samba-devel-4.15.8+git.527.8d0c05d313e-150300.3.40.2 >  A cp9|)G}(Bf>ߺ5ywAu6NHsjOPhB@N$(SsZܵ}Hud'xx*A/C9di\3՛Pq6Dxe܅N 8FA/&mXLLHGhB/9lzS4gTABа Dl*VB*hkyMn΄`Yg>1 {ά7H=(^Two))&d;5iO31793a9070a936834baae53679575e156d2ce872d25383bc0836c29cef7473176a332fe8bf8eeca652e15ba7e74a2aab8947818dՔcp9|8 +ʇ@ȗW 2& Pʌp֤8ov\|n@h9}RM[b\]q+R([Ȱϟ <j7ujZ$ (깆đ2&Q,@ )\Bmʰ%?(ʌNDj $ug '7X&ݯN5]69Oޓr8ÐD jS'Y{CzPXROMA'a'}R̀ >pAb?bd) 7 e+ Aax~    ! $&(+F+-$0d01(28296 :GBCFEGE$HG8IILXI$YJd$ZM([Mx\O]Q^X( bYgcZdZeZfZlZuZv\w]x_ya,zbpbbbbCsamba-devel4.15.8+git.527.8d0c05d313e150300.3.40.2Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.csheep25ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxx86_64( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l ha Z=1y<u .Y3T4&{66)w+3'A,;BG_AA큤A큤A큤A큤A큤A큤A큤A큤cvccyccycycycycycycycycycycycyccycycycycycycycycycycycycycycycycycycycycycycycycycycycycyccycycycycycycycycycycyccycycycycycycycycycyccycycycycycycycycycycycycycycycycycycvcvcvcvcvcvcvcsctctctctcscccctctctcsccctcctctcsctcctcccccccccccccccccccbcccccccccޕ57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac31597c5b078edd5ee2c594d5f7da48f8541ba4e6746e5ea2bb5fe4faa3b5dddd0c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203a2271e48da3734000d560f44f906e7b47bdab7f64e2dadcc0fbaaa49cf756dcdlibdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.527.8d0c05d313e-150300.3.40.2.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(x86-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Update to version 4.15.3; (jsc#SLE-23329); + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develsheep25 1662115781  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e-150300.3.40.24.15.8+git.527.8d0c05d313e-150300.3.40.24.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25692/SUSE_SLE-15-SP3_Update/31bcd539228044ed3b978b6d5b198532-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP R|+OQ6GButf-8a1cf1acebd828c8433ea93be17e5f2a8f9d3b95e75eac9b239a3426f7ba30e87?7zXZ !t/J] crt:bLL =NZ#1C $SO8“qD|)>xq#pD]y[:Jc6ʝj!$<'M%0h|U}|cz^uȐ M =NG>j<\'F_}q\H~ Hk?RhwKIiAК]p$D|W`M*}rRV(ƍG=tbxqhyZTIKtJ^Yg?>*pIoUpߵO}glW ,N?Ƭ=}-Id|R'˩u]cꝳQ:Fuf Sw|~^Ea(2*tYH◂$uKv$^W:z eM練Eѱ#hzAuY=ڪ18Ȉ4ckGЩv B c(j402"1m e5JIG EL>W[9#m5:V n1xdk# Qq"5P8* kaO37-@%?xwEƄu)jT!n>G.Ę_IE"JS%Dd+6Kh⼮7$Z5>['x9qЩ3; ĥ9pu6Wr.x" @T$Hc ؄{.k *mmZKW紖Ҭ XotQ73OQ 8H._Zl(隯i[gE5ֶ.:MqJ/ϱg@[4i$i e*tbf cFQOt%^V̌Uv1,?b#/7&^Af!h(\Ynm-$٠]nqD}ggQS@yV69{!،n{X~OM% P_] 0m-2m6_&?;QIA oIf韌]^]SJT;C+xI-sAMT> \.}&Mm/)ǎٞ!IZH )=ߠvdt.E`6m 3}s$2zA.F axmcyK]07E oKN^m9J2$$9!F &އ8 +NjĈ:/b6m}ܟlfe61#kH]7FL1dctp/"!tYα%ri,.P=LD>@bB$<2+n$z#+#=3FG.#&ːxqUD*!ܗnHWl ;LR@xg ĴjRs.%4P*>&u!7_m_ v uT@epUUlpX01nRg=bU&GY6o { 뾺뷉gX ~p]/i_I-bW'^ӿ?E\Q{o0\8ݠ+t=>-=<7#A dU,R5{6$R8 ⿘KÙ%SRXT1e6&VB:7bT _:ypɾ>MI$fY6 {2+M-xbx;*Co/KkfJ۳Ȍ 83f:bjtF|LnRևvmSZn90-2/xV坅Rg.Lݲ1$eQkgaE"5D:RmĐj[2#'!pT>5Otjs'2P2{=p=ڝ&}Fՠ@UtOj?>!T4p&Srg^D%` q,u8 ȔJ+X&h6 b,δH|| MwTp16I;% ]t%?LĮ.7@bE*y0>%mLXu$-e5y؄d1r*E9i yU:=RHO5iל|2~,4*g] eXR8`r*)A i ZIcm( sQqfWD$vIn)\Bm􉌣ʼn]:+c}ƭ!GfƉ3\OzY*R tdIbEL4w_QN: 7@t{AmZ$ 6"C9>,++˶KtDo.f@Y\}1kV5f/'I K2LY7^7LN[wmͅR|m@P]9Lx;~?ԍq|[>҂ bޜ (4U8Ks9'l@4]!>!q@(^jar;*o~ѫʛ%z s].rE *8<щ~g8A"qӞ|-87u((ʼnZu - A?Bj:6r6!51 hlSzXGPVKs&06Q54 DG[47}`!h[vo됤[[6]+샄KBhz(ë[y_ʮ?KxqP?\@rVʰSНhn㞅6@58F;ĻRۙK)U̗) >AoM>i^ޱ^72tvb__ag+<8-*R-WDqXގnY<^z7#;=& PvdA@ט.C t&ou7ZZb^9vVZ^%p%JX)fszh fFxOA|7T(^ųq!d> 96mT~Xd!i8`)=D\~kH3< SᇪtVo WTc'۔af}bKJS ӭLyM;<<ŽnΗ+e\/vc'MY %WBXRý}s`):QD#Xuq^3TGXY[̚0RR7btݯaKtB)G _ҽ´<[Nm@BNVtńzgl6飻E%H}AHe/qx9f,L#5{?) qZG0n!R=*Z+1zg:$'ٸhz]# o،G^wUe{d: w-ޡ #^_3`ǻKnȽJF>յ$OVr5#NqHe 5z\0mg7oӃ{ =q|ateNhJmfiCT;ۋ)qaAF i5%a& %]IH9h 6Y7J9ҏ7S{dvn5mB6mGrV=n*OC]4VC;TZ>WvB;ۯWX#>RWH[@18B9lc;-zASTY7 W<őjQmc/@oEWGXҟolhH#PMlv>? 4Be0@bTCk_XsŢٍ8 Y"ǥ:Bb-&V? |7F9AdzayC#k:PעF1$^pm!"u4nI,a{bG_SnK24&GL1AWka5T/0R~$:@w$~h(5%1: [U,N9OF91+J#]QR*&; ky1:"\FC}"c]pXxqiǚMin٢d̤ދ77eզn%D\œluIٻտ^KkeL 4:(A 3?HjmjTٺ`)I]"xf4WUwY۰d#w*!\ }KWփ2k;anxK>8ճ!-Z}f$Mɲ4zT0(y/A\fId &\3՚r 0q52:hh$x^рӳtdË-vg*03xi"&.)x f`WVR>'xpK glAcĥڍã7}ߕ5f AF M|+B?۪zr<=~q2ֶ(pWw*&z맚)\`BQgE#r[_nME2*eP)Mq RYM&f9wƢ1w~K?ެL?T?צ@H>hg qڔJ@;tv 2.=W] *opߧqD: qr_Q8m_Zuxwv72C-UƫK7O.Ӥ-Ol!NKedyvRh1]7:1u}yς}Q\Klf&n ]UyM EYfbV= X ̫h'Oq,Uo 'hƂ'q*V%w疲|,p!&ǘ53潵VkcpaۨuΜ`W3bIgξr5Cw4SJj}7S8_8{^ltj7Nke?'>L8oW1~z:X8͒40ZdwȞ:2t>fkFq__9E}V )mjZJT *;B9Y9:<5O hVG#m}ځ}y>egkR ;YiE{u .~09iFFA_|qk>9}V-ob@Fh - 81s]сCWQv1.] Dr4ݷQT!3X!i5ShU 4{ !7 -u*Z-R>uALC-@b5\p`Y@[qZUБ"ZW i  Yč(jpeƘP1Xn ;iB/)_U\.Sv9@1NSךEB!-.}1`) wQᰱrf|s1S`gvc8T ce| КbuǷ)pJuG蚰NE1<S~Maz *fT5n7`uJɽ7-zCAڄc@-H91S>"J4ɹ ю.\C7jG;ɫi}=KXT/ufsNJ ggi/3͍u:FB`2LD7OޑBf+KnQO< )4(@^kkjZGDѡC 0mӖ"3 .$k8Ueɯ߆x ~VipxeO}*tno?Ə_b[ëp;F{Q&J2ٕۢ-Kͺ]YZчm}u#ThcaEXk{5~6m4!"vA SXfߚ؊s9aPoKo8ވƮbzQ=v˘vTec+vs bW5:ѴH=%+5xÔyM G !zUfrjW 7⽥ՏФ&M-pb{ zzF3.0,?$wސBPֿ2Y V=%6&(&[뻛k㈖zxPNÖY(d}`^uҢA]m_H F̮iQvXtپEE擘} ok? s>RaȦ6뀍N 6Qs-%i˸K®hv"v4O-0:Ú-؁M W"_Ig_ʶKz{c@)CO,Zaϣzɕ ˵/p޷ eq\^i=5 %Vݜ=_咕151bzbDt6'0Cϖe2!