau?FpVe:uWpYc$=LJ\כB>Y˓'-$\YZ)c3o6/sfNn*;etH(/!M1s/>YVی)rCqK9h^qN64}Q hYR7ݢ+̀|m~e,e/ο+]7KBd*mdJu/>JD!-U7<epLr.~M-/UkD쭡JBLɡSV۾{?-@M.~)pSkZ=G_ m 0&Y 4+FmWl[8JjD391w{Yb. p-41n0ͳr6|PΛ^S.SxKJ;&Ĩ^VqW@G |7M/% zm?80݆X®@A5 kBSJsbx:#qOL.AP~u͝ʃ`Z+6Z߼~BSM, {Nĺ7MA HrkBjڋΚ!tmɨ%TVsB4 R)|u'E#֊*r? S`8ϥh@fDZJ?{8`r;,W8.jFm&oC#( C2/oe%µ-\ }x~6,;$n 2n)࿃#~D6 LoBj5~0^)Dl2xwu)/(_3qXoD8Y-I}u:Fb%/qyah:7eA㳞KU!\Dž&JE@V湹*cE+7׃$G=#2eUz)yB:%QWeX%Gg.U6g iQ;*N7GVKA\&.(|k +4zZ&?j7^7T~b9\3YnylE7G6i70yr:m1݆qlI+Oevb)#q*ڦP#)t<#A5ˊ!`y*.hZ"j㷠ҁŠRf֭vz`]aӗ1UuSvX/H'e Az>))fj4a]~:GF*;pyDm42I/ iւ{$\#s>tAcOjǥȃvvCh4sm'7cFJ48tt ^J (`V]Y-O4 wTH"ĺmLT87A%yN4Hta\ԑ@.LkITpDҞa=4q,>&4:]Xfg9eȉ_Ò!BK,xXRC}PX˱dUi/ӂHUY$CR+ %T샴l6ӿN^lWĥu<ؕͧv7*:l7g?ībVJ3|Ԭ̇1cP!۞0k@efcpE].@`֊BN -)sC^ FrY9!>Q͔ϡbbMEd5d9*mѫRsݯK#ppnQ:w5U@X$NOb^k #i޲8v;Ѐsz% YhB# )8X:ǽ"SHCS;`/EKuۜVKL>&Vǫdyf bmt0s6# \r[o2Jr͆DP y}MC%Do=D.-l Ѯ~w*MeD )Cqas{,g)yIQfvthi~F[4IaG5S8@S?'6h vuu8OfSSJo;Մ_U:[u>FwĞkqA0J)+oxSxJ`p,%orPRYW7[5&iMF7in&Ʋ7rB!{hc$tZG6 IǾS^BT!2g)خ:},foi'"*hzuK,"%kTydh/cGuCE!]n~amÐy0-uƇ'@qec~d~E NB#= sϳ Mu kO:,EU}}X'*{2g8`9R~Fh5^t0x9B¯~?)d(y6 중ucC"a'R2R C[Vbm5$Q& l1-0Jy'IAmE>W[#ԧVhW!j/]⮣m2C,d1 u X֤R:OFYuw5#~ug a"w|7j X5,ngO 8- ߬-V:/$NLt)ё#T5._8s-RL7p# /`LnOzbZ 34͓)]Z׷(%_ճgv KPiڎmӈV<.D +_~(Gܽ5J >v`pYj 4sМj:o A;jkkB;]tԜ0?&FԆGَ$NŁopJ\Pw؍&4׵^M|DBVї:L[8=?=Lѕm vZۊԊEWtz n1h9u'+pM'~exkud})M,`n#b8%.hb k:N4ڭ_4> $Y!|TCr@1/<lܷ=,]"#†-|H:C{/-k3 Kž86TUwsw,U7㟊a%;(6F '$}% Y :7F PnD RmC`1v<|ّʬ`}zV6=eXtY苈K C cB`f]ĵ gI+\eޤ [XIzr c|PN$._~y=~÷y iR^}ro/+Ww%܁)$slZ[q0k^CXQt$ACG:QVшVpbQY]zd~6w\N퓽i.nGq|q]NKu i`r` x[4Un,QŒ=HMF<7`8$^P: ISw0yhxE/Yc?-eN~\*}C2uX؍sl}S OR R4ըZs\ފeFzw#]K;:Ÿ00XyN\n!"}#MDJ; k=(P۠h'SliYf-\d RVUF"ج5*jڿZIO՛:EHfQ7eYgHah0 ,1(!T3(bǁv4!2$.!-yn`b_mPO CG`)¸E Dm0[*Fr/v`x›g}S5;{vĬ:i- dݢhDOWm&'"䐲.HS=ټ$IxN: e~6i=ZAivaR =bf]<ɭ}ĕ`+4|.W'0rBGAZ6,#蚰6-]/%@֛T:Բב,кvi*?m GҧvUߟ=N?AKӔ^(]rd_@~-4OyhAk(iu`y; T>θ\-BDIa YѯxhRiw%u텉?]Ө!we|zⳓqX'>z|07XJӮVd 3!ɅKBRF8W_|C}tt5ܧyi5iHngu:9^D @ÍEsR492*= \tl$T2-1VfE]1wId~JH&`#^tRzj%Lv*0a)|vmΖX58'Pe:C'-m1uxh>kEm>C!JQ#U/)Vdda -/npO8{ۚi٪`&:.x}.d QJ<7^aBj^gAoP0^&b'`č([+u+h}}tc$V=ԍ?r!Z(kUj*4\c !RY'R&L&Ū~{Z_OT\ -1׳:lΛ εSSf:SiOD]4Fy>D]NTOӍ#8y. P@79YhP, .muwuܼNN$EwZ_& ፴0H ]48oNl~T2(ڥ%m dhZ_zpvelNor Q/*7%GA~1uht ]~ ?.Aҷ _;λO1VZ$!F#o @NĂ*bͦZy͖-Z_7[X/nG* flltZjgBNL89t? uCY\z^)uSM*s WR&5}b3G HC<]Y\=G@'*JdK~.hꋉrY"EB\7n-#7Cc9ht(!b?gOȀCy#, νpO4V洷={#l`W@&} Q ZK 86aTdeo  0xazsw'.-ROX<[E7QA}8*a0,?KYd ^%_ڑ )kP`3Zcb*_`WjXi,%&lt ڳ䨉^4*q,NѰ"(X4.iõ%Mˆ<@M.*B>Q2xQک_|1Z$^rZֲ: ?cJKsghc?uL <9e}Cyohq{b`JCQǕƹ@bZeF" ( ޗKiNtW6tMN䏅@,&B .a8^ ];9ܶ.ᄱϏH 0B)#5=?rTuw mtkn8eG}RBC3fmJ3xnԖDTL*kGSƶ ~g9d)ibͬIiM{ T L~W.{S+ $a_EΥ靳mFBhps)wOO7~YĎw`es@WvCfSvf2k>񠳞%皡bCt$W<|u4R~I?*grz&Df8ç  \^⠫̥Ҍ;UzK5c|ZˆE߭}Q ģݱ뛲x%#imjr儍e8X.,lG@SI4d:d$W(NHz=[dJ%'r\~w0Muב҂ֹ[%U OQ߄%<'OЂI.dڀnH9a/g:Y g♢`8pOƔ#D 纞;"PpN/7c!wTF6>ۧ?ظ0 ?-MHvi xA(1R_KxФjtOIj e>l$SFQBAx#ֲPXVݟF+ʸ.DZC? Z1Etep6_5S'=Tmh#Þbt(ʠuA97Q_<LG IW44U9l~Y'h:7-*/.D~R\O4yS:xe.`IDM,7@oij}vh5JTNsX~â1}Kjg&><=q-OBXlu-1{PXvw)r @3*)5UcpN+7/*^r4_8uyi^ܵusF@!TκWcl2Ja U]YDRD'%2gVЛ[4!4{2cSw`3fҶwbVE{PNNf>o V~ٛ&Ysw6JI H61͍.gNdOr7J1A:5^Tv5^ K G;)x6;-- ~gbgj~1@- '>4Z rlo O'~qX$xL=@wѺc  ֒NШ*>f[uHb DWh|q4KsI{?