&1p1S:(bϫT͒yg2#gO^ ڒbAWZHCa5i%"ě}ZY;B'a];sh;* )&1"4MgDP]r@74' `u`u`uIAٞʻXxfAPi8GY3fn:Pk}Y& a:r~7-ѷ3q,ܙ8Z%uW _nI:LwՐWڋ#4ɒn2V(FO%Y6n5:"cV%Qa/P!K?.e ?B%2FflgTũq>p>[0gCfjlJWXE鷪_{Fv1G*.Jn,;F̧wKSS2a6<كf$P46=_٭~0 H#Qgٝ NTKEOcΈ:k +X (M1f?䁐AU]ȶ]7hЊ6QkZ ?ʇ@L-»[+*/i~[-Oewqn`u'tn&3g4AV$^>VDw Ӵ!3OmJ`<.ךN;$S ҟ}9'}פG%[Ҋ$I\EG0$^Eд w"mԔhISJV<njGRȻcSpVřRYtu!Ѕ6ձb!\gcpZ{"UD-|l6mND6D}i| yquo٨k)􃜋C&1fzrGb>օ`CY;($ĂEG?cT$Kc6׶ xĢ[ Gld܇Һ~|k^oϷqP4-!_7!>m_C$[X{|҅#? M_@ 0+Pa ˝FqС:4Y d)^1pyų:q!Wn0Op%aLqEQ+jdGÑS9X_0R7|Sb1*rS; E+ OlKm8JJ:0,8<6wnc8Chx-f@^ղhaLS ?&g EqB<iu'}U:ryQ*}ZL~Ԃ'TjvnT9e^dt}BNusݾW&f[%k(Ӧ%@0KFȭ,l8?TۅNOtbpnq~DMtz"_QZ]W205e+jKz1#"Ljz"Ⲵ(8,d3ԗ xZ$6D! E_ՔpłBhFhzF.5F׌ #kXCz)Baأ^吂y~ZWCO7ꗰahЇӕsvqv42" <;1\6a>l.Ir+W0` gcw45L!^_% IS F1Ɍ;jԶWat >/N柟Lht>7Gӆb3Xf[6j+v2, қyjmI_ZQYCqQcP N*HՎx&b B=~ةoƺ-tu2%T%"4$)p1"PN6c&,0%d/N@_$Vw=@9߯QؗԽjq62 ɻ6E+dWb+[BEFb#ݙgEqP$U ,J1+kkU[aEQ,-|E/[&p7*1Dax }b]OFځqo-prU/#0x|:n}x&Te$끓Su'MnbњnQ&*iS}, ;H$OucDق7h{ɩ /yn&鬈rd5OӼO2̔/\搭r⧄k~:W_ BeJ=hӨ9]ё) Z# `gUN0[NCrqO$\hj^^0 Ίls5])@M6n^m#>d1x[2ve_lhA] R.'gL9GQ`"/@@6رv)4[MizEy8rKnWE {n,y8949W!,^&:I܃AgX >ˮ\sQfۺ%<{R=4j3^ Z=, X?!VWS lM=΋iWUw:.toZt\`]',\Ӊ:۝uXI4n1Lb-mKu* IgOJyb8"՟ѐ}GY"v|Fbf: E TsclL!E5#lB&ހG4t"NMRd9h %v !ZyL}LFM.ou#Kԣ-Mj 5z9uWGPp)_G 4pzBMa=WfzYHEcN^sl`)qOqq+sJ |kk3z /r9HQ,lWL&SwJr^vf*Ǟ¡БȢ^q$$@u;g In<ͅ{/Y?qE8F+:3%[C-⠅(%./a^qT8fr4j-gQ˘z1eq_N5!~Qj7g, M5A[шx@}Č 1{@H-.X0>*y<# ^?Er/Fp|𧇚^.>Y#(Ro<#P$D|OkLyaܜ=h,THaPn醾g*, 3יa;mհᎲ ]0jyz(uJejͳ# C H8уN߉e lnq0;%D,2'QLRb9;Xj2 Җi$DPOUQ@?FJ&*if?dͧȆW Z `.,#3Isf{T H!2=WCexVULB[A2]<ôk Pp2v/#)&3͌/wvg4'A )撻\1&!MĤ%:%yzخg7~Q[݀ڂhρ\xP WnECgwb>e@к\*4Bzj6'i#>%k[:A_EJk= Q,Ne\s6 "Il^@J㳃di8Vppq8zcBaPt̘5ĩ͍Q }BU4ss }Zx7r P4tq p gaTwxxR<w$0uVrK^ o!XF[ A_!^noiHg 349$,k]u$De? R@ᵰϤB:8I>aZZDnG+-2F]YE(C_0זSŁpӑ xq ך!l4;a|ټ)Kw龒T?F]q}uZ :((T(1_WebyvC[+OtXQO.dh)3C |Fyd~.1Quj۰0i.K{\mTn2 a {iJ-uϔ$Lޥ5OH 0 ۢyb%~SBX yb r+q t'HELr̨YPڬ@_S7G )ʧs_M+=|KS}L[:(RTc/-=:~0?S~ͮ}=gNrJ& JnNO1$dxݽ/^:FCsG]ÁauL H?Dњ ~㤺:uJ P w>ՁSQ=I{ipw`UӉ lQF{Ctcco` {"L,q jŝqص~nw𐊧/f֏v2o&.fb Af+l돮Z9 AМX@ѽЩ~Sg/ p"6/3)]YG$ڋ\IT7q\d4e4U0hi|cɞp _wqN3~\U}OgF-^UȅWUH\&NmqUizq}xYtH5BLC֟]83AZ(L4s72+4ȩQe&Lt0pSh>Ϸ#8j`KwCѹ{P)_ܦaJh;bC:oQJ$Nڹb9q.vF1FW# (U}ϬU}scnND$0a$ͅAh%J5K5?0C&`UrpXYT  f׀O޽ &\9!cM$d@+x/lM B2o|R]k}hvc\uoJC T[whڽ})`-f~XP(8mP 0Xa ?녈 +\mv ʈs6S!6"JuLgpb/$ -ǂ%[ZqIjbg|2^+bP{$SHF^ ΈF07స}QƓSwd~-}z~ _MSK_ 4Avݓ. tZƌ=1 Ѹ"rVH "<>amazQ})(Xђ/j/u?O~ BNE,>QZr!uד 䃿<]۴R" }ɴ|`Q/FTϛM h؊9b)8ZΊ:͐B|w9bƻ9gc!zH+8̀(5&(ܴv0зъ ;r^Vqx|tI-oNB]zhjʦȖEIU.\m ;!mSV۸3&y5PR m1T2z*4g{JeQY}+_O+z9-&CXլoO,m_[ yGAsϹ~Y 1 W %\b" *f )u(5O>9Bygme_g,͌@fk"d.It8R'I&,caj|WlPb&]ŅԁIQۮUף?7ߔvey<{֓9^mUWE3@ om7x$G"Vh5x#HV5Hpi<Z -,fP6%fT72v͓6~:>%/XTt,=Rad|q_&V)گmݦ+@x7sOF@\HQ;?MT=Ȭnجlj'LRHQ>syx? h컂SZ{̪1Tn˻-Xn_ ҭ!Zos%>ōRsK\hLoFna-+:ò e!~'pkYe7SbR-%ӌvAMu5?EmrZfzR b)\y%Vݭ3~ Z h+x{FD3*jDʅ%]|mvxTM:A%_Jq%!x8*\4~ zV~(%%fCu>*2<Dz}{ }>CKfX~h@wC3WyOdK#m1凑9Ec HcCzGr#4ͣd|8* ,6pJ;(iK֖I%Ƙsv]~P8>sW(f,7ze *(l^*⾸?E)Z5"ZviYm *ׇӃ@Ƞkq%6g ml4;bٹ^ *遣FW|JSia`j߆BgiCj)" ^%0\d)00_<ײ(jQ9xIR~.";Wilu#LoXsA怼ݪ%~f9)o # |ךVhHIpxu ':`;6cb`Ϲ[yնVζC!y瘶ws8PaM߬hVDu=Uk̼ >kKїlV Ъ6~cc]c`ҮpC]ww.(R!j9QFm忨S88XmyuHIKOf`*3HGiWߪeYc|ESDB;.<p*nwY';^ti7 ɒA=,ޏ֤wϸARWFs8\eMr?KR@FaA>$е 2zyyZ[p{A8E…̱H n`+;`ͽx\[XK\!A?X:jƚ9c u"!'A+#8ke䫀se>!3Q<_(nt{LwC\~F/IjE ig2Ȗ&uּl6,7±,-B{ 14eODeC Nt wy%ŁJu=cYNU:&t`u$0J K1'Q HOevd]"M4>/ E׼}ʿP?sna9{} P<Ƙiz vW:~łrWP0Lc(.!AP٠y剂NhƊKxK^@C \VR /)(ރFs!T:y tiR+K[ }%9/ceb45ŒD_XQMc$Fj%ũؓh Hhi7Lae_m4?z|k 062K+AYJPn?U;Hr# 6dI,r *L^X>g5- p"ztmIrd* nBz>wARR6g옞 W !Hwo{y?E@mƜ5Bē0z!0 }d}j, !`ZY|y 'Uy\NAd`6iϖ#zf:_ճf^gmVϢA1My3]5].m>N]*oc1IHncp۪Yl+$-Z2>P%zq}Dگ6ڏ6Ԗɕ+ƞ |ZpYRS.3GJ7(27YF>s 'YU㢺NzC|:ZUVo7$bY7ޘ0_ z#ixI$E=f (AfBi/2?UسbBmrzr5i g xчHTWp־^Fu6XtIz<;:^<k|i5n4nށK6x-t^EP 15Νjpe W6/nZw3% m|/d}=W OqibU:)-zLdo@)±Cз}8PqEO?0u /kp*WDMi` <8vR .K}FOAZ (=0Uo0,J%D^H#z>;j伤aqM*q;m(0LLJ)gǨ&}'vw#+dj!";yē~Y1Idc4xIV+' Nei<ս3̆?$/`eFŹ NygrQtFj?"?lvXt鼯?g/\d6" DΟ\0;1Aa+;kKmJA]U·ӃEk7։?Y WDAn=^)#4Qig+hj/ `c62e+<2;u6vyjTr_n]N}=II %~wg 1Rpr!音z7I宔zd1?}וۚ-i_u?ǻG"k. c\b SoCwܯE5J%.ΛgB*L]ؖ'k5Yc#!WDjp/GDJ~&yj;#O|!ߗ7g8'" C" Ũl@.ٍRn%k| Sr v϶;sx+@u&LVY=TY5}tGT%ĕvO\2d^4ۑ/v/-Qs';?z^ȴT6YĐ cIT')|CǨ= ;s-GD~YKXe/'l/%sC|S?[aB%r/yz۫ ]9~N#>^$zkn(|:'_uox,-\xg\rH:fCDrP#?d#}]w;;M@.&MPZKZO=u rYPdm4'^k ʆQĹ*ʐxW"/Kc& z^^$ ;%x*[bV]8`BlŴVnI;OlWfՐ1Tq{A(")ScvivqWL48jϑ; I/ELhR"v,W4d̶`74:NA %P۵zK_ActÔh'5Y܉n$jakd͠TgD;kn* UJ{7ܺ  If}DcVS_L4'TDJ3A뿓 ԍJm~L5L:7^?>)Ӗ4Nedi|}iԅ}ce{U lr,uِ՚EcOOp2T13M&M]bS2a _6 J:!=^㿩or&=ע+@Fu_mfv+RO )D$@}5v!D³K_dЄ {m&'9IBw%)I4nK7C?Qvƪ_i+ŕ-lJ­_㒕ĤE%hR}"JcihBۏ4y4 ;y4ҫ5=3ɑJ{`"qA bOIϨ-U[I'~s/»ܚM6 zE VE A-gb Xlr>e,.%w3g]6,6@6>_2wo8=xAd5ƭ;y%ɻ;_t'_:<=UPYgDK u&#&"t?H\ɂ #̥{͈C@AU4{,`ʇMQF7[q8+$RW@Қ+ièN5Kx[H؝9:7 S9 З[z&@KMkB#Ƨ`U"\xkd I{&py Hd #Bh{ 4*.61"ISPhH.XܷW]|,ȇ~Rj{~Hy36fI Sy^hz|i'|ibYO{X~XyTVKF8Z\OJ)dӵΑ OswѭNYGߐi;>2uoX*q9<巛dޒbQa 3Q26h+ʞ@UIc\wһmUss4Fj:zWfzq9{UkF3T' ,H u[)evEDab I9gn0 8)>aʳI`K5@3Zݩ[U 4+)h#hnٙ7~ݞ12/> ^NQ5YP2H N[IUqᇁ 8gѨQ#3A_l2\BUk2D$S^j>u ۂF;Vt{=x )";j9zѺhPӐy?35.Ȧg5ᮝXk@6}ltXt"4<] I,^c }}=A.}Y¿ 6zT`"^.+/ۯcM\6rp>j~¨A|+B'xFhBW'7 n"R,S̎v&pC:A}: B{qt9` t:{OzF% ;@$jUo -҉\@k7UM !:@8Y11@g[[09טZY/ÓF{;E @HgZhR*m>#p:vaJ'Gbif=S}GK3m$<_]F(3ԡ֩KFp!]p8{NZ|TJ \Xi݉4_VQJ.H} GRi(a7ce~I0VGsFNf M4.|#O9AjCq l"?g? y,'slol 3mGe;2F-d3ŦWK'WKZ3XINoMֆ-9b]QLl]N:is$Eࢼ'm֠2 N*L?:jM8+;vC'e'ۆz?^> VaCڗ27CX RUW\2p6I4#tM FDwFT5wNJǍHA GDnC c pk<)=Nգi-tt*VNU ќ%"Qtvh E>g \hro»b=3ϡE嘭`y4֥QV!F:-+˸R֮_ e)g[M[ Nt3`_EޞthP0Q#Y~sd@jYFku 1'wwŵh"vc>3綑VbRw;j( #kkN}( -¢D( |E'w }6sա;"kkH),ΤYX ͻ?Z:ؑK)CLNz Fpwr)*Xo֭OB 7Akʙ5`:141+a H.wGN{M69z~4Il%t歲ZD }m},zGAՒr쿔ܭ%6=2NItzNy^Yndd襁a7E7Ib~Cj`?Q.[E]>kB?xs׷ӠM-Dߙ+} P;Us m,nIM (Va],r3oӿGhY{5Jf׮CRPkP,OhD >}c'Ԧ/nKLC>3anOy׋co%WU~b' N騡C<+i*&="uz|$}'.Nr(y[2 :zf”>t/+?,؄@+{=`j/u.7) Q~%|}I hK{uyҒ!KFԸ edo zPj3bmCaiqz=P+wܫQyL>.Nȯ;'RrlAӌn C=I ̹ilȩKд|%=Sf'3:?mhVDxx/XЯ0V s-ofr *A;vCĊWkwjoCy.[Y]5_t^xilw%z2MD.` n/G۵YLٔpeÊј^ 7M1I;`{-aim=[`'ۈJ'0)w-Ñ~Լq m&?ѥ%_⫙-AErYUA{uMp4"k{7wx 誗k"wN$UhiN"E*nӱrK$l3ͼF4D&W =?0@H"GJb[esCe ,[Dd|H\}97  [.ZA:qŰڭYBeF\b=>20=;$q^VU- &!""2_Yw]CHCpd ;j, j8d.8M ŷHG=Ǿqmޞ_ͨ Nݗ?g%~N4kǚP4zO近}mG:'я HDrMJmbAF.ŚorHL7^odh̗L%__EqiT]CE+O~_'QqtPne*pۂC^ϭRUt6FFF)b@됀^Fs AV} X$dk]hUǴ*k!l.mFWv'j@鲈n؃p7͞7ϒD52KV |aԅ5[F%RL'#]@%r?%MH@q7yGj3mt%joauD4 BU~UlnxIe% SXOqGYqz6X[n4XXjsQE+RYx. `sr4=ãvfVTftk37 hȄ}VYy|ڔf wqV871*+IxɾPg-?,,˓F1'Ƚ4 xl0kyf8;@CΧVePpjTcaS Ɠ{B>ZO8*; f ݝJJuhqn"IMN" (-75'Y97gI* v!QjDb!E -zrQ ll{L?Ia!L4\D\=907I\:$0-tn, Hi٘V([I,/ K7ph:XH(e7ClzfW%ȁA}XSsTHɈ!0 HI![?!ӥ Z%:iY$[U]DmˈHEN63}mE%)b^XD9X"˕z *b=ڡ\#+*\x,rA?֠%5B B;dIttOB}7vw,͗]E$yeA}c| [6$%9>[@ .ԇP/8M3_*d[-w^i6z5ΗUb P&`:wMUg)fNF%5O&]9p6ǫGL4DďeAFYy)DC4(3diXek)jH81;T.UT¸May~s%c1to"wUll qMEOg S48P~Au[;N16#F52dܢ_uUs\5[_c鳚g`:kqdVPnCƣ+nc|x XD :盢xVSmr$A&)z)-XzrQ7;pXD11US܅Ilgo- Z4pn%D=>圧*Pި g>͐yL>7:2QSۄdIdy2 æ@Ave0ǩ*b$*K Â,FvN!M+N7T_8KZ/qےΑmz Qehp#usdG ns.[/#ls[FSDr'UpK30"'Su~۞e߷ P}X[oOT3] Dn׬V;6HpG-;@ ܱTѝ.OPz! z!)paPsR3n>%vQJk_5Oa!pi"5InIo'" ٬D~gVᑚ">c>f&jtL.4r|޼Īx4R[%-$#o1+/xύF;TeyrouYI z1dL((So+sA5 ^Z$8%]ESd$?@ J<dW"\+#fm'g#d>5q>zdvc`K'ɞe;0deijTpc&D/3[[r⟅4HQ/EZӊ ڻ9lkRU\)܆tLr!:NfDXҕ@h0R? q.Yyi̹#屝'\3;u=X8z8ezݾp[Z#0rrs__Qt{uʚp B5Q  M+%jPS3'\ADr-Y" d BBQQ,PFXv%%pN^R:¸`cHa㜗Ӌ`h;F?Z.(z9"#gp\DmNaU駍d\53er'b;~'\ű(L$8;?,"@^":#,?"MM] A[X-w{}X tsí|[-RQ/ǯ>+BeFORg'zjUL Ǘ5H8 "n; u./CDQC0M Bd>y:"+fvg@{p%r @9>!Dk|ۺjb%(STPluL%ЙGՏ uư2%A\?wM]'[/9$x&xi.X`Fnמ<`Gڄ35wmv'BԽҥ/ Zsځhe_z 2`hϝ~cZLQk.7 vr%hE4? 8\i5mPRmJirC^,!Ʃkܪ"^l})NwU nB*l'C(i1v_[_7x—ޢ.6P@y}9 $Vn㻖XтP~b9>/};s! 5"ݺxϏM:gj$剉HM4qQac\:^IK{Hze?=F=Ь!$Ix ޓ [e@7vNMTĠWAx]$7 W-vnһ렼 XY^АǢ>bo#,VX2-~'Is/H0pH7Z`C&JpLƨzOX[0xC7N)?l>E?[ xP1D(ǏksiL>Mz` iVF|2*I/ ѓ@;!%u$Yv[qx7W3kڹZh8) kX +鷣uacV>E!JHo11t0Ax[%EDŤ\DɘI 7iEe%/LD3{: hHAJY1nfn':L~U%ZnÔKRuWY׋@lPu5-Q4E`uyoĺE:`/07TZ du|{k3Jz(k[/ VR!?.=h|~hg֗<#J),XE%˯02ic0+7f-X.W•{mBIvb[_wV)[OI95u}Xg("rv7rM2uj{܎lmdg I5/J5UiTx­g f2| VGRVF@:r|jUXٝH}<@QKRXFm`am:213tͦx`,QHiIB!bcT/g8;ʅ*ůqJ,WʫNȑwLtH+-ij]c4#:T47S5H[e,1r'}k]F[ o+_pk| 8R;p.Q I aELPTADڿEpF]<$ |EʶYT+K~8}\Y25e nn@ jM,I ,?LdxЛ'ff~Φ? Zd"⩙2My.{tS׉q+\1(ؑp 1~߉gsjp9?kz&y8e;^). 'ZWd-MU1S,n?ܿ~}'dq']&Ձ i۲ E󙳆V\!BjQ_  gm.ՕyyJzadT򡨐ψV]y 2E.fs"w7b2.'znJkxق75S?Fi; W/ I9+)!H*g̛cKqsU_tpp5f`LGh#V_4z[@ yt#Ȧ4;P Lj[ҊPq*}5hq#LRc >0D鳫ǹ3K'tj f$UnuOMw傒evj=zE:B35ҟfZ>)籴(PG WxH),(g1mC<@k+-[fS1Tڡ=92jhAW52(mAMv SNy+;iAndf}B?'ݭGCk9O/Hnt _zYG#C"5JDi!He (B)8UvTPձPSVNn%Jd65_3\h#BE-O%ߡe?;45œpnfn+!qH8`/9Ϯ e_HXqؤCgUZ~T/rՆۙnxUCJ9HWޗ)UWV;IfŠK}LyLF`\];C 6&ȓ Ұ=ƇpBh oOTnHT_nJ9Q)]CvcB4x7-`+híվDFcLdͽ{NN-A]rjķt+%g5,=HS~3r; 4ݵ&G c@"N!FBt+aLg <ːHXf-f hR  px$F)N_߱BV_1AJKGL ;܎LCᲑ ęЅc3P ɳOȈSu.Cϭ7Y&^7Mil"gfr(4.;٥kލ)x݃*"B!,)֫o R%,m-fZDN`zX` DWXυÍ܈Pr洞&A7׊67)qd!~8yZP <4sfr# vIOI֜'FsK"J{F@1g6\vx [XZ[S ;t]7@,J9u'/$14^8SOqT"/{D? _Me %U=njAo숭g+nD!@ mX¨31e,Iqc.H͌-u{Tg%]Nƒ.K֢bO?>@dElZ!M_(~T`/jpk5ŏUlգa [ky _] cSYcV2J$T++RҁWiޟ`g'+a#G<*HZf9Vp[`ϋ99}paYˆ7AYܲ 2e}D CXdZjsehܞ+abc8pnWL¢TE՟ L.bg'P'IC~9qI~3ӆ+eryp#W8g6|]:Lpv[!NآS?>%=d% .B7 N1̂J=CŵfM:s(H؜e؄dBcN%^}Ƽp^ht8qq@@p?s^|6NG JGffiRQ;3 :iU9qi×]Kv't{K"`l_Vl}TC55(!*2*4n ;YɽE ɊSqOM]T t^WA!1XB_varob4@PRzf)ذcc18P`TUcVg] ف[=3"@8DIm|&bO8- wkfN;@I]%5PK]`"@t.E_GN+f?λ X3@-̨w.2±!Ο+G x"S>019SF{bk`v3 !9ݟY)X<͐NȖ>Ty KK AiX7яA}!Eঠ;1D j7sPHOP[w tvt|n!T5BQ ^{al>^&(Op㊪I@5&$ܚyIח%P4A'5+KiG ||Am{&`$CNir4?|.;+VQN$Xk" e}X K-ˑG xX#zO%zff hFJYRFTKG8Rn'͂sz4|󭙤B\+hG˫fWpX!4n^xLQg{v5f2 -af"J:3I=M7"n}MBCct^h͓yrmMC٥LMhH#9=P3$D}q=m p! 0Gч&W"v &ONLO "mb}D%n Nps%ȠpQ>φWdNZζWԉH%)X֟Qӳ-!ZXwl4-ƛ| ({PA]x{3\ԊvgXx\|1HS)uw,l>fug$.L~ <`+R]P/T;EIn(/%3e2+IZHd%V ݉G=T$hbinyTG,J75 )4Qi }[fiً{òC~ Pd/?24N%kTB0vBR&7r0~>Iւ8f ^`_8B"_`\tC뻄5 Gmj2I2:e_ cP{;y;V @|E~hXIin+Mo wڲî2>Čv7fHRqfzF큽MnW!6n_f5YOgZH?C! 17-Rl)aS[5}瑘q^͐[)8R/J1e&T8_=8N nMxZ3_ - w6=L{l,۟WvΰVysmUe>%gA|d&>~\טgK'!~2MK\ėas>hN&41j2.!WpseG*,.R#+^x{ aY\wᱤOMpX$ۍ$daTs2$耦g˸:bs/EV&U;aOiRJvWNf"ֶЗݣ;_gz9\riׇnJ';kֳ Β8_e0/zWv-viNRԥd|JowŔ[ t7m`Gs8'[%#`Ȩa^(Y!D ='8 ^hdX[PȞ=JA1?