{t:$ӓu󠏴MC;}Mdd`Y(Mj$kSUÕ毑}.'.?ie_.*=Xt"hby_EZwR2y;P{ 1>qeu;y6x5|s/w)X2pq %UrVcl;Jߧ # hɺxD喣]nG 4Z?J r)]LUZŲboTm0)slĠ pesQT=]%X>l"w;ĕ<\&lԤ{Kdq~cZX h Vώ<SC G-[8ܬ4OF|>}+'xlSETr!q}d-ffsw*S:D1u0KF%ǀ\x9[:1R;gtX AD0g=\6W((q *B}W΁7`z^vK͏DTzTaZ!Btkw"N@ӳ ַ*` õi#*Kёnh] ^YOKu#L3(t,@*>e4n8A~kFs^8&1ZM&9UgߞG~ʪU$6S(Ck qu;.*Di2BI*iur\ܥJo;!9<|!A$RZ?Vjb奌#e7xź:3j&$}h5SQ{5c@'\SdG] &M7mTECNMM |'oStgbW0|O7z߹qiSlJ.l[V#&x$z8M Jt/l ewTW fLauW@ FQPWlN Cf-@MZG1WDU4MMwH| =QXЊ띞_7 ,<_mYpg [t~o9{_W).A=$W2[!BZAOCEOƀ#9i[2?HCI%Rի1.Ǻqtqk҆ʏr&n#>CJn#և㈐N+\ Mend5rr>IIʩ'־CXd g2ca 8Eyc5)su)^I"#+?C@&\Bȷay캒$<<8 qN.uQv}Ԥ.`;eOߎ#;MluG3mrHh1Ol ` _< v,j )!pa_P諬}2FNU=hF -> 5XHX]9HS_Q6o^4-kcB3]"2>Gޗcѭ:K+ѫFIR{mdƭ>:?Y4& |-P[OtSE{Nait"ʓdD )޿+p5 Nq)8F)>dB.zM2EvL ޻GZ|x19.(j=blaRbB]"Ki&_3XZ$R:e`ߖE%H%c"‰{&#k4Sҏqï* <öo>ԜUw[%kI;>oyrÎkƳEsZ9mVTm;j߼fF[2FVQZԳ>Rȁ1l@e%,YcOz(kL?QXXJDD30EkI`޼&Q*⋫ۑXal2 ʑBRF-}z}l8Ur9BQ0rQ$gWէ?c7tpU(EE sv`tEj4&,{$GRvC|ӑjruo+'EͥPik<KgJ:0 7d1\#-@*i+f4B[dX4!J拢1qQ+W ~d W&84P}&m.IЁ!DF;? e`YX<2bHi@gQO.߅ωFSc[Z ,SJ V9f448n-NKs!.di Xq8:S\x W8:7ӎOTO1-/a5:Bja4kղ Bk$ B|84He:rPRX6 .A3G w"Ͻ }Z8]6S(qPgd/9:0оԚ&v$Z519󿯢 6hcԢ)6V\ \]w7w8Q]Ǒ~[|5_ԛ9p&J bӍ"Yzh:4,)18n~钍:29ۄhՑI_ҪHgXg?猜aWb`lCto-%_ lt,ʮ(EnPM}=Gq0G)Ƶ׎íao) 2{& _y j51miGJ@&\9G'EWy۠#Sehb>8Vۏ-zo|7 SrgeP1⦬jah`&Lai5 ᤉ/,Hc=]V8#SgݕiO6s`[caijyAY!o_;'\`5l-E ]x㮪fFʪc*`)LMk_~G'?խ"J%r&,~!`8Sp/llpƞB0T{MG#טq%)fILCy||oZzYaIW=T] UGzvƊWZσ!z]}sӢ.$lM n]'#Ny8^ӉiB}َ񀈻fg|!%_o'kt\BO +3 `ap~cd|`hѩS-Z۬Vs7`4A7R2j{c1hbOG>qAo:XJ@UPnڥa%̘giuCqRAU+Ir P0@LԿ5)I0T?tlU~"X1HR(ehV+a" ]4r%a}p+P}Cr'I6h"|3hrq5z7_f3 NRr=ڡ/q.ԛ>>nNh!dڻnWn 1@ Zʿ u @N"ɶ-cl  =hW !4uLt|#2^}XW y|8r5 MY@RlOry5rnkqeˏV?u8[=OZ4;_aL۴1ӌ_0=RHb.1vdT KkU @sfJXp&Mz3n&89>+Y wA>ȕvf͚ 4zG(eI%ٵʚ:1c~™8^e~ ̟].*P!p1^wMZ71.ShMH;"<}89Xܕ~׵&ruNqb/^Wa/ tui@h's.nBf>BO CHQ^|Λz֏WVק+2z`X} c&Vsgt ?7%ѽߕOWE%>]{ 4/C6 -h`T;m[~}XBL#(0EJC] WRuy0ȅytIZ v 5AuJ^3-fCCE$y߾WT%@a6 tJΙ/` 6BJI 4o[T-V07#?*Se0sU^ʖ["kfZnftFApXEŠ F-Ȓ!9AJNUьFh#(BH{Z'p%{ #!ObA&lRx鸍⋇)DŽ Xkˬ Fߡn'gFeqI(8Y} X{.dkOn,"Q"-n]@#}CV?_Gb*ox)8~ɉ0d"y zd:qS>u2)bAf%VѿBwnǯ`aG̉jbH-=kC|Wڴ˜=ƛl'7#cLck7JKVNCDe]fZW&=#kv7D$6P)T}:ŘX ϓ M y, $; :,ϫk`3b|Z pZK|n{5PSɛiXhNKġQzHZT<"zmlה!?Ea ##z22PU]ԿKk:.TnUp2éS ,ar6 ')b@DeYĆ xjZ+r*ԽF{*?Ո P#+%8b 6V5 ߪ3-g|R0"6 %GOEߋAn#C:9(Hᗫ#Wj),ű;;E=ŊWY?1axgr;V#ål~'ƱIizqx7ru!_ :J~,}*^vb% [1r%rf!r-FMK%Ȥ=ؤͿ-v2wOO&i,D6% 1X>,+OأJؤ!PQΥ.TtĠg?z.عzVQ _.n6"2\|nM$%DZؼ뤥ШҧhƋmٸl| Jaꦩ·1XЗ7f _cNd8QH"d7tj^:l7hD J8E٬1wIRenf0Ljn`׷l?G<6{Y_[DNUfgU`p%5ak%&#qg3CPq1;GdȸĽ 5aSQ핀\3TΤ ~G ,tUG6}}Go53A)#&I9o?[-"6L0}`VvǼI[pceu7,aa`/Ued(ma+?:_{ܱcq9aՔWR',EG`R}f` 2gjXUrc+Iq 0h̛x^.\ QI!:)G`-I=!F<-NU;lajK_gPK.9\VC$DᨙYo#_Kb2qq71hYRWnݫLʟqB:za͞Dc-el^Vڲ#OekРg uF[pY #lۛ)ʈh8 _Txo)ybJ6C{UeI]?p˂H)Qٝ2 F{/51V rb Cs[|%3CEc}x$,#$.vo*-w`]#oz-MT cJN+5N21k~JZElP 7O ɼ'7u@ԵEyUz8#ՕM :""J~o LnYKG5+}FQ0hrXQN"A1zkhTpk;xb.ޔXFY0׌,VڑJDfWg^2*Վ]u/~&t86#-6Ne៙G9?]% GN;՚ !J0K5-elu\v?7gxIM ۧHnJ/HGsanoi[gۯ6Lgh9 }jljZAK5c9-%C7kMQSI5:W1\QoeIrՄV@VŸ"|m4w,~0%NťsIV^G)@,_V[;L`5VZRHNm,1y@mm-\Ibc8TZ zD*b2{-"-%Q DvͤuO|"N+(+SXUT۠awȾ^g]I zkX܀ҁ]C7.t]<\˙ʼ'jաZ# ?