^"RVUTI)ԵoCgcPNWEy8toᨤeæm^4,ְD:"r',,q9u]QLy\}`"Z^v[K;EHJq|8poX@ }M/ҟ乺B v)J )+IhK%]M)t Jl7#ܝ~ME6smJ\mhgu4')0GeQ\.X?do}PR]p 8ҧP.oĴ: ֢]1x$~BU7n7X@w9DLr^t;%knwQDG(z"3}߭縫> ä'.?dǢazI<, *umiȍv$ g. 9ۂKtZհBqEdxϜ3.}ES+ pMdVF2S$k*-)W NIŚOh޿1f8_u?ԯу1~}fE-OV 5h{FemJ2{c{κ:dKY˚v.n.=H^I>:A: vZ_ӱL11v9 2)Qȍj =V,7vM}ͳmj>:&cRgE`@PíQ覚T54g<6MT5}(2ap&ʎIշ ?62MnwddNF6]\Nq\ 4o*g=3 `AOoq%3p\g ԭw7()&qFd&ϵ/waEgLT~B̯gODh܀fC q?lYrI Lg K⥼}<.Em6p8tG$7}- (aoJ1tUZ$GKQZOm`Q n,k,UL`̋ۦxո{&Ҭon#[o?$V#lڛ!u-7I6p15v]m8؏ƨ4ң8orjS0mr`hiɁ*;7,:s3 LUMS̘b9c@Լ1}YGܳ[Cݕk:xpK>gߐПOq1Md3Pl΢tNip0D,Y {*V]t᳏ rb"?W/pJOyAb,M2+vzQIMdApCb źJnMPۜrd4`#q'_'lUaa|)p#hSn0RRmaÍ_>ib{ z{W]/ Q#4|a&_' C[kՄpZDuZX ¹@xb*P%tq~:AR$~6&w|TSJxjA{fh]ͨ,~3:&eчʛU! 'y7u)xg>gpsL^v<+Hn%E)kՏq룇vXh-G/ ;v%m;񡯿C4'H[^fJt͑g=<&rg E )fD9U`"P=HGI䛽_䁑 ]H,* tguz3GM5U:Q܄C85,vmKrِ1,éc)0d^NG8jLݦɀ9b oSGivZTYn?'[NdieT"FrHdiw t\":Uwx{YYr]du:H3:]зqyńMLrf!:#U˘v?o:ޝ2ԠG q.Mkb3p yaY>CY,x`lQ,1Dx1qW3"-12aS(zyLa?BфrVņ}QI&.lkBVB tE V,6llS[ǧ7ڶ;spyxfoɹ[,d]v@8?F7d x&5ݣ{ހ+%֊7@8l<,nJ=ZA_rFy;r#-~,s[̊g5mQ >:9˜3b ʬYsZTDvN]+AE;3,Vd6vxmbCVŪ[d VHi9<Һ8TW_KA Pr#ŧ&M 7"459#8 "[KᐫЏ@p&٧cMc;|㾘鮑(NC q2/4c%Ykflucwͺ"ԈE9T6FU%04"?aרW7"PMA'߶ HH6rBWA(I&SvhQ DsJvxi̓S{v/(Yed5z(Hu[7"Gݳ; 1mښrk7/(@t4 v~ÇWkS)YW@6cNCvٜqţ]%ËkC4sc|oz5U_n\""5t,M u(7b^}Adع%0}F yGm,snkC+:zÝX5ϩwG7Uь=85&bԫ U|Ƨz9~&Ǭ 07Ĺ_zJ,aJ÷HzdQv̨Plla|\'L34>y Y^-TC9G 9)F6yKȧV]Q[XD~t3". -P~ h6*0J^"9J  12RL [uHe 9hO\r/ &rFCQ?Ӽm07wC73SpZުE𪨺Np5e2Ñ9G|T_Ŕ%kta4hyP)O>0JjfEG h@&鸳ߊI{W}K7 MX%t%`΃5\|,XPDjl11عd _/|} a]uMqh> : &ȕ!SWXR:,SlIz|*LYwE7X)q`ⲀxШ71Z[X[hk^9O|;A$ij/erXZ (XLxd32ЇXpqӶ~7e#rR+XB.d^&=Hv2FUxN78A]+HKqO")''qccBS{wʻQOYNqbӌ7>[ 'Zݵ=: !v{J0a.LӢ֐ڮKS^J:rEҼOhuӹ++dj3gdi<^\gH9Z^m%,07ROdd鈎';u/X3`ūc ]uRScXdlWg(>_|Tz;;DW;g5hV{.v/'6פ6&ⶨAj'g!cBGtN=`3C4;ua {߃jM^.Ȣ 1p<LjCJG ܖ564{GEl֏8uf 2GwJ߹90hS:YOΤt1ČwcY;$xAAXk&(}vٽ~˻.9x=FPƠ qYY^,-=C׌ErVcXjd헲oZsМ{3^)& ds~DQQQ[R`\P΁T]hF&ⴃuw'ЗLvAMv;_Ӛx$Gne܋CM3gm-WT=Ibb <*P)5]EJg7 ٩^]l}E#0AFsw)D UpJe-OPqAl!Tq4[Ihu{zy :\?,r,^:e"#E)mx(3pD8Q1U2o9U)Gzyi|Zи7:@bz>b+HwiEMG۫B[AcM^]sBVY~,5Z.xAb/ǖ>SS6ۏ*w>ge*eR w. 6%{ Q &5~cP qՂ~р|1E eaoC^Jύ40_&t sq'>/}n~scC]f&0]͞"q|=`mQ<7}kW|fSwgRQFr5!XU ƒ t3CJzp?BOˬ= w2[JP{l[MB&4/-ÇgGhz5TT\ 5)R1x 7K3(%hё*xSTӢ{!3%#XK UR˾v3Gj5t!G2ƶ ZJ(_Eè!PʾnHG*Ƞ9$4(*ܛz/r3xr/CoϮyG*u)'G%$@ce|,s5د6=X^YF)??[{+i/aiOۧ C04ENolÏ?/Q_KwՒ<} @XapPoȧ 2w vGo], @4_`[KBСy2#D 9P0?.QmXhiGq*ZC+W+D扽Qx3tbGbo 4~1u孅rt%q#Y]sH8U3'B535ZRmr+HRZ\xinuClV#bJAPAI[NI-4 =L+[XǝpIOXԏ{#&@b<Ċq,CYPmp>&bK{Hݬ̗촰A/83f†6Uz>٧֭ [7 *S`193!m?RHg%S$N:QG 44!|}EpC(sU+a/'0|r=Ӈxt 7>c!j\ o/'r5&Jп[1~k+˞QH 3Of-${#NQ,i3( &rd)rM;ݵ~S(1+5t)qؖoG A&Y5u[eIJ'^*FkI9tot> E)Ł)װ|',g%‡@zߠF;j}|Fäȕ$igW?H#{7ĵʧT5̲f< akJNwΜ )m! ]C>Gk.J*rP,Nz32Z>]o@4n=NhyuEV>ts؀ɗ=L]\B щ`} UuV̎Gs,.4{NX1$#.B{UqoU^vg3{cyc`rɸAn~.xGAYzoU fB҇y.OJ?Q:TKo7n|LK&p?Uj Nގ=GAND)OQ7Ww*.iX1(bn &'(3(fp`$/azHmx ĮQbys0+Fzhئ|Xs])lL˞8$͋_P1#حM|h,8N@ Hjl#%S? Ya}vpy I 0Ң.,忱p@9jt6H )/闬2@KۣPB|'#crY5`6K(1"=$^)=n8q!_"8QɽE2 3וQ7#wmM>|6,ux!!{T[KKyZ`KI^w=v߸++oD䷱Twws{6=z%\ೄZZ)w ) L>cޤnL+ʠRs#}JбldLֳ뱂? Y ? ZNDIsZ\,pQ3R3Z5`嘐y>|0x\T]d ݛkẗ́$܍z%ޮP曻NVhOcvs yu\#KxRRU7YKpm0]:x&j܁;yK1D0:~o.Ē*1M?)E EUu2:aMS#i HCDs UifBTw]us$wr7GnvqNYb|D!HI4'LГ%J7mloSJF9G 2e4YP_# }Co a!/LK¦Db3nXpanmr7k lrfҠ ܢ]7Kwsi ~ ;IZ)K!Gt]_5 FJNqB͝p*[;:' {.~ief4P "E? AUv{WP bi8d D4}Iy,a3"4d@J=m\ɴ|Ł̹*"F |Q/ynx)Ե2W< ;-`lff|*"=zf&-avek%En1@Êg$ =kɲr5: eɢ]);hs3$B/H3F3f.]>I'5d:ٌѺwzbta| ;?!YhD#`qRҌI-c s2C2%۵iߗ6tZ1eȅ cS:' `>0V|o(/$0 FW,ciQc)hw|*? XXZP%)#alHNd- 9#y* %Bvx#lОʫDAn9r䶕A:)do5wgn"2=[r?ѥKŔUx%R>P3f@EpO6WX6 &s~Cq=WLb+=qCN;;VydUJq>Sa[e.A)LcA\lu#HK Pm2LhU*}.͵D4]~8W4rlG"<-uaK<8ܧŻ8wI6|E[pEZ&J@U`p `qTSmEpMmc'=^:=< Z7<*?RuێP|b WC/b(ez[]n2$1x㩡Q=\8>''7[ ~੨nc>'NVq7 /\Vv!A]r|, uIlM _ tOJ"֑n@DAJiT|56iD`Ж`ȳ=8ZajE(Mzf]l&lx+5K˹DarQ$y$\w;42xf%<hDxLfP w͌H@Ʀf&<%GUI-{wQoOgU=ZbZtDxt4hC^ @t]FX(DbF YOx!vʙgcˡNǸ &8` Nxs2ߥb)X@r#cqa@C U>ۃ_r /]8' ݄wY1^RDpw76W~K# ^؈t=}(9K?5C Ԛ$E{v.ra u$c=RpW4{n'y[6 9\#RSuĉ łm|o9<5AHh`# W>PH4 )q62{+W/ړ_ի˜Y ck@ /1EL.:p/@EF92,tG*;Nd\٣8ޙ`2YkXAº V5_J +c;qs6D|%5v>AQ!`Yzн!I%i"u^Qhjr Vr72h<(kX+Lmm^:E@Ͷ A ^bL}YXj+mѡBbwϞ|3a .ˀ% ء ;(?<~z*f>)iʌU Ae>qD⋨4IB\}g BpyV\vpn di+hς!CKN9Z{ml>1ArSEo[`# ]4gt -dXwtdo| XhPrP},0^PR q劺}N@W۝d?| iK؄C,+NZqjLp{/sԮ@u8"^𝖺 iuU}Uj[J-v3k"&J6h-g8J B m Gΰ"9U`),=NeC٦u:,b%0š.b"χA8o^brwr6hw;%:Z"u1挃?㸖Vrw80 g壧cZ|S.Ǫ?4`r!v>r L ϰyp%cM}bgC$# 7HC/GekAG&<rj?Ͷ9ip_#jI';D-W$w,_f/],`>O:凢*!4턨 c3fѰ: 0M_GC2̋MW6t _^dZȶG2jr-i:6pl[ g}f?b|\6g>GR5+.6OU[Zs+p:nр;? 1rV7Nc,Zpo[μ|2=!m\BWEDoB/z5Bg yÈ"MYS&K'u# :ؼRs*cQK(uN&u-klJиQ`x8ZEE*gZdBU+`FG^7Ut 8öh-jV(xO }Z wZwPOuUkYKKEPɍ~go1aݺuYi@T yECYJ$|]7^gnFb48\̚BU3j1-B0֙ ۓ}y08U,*w-@B@X5GTA^JP!^6b ,5[YZp{eȊjP1Q4:|J[#K|/ؿIwN^F;oX E[>JYW]/M[ >ACY6ssC7p+YŢgTSդ+[z&~SyOTꨇkH# WdX{MFjQ1-i^!,_aDVP>1oV]O Z?iVt B .'d 7X<- -->PPwYn[. tQ (KVQVX= ݾ,Jǖcc16b]jgPhWN*mFQnJ2D/@_~Tjo2Dg2M9[SxD$ 6d}`t]/=sFI᠜4( 6n  :]i/MrJ[)g)SC5\,aI&9HlsE|Q穆]vs3DĬF;VEy"8s0D%&],5 [+_0rIA1S}`v%bŬ+<*@ƻΪKshxI<2vm*0u;~.`LA"V1hك"ΏoSP&6u'2\tQ[Rw[D!%6yP y8PzX,K&K3E#O{{-"j#>Ów69qWd(@y\SO3ܝF2Tm~;D2uU UgG%Q&K ,(zl:C笭ͺ{ q,#`٣12|7m%E/6 kiRkeŻn{q˃OH|1&ޜ[,gc k*l#^ W>h&oa׹̣r-ГE,b)β9)+bU6'jn EXZк$MP\ ߭ȀJ@pHyz7uQdC]#mԁuĉQ ݵ;uw!a"!^dL ˰ Xalf򊷫8e-{vRrS>}74]1߻>{cVӸdO1J[؄A2xkGokG&: `1^nnr /;%i"to )Q0&YDJF?Fgy/6ٺq bagPH~r!;QwB7C((?ֳWqstZJH{G:EK}chPunfwZU\{'e430bNbA Md(XQ͟[@To+dV˫xb+nLc7_/d'UH}0ԝvI6=sBCeTKWc>hAc|  Ψ!)p@ٲ>Yàik}hD -gjvHhTl9ZlCz7}H^7a:mo1J{ h3\ R(qT v[K\2P`zaFd;?#B+nwP,wF$ޝ$7m; ^{F{lky^?>oy܅Q)3w핊L`JG}k1̧=Yɪ je3_܌Ζmh N.#YDV0OQDd-Me4/rFoкj|μ+*s=& bPRL鏚k';QzG*ޮZ.=A娗mTĩsy4A-ݣgK=ghaQh!;a{hTTy7v%YG7 p%+x2{!Gdn "[)V-$ 4bӻkǫt^d>/X#E~PwF>c:.]"rλ3jb7G ˴+[Ba 5I!alj#Ƕ̒?% @Qs5s8 wO^&mNg]g]1RoJ.3\XۊQi1稁'$g4%ohWSxl?\Owt7B gMQҾثaݜ<_%y_M$#)#!³LLizCWEP Oi`w <>Re- wZG~7<ǽo.#@\hpnmg/Bqw;Re4MbBA {1xnK DdG5y}8YRj#Pous\p|l?;d2-@U5u=4&򙹉1}xV6vš{Z-TT217wApQrU%<rYem2t3|p!ܾ/!KUWQĸw-vIm=%CTj^g0m*DeK2_aAWO(}]$ 0ΜŬ [ =+ؠuqk-lTjR8a-Dwx"" Bqd2l 5hͷ~7 2!`G{s{W.~Wڱ0!0a y?JVH+#aU$uV?x^w<Ϸz< bP= ^8L&VY7-kXE,!:H&0  5$>l"`$|(~[ [H Pbc JpY0(+< ^1-Iu)4bAE;BItN w +!q['-?(c3WC98/pƚp,I*7OnHB}2QM}r=p10 ps+naτ #t'HV' bP)z'$.t}1 ѼӋxܝˀxH}.GF޻Wbun郵KAyIHj_rcyIJ0SO,gUx-ۡڹga>r,A"7fdZ`OU2c'M7<=: dv>|'6Pk:UhL)Gl/`ԗ]lPjg"JzO@R&Ux8`윚 U ٻz>zK~񥚰L:=35q `z`%ϊ# Zl? VJ`뽧9 Dwb3w86{jݷum،]} \Ti Sj(C²1_D ED#pzPY[_[Z@-K!Ťxh0흩,~tw_<.BUucAZFYra7*@,D2TH?^L%brxvtLaPUS.gtuz9d,k` BьѢ0v&i_yS@eŗ}7-rcLxpچ<[:Z{F^6!ϲ1za޴ӥ.jNCJ?hQ}_ʟx_wA!~]ԟD_brRY4!>*&#湊Ƀigm(VLOW]&G`ꏕbr}wJl8jiQy?ԠEV0k f%kLR3:/eqpbRJEh|7ԫ#v=ďW!S" ]7)ħ8 ^ |~g`a͠pׁ&?AQf:d 1oV^CȖBD!DN%艛[3[ּw8 Nj&$M(8K=GCiڻ`ץNGm"÷ 57)F(yz^`\kq+xS3Yx]C*? fU5P$7ZΖ&kZ~cl`PX u<<1ExBϛnG+&})OY2S(p*8˟Ids/^ DiYveƝꟁS]xk,~X\[KR^ڬUįNN  j5|a*o9wIAZסYŭkr\(=x۝ő@cMSiVYH B{aHPT+%]A>[[3nT '&?`9r/}[MQjJ?n=S݆Շ' '5~jD+VhҁRtb=U;Em^[ٟJ{bk\uB6ٌpy~$i#!2 &`²?$i?V9ttT)&[ycYiMjc', wx>]@o[f-| =[Vȹ8ZTi`BBG-GlD4(>#T3ahne`VFWFH OO bKI^T,Q;NJCZѱސ_+"N1q2E_ Gr) Edu ɧ|^\FTެcR6P+Dy8k+5 ~d{.}9OٽL7؏M%< KC;4@əF ]X:/F3"p :[Pf1/Ga~O tKA <"א+"P˞I^{{LY{=brl+aj{%F\f>P`ʭa {8К.B8⠎mo]OL}`9 }QUfյ5$p#HH䐋=Q:)7&Y?ה)X9OWyA3&P>nϸѲw>8 hRǷ1ʹ{JXODo$NDԏFY׌]" fmW#=4pjρdʈy05$ \p>c=?߷ߟr% s j<ևX1@˄49u[߿+NE^̒/2E!^DSp=s@?7Y [HcYR\(l6./[[;/2bp+bM" BtPH ;<X&Λ[$qE\4UԠ4p|,'0͠Ts27%p*Dy2NGeWMOLTn cW^.&]꛹c<&Qށ~9$Fc1Z~ڱP5E^5ħQlcGo2q}1)M!pASn_Jmm`(2$ŎpYx+VJݻR+C-$leEmA}f$NӸo8'!.!N)p76v۵5ZBsS~ŬY,Tň򍛼_Bi%Bfѯp]윎]EBsCS37^LӭJS{Vа6wH] %ިN38yM9G6= vjV\yR8gy؁''k2 DYg4ڽc ֖M nlL?ӻ4eR:/ HM wu 0us;{tsm(OhN_"g 9 ͼؽC2Ñq4+/]zu&j&ڼ]7 Qa ^~~x5X$ zfe+iqX}co5ڠt;lfN1ˣYxhM{+v#'mqb8LWJ_tCL>DOVnPO+*#m(y[)Ay{ovZ$NQNIvoL UDynu"6 y( ͇ȩU V<ۯZz-8Jg.9Hg$ye|έP%䔉L I[*1 Ǩj,Vz|icf 3RrQ\5Yo8"M6'43gGIi(,qHTp>ǮEGO *_ѣbBg,9t`S'[j=W *ᗷӄXSiFyq5nPu]Fހid+u [<DtxCUExvwÀdy5g,X֮/7"(Uw^؅ Zd5>\k1==)btB͈;OUiv{g4F.3aH̤:XdJkš*škύИCǓ8qs#.=\SL3~rX{wneTbMխM"]vU<-̪9?n MҐmDǭMF]mO!TtۤR9p([utf :`4xW?Ӂ$PpDrj[lp!P?!2 9A6]۶׹:֟^+h.ye|:Q9"λvu;N,_+ 9{{Hȼ$tX?{yo*ҽ/]'H}\iH=M.?~.2F?DROO/yQZX"7%I8e'&&,ae!rf$1?_XH^6W.X.T^.l~yq8 ōтO=Or`xpPo}~eddr8qlKC+P`9:G\֛(,Cw[;+_Uh*8 xA^ش]6֟+׵jQW^1A_UgSCƖQIl03=?@lmIPڠQ2OձyP#TJQK;:Y_.7*ApEn7MJ BƞUo?<+E.` %QZ 5E!a =p ݝ AoyȫMHjNc~;4_/UjC—㻺;j{X.4B+ MiRݛ+ii Ǽ|.ih-wup/ߪLR51ltSC 7nfI`9~ɺ Vv(뗠K->rN 9_dMi $Ss; Ӻrsby_1BD Av[o5Im>s2,B8~ڛyl1>d92@MxaOIj{߶&"QcHR *b'1LZr2"*!XN ;T pޑ[oDA+ hOcENϳ-T?iJ '`%XmYQPSh|5c1!ڲ3*jtEUPֳAbV3zE7<ݞV52r`wdr¬u*t;q[ +8v W г|5#; dF}X@PJdƼRֈxD ]Zخ,Hz7z)geVuƘ14אszHI 0(:,GpUb`&>~[7.,>7JwSb:e野$)!&x#vəheg|Q3Cyp}X9cDb[I Ce@C5Ϫ/s.ŭFDrWzG_\Ƨ[y<MsZ˳ʛ6]d+W~՜Am:Yv[C:C^,,{'֊uc{ezG m)KDrT Գnq8^9 dAM:r@fpھSuU!3kA|KAjewD\՟I @Ɛ &IN3ғ9p^+`2RL,KXl?O *E4:5:I>߬x(- kQܵӹl4΄԰Z[bSeQ 9#hL"Jo(o䒅{Q?e(XP}/671 `h朹`Z`l -L𚓴Y\LF=H 8cɁ@uuD[otehqb? h6Yg? H&i=z&YZ]M{yIAI@Im}"۫CG\g fbt#Q\M2ݾ G"_9Jr鱻L&My @%7\/2= xvuQnl)KឮZv]ۊc eh^Jnn 7G#/>D=ޠ; 6n7 WmB[- +jEo ecՖ`Q x默1Z'wSܗ7O a4.D(R `b'͵pHd/+0؀p=A"e9F'BDܹ"!_8Nbo#wY +kSg/pJ,lyQ_h >tG|UAsc/9_o+ t:դSm;_wې8 HL;M)\C,z{ G$˿[nB} OyEM Uq%|R%"{EEIPQǨEp!8t>sl+A'ro$h8v񱺇 &5j8iY$b/N&oj649F>\YY&JK P22ͺ ??*P;>kU{$/=Ul@WoXt.=1вԴ*-  9 GNE2deLzski싽c/$;;eGjSOict`99*'B1W_|\12 V}F\M7nG+%)'h4F;e?n} jҁ:V>S|&*=c2ݴVt0k` ݝ,QMF<˧=>lHm=ϻܼFk ,p8t{>aRհv4®VZ2JM>LBvҒRP0&{jk_9R SLx;Heń؁moEm(`wۓHǷqh-RPp䍾ӳ;V{h-݊nNᰌsS362u J5Gm|gl:#Iy )'Ry0.mAz}fpP\/$`8~i!2DkK/va0 2YTe~Ĉ $~Upd*Ÿs2uϋ` #3I UUn>@ U 8(fw?V%QI"iG $A#wW}ǻ6?UA.⨩ t9ZzʼnPe{bQAA#Pm=Mv@%뵾9[c7.} ңka-\3yQ0PqkuPRaeW9l @~&od@TlmѠ 13C۷ dł'!#P@h||F31tNwl9nҐGrv*:b] Y WkL<ׂml g> 8oz7S#"- ο:N8\5|.fϣ ;/H"s̸d\[[V+jyyXۏxV@ϯq@QB(md{"d|{I&Ɵ Z~N3 @ \C0+r~ɍk5=-r6z`.g.) u Ǭ9`HB3=9Fcy16v\ZxV?Rd$꜊>"T)e+Xd-CF2*E(- 驦¥B(]l"S"xQhJ%-S48^p;sd2*8+Eǯ\!A>|z#3}'AM>hfBFE5)U]5!b/ɰڷSl 2CkB=&LSH뾀Vc.Dw6b(ϰSRk֬_'8*u󓪾cQ}VϲYri`qs{^u40@p;roԼk!Jpp`/;7_&M mf['(gYeJr K `J:dlّL&d0s*Oo QѓhuEρ_r>P\MiɣC^:dcGh }4b3,WIUT2%ܨq'd7 zm8k 7bkƄ燒9kgAʪ]%Rq T3ST^#ƵNY&t,i rƀߢ+̀f_\%Q`7=R {#t3'>zn?Z-kFF!Zy zai7-@\y%#Թ(QR9T*?=t Cr&`D3RXep i5?Z ;8۟MPq-r_}uU^m'BA%8ҷ #RcbJ$aPӢC"B4`fUqc<~,N5izfw:X"C8sz1`9̋yZ3#@  ,ϗfGVxT5UֹO+(Э}e=L+AbpHmd;e'Gh>#tDOK#{1IYb.} \ǥfGP38VG,{)0;,™MsW(D@ /airx S n}Tiqy-YCNth &1?ni\v񦻽QnXҐg\{ ^^X*Qo;aF%]n&TAJ1"iޗ*] '*OȷR81W>PD.M? TJM-}T.bqIeCr|,!m$w~NέGABpMY X60j37d[e#~ƈs!O6}z)WMc , X"-Z΀OW#5NKFp91m8O F7S jSm^tۄݕ0\pvۑ{J"[MbY1JɞfN%E z=0 ă`D!o`NJR4Wv'ҏZi2vyi8\UT.]