ܶmm+$(Qq9ƣH["GָMן:9/m/]Zb& JN]W)BM4؄x[ G+X ˍnFwA;oz2jS1~j⬹Vb1V4EĴ =g H=1h U TM&!t҇B4Vf| jYځ}}μZMejvX)!v5Iߣ(c%.U9|j^rK[VŎU )7o9GajpѾbSwOs8!ƨx*ܞȊfYqR]=9:D.5P2!@f/I3H^ `:"mC$y{cJ ~1vM]i"dOv]LEp)7d2p|Qc~4QftjedO^͇498Ov;긫!E!BME/JAt?.va8&Uf3j]-'`w S\ܹ~k gmwO9Mx&RDojo6lAh[hlG7 "val*Ա1yyqܗ~-T͚e|X"=vEߊDULz?nfF'!! ,{R2gN6la|۞Ii-> c^+(,Nl\dq\Z6qn{hgs,!jxxv}e b纶V si(BM@TDo{2({(R![|lJnh1;O,KKVAg%R?! |iyi,vԲ 6Ai cvS IyzL]%I (Mh1ǘ>hT (3rf"qHt8 tng~tQY1D1PFf$ lm'xv SY QdQfdEExe{ˇS͝ܥ+:|plo mW aY -&ӺI;5l0Z[{)֤=y>% 'AQS ?<]xCZdo !!r]4H'jX3j ߭fd)bc>MM &vӊҀ$[(,?]J#C$@#իӎD 3a2 G6LOqC9Ol^uāq?hP,"5+hR^tϿy MØc i}N AgQq}&64FB73Z3a9 0ddU-j~G\Vqh[] YSSȈ}NjVχ??7<*\sB+YUUߩOW pR^L f.UZ. dt濼U^L{e>2( oCd{睒FTgx|3rOÚxcBf0 x"{Er&]HL/Y(%?6>CxpKT/D I 1RyWZib.\8 +w7gG&AP2Tb|q, J*o&O `UUBVbO(TKbs2,Ӡ+C4L(w:.[x0_@w3kq~xФjP?#R`wbx~Q(hPZ'{|-kN8ܔﮑ\4]sy}sp85=f sI\@YDa.eߌGb‘77 Npu2RU6VTބPnlUqx5M*=r)0΋Grq/ `F<fmkOyCIYc9%0@xc꺳['CHMƱ~,:av(9G"Zzեj ?hԖS͍F6>Ngoo.|k9Ez2r&5fN0\bfU&];xƠROɸs.5R6 "H םL (C=/C[2c3uPnvlff?3`|Mc]߭= z&(6[ yt7JĞ|=*P af}(FNߊXuҙD@r1%3lJ_}XYrMr )1"K8֛EAݐoB?xJ*2=3'dӫsoZ ^ fȴ{}"I$u$0m ֭ydAXV;ܫI/N nhQM':- <wáw ;t'F ˜>p"!dQ HMm3Oe^ڂtV $za4.4|7+|ةpCش |!Iv`=M+PaJ~u=xC]3E)my#< Qdzb;z ^EC}Wo'y)2HCcg#-i }*>a#F ]/\Qni6E/ʥJPWx?ČN&p!/{jdZK Q.ت@rh49S- w4:iÂf>K0T!3"1$D#h+&+`63BƲB}XVA3!qk%?KM-*: &>qF\(SY=Un )k*Lkv+d*q]BTcp~˃tBK09%~RK" LHw6Guԩ/}LpNZ3uqAɃ^3hsz,W}d[sIkAcKlV QNmkٷx{&"KvHUXعcWi0(&W~KOT]mIRA)5kj^1!>BIXx2Y pd 6f<'_zB(1I3}%{o1tq3vE>ۉw4AhOI!_݉j/ݍ6V^Q*D-Dtrj 'vzklB#N};CRx,86E]6lhdڳ wRe$ṃTi:B+숳ہP&:+#S"o壏>O\J9߆,ZWo!60{OF%( Iqm db,PMS ( MOd[1m3-x!tVž"O4n*$LáF *8a%\j)=scYlPcnhQĭ7ozQ9e2jy?= <,r.ev9v7o -ѲXPT'\Ul y Ѿ&}/9PJ[ RW¦]8o#2e, zx3o2:)x'!XdjmA[SH{5)x+{K2*e[O{u'p^:0Di/{{ʡiVߧ4jNT^tH!H*p? a[E_IƎ~DV' ZCa&u+x;l`+FBPf JͮŶe?k3tج-FFPu ;1B:F!^vіVz-mxN\P:n<y17(ӑ[hJ'BNkq,91#*g9%EfRͧo`,{>[fɩז|t$h, .f *\-[Q ;#TJbp ~RH5_3ts`?=|T洓+QSeBk)"N.S.M.R:P&_"Aܶ›lп򧢍bUEs с6jWIfD(3zp$,/$]RJ9f\g%!{CNX6Eb/LBvn*WK3b.U4Hf;—3n]B{X﬍dR`DUr٪c*t&LJ<ĚO\]Le\H,D<+ B9ɮ3пHˏkOW{Z@Qpp$HAem'Z J597o).W7clU<lf{dCQ/|xjߝsapV$)y(.}BYL9ZCdf -fzss9%mej7joPㇰ7a\ZLpF2[ô$xْ Wٓ*X}2w3o# YCV~Zh}nڶ!>WP eԞ1{Fd,oyG9ayyzbE6Sijn{xl0HYnKWKIv 8_f{9ۘ$:j xRWniN1¾ Cd/HưeWi"m$$ J0QN[s(54Qgsu靺Mط@S,?h~JFtV,&ERٽ 5:NNߝpIWve5[4iTw)_OlNL^v]Lf,Hd˳[U ׌V3 w}Vplu"/1ES$x U.0*5X̤`Cq.^k]Mcv|T7Ey h955Z}Gq飰Baj5ȞROEY"|;a񊋨N?J$/f[mr`=.rtjf=~8Jd枫?JR7-ZnjHav 7~._P ==/8v΄1|sdd#tF,Wͱ^*@H?FPGf]1,*~t)e$^wJC;=Ɉ1]47uԅ=x+)AࠤWU7iy^K#c!Ҽ.z}Rg]i?w`qq8t^h26NU|-ID~攪PS 2eY;WXsXrBZgd)݁Z`ʹ"c)`jXS16#=\*#`MR7r3$}|6. 2O6ƼZfFxW*фِ Cˠ|@f2*I?K5j" p5->){Ghog"htSEjSƽDfwiɳ|AP)ΔՕ$D5Ԃ\=3LnۛC7sFf/ă0\M*jUXam^\YCY3Uynk }ІDAd1kn?G&2a/7&}摑Я 1jNOm+ӳl #Et]0yuWSa"=ugs5ۤ`t. UKI =X/PkdOC-uGvxpZi & y{R,K~@Hs"s r99xT̈؅Yn KgS-d'ْ{qғ泌}{ܨަjGAzydYC [1x,|pp k HpE61C@U9i-6d?~Is5r myN1BBXЖ^ ?3 ir>e|鍐Z|Ʀy]q L^˙IV D S ɟzX5$+kJ7[Y5&is/6`%E|%ѝeNZRDlښZ%P< ?X{bٜ`P72I"35P '7W˰8˫-'{v/9C;͚V\BcKi<$H>VӉُdgoiWNP{*% Z}ụçOD6TD~T^{Us8<0Kȭ¯Vi tfѳ]ftɘJEnl[`&~Zȶ|!!uLχ݌Vm͠ Ik*3r4%Kp!