}0O3 {Uw[҇5>^V}$onrV%Oatn/ضq$dT?,vU n˨Tt00疰ջʨqVN$6B2lk3a@٧2A= PL:~kMO?_< C̗V-kKq)ک,l[N6sŎ,JFɻ™_$'uDDbKեѫ %37辷fj;`q6l/Do NiF \f/?Ѝ߬PKe Dk/X dǔoTF~M,Dk!ډOp 6 {e`l`nrtfR=(玪zVO#]Ӝsg[FPo.OM\RRjZr՚O<^ ]cҥѩzv!ﱘ cyw*` .65ܳ0沜6P{BߕjW#1aj7 6WCD/ZC_U"P%Hݛ 9y.kV% ۽.pn_x*G4`Й~E*(51}Hs%Z%8߀|ܪi@L]\0jwrL!]'ݴ玒:Hk\֚䱵Vm@)Ո4M>.'6 )b] OhYiOёRv9 %籦ɕ z8f^:t+P 0b!]6`YЁyh~2zBjC'2CIYusizE4 l'mMU35;*Ϭւocl6%R7s+6Q-HÀ5A) %Sz&V]\ǁAfK4544Lr0OuxE6*Ig &&ӋsF拆u@g |M[Agũ4Ofcv_/kL1ikBlk}2w`'b:o.Aġɒ1}t_7!%v|"Q!R:}0D{dU _  @/2/ ()I#T4inLԩHvFHր\[%:zzFh/J^l,kr+JQwF+It=PZŲoɘ)%$'[4d!W W._2bua#K " }5= 8/衞dg rpzcd19ZI͆;>A1r`tΫqH O>B&\&W'vb#,1K/ȳQ&q.tu5ADCw_bT6.VS*Υ_NF9f+AlH!Թ1$R0]>:!É ca{S6QE ai5Ĵ)NϭL4is:[ZrT?*~U>NhgsSyWi*J:ETy%\Ŋ\}y4{ N5o/q$1d=!<ej]֠͡VAF Kf|(Mu,t&=8߷ZCˠ-YNlN!-n T#d 0 {`D*(|I=VP9m?rdVԝƕȎ\-ƖM8e& fiX{XvM0L i|Z;n5g$+H9징Y6vo0b;іiRkN_ j~OEuGo\°?$ U Z7XzKͣ1)E) .Al^*`6cܣWD)]rGSc i'4dѡ< X+tG,  csq+Ԯdn/WQ6|uZ9䯜E\^]%PY)6YTAƮG;nm2PWK?g&AntE.5TB[^vjQڨx=Չ t4N8lHIH2:iKOT}LR۟g{"L7U|h3҆|4aPT Ky%w旟3K9 (wJp+3|Qr֣q>)$նҿg~/}KKɘ:dxc'CO| *d] DmrcPY`c"Sqf.E!Ö=H_]ZWy-dGJ gI}9%wl֦j.@ZH- _h2(w֘^ӽ6IݹQpSZݘQ)s=, b=]ߺ\eS3LaUˋ[)49Z7)@:\A,m'5˵Rm 1> h6=[U:q%bW^bJѪ@e(]'ull}/?LؑY{Wu4!~ Nv⻿$º2gQ7.RbAe_B6]' *O}n&rq1ɒ/̭}rs"FoߺCSh0+OJ= g@lMAK]"Kmv[\NV$:863zZ6wEzt#g4oXdc}t%T !/QRx4X'^{ %: 89(x6G03GbSpU3nZ؟B2ul=ѳvR7E![*5F3ی.@PNmGL%J2k1rU!ħ7a!i@΢g7{%q⣆2M7/d>HLD֯ɸ  O'z6ʘ8pMa6hٱK>e7uGA &zU tJ@cO`~)+8s)c/'%Y{z|]x_B膃B@nXChW(PI;r:CVT,mG3Pg"qd&Aո hE,|ӡԟ}Grr.pVP:@B,Q' {8t ][=@~k&4:Vff$/+hY8`6?bW5|^HʾDSz.E!C)~&ZbzY5--?>><CVx:ݣr<8 .c 聲WӦƫ]g}Yloi2:nD{:Sti RءcsH$bz 㶼~Q$]:-J$5+?vA&b! O!+HHlo w 3A;mX OZdTkzWibex<Vwkw Ӕ؂LӒZ(˅; IMfT%D<Ȕ}:tJp4gPυpҭYpCyj]$*F-CWGU–ϊ.ꜚ̨(w:/"G:j1B#ݧY.Cu")uwaB-LM( wһd39:<͇4$WGieh-=梲l'-ٟdzst/gNo#,"E \9Pn/8I^Q jUbѫ +Ѧ+,'\j9s('>EeݮBBƝ<'׬hثpH;grA=J 7^\U%.URfqJ6<1y5N}qԙ'TbdW{xTcui3jcYA%l)CUP;q,b2#^b`Ւ8jUdU_en5p[T'NRsYBA# g:ހ8NnCMeQM2:3߹E>W( (AM}ENU0hḢ -ʐ8N U)pKŞO٠p/C5,X9 "ad7ѤxVM04  5d4{m!x#C o-P 67pa!f~)~Rt^XsY5f'78،~ӯO2N0{+? %s=z8Y| TpתPm+ʟd[)az7^n %iHLo2<[i\b;2SxRN_5׻ Am,6B&WS!}xwں֊K Z4|-8{%滝=tSG|$#&m iLm/cRyz5S7S gh~M/6jAN &lpJ"ZR)::q$u0f!ޔul$Jat'qPM 1'!Y7V)M*u۰B6Ijx(D yBԅPz}&o^m !? S;W+V*UO^tOC˔v)u`Gu*'tA>>[Ǻ[ F{=#1Z 5*%ۦc 6 p2OrajFt(o2@N٪ cC|גy q8.~I@O;C:Y>ײ}^<އڕl@cGɈ/R ` \G{(okгY0.v>Av6L*^[H*^HѶ&Tģo6 T96丗\mbBT-)d4mO|`[",k}m3Kt\0Jޏ:k&M?-,*=Pg 3̔S<^峂SN>4K -炿sla$1̪mc^83?.Sy­֧?Wpd0r!j-pӒ~U_ Nqep'{gDkigO{y7nAj|S^8kܫU!l餤+8&)p6JˉYѭg|KaAcȝD~m[SKG"yukᙀN)4h܈fHG$zS%!݅ 0(21ouGc .g[ yBEB|t M4rgmM/sZ0b:$Oȃ+.k^-jK;WwZQuo)bضT7k/t|=nS0?,3="i=T=:8Ro~jyꮚ؃͏ tT2,,4 q.p]VmM15at)&۴08d 2Q*gɄYͳն7m<-늓 Y@ IcVHD"G0{>xĸhT 4IEimVEr_'d:!:Im|iC,YqWs'5e QA1.{WHth*<[UBl[KW70. L_Ps-{[sT,3 7\^'ʵ=fM:Yej̽ݦCB2dMr<piGX8 ƛ~HEh3u/9r/j ]E`َ3nT0ID$t ;CFAfwɿmDc5UR2&+gvV2Q+6ЙatPyk}4Qϧm1aX7^gK#%3h)b!ZwX\aGs5OyI;\4OshfEtGOLqЯRp+;lþL_)xeKn,6^=hzR /i!F/=vK] ) g0B δ,(.ȩߋ+p(o <zAB_`^NӮjj[eg ?"- ly-`&laN TwDNNJxʯV ghe%"K5LwT^Orot'u[D ^w5aoWP~1ԺtuGy(.@!n1xEgbwəkc̪OYhpmiw\A ihbFS T!R*IWDJ(~lɪKІP|EIiGO,R+J>yy+ yH-0Ӽ(;140Ab2ܵXyO"u[8>z)kM~ ScÍ Ȝ*d nA.Y04ICb|?y{hAK.WԻ y:S[et12X!DQzKS撆/2?xz6>A3WY`p+I.^xYA7 ߖiF'4O`xnmsa)cJ(p){&_B]ݒ/ZK?pyP6ౡ1V!e^UeloAbt+1ӷ&=|fa,(BɅXj`58}f4 'wo{VZwOP֨.[ $nT=uq ]8+~B=j4j [ ,s%7QwMѬ6N'a'Ëd=(>".>Q*;[w{e$C4[})E»l,vYe8+H_IW4@!D7YM! 40U;Tc_k,5LߖsC ,@NP[(}*&]_Qx*xgLKlI!sg=H Q 57g[C] نJbEV6̣HbXl=n; XC‰͝:aw-io7<$SP'&,! z5e3x3ªXz)I)m|o2>ob'2̐Ah\RՓdclΣ>Wr<*>bf Bkp9VG}A2-1WDst8ډީ7ʝMI_}c­8/q٩@ bSxJ$GkS}{\њ>Zc\4߱DBbbV3p|~rML.Pm#\oLR0ztoţS,shvd;0]kbE,/%=R䗏(;Yv"Rcnb:OƓ 9@٢b+R,mSV/ʓz^'LAQ3g~XOrDeCD<7>>XtxVgrV$ggC|r.WJ?u#&|iLNJ X`r E.fy1cnk9_D rJ}:-g!8<\'|S6k "6n!Xi0P?loŔQ>Hw3QMj Ţ1L%_aǣ搬9 }?ﻸqj>ڥ0`aWLYMOVC]0rf D$g:Qncy[BN,-:$ oT8y~@Xm<<*X^{E{4Łh6[F?!v܅6 hJr7%.qTū&| ޠ$9VAuEws8Cg~%d+l[tr 2iKʆ`M1[n߯$^KiI#@?o Q4) Us<͛ hMdwMȦI8 肢Q/Yo S) =zyt#B5NKS 2N+< UbNM/-7UCoZ)sպ:6˄tl&dQ\z ͋u]<({o- \gd2^.QUam-i)\Dw$496) HN@e7PhEȐgntZ'qwU 4D+$\G')3o|D22ew2#$nB~qlBb}Jn]ОߝZf ahנ4>o>2tœXJk_P'_3S%Ӗe-f@q}MQ8f6OZ#Ո]% Vlũ]5DD^>vfP$@'~>(ȁ($!/aԒoKs_KջYˁ @1ہ;]!1IxY\yXzM`Xhr">DoT[ Oou;AhDE}mZõFÞ,&2aύ\T[is=UʱoA )?ɸE$#B;r͒C.aEb&m4ڰ8. '+q5͘TI#fJjҭ $6fSq}ggBn($z)H^Jjчd; LFf{#?d7k,`7Fx9x _1d>̛Ҡ7E$}>76g!n=|G]a/Mn$;Hv?cuiU!ϫeD|3IiFX#1铗n' "NmD$ hsۢ%Gr nxU3F 8N'U <+F1J%,eJch /r3}FGvN3934ZЅNn3ɛjx L|㦅aڹ3ᴺJ5BfE{ "C9^;:0*r<|G~/g7T_ȊEeQ HnFc|k?\mu'6I3s:.Y|o|F8 SjBIQS)F%B&Bi]sX~gƉ:3뵘O`q%w dfj;%;*UC2vG~})+-HH&|ҧQ@AHYBe2r+LJd}{3G78Rf>r) 8|/A\z]CQ2mF| ґe 5E`.:mrmJC0ׁ7D@&~-&T4/e 5e%ܦۧۜ3I6"VLH.z@,/}z\ԄKbXzK;`$!;3p 2GLW,u @N#9LݮOg0 5=ޫW=}$I؋$nx跒4hR YS2t\4]eP# q*DbzѲ~QyCT( #VHPw̄XХFr\Ӹ$Q6*l0)G+J4*]# MFеg&#ԩU#$ +r)6)mUl6FJ._s1#9i.:+1|0B'eMUqCJ($cuQm,,[$Ծ]n¿58KNu}&s8:U)P E[YNJ}|Utzӎf mŃfP^0cto7Bj͋Nr߄@JwT]1>oQLt 0/""nH%`~#یR3Zb>2eHMn|ǡDw//"^ zF4ܱ!v…h1*F`h /Jf(m9/=`qFH[`Q/6+ w~"ۭUx,Srz%A"7['.e{\"$•Y"y'}F}YdѤ׊]:Zf~F?.y8kM4?CrޱqE6-NSPSt 0w AuvS("{g !RP΃rQ}t}BF[lJWrB} ls] |L*$R.; ds}Xġ=J'-Q%i"f{b`@uڵJtb|"|Bbׯa%Hj :c^)Ё%qLFki)K 4og^2#4mx.JB#Ι^[ř9J*]+R,VqL0"ɒ"8hݳ{Xhp}pJ)'/}2v#"=LO%'>vy6(@w*;+::&'zÝv2;sm;!