|5epcF\$?Jό^k/%u O']Ld E1'3r .d=B{x; \"1[$e%#nG uj2=]@'Cwpt1al~X9 p7 srV-2l$Z˛B!S5(˘cJqH6|154@ĉ(E]Cd})H3QՎ 0a#O:`/uo&`nL@a;%UE\R`UE2(&5^EBkBP&H͆@.Up]P)/\ j\Xi!-͎~vMɾC ZtA"Q4CO7!2P̍B*SaG$X9.TgZef*ݽ +j: \D?WґhG?$TmK+g(peTȭGga| aAdOktѝJ}ܿaI(ͧ`P;KYw[θQMzRDV<< \s+\7A_ߔ0<5E- $&1TdRKKiyWjD,~TϱDgU(5U TQo j-GfCZ{"S;׷F>ϡ>Ȯ @2j02ބNh:YURiS"BA,_(M~FX;Eei1(umÓ*:jh<\yNj8*YJ,J֔EA5.3lD EC^E@687q͖./$4O[r};h ?.wmd2Cf/bשׂ'ˁ+xw 潵gS4\֔2#9(q!E qjvPNc0n$\R_|gz]] O\n$oJ.| ^SׯwU raiදs&/XC0I8#m4>l[D*ݡcI"MwɶTtIB+䒕qQJ6xyGl5D؊2$!Triô\vΧn/"DwS ^q 0i=]k6ݷim P7`I >Ils{4[Ґ' ^Z :?wxyHܽ}VRH,%1i*T_f@#bAy}98=RTʼn2rhXm&bڇwMIJu6xks5ŨlbeLYqb=/qVIaZ| b7iJQwJ[H*;Ʊ J"jؘK|:5۠Ҹtk(s#tM'uT2ڴ۸fi1tcBڛJ 2,HxaY \bWg1 8>sd͇n o>EK,YmUaմ7ȡ@ ;[aI4| $cVOJ<3a8Q]{CIAm7fo.5MvSw#fWO򌡿̪2l" # }QNB#nn,HGHt'"߁dXuи8aI &%z~%s̅+w`7A=[X(I?DvY9pyvp Iu5Kslܻ5fxcmäkCr4ƪꡛ+BQYMx2ciz/|zOz Lmso,ݓ0Tg߂GӀ Zk^Sl^茹BT_KqJ8A`F`Prc?jr۸̥xU{,Zr`ΩC"ePa o_yqU`,&r)xlWp&*7Вi*IH)/ys){;*8 `wfDlc /dvxV< I bZ]vXl5X_fb3L.~igԚ!$أU@6I#أ].B5յX| MZȟ[\Ax ֪ b.hoNܱni-3J. /@(&V!J>gt 2߸eˉ땁X}<yPH8L+gNǓ{DWLP?59ԯp7nc+uzpAC ŚtХWf7rdM>cxjT0FL6g9ßTY%X,aO6EN5@_ѻb>|cZܫofOtܕKKp~YIŜ]noYDMV{,:lzulVɎz Ws;DV,s}m|iS#7,.?Zei%눿@wGeP֗?E}Hz?73c*=5âsoutD 몬t$G:)3/ܥ@`w^RqbjE #Y Y|ʚ!8! _8hz*l%dN'z˂Tkhb 990Ɲ0w1J#ŖN=ޏiNk&o{Sz(BrISE3 ÈaJ[)+~ 2:\ymjPK̦ I'KKVΜXi-F&0|Fd$0,j.A"baX//^!J&60;bi&mVzH ijԙ=rIߘ+4cw.50=:hSf {Z R&Q֫駹cwlh-/hZmLZ:]O(* Uq5Wc_脹\%B^#oǞn#*xGͧv ְ/ș_;b߀+Nm?2R#۞5B(4ȴީVupz*YkN+g7ݫQ&Z)X!B b4lGdt 7)둓4?3CG;S?"x6?Ǵq]~tMXTyF3~V™ ;>7g)Tb~h9܂|Q$Jf] nJܑ)D?6 %!o/B&_FL2v+g֔-8!R't$F:Y+|!_%w@%@M{@Ja8M R:.U*})~bbjSEa;K]M QVt:,{H552 ipX;6aF] F+u|CdzY!4W`]2+:E1r{_Bzm,iC@Fb0=o:ߑ:r9IeO紡1 'q,UdsFW4_XҁrO|1$9J=y}KGf܎?~1=KM%yf v۱LO RnŏrYx a5/pKR.epGL=x>"4pYn ÈēGTzu#rd:N$FZŅYrfOIhA%tWqC3e@/7155d=*PKQ';)c1?Q2㳩цM0ǁ 'u-}ҍa}af6'd6 /.!p7*2E 6has1 4ګ.7@Q[CB@,)ztݻ4t87 J|3ּa0L蘻  ` aC{'gK[zX-1%Ȯzֵ y4qwlQw"v9Lʿd]5x hsXڅB3D).)1[aMrnp(ٮ@Y>@'`jkzf A;4Ǫ8zQTuH-Q[EqD30!Xu $lپ9~AnhGO5Y^LJcfZC&Hm0++Eg>j.^CŁؕN=>LVODO@9 tל/h< c?45U[Zmz=n?.v,䅅s2ք6\Ml,Q:qr"L˼[.k/7`O~ az@\L *1DZ=MW*va|?dk]plS6.| c&g&DضK ٪M}Cy 2j?VQCx[􂈔*w8ޯǧ1Kb nRKN`Ӯ f&( AwKEHERDd& gy};99Y^>j}1_.%9G2`[Z8OX| U2~+t!+z6֎Y7QKgD;0h_,TL1OkB/\/}0*V VLB<*=44pFAKt:]'O鸀oS]ڌg:ø^ӭg !{-]fagi^A)G'0Z3= 7WЗ/ tD.B2Tu|αץ(b,ёk?N!ZK߆ېeF9ǮEɅ| >74-?9mr9ڷ˫ƾ~h%:/Jan4&K%`?vOn)dGؼpi*/ϥ>fRe(mQ5zm7Bfs-] ;K&gJE|R"n G`CW2(ze .7 8Ǻ̎- 2_A hFޜ5V*w7]YYվ#m~Wj*On?Jl uAy߉{=W [Dɷ2j=~4]8¼3POL/UD*\~0  ~*ALD~<mzwB!Na8KSڢKYvhpjpeŅG/3ΎSTML"eT۷h]svgύRfV dᤐ$֜J;@WN̆Nj?n '"/ lDk'oP+:w*f|ݱac9"|f=+q7C M1+zZz$UvC @nϕYXGG:oXIVޯE7~ԅcM RtK4َgj~bj<, %+z/yGYn~$qw7YrV.:7#syL"K\1\ F9NQOAZdnQ1|Wh?l8VkT@iXq?֋Y< hSSs$;ޒy|G:9H_dSmQ6= BOv o#'d'i.;̼(?'8 ޼dkd&qZ%MDž9_M7ke@yWbÝSWJu:de9\np'.@;CTr14V+TL~WL'd\ͬgvG,ֶn:ӷ^W;x.KnI~k*p-meiƤ?G{qկr "t >:Lz9A&8,KD&"tDsI`K vtN<عOs7`d6W]Ào|m{)>}*Ru>ߛxNY/^<pbseQv&EFo"`#Z}f$J>K ٲ螈6#>"y$+F&L*"O߷ ޳5ʄzfi %& x"@DnH40\57 5 ;cHY>-99n33s73Dƪ)etOٽY]eE^LϿo$]4bv][…vM4|s-V@[5͂RC]w}t‰: y|@3y y%M>wPSxR|zqheǿFtO'BVoIAH\= yʾ*]H02&7 z!OL/^ci*8j! _鹮rd10f-}U9Q47M`}~hJ؏n|`A@ $Ahk!..R&䜆gve.SB kizL@D o^ %_YwlőW}DQpŧ8Y20=ɍ^,SS!Th> ,NҚQF}T4F:eULM5Sj Gkf8wڸCP=zg( 4*X() ɢQ?v EZnb$0Senb&2`Zuf B75)tHmIks чxY]$)n>/ߞ[B/|Adr];7LtIy 2d˟~l]ۻkH<bgqsw"n&;*oeXP`1}<3Ћ|`Ih8uG}ʩfocnxJˀt:4z3{{G״80@(mod' nd)07pj["ϧ]C%/f 21M]KCSyzlI}.pD!2-d5;r)kq"EL5?