(]u7tIa'Ui Vs] 3IT?&=NxZjv6Όbg>}dg]\; <fLu5|= WT7uIחs OnD^QCl B Oo8π[|ć/PHVTUkp֔1>ʊ 5#l#s}}뫗蛪*Vprϲ0-)@ҨQ7>xe1ˈ+˅w(Mq E0t5;R SV !zG;VR1f6yM*gxĜ!qpA craI=TɁ|JGEaE#}K3ЍɪaZ MlB=bE purZTf\@Zh;⁶|==sFi̯%x1<_t ,ԡvQ:Q\=XXLaAGAʄyq /̚sW:|L N }~v3 NQFWN.(X6E,2Ilbs#nNNenzi-%MJ"yƥK{`{#z_dcrW5ZT~Izun8 c51|Hxss#W~6X Si%0ƴ 8b#aRr4<-vuc ?6}}>^=/*oH-fUM}ʓ7)΀qtΨV:g[d%|\溻x:dT\4C/Cg@m EDqkd%&et)O0_d;MDs@;eIZPBj>1ՓVhX tB^vRHn ʳfg1 VYU:%#,М$Mu1 ܢ/NGab$=Gz )K(S+es*+cF5`8@!:*Zps<9rgۿ8bk10V8jz P.J8^}?rJk9hQY4NN[@l QZC~FbʤK8!-zO3fhQDxE>6) Mcve|(1N[)ekI4Pv#Ä XaMmЏEb`]%w4io 029 uҧ4tvu% '{HsLO0)L~bU\w[a56G'&n ? /ݿٖDf_%CI., S$8_H0n?<.ZJi[)U+u6rTp?pj8앭zMxbsiȗwˁ§,6Nװg?@?9QNTiov *Z| mS]xG s"Q9F ӣ(;&и݂WWFyUM*y5+\`ާ2ޮ2K0:ʢu_ܘ2hUy0B۲=L ^|d IE}pGWib: jkֻpz5+KG,ö%ͅ{ O<{OŪKˡl!<:ws)"EnGU-RBv4拁CVBtDuu@pSI;Z|'1mц-'X kE>n\GTGV W~: _ѝ ^#uO9hrqQ6?~(Ȣ^ªTP@JL4- ] 2PFs $jۇL%oD3ș]h%[ftc. ־z,E[9nɶբrvzӫYYw۴I#@: o ԥ6wlO4_DFEڄvC&,=ޟą](bXF&b/@N"jag^![2v(~F~Q^RÞѸ܂z-+p!kk KԬٔ!٣rll 9ӉRi q+[1-SvԒ>x:mrѷPx>Хư1"N-Xanbu]myʠoF֖΃?^q|jA_a'P0:I锉U *'s.~]RAH0Yg"Z98Da?iD1۩G6R>]l zfCڶF)_<74(Y( (DBd!#k^`|5yG-l@|~2 5d,3!qM H̿G?8g?@-Ίsj~,7twċ+K˨7tc`OF}U!x2]5;Y*NBT->OSE`I0TUsarbgdrC@"? Υ;̧MwJ2O m} hv뜍)m;|3(Vp S77c&/p'2I7 L_d#b˗E(*c kL{Rg0;/껥JactTN`_="WwL2e7Q.|ȲIx)@ )ȶO@"S+ [L$KODb,ֹÓ}lFX0`Yj /\W&CԶg뿵%(,8JHDQDh{FKCVA!5U`ȯc|zDz‡L>1kv9aWsT;kA;$A>C 9=Q_) @hg)EwmU93 9b" ,7fE`ӰdK% dQc{($jO)j"UB9N<!Bf~Xح殒`"ο<+5 ~welj N 46 r,-/~:JĺxӅ-ݪ*d}!'n=ii :SW.(Vn C7n*dظXLK#8HH 5m =i"MȉfJ/ØFq0W1SDXn7ʄ!tޅ&gquA[/=m^apY؜ rKxJPwNh+B5,])f3"sSSDy ]A}kUafc&{j iyAFu'2`94ya;t7:R|o^hO<[Pg|İ ")}$:ߤeܭpj*Blp :/>>C ^]zO,(D^i6gsjm,bZ,)Vf"Qg1]@>UADKB;߳k6z^%8P3Ա7%m$> ~͎Zj͸v3r[ԅe1x9*$ ɀ#u1,p?6`TDy:9U ųOۧǘca#lu Kxjbh af)@ba&2%P-3K7991JJy~F]׻ԍØ ӛ5l!&>Ս/ch*q} WT X6{>?BxGU#!_ѷE_eY8i4,Z+R!DT HNf_CM<i?(Y7UqhpYX _C!r~BSkiBqPZS.bA$ڵӯgB٣P@~;0ECWWB@.f ; %" =%U[ G*W:$J㦴p~ȴ<,ԧCHz_TNK#O 4dft6dҽ);_\I^T"ؒ9%a(p^|S]GqӟUNouWA+]3/awK(@!E(7B#yZq/!ERJ똠y6tXMy 6QUr֍ d_1t:[67IZZS =3t-+v^)9xIȺ ̺AÇwԍiIܡɾ$->;Gt|J-7q;LYo"o,I5pl~*[cg6}ced&̳H,N](%ϗ_ϩs d;  <:B2 66ݫVb.!߃uwW5u.T^Z269WFx]oQ!K> ɪ {k6$SY J:-Ԃr:<8-2q*vKΓ-d0AnU::^ vܐfw|a;GdX^N8Hl?fL[CwU&{2-i/XBd6*<:oQqiU-Je+lYQ:.L1wp{Z"ʩbS?*EE3ygr@%p*+Cf!켧*c(9fNwE|CT% [9ծР:NVrb-"HkC<8DHYjAhn } Zu[5@31X3]]Nü;K- M{t"a8ի_NXD-ek #]QpoJ^#8ٷsGS 1Pk(W

)gfag.NpC18 D|xgɗS)HYFnWt:1F~5rJĐǚ3\.@oҠ>ۙ57q&ڥUEoY *G >mj/QZ W05oslV(*! t E#̆ ͞5VPƖv%R 'Z<8c1a1CB)K[<\{pwM4bUwlD4wWX(s14'HR*p(]">SE#bͫ>X >ֶ(uFXmZ*~,,E"į:fea/b?9]?5 eq-F%-!xr1E&O,g`4aFw8Gx0T 7k3uwuz uSС$N,_>DGh \~)UHHX{%j v|(ਪ[ΩȤ/1LG|F@W~ f UItTS?0ڈƱ=9q6w.\1zYKH'X,P7 |BI+;iկ~A %Mdv7ie OCmptBo6/ q?dwyQ 1Rb$-R(]OdN6L+ lN@]3х75l 8͙r>'{d͉7+x&ՋQ.gwW="k$f$B:e !7>OfU9AM+LFכth0lA[BXRkT.d@b)"leKWk=P;/[1|T=0$yIjj/-:e+7y3'TunmJJDIAQ-HA9  _ e ^'% ABmLS(AN;oUYyc敵)sE"~":UwIO:BvĤC}Ŧ<8(zzyzqr] /pÛPQ)_A1I%h04{1bn!y5PHjq4cӼhO$żhJHfc "Lㅮ@]N7u]v@Z[+.l$#P"?lm&\:" BF{zUMV;wO}ԕ:. ~@H`5-)չb59Z6! G#l/r{C8Pr, Z9]'+N'\sZ֞#!G-TD#o8:YN¾לT"1LWݑeD _ *1ۮZj̟!{QȌ"^Y:[N,lX01h^Vq3Œ6@ OZR#/PHWҹǐVc.G'7p cGKB!9n'U nx#\=jpJ/\+Оk_ۧ([c^d8Y8 _@]x,Bj=\:il~eBTSg|`3: eL0Ϗ΃"1dx3" R7ʔ$nN )]&픿Lw]Wv,&NZ.+Ru"Zy$lt#&R=2jk;wk^h^,,+_GHwd?1JٚL!-hW!n4Unm!:aq 776P?e '9R8P3J2  );hO>;Ѝ(C'eёkN_E_BcEe9U/ʶ/4}!?U݆wl P>Ĕ)TPɌg9L*4B _J?7_x`,d>(ȩdM QgA{sCǤ'%8?E2y eW2v"l]áY\ TDs, D-fĦ>m|F5rA_@vt^=׋’@[W9X.3udS,Ϋñx#Z^o;f77iF]*<{48DH>BBahc7d"ˤ I\ On"3stxW=Ҹ<} B! E+C`x:0L] Y;=KdP748`q /pj5:~~u.:r;2a39^\Dc.eWk.$qiU3"mc:sf=Pxn=B>YHktPkfH1??/hh(]YɯYEA|پ"_CO3HCnXȢKVEev&ݲG ViYN:l DN?HL˔yi//M1.x),ǜet(^XUZbJ֦2V {N!1s|k-B Gqs$ u{*7栖S7/ C$ꦸ4!£a iYGs#1L5~b2 s=* {;B[⑝f #6%ޘ_man8I#P\ R2.ջ}>(lXLIq Xx6D\7F_<O€txD,geA/I~"jS##_7cŒh%^ A\UAArɛ#l/W"ZrS3'cXnT}/4ҵ.T葝*T7v ~k(W~:>~ 5xni4A0: :?Ĉ#K!8P\.^=!0f6]lAlm%aL6UNh1yGM\%I&@]&iLKv@egp?s*xpjYTcYg 3^nqJPP֗c>M}@9B{ y~ ,Դf* p *Pk=eC8|¡u)}>MEyI [ͬ&E>k&A JNA ~Zf)yf)?Zror`&P;BK.,Z4ɾy8gD&O"92챙 A ^ v pPQ77L)R\б9Pԃڐ!G,, ΝS;p 2X%sҩʑ"!^g]L<z.:yR8" ۈƐ27斴|'pQd$\3y ƿ"(-hLBgH wAP ?ғythCN4Nc&8z]RNr_DY$~((`T s!:,EDL7cY+ɺcP{SpJ(uCKM=)El`nVi^ގ [blӮ l]1et/ou9ij2WCp^]U{@j8g^_fG^jo=﬽j2jŪ\I'ݼ)8@.Z9'ۢp3Ϡ|zN,6'O~`rJDͻ'ә`miL1U+P>qz yO8mT^ǻr-myEҜNMb!W5qQGj'w hy tR嗤j0׭>""3&bCW6L ,]I5o-ح"sO[8t8Nu`kxϐAO|3(%`c_$-^__- Xff}AoTiuݩT× }:͡m\]'ؠ1Lg!Ώ FqwW;>fSNi8w Tb{8Z~ g)KnB>xI w'6Pە6DG~-Pr$McY{x@§v^.4CAe̶;\McST&8(t^QIi76 ~{1˺;)ZwپcdzAOC0 #fϰ.Z*f)n E )L|1utY'Kbto4@qQÆg"Xx+V(zx%NvDV^6yH云wiA0v -AXQκp7P^v'FRͬ놫Z]Yr;/؅*&XrQϵa|kNT4rڄ6u Sh?Rm u%k5͊g=ͧ7:U2>6N_Gis2)pI(%uUSH/<dwvwmlss0xi"uN?:y Z_I=u0'ɐ|? dq Ì%\$.IN"`,\/ΐ羙em ZBV8Lٿ&k=R/KPHMv-3r-$Sd*ԈvәdWb|^XZΩ-.9҉ 7, gK2M.%yƫ4 1x /&BWI$+//B]PIA)2Әc gXZV/gsoDT'yISHq2e.1xS]P kN L_ N2b|Y<C{^t@pA5xLv3su5cL SҖri=|H|ϱ ptlk,Z4. m泅PMGho=ܼމȰVJM#'j8LMAvVNk.tVRVL|Z͉vevvd@sx>su{ 19D  pF:L}l&}mͺR ;v٘z/p'CwO)(hS֏!UaԊ` { 9BC{ r iTfw4iI^˪;sg>MzR_ /bxE=@RZ z[X"M~h+h~#cꐧL.b&[3mt^SƚۀD!4r.s+;xBzTp MN#wxSP䔰W >tAҾuQDq1*e. Δ.L _)F)e癊8FAPp!ȟiD;O`;cR1.#3:[*.