(zcsIm!rgGiƈE44<>- &ZUs=b;gy4_K763bbݑϟ["SL2P@^wbPkL HCZ ~&EԒ:wMX; ^#gj{r1 &,*\{ʼl7}%ym˶slZzH&aZw]qL!{"x=Ip'X"3<Ȇs`>;]jY`C@a)xh%jH0~-@^G/xj8/V8-QiJ<:Jf.T]whHJQr\ivv=lJ)#>_46T­j߀QIh1x1fO;?߳(Pľ>=E5 wodh}{[33qGEܹ_ k+{o nyerQR-Bi+7|G>)XCAr:k jKXT@dd|&t j3 8wTj';VoOZ*C;{-XՈǦzAN0J}$gR*zP_&EzLZ~Y6 ȤEJ+o:j9LXgpcsoKr2gSVĈ{24WJoeV *k:Kg@ Z~C"pTO'ZxH$I\J{׶n-JD)ɣRXwGyԒRx\/.ucB'f_0r2l.E"C jn@vU(*%=ؔۏo ۴>/aʑMaŋ>- MN e¶ݠ)+ *Q%w'" fju sijCxQzu Nz<٢!i i{: 57Q+4:o勰ʏ 8h>#V,"zWkPtL ;,f݈\y5y욍BPN*Hu]C8{~C]4 Jŏ>ؘbf-/pi &T |g# q Q~ܨu}hۖWi\,SX"tYu~LqO*_O|1J[dS3B{N\36D-࿔FL-_zRK*vdޅ 5O `9y`2LQ,i m {1?vљN AOy}C\G+%0_RJ`+C%Vx#UU!~H4|Ղjo6-w-6XZ̉2ydC^E3GKDɋsDv4M2b*(GeK+.E!/`4VʐF1fL̨3nLȿ([!v6jyXr [G;1"ȕK4я1E3;̏d C9̧}##=Dy#/[jeb];^3/H3-~7Pi 8%/iN!PJ+꟣~ bˁYPp$# ꉃt=mMwY-Ӭ&aMb,:6BaE] D.yXEok;j>|/CAmzpvY]G0#0,|]&#N.|A')֕$^2a--,RCOɼ= ; P>㷡c~(]CUpғO^YYFheC8Pkc8kYb d-ÅV4p%Fq:}Z-9c;*7 b:///{s,nxRa%k]+i}0.?v0犢w4N&LֽKP_-X5;ݛP{Iw6bH$֙ ࣦ 1:~9AU3mu|a6GS}Z"{Oꨑ6Vpӵy(O5Dxѕ4׀> yc !M+I e|0-<^a^T+BI0shcޜ!u]࿋S/ƌ?8eSkht0 G6}:٫ Gi+Imiljt#(ExADӽAd$a cO h\G/ Ӫ`i9B3>/ʼnߊ[mzxݞrD YKdz8SA UaY:Afw+RuʪdX}Oҿߤ걁>]DJxJ6T啎dPfB;dp>i)[ nyLF?`*Ie?OUrEc^ Ozբ_剂lmx,C2wҡJ"<lKaZ,@ :w 2wne}a(/FC’v{"F<`wլKq;@jZNAfO@(/c-! q~d>#đMl)63:^>$[ bo)3/UCDIj ڨiUc+֋>D;xCxN9o*9bU"xBO0{)sG#=[htKZvxf0}ɢLl/6@/Cti|v*+uمx (dmĘG⹈f%/N)힁b}UYy0hm" x1' *BK2FVETSj%9*(_CǕIf /!dሃ J! H ً,}ߧUO?vRPe9[EG< ED5R{N7!TxwL&Eh]1mmn^.{m\,6 el&M*-EUWGt?չ7埌<(dPŊ'jTtg[[I_$u,YvǞGtΘ2bز+R̋36ɪX,8DxDHQdWXR,Ƌ qG=Љ*hV ]3W a*aEW~{L7o4I_whPA m7Z99u4wd(&SBSlDg{*>Bz!$T`_')2>Oǣ qCVրcqR:,΂rk{z\;3 v[MeC}Z8-gФ_KM]+U~f9Ctӯ ^ݔs)@) *ojn-5\Uc 'F#wcVjP|?Qey/УZtһvuoS!04&RCHu@-#2gJ}qb;$7Ճ{CF$ sAݧtXMc)~

,PiH*VP0H"eR *z&Sqèmz(C*o0Ġ!&uAm:zy( s<Hi-c$p0[{;x!: ;+k^ Q| pOEpEPcb280CAŏ$uZ9 2$ئҙY$X.["MĀMZxhf-%M9ۈ uUU7l yY/Xά: Zyg1F~ ;VNYduk2 \PRƯߝzp[gY6*~숷ka^S]ZU\jhQ٥85Vq(lz>_:J}:N3;yy%'3`Mك92)>s1Y;Ft`d3yB%BjwtQ״'#M)?Nw[c-Awn:~&tЊ#"2I%^֨$ϞN`}@}}̺|eXƬ!ɓ[>/<@%\p~=ݴIlG!ѵW9ѩ]6XY5Zϙ;^ZڑCւ%4k)dXi#-*3Yv~"9q(,l ;Z $Zit6~*@TLG/^&ԐѕicֆRJ&_Ƃ۹>(SJ?&@ܞ&t%!g뷴r5>*2+~CkuX *KWLibldG-0eI-^cAp(I ޚ}!%f IO3sC\%f޿nߩf*~Ot& ǎbөۺ* l64MW)1%_$.J#{iobݡ%j].VjD0Pomu4 mth>;+Lp7NL^q@_"cY41a|7q@KdÒŬ&`=߈ʆFYR?)7Z _ebAh [+-bܒ3PSѹ܎D[R_ b v]l#Zj g 9#F7ֵQVR]"Ei. . >s9Z-~0=0ۺpⲾ^)ahܴQsv!}% kʗwqEڳ.+z/ُ`%k w*9fĖ=9}?> N%T7ढn@ПCehqaD~WImKQ2&4̪h}TD5xDfE$ N |DFTƆS ]>Ll-`[o6_.T(˨A0X=, SQ F J==UneU{ٔ꽐;o"޹]=BD(AݷWªIZ& lsK4 Uu߭VhQAl~a{VC:Y_h Bhxe60p6Uep"yΛ ?-Ju PD\&=?K!9%E?\udCq3kxHT<6?+ [wxwUl^)y_X|F-2q! VT6U^GH7E4o [=&_2p|g4ncYZ}oL%jfrڑ2W!wX"& _z6:# %J+$[N\m_D>ZX2^vyΏ|w RJ%ϣo2{HhVjfJP!Xh8tCwCm DNn:;ߊ"6~l&xylh @`يe+ǰ}H)U0]Օ@ԡp8_Ԕp8в- s$iQn |A>)B4DzAvG)?c$ԐO x$04 ZOB1?~zPcJ9fFfv3P!g߻텱zLK\r@aQw<ېt訲K;YSrK7f|z'Lhӌ1+"+.tj WC16'UNI$`NZԤGK%ְjpWchL}3=VjN,ꨲ*6)62fEEefP6n {8|6_ߡ$QiܸsF&? bKte^3Y@<Ug +IIg uq=IH pS9 9p̻E_rUNfWp N$uX?Ο܅@:.ex3_\AV~: Οm%ך WTbVvA.oa{ -U1ڍ fY j[2!m#i;${QjP$,d&ܙ0!2C Yw·6^ `HK \xw9~hexeDw 9.El9%9Ӗrk,䎸BF۞CQR!.Zo6,fb[ n, (7gsfPv-֕ dܡ=6Ζ5 =CvHDrOb=}Nf*Vl@ 럳ǜlQ5WUjQGu2upC!lS2o kaIma.<6]~o.1!H&p*9b #U6@M6D<;y0s{q M3Yjd7/>.%ܞ<왝h+̸kbE3d x=c!q=qG n5,IQK /rEZ.ٯY*=86G:ŏѥp# nRzNi("梅Tn6>9:x(o&oc,?Γ(1{&Jc wz3=Dẅ́ 8_L$=NhP1F)d )sUm[yom&^묀}>lBlW j&5*Z65 |==ߋ]jaYpT  ` m^[γcuANgiJG>U1(?@v[5#sZt##HH!ZefṲMipAṫLGmxD)3m봍s>ھ>reAֽ#6S7+Bj?(S>3^qn$d'C_&c~}VG8w},τݶJMNtM?o Z@S <;5!S͡c(պ(t]8kh j|Y"^"[,yأo'r")e:md >N2Aq5jע8,PFG#w98$I9|3'*+Wl@ IEșg%>ac/bޏo\&uM)k[%<[HC8lax% gSOf@H~THzgleHۦAqDуea^Я]6VеS=QI{꺘G\0w|p/i+p"SR0TXR,1$Bc` 82HÇJmi ZlUyEmgU`HݜMMm<׀s"-)P_seDw{5ҟ+ܾAȀ~OڛŻ ^Ė$1&@|wj#0(U:TPQzsTL J[m~_xh󥪝7_jKHM<NDa{Ϧ~4)LQ@}W;O5/bR/l}?biDzCr//KEX|1^:(eрMA4ͤ7GPIcB4O >Cw׷ҪOۨ'PZ"le:''l|]YY5Rk{#/hP6287 )]Yu76JK9dt&Xr3#xN9Wsz#npu!߭5){G)P]sܣؘCN4h`ҵI:D~e+ [.$sd-CUR=!s>dWal6Jv}2*'fsD J0yf@{=;:(̈́mxDѬ@Bqfu.idMNL] 0۰2 <}S6n:ybkԱE<)"wywKƔ[xdeC7qXC^7;+75RX*4A?@IuxL+*qOA#߯]g(o;ϐ-ڽfpi*\q-dQG%?-}4J>EnnLJlJ'Yfo?N ǹ77|=7~˓چ0hʻ/j(ՕufpffEΠ#`T j6%āqaxItlG$͗!m.h{IwgOXbq$h/F($t8IsMA#EUb!"x,Rp' sM&jbJ<o>Wc(M. O&MNub*auSCcܮ[|* O\,NO~X61@nZP1Lz|Ѫ`R>PVjO?4[9:l[\q.c <qO@u+n_:G8OlҿQVY;jƠK4$|G/+-=C@֖HUUU}#@qMh9o^m1[a>ᇨ_'Dtӑd4hYh%&Fާ~v]},%x1A,1ј}t7Jwx6dkn]n&[N~b2OL0E&vj꾆6. y^ZjP|EjVhZDo$\M}2~q]l?#xbJ9ϑ@ak"Q >> 7- W4؃G)cB'<{KUG0/DnSdpԆ (ǷOxڍoRjHA-^ =ř2΢vyl197 }Iӧg[Rxk?ߓR&UvCi>*(\ l;a2T|M,0Y~Y&![1\*c|mF/Cs,,S45"۲?<@s>X'Ne\i b.Z'㥃xM$[R,] fhO;̳& jU6o-/m سx1\j5IՒ9AHoS:=ab|\~sem _Z {.d~=e[k}rQgy;8^!H{={}Af_J; mp݁4wֶ `ghl!VO?c&*2Kkoi-8K"h [BH镜pyĺOsTռŶ啝.w6I=Wl m4݇똁j;jcc!Z86 E9pbP >6Bt b`A9bï??eU M+C:IYxZF!H6d!UDq.J7OCоL:dz/t7sjM̨/쫰X ҡB&^ dǗbdNR2,U?2ʚQNVM1BGA**+7w>Utw@^Nry/=op">`1;jvθnK?bm,l Fs)L "(` j.Uj6%33yϪ'ÂK3/0ܺC"Mzq#۸)etKա(Uo0'B\+ν%e;LybK6;pGSsbŠ>< 0}LZdyPlYkHWz?%ZHlhG^ CRPjqgiޅ9|@k kQ?%ͺ?L\$(Ƭ!Dq|'%6ǻ٨y]w#9}H>b0\(),Hˊx׏:r9Y#Dv6a06v#AѮ\1H ]Z +4`+>Jh:yK{!&d^b4K7q%A[=2;W&_㕃q]17:ڇ]j2Ԣ4ndr rwns=]>!tnQŨy<*€2O'ceTڛ1 uxJae zl΢˩9L~,}/v v S>U0] (ޘ\Nˡl2`| LO̟84Šk)aezIȋY)>L;nO ̹67g_nkQQ=4&{2*Fa }qIu)"5TB3($V@*fτ(dS6vꈁR$t3Nj" ێ) 1hCR$l!HW 87z̷^`opN8=o8Z q!n-@@s#] PXB j3$%6W2(T䝓1m'7:jA!GHFj?T"hb?B:#N]=_ht*%^7P{,?l(BP5?V o臷,!7vTvx-`Q\CoFXwᣫNyuA!x&&1[33od`13/uhl5s|۵(wp:8gSΘI}`eLz ro_gl~dTyyހҪtjurK!i*7* I-Pi|oׂpHfby"Z Xj"ZrLLԣa }\ _cwc;a. K0*-gup'?Tm?Eԁ>0w-+FarՌ^yCKHJyEڐZE.b`Ivf/C n_q*]G/0^/'{VoF7 !Pް".z%3RrGo{3 dp-]zֺ!6d":K%pN-f>C5@e C, c Wٗ#og'١Ma056[;3JWe.z0H~ξ~i@*GN}}Ⱥ^w0oAM1E'd/.~^ wdsh6T>—ɉp0z4-$!v F`/v1 e A8W^f Yu[,.ʅzwrO˻Z͐eyc=pRB٢'6NaC o[ނ qx9¹ޮ1pQv ޔa3"r5>A`'4D0˨'[OI9d3¨NOu3:6A9kU0<3PStk!ٽl@)pRBW9 + 2);lSzL?rA5Ɵ%wۤ0 &o˫)@kЌj`5w\nbڤgjI ,LG4s"qNᇙjd9<wiLFZ[a܃ON㇝ SwF+8riU3<liK\7d!FTŒZjku@'GOR xNv*XaPh4pZD]3B ]:D;TҲͭSgJgIqZ-CU%HS1[{Q"W{vNflfΉ.A5ʦc>LZl?wͥU@] EMKK(t/uTԺ[6F$!gw+Xm!i-Ds+3]m,ٙk bÚǡyL3X&C7ˏ 08˗ͱsHj?8m aDlsr(!b֘0F>\<IdpN tzFSC;yIT&rrK2Ev\,:2̕ *%?حh9&`P>SSYz*~X4HQ֒*(9JlZ&+izc]HzNT(ȕ+1Eu~4=CyǞ$e.l\Ctߟb:l2ܟ+%=sTOEs,6ZoFA cY:i&JРeՁLx΁-K[qL2]qQ62DL= ;m[d8uziU/7J(`qII~E.mǔk֭uu瞘+ް0L$ح!X0WF|!۞)mLDqB"p݃{Yo9kv"[!~V|I6q>6N^7^] 0>b jh $"'8)twj^i2Eʅg]&N0QE.bA& g};[.3MEJl*I\ Q5`p\SY_C_5"ziGMN6yAZ)f&zPʵ : Mˮ?G-kꙀd)taRY0O:xfR{ Z̰r pX@}:(ɞ5$&zgoȝ)栵@2$|y8ڥy2(kvivQ~Qbഡ?{ GΊaTЪ wᡣ jF"B|0zVB*\owC.`+_b@[~b.fCBE^{4ﭼaB!