#:ZK#3`72DT }5 VHUL51Ճ9]bK 4f8Mq.35KE~ Q*VrPre'ci#h>xyfA}_=Y (>6&r7`Bd\-+g;P+;`FnHriaC`%FZZnUADvnF2 [twLK) iվPe}=ZvޓM+ڐ;8Jn&&hX| B\dOLq}0,d;tv) lo-ͦ47KJ|M!W`V b#NZjƿMn\%]:㎧T"Ryt~cȎa>8zP,w¶|Ua&l?,Rܼ\ O`jzYS8ij4 %H ϺߜBkװj\R#. -i˄@{u$GN4#慢CB3# 4La%y\#OOx|{2jdҰ=!FSމмvKY qܽ<J&.AW],J.rCkk8B;\$n֎t]cmNan DVpAbUi ֙_N6#x٣wҩi +l3G[:hG&0[*ȞV@Gݧ)-,%p6;D#05t{y@?}[s`@|FK+vh s]r4Ow| _}/r]]-Ƣ璱%5k+Uyc 1'U%}CÜѱaU,W֩h6?*6իI[O?@e<AmlHOK[t@hG?0 <[ uu##negSnTQd/ajvP g+[i(N>nnqV s[[<",f0,j;G5y?fȗaae183C&ZnO[np+yYb]acܧ+"jBsn2/`14|RF>` hN`ؼ!qh\xm4 (?EMFtGosLS\V.;d9Ilծg=W\ nI!JDf0 qkӰa= bYaQLW?lUؑ ,ԅ^8\lhJ[_= C4޾xDӥ+Q~oQH<lŨT1WҴoU;M,H++"YUU-7ҠBU`ٔIE]V^$\v|4B*[j sXyqY0M`.H5႑򁐥ϘXս 0 35e+gFzsӬ]4Vx@l5zlC=R[ x,dSg$d;f|C9ĐHkuۦ8{B0'yyJ ۸,H g62[@u ?b}JnrxrנV߆ 4vGbXxH$fWDqjW.<nakO_$L24_ Rtyy;[ن܏1AZ ˿cD @68:4ucC;`xF7=QDWBڱ B[d,os:Tac-RWf~߶7Q%O_Nky郓 %O|_c a;Ӽ쾦$=BÖDSbI#p!s6[nWcM<}$OP' DŽ;Z;tZ l]1%/w)/@b+g|.D ~@QGI!<[\6)kFb&4U}FEW bGY#M~{ ~*G\ W4kkDbȳ ;jP9F_v,c(ò'x S@Q͇bp8 B>iGs;\q䐍M:jU=f,rbAa o9 ̭BewH: ,<\Ȫ1V$/.}E`mQyȹZJ!UIl=eYľ@bԱF2Z0Iy 'p͗z@kOYnz=t{CaT\BQ n׉Z0= R#2z@ѹX뱰4NeS k' 6pPg)utKG9\3Y/qNLZR[s @Tؿ(mFۛ0)B J\RxSbEu būeK?R ]ZG)+J}fpUbQD,᳥[[am䇞tXu)'X< eUh 61(|X:W-^KfXO-<{ۄr@PSRX1y#7~e|]FBCNVlТ'1k=ZhgP?˻90vCΕYqfTL&K^b!V#.l:tNH^C=jPwLHH) tFpkcG oEZyu^Pv7--aHm/WӎC,^!uEg56HmZ_5UY#~."/QdBgD^%hHv3:v !Z}[51G0nڊ1ِ P6lex}KeG)LpV?"e'ا@SIK݋X#C8e .O Jk}2>1@:zUxIX8'UjMMGR6<)?)pi Fh̔Tl~sI ϒKFr@fi^S=8~']w]윁s,vE%kWd~:] >fd:Dl5{.V/%b5rlۘctńXI6Qiq]? .Q@IͦxI S,Y? qF5!Nuo^|-C&& j:WL |_ihԂ#1!Lz < EvC_B:zQT'Pu`۶Y-k86c%~Q#K6u@x_ .^oYFGHi% ~xqV=&]cpv:oT]͵2 ^Tes/S(G,l砃 ?շȺ=ˀG-붿^bݸ^Z7tOuI}njʓ -!N"d$j ]\X/s7P<3r)U Jzfz \R)!;h$$8a (bԭ}^kz lTTޑ ;*{o1rzZē,~jO @F(qSAAHP!\c령=NUpgiHܑ78֔^!1J+ė_L`3w A|؅!P; (r0+ԭ:YsXR(Kd !s'L^w+/*`ڄʪς7=ﳣ:3ҋx Դ2&˴qKH ¦KŒetWABF:4}j)ԯ-23IrpwsqQ[<\Q$ڟiC=iԮʾfPy%xǹA(,6 0w1셮UC؅ U;zstҒMh.Pk %Ozp2K^6 ![ٕ@ykBZVXPt2U*,ż،E_{4{/g ?k.H,srhG 7dxY0VMuF:A7q=_vK^[h4%n u~c-nG_?GdQ:O&~Y{%p8qjGRk2_@ ^:ZH]`p)jP;VϷ0TKn+˩y"n{u:mZMwD^i~ѭ=?R^‹a7M<, i2Xs9,dţdp\ (jd0R8Y?56-0waތ(-( 6Zb!}̈́ѧyltR#>j smB@IN0yiM8sfa0G"y<<?V6cX){=B@e T| U{YrRCZ\Dޱ523G=p$9$}_. z66!aLN?'MB(KmB:CT-d{GC)O#2amX4P7$\J 'ZNDoU#|5h2ܗ'{({p 'o3k  X\{_RȎMWx|1׺Fv>N6?k{RpcwF͆RNJQ>X&I>[ I3BmKřJ c 2ʘzFSlkiM|f->@vt_5 r=ojuUa5`Lu a?CAPh[ ́Z[OB~z<[VL̖EAQM&'tفj*f&b/16`Jh݇ބ}ȩjgd~D 2=ՅbH-y 2O iTJ˶s_D C8 CB>{_UgPw,WPH]N$LMqNA ٹ! ZwUފ ,;@ϴu`]=[Pn[~(-A<KU v h%~%  NyU*9{Xm|Q׹GNS|=v-zYc0\G ?A/J5ZdZ>iڿ1ntW2g|*U'Ph(#IB6~$=LcJsY%30d3 ΨCycF?`Wĕ^we CuTz aϞJ4ʰ4.K:FxJ[d ΎㅋuIa`)4PtN(߂xERRYmG#M)P8hpQ<;5 ov9w$9Mğю('Uchiz#X<* L˧{nyھC!U بFf™.8 GpPike@[fSjٕ3]XP}|F9E1snq}b}|`;jҊ篙3{믺!*9*#u$jMhQ3Z+ǚտTɤ Ǘ?3uH!"*Ĭzc^י,Åq %7RqB5G'P ͥqY0rmt*ohZъdլPᵬ1KU>%ĶS5h?T.R3;NUjБçC, J/^.B"Q⚫ Y >(]H7$= =աzkݘ?iXcɇ\vd ?mVéoIu*'OĿwU>l{302F /K-L5R"9%IXW?,~5Ew!QK񉎓*_g[9WA,5 Uw굼Ua56 {+$L (qvH7g}oZv@vL}*< JO`&i*{1K]h`o_R-$# Kʑe3-~z6re;M#$Ve, K7TfgBm}4uUG$pY;;Eo"R*\5uMRѼ[ޓ}q_$Iٜ,.a5@`) nJVņَ\;$>?bGC|We}|$qFt/07}jfuw+I8ԕ2`w RbɣEdfWjэsbP|L7G8 ~B^Q!?-yUz҉'fM!k%6b*c@ HdUpN?G76r~CLZ>1Y#XQUYpa$!KaW[t?Z.)Nv.E;{k// XK?[E>' 8ffs Y1,ydAL.pq(nbfp|&4=I؍Cѣ|W3=Kc{28YiSDuV`}oW:rx<pMܽw~:pmolo3T V,}*(=a"00RtXYJ608o qcZC} 4ٶ:LACڴO؀BoxVj ıOYfm}0SR( ,QM8z p Z{+ `[юQ{[l2 VWSXM pE+3Z},apRptA%31k36cωz%pIn6$/.])5[14uwTqf(루%~oVFҏ $:.Q3<&?.Lna4wj$E",T˸Cof@E5|O-fK<}'||VP*5}]7y:(9'1aLz N </=IO:v,n=ezB|"UZW҆fKMq++Xo15(n7QTZ­hl\ /z'_%HBoSɕ*uhr!J TX4޾~RK{z{qa\Mם嵌͇F ʍz),14c]* W,z[6Fq4};l,!,4He"e|nR)N؊r|esF!K|˓ՕκkV9G1 g~$9؝1) Ɉ/XG9Z5"14#~PхԓkjxWss*F2Vh{*8'=(7:՜>զv\@˘^62}s$AZcR7tōo*=ji_꧸p+pGwXYh۵g/m'E ~S! mǬׅhJF} b Zv'N36i[hn-9C$+ Ե[k0Cus)7(_QkxdKX~L\dҷiOtWЬdnY*3.7%YhDRWpG<AC5G(b-$ܥ6G@2Q_s!arQIi1= =f%}[ 1vm^vD1dE""9d/!O*:U_PZX諢YxCGx~%cbddiOuq|B3 P^?K[勥vyˌY 0+1?sKNK~]iҒs$瑢 ЃqIC~zx]U9l1|JKrTV戣 'Mdy_BO/*a6fr0$._Tc8E/Pdq-Ӌ_)9-9!H? x݆/]UQE~*v5 _'T@qKs6bUtm?/5;ʿg..HR(@mBFVNIooe!` 0tH6Hz |ř:_%W?15AEubyTf2{h*ܖ3ѨQu;G,)ZMHA;XvRo&RW7{ }!:#]>"V'EC~n\L0%x 'HwXDAqyS(@`TZ&[/@ 7r5_=+`-M2EJE(Z@/JUr6=قb3K4&srBS!̗>8 fc4hOwKR>ZS 6%)~>h(J/ <,7&>f6A4 -#g"k6ƒ  8^x/McGQ㧈<ܮ҇ -Qsf|W#Om)n= I}ҼA%|8Y"\QyH@F6 ,Uj^ࣅ1ȽKP@oh=nL+3sy cL\ip:YhZ8o.~/K4VՐE銠 8sÍ:':{ubg-a+W߃f,aTс8ƚ1]fgI)DlNZ8%30xp1ՉdQxeie9Mb/K- =@\؎ͯ?eTǡ^#{uXP@@*$N~R*F~Ԩ.T R ^m> rPSKTq(a ʎP^P`C=@uK9$տI/FEOuX┾bsCHd{E>*-#I*#HC)sB9 ~;ɓ1~] _$c SSkj~-dznH9(@&ǭv6#<0!Xil?ޥ3|SÒ(dC:3^Sh !#KVv0HS%Y/D4ыz-ѤCxHW(6M}X=k \m%.BlPy Z\+dBI1nA)oqPMaV/Pq G(gdAEjv&ЉycR&.n,ˈwq8&&ewGeCd~%9j{m1mzA:OnYdV=u|u9ПhLK E^~`P;VS"]9>}=B U6qa%H ?= ]U7UOuf}= @@}"p4iOq`\ّ=kPP7aDE4iqii:aKè9b[댚UB_[vZuGG؇^SJ H͡hb=X{k<08q&!e&Y++g,AF!cAb$*R-,`yL0ănګ&NMz0% !bZ'|x6"|D,4fm0 #}l+IdqXW=;`-Z%j<}Bv@A8Cxg5]1)UJ[[Wp'7YՄW չ =L|fJX6L{k]G10 $+ H<Q@5H]֭K蒬.SERVuP=mOU㚕L`_%I%Tr -xײAH̃?#s8 `KSﴒ/?=a_XSHCC E=liE*Ǐ10Yˬ?yn&ʤ1k",2qc[s`YOT/U6?ErcZI68 ~ϛjJx 2*mV`b::{n$#|$ń<<='9ڛ sa㗩RHX p/mr4hkk>>]L(ķK >@cMa֚ ;sV% <֍Ƕq ͨ(b:,Ta; 7yh/LF=Ε#\W/s 1x5,ځVU1[|=T7uaTù٪HyY}>f"g ()t)SOl[W$}n ǫJ{\YZd*s 1 MLxCT9b h'8,1WL)Hu\V]7IK$7̳01T(-؛@ O}kxGvH*$h BDLBV 5 5Mh5:Lƺ3c7B1ۭ "Q#=y~:Xkי"wv,mR<1D0TdB/ΜpqCCSʋGISr!*uJ2|9!]PbX _ [?sywwo@#< +S)G~7w3/r;8ֳW]í@saW"K0}kQmzSs&mߗ!+}S4O*k{{ 44aSsOWfA\< 