> C5΀4wnR'@^l o[ +גJٺLRS[(tJ5;r@+|?SD}qGKe{xr~]"!6.nY +<2r Y8"$Wel"F4޼"\p/>17XjR w?ݖԦ3ؕfE򏢊od-._xnd#tp)p5w_[D\_eZM/s-^Rd/,XI5 g({Rh:=cCv7eopdt,fK!uCɔ8,b:4JoFz;-u%cJ|#{Q o-=L0c `DM.Jh˯BP-&uKZQp* ,ة^+@ͤ(' 9L;y8,~ߒ$B 7,u\O\;&XLvFӜts1f5zD-fvA\$f"Ѽ'MWłW᭻kpt{\[MaZm#mû/D .o9Ƭ5 x*;sHnّտ"(<+EipvǑA002xw{B8AG2hq۩_K8Ep_TC<Ԑ$S%*{8~=-Hk$Ec!s'0A+"\ $@ tsRE.$w RnorW'߼JB%U7jGk"*‡(#1|FT@8M9E],gZpvy/@|501]tƺY\GW -׊r)j5{UؕtFV4w&438{Lڝ2eʠLЕ+Bl~N~8KJFBP%mqYz0:t 66@W9LĀ@FdU}%L6˜(}Jj.HDZg|%9OS,q*$chNhƃHK fd-ny}p!ĕH&CsayPR)ṅiGݖϺ"H[T[6`)oe`EqLu8&ˊp'Bh+Wp ;Hi[x2 *pM:RXfc M.4k~-g(qiqt|@ײUc|k11N_kbN,ooj [n%KUWchnjJ'V`vJBał(}?reqHCO4` R4 ʘh|HXQSng( ~MyDJZ$csǐ#vZ㺷(j3Ef2{ux2xͦjbڿ1qx8g/6%fCJ:,$^p Dt6fgZ=(kVݖgYwZTB~!7ô\OCq8CGxHCgkGst@]<WC.Xrm)!1;I[Y NB3Y ȯqBP?O =pfJ@N cV=ŹRqozeȳ .>.gEKcW %TFx'I ˘2d604ʧFn\(}i$q嬄?(HªgZbs0˒UC9j?rJ^Ɓ+ۄ D6s@JyY7| 4Sւ*?/]򏻍!UM7ΨO6)|zI_B)i~EnƑ8Ц/0c $g䫔FT4h=*V͢ZㅮGoAJ{oEc'wtVw SmT_Y*Տ=/JR=-,T\[%$B+׎wb^yM`֭BIxhNk~ i\P]5<9C.Mje{)ی 8a~ *Z`6Or9Bݤʾ }ZWw9B]=T^&-$WR 2J("3K$G!KLaGQ/ؽduY~A$=UxNdWtAf[*g3xLwE l3+Dca6b$ޤx(OI[i i-@v<]./cyVFĶ+~.;_>$>X-C+^le**3~@Mj4{XE _iK]F EiF@1vf͜ΐUIAH ]#-D6BW)qÊ]$LP^}\p0HE':UJ.Ƥnw1UDc5Tc9w(r|dSrPR`-/2:dq"y+@I򕢸b&y+{tC GWwކ D86 B<{`zѧ؝6{PF$nWG}DS=|Y - 57~ > F8N@א<.r H_D >a[2zʁygcv$01v<"̴r;2r?+-v^Tz&f'`MU&^Gm5") p4̿N*>qT]ȑuXږUh "Z=fTScX[H1, K>9F~b4F Kdv \g=} =>J >)H@565_adnr\ #n2:|t` \[s7?+߂->>YdF ۏ nB=5d(CD<̟Ƌ3f'$Sn+ifmV-$p E}y$ulxN;*s &3JNߒoP=~ H/9C<^6{w=3Y/-l#pXM'{[S(g5W3;و`B\؏Ҟ zӂӄL"b&t%{x"~.;i}Y#!GlU;_hȂR2<=dLcICn!VyZs[1",( blĊm:A]ײ,;S` T vL#ƥYQрKp/(㞉 +l ,~Rܩ=O`> ө?7:|_@8nT ,q] 3m"k#E.rԘa7d2%Mz) vz6tޕ ǺU8GIy SPUI:q-ڵb9-CQXÂ˷-a~g>\0?e o`.`tRGOt|CͷA!W;ڝU4!o)|HŜ'QFö/ uo ^ Y`5|R5H 'JM& OL,j7fj,A_jl&&:;"TCnaM1Ϗ:g-y6%h칃3m@c#)y+!Ŧ24BdA8SPѓOd ֬Fr(\T=̭b F($KkS)B5S΁g[.bEGIE+ c-R`3cϬڮ,,;f2J"x+|)Ee arS$S ]U,U&P4ljC5өd7!J c빏9//:x`;X#(Qѕ{U^r':?g})#ˌ?4~dW?Fh=_"2UpZ*^K $m f{[>Q$Mu=r|o#nA]A/!-䭙ل7~LbX8[ ܫW_|afH6.̫s1Yc%NH2Gd)EmAtڭ5” `]@\q-Ost˛q/T)G\a7RFmG5ۼ:4eku3vx&6Uk%6 Ob|?_7F╝еu0ɂ:a(v N-[2~dLZ1U O.*>+7g<>cjfHӗ>̋@HH0qlNwJ]6S0[[~^!/9/ &qBféQ۠5]-gߥRv̡TE5["F|ըr b$'奧obcF {NI`;{eՇ])!PCѐ4dMec`fPQ)ǂ냖=X,Asס4e|qV\pZRQ ZJD-enixiг1bB&EgFMCFQ& O~;tVfjHѫGGzĄ8)4Ib-ܞ=W!noQ^U̕5's̽4i cY3s6qUh,8F5Z^?n^֥sFecn߲`Whb^Hw?S3f:fSնϵ_k"z@a->l-G%#UápԔSm*"Yݬ{f ){8ӫUpRAn2rn>O\԰}njB5R4Y*5orMRӆt \V$y_Mt3Hm? D}@+-?cN  ncWT',֙Mf9 z8w_>⇌HW{WGuzr_ü8@áKTZ;EHoʨw-5b*k+H\T$BTiNXn@ϼDΩQu^S23]{h* *h cPiMhR?Pߥ(-{/S~Z 8N?nm.(H=ڭrYxOS3Dyv)Z?Xy7OkB+HZ01TI=J# 5̈́Zݙ6,۪~tR(e^ё! i`%lDӑ3iEG!\zm4 خL,ƬvM&>kU ua7J?a_n8٨jn\'A 'a+Edb|bTYRے=EꊺN9G%țGwH2?Vq{fgnlɧ/!8!zG20H+J0~B8GT@U%P~O:7d&*N0W? z%6^ -Yqɡ'~r , /XJrw'm}-k˄qݦ.bSf[N~2ԽgZeS \~l1#!B eo(%;͒ e"9,Ukِ]}v-qG7]DpX.*X16+,:|bMꯕL0`c|M|ex'NܚW2~YbW(Y`#)&[OaC*BIv.2#.xWX5}1[U`\zdlD0`ؘ1f:8 ;>E;YS.NS= Wr!ݻ~G( s[@ hkf͢-N)<*\ѿ@Wéki}L&k`m+l+i2,ŤUJ m6X˫؝q' ynOI6Gbn7nDrM gW*BD( QtzbmȽBV7rH}JΕ8R|d뾮W%uE}1Z%Oo=;lz R5?Ut:öjR8K" J_5q ?lS}+BuϛF)aOcpxC5`aف8 #6)о^̟S̏W.r-jw8soηA>`~0)Y~yʝhv&9=3Qs J,>9N=SlqW[7/ Y(=W FX/'AB &3;' Zɓ{lZmQ7 +R9ݑǬ YRRA(:[ȑ^{$3y]ft~S>l8TU;}6 oi@Qlk\sLq =gY\uy @q<= p`?bG[8˶a@ (R =05䈔kxrLB>2kDZ,LI b8iiy ye5{='j NO'I/i)EkQ*Bxqabd\QѨ ξzo鷀6T56Z;0<,LIZv.ِ<ׄS ah-XP<`b wk16)uS6yT~[49ܕ iI[֓;>uD^|O /On`mll(uU)zXO$-O%  kɠ`eL [`ǗuU#MlVH!#Rrɯ btH?-z +u/~THh@Qyo)a `Fސ Aqo_r08{ܳ۷OLEldtK@Z@3ay6 {ct`Yn;M"#N ermx}NN;Z0 tx0ۤ%>L'/b\͉F ~ :xCD\P(.P7-9Ϧg:Dld!&HS0PkwLth xLsm`ű7A .{qW*'П<>>Fj[QNڑZҢԷϽ\\A>뙳{yI/u<<ɑ#4R9Yu`&!Ć"eHc:i$W£ʇp.4 |o׵q"6NAXAoO5&tbHr.6f*N0&0e<*ax^oMQs HWi'5@}M469ߟ%VqfjHy>i>5g ;P:^dH|ۜj`_%mE2>ª++sۭg3T y`,Y(GlK{EQBZ9snDM/Vi[ ;?`bvdBsnzMSEjsb[/H*j­2"E(2.6ʧFWY06^.aE ~{L\S_DQ2PF;+lRML*\ 2muvDn& 0/O%q-#Q!: ,ݱUC3gU~o`UƬ/gǴ^< !QpIYoR#WֱSA;+ f?- D26g Vcd7j2yC\l TΆs[EA6 %@1/zcc>JLO+g"8y mo ?WܑK$t2m?nqە!s}Ç`р,AӅG"nSSHcQm/ZD_eY,pN\56PE:uZpS_'S"GLf36f L𫑚p.EȦF6"3oҟJپU@wb KjI@VVy[TD^irA\n7ޱ=h[SO÷#p%-l8_&d+!xr MioF(T)~7l6ɛs/N|بT]U?1qb{q̹0pq'@蟻k+uZ(7rSRL]0~OUL .G3=M`%J6CAڛJh4  Ou(|Z/fπ2,|cTl* 'vzb_Yҁ&9Gj$$;4b Ez! }i'49첁...=U+B<)$ 0XIo"KDo tm4=txINw.nq? {i_dGW!!RR,*dV o+(vܸ!9s1}%q MbfAb`/\rfIÿŷRO~-gAYq)DV…MrIx*ʦbuk%g9^Ԓ1}^K Bk[g29)̛EiO[ؗ[O ;.@LۦNAaI@;|mg|Hd1V/@@j. I$LZD 'fq ޒC EBzfUﶲwbIe_b7M<, C`b+JrK㌐Av(otR9Eq&?эCNy`] -x10GUЛ;G#q7QOV-(*30^ͼ^bx+U* r{3f=HrC0̨\ύQ kM.ׄ9S\Xj]^m3.1UKXZ&9ycmpxUI²fЌ4={ `ֆ '8cj꟩J@Pmݳv{hOfoQI7\9nt;z^z0> uE;2M%&=f(B3بS43eވ ) .;kRHBh.w/~iOvEye/3*q.|+l"mE9SH-`VU/ȡ+T^J5Hges apZ|9٣iaw[{\n8 hL_3<ې Rt+\.üo䞊dj#`~FRpx6盝@#?·zot]l 09V*b6UY|ﻶ!,]OqQ^{|A=>MDB)hS^b;~fײ nL͟X7ٹUp\r܉}Zd DZ% OKZopҹp "sxr  ңa[bERhWv^̀}*W~PB"y|^rG(G|6s^iPGrx5|ЩJ5nIq8[ƨu6_3@K;'BPҩiA@-Q߇>`ja#[7p/Q4J  .S"k EK};qX =Rw}0#4G酥0x N(DSP(ť f_!|u5s$@IeݽB*.SŽ`r zhc=Ŗ!^m@0‹@erR#0R ѵa|vjɀM݆f( %W'p!: LaM'xCAl7y)LO JVts lc<;hV~GvXٰiR'[G%"}?;EExD Y{F# G4YǸI͓SRwiŶtuApYc|n;(ĒgyX"lotP{{UOisYC9`P ֢dz80EޕE[v{؂CmXaPk us3EjwzCox TKO%69$nϕ BV^HO/ƿPĢmLLh|Iuƽw1ħ#mߥ( FQVr\z0 5v-+~{7+J-P2|k:x Ϗ•e RC90n Fjqžu ‡09^."q:e>oEWp"pY9O6E3y@ґFj+ F2w`/1X^#sRNᶉ֯C+ѕSПWϖL!nږ=& :zJ6a\MHךvSw=Zӻrf*\Y 8R{h;+L097ojJ"1'B!//q dOX/&:|xs%[Z!d yVOF!ID^1)P1jenZ@o2jǥy5ﵓ0<'=6\:U p?[S2 I^Ь\gT0_8T={H&D#Gk %H ^u-k%`?{q$XGb#V?:;,|/ g2hz\7ᨠ4i*=y.Q .0(O`kn{ (~ ixmsv/gz^~~L#z"ܽ6쑛6]ɋ)_Hph} 'ڳOoХ 6,JDء{C {[odFP'EgtYU gE'}Met(|J\:=XilOe֯ɟ,Dd8G34+kϷ,u:^/ V.0 h{v?LYYcY+Jнz\-z-4XZA17|RLoOg&H$= i.o?b*iҧs 8^QDڎX%SCR-DRD}@nYQRwwhV!64G 3'7RVXȢ+AY\(ܴS{ >lΫ4Sz☰ ׫_IL(T϶|!A%~q̙43f`,V8V}}Kl/ZyYz-rF x{ ʺH}%DҎIU04YuNnD7Qy(O]MjmO7jXIˆ 39ŋo}s;z&BC]=G\y2!%|aGȥ.J;tDH%OԹK{+f1DFIӕ%ʈXD?" dvz,K81t\md-a_H> {NSKVJS A9t =*-GYIjo(&C5$xKڳzߋ|${ e Uiii\72AGGÉi:9ev)#hA0O\{D23d=ir[< |'GXN 9v5+'AJ5HL(;KB8bVcg=}R7σxcL;ܗ_Wx^`MK༥2T@[JpAq+ƺWpD$ `ms1tDAVW+%5;]qFl=Gz;n!# ?o-y\f>vCE%V)>-IĞnUmxHL"9$/.庯&txw6T!i9 S8V|5R+0pcGt 敳Q$jk]H?x\ <ȸ% Rl-»thKܱ P3nI+{"ZY|#E*۞𯮝4]Q'{I鶣"[@)ԅayXknc끢($Jq}!JFYRz22)_Mɒ*p~$g{Uu,䵁3eX$uuQELP F(E^TՑDnVB.{$xKnצֲH-6K!qd? ȖT=6y:|@zSn%m,ي?};5j͌k/IXABI7lR2":34CO<ϼgw3q=6a]:X1ߍ9?/+aFXMv\L'KOiX}"oCv=VM5_ߦHG2p*&D:5ajgUc@y3aIgq)鶝U7 m6sQFj(_sOD>{h9cӠΒ'C{sZ.$꽞DdM[IЎۈAo[\=I8Ǭ!n޾r" *ԨX,[o[h| x*g#i6.r}ZS?7H)P!o:7kÿg$X{DO{A W% 6dܤ0S 4gQNu{跫,؛)XJYxXW>S-]q#sBhDͯK;jem ܲO!pӷ tqa& CQ(_jKK- *1H8]pޭPֺ@F c Yccփ}4v;tdet G|i)\8F~9Q7cY"{I|×ęl^p@vQmqAo :6wWb"ۢˎPlq`t0B(8q菢[d\s Y}pg5o ^qs4߉4\X 2u1xbdi:@#1oONǖͷ:b'G/K^%xtɨa&qDd@yi~a3D$wHΨ5\D|'"i.{"}$}nlr*yk; 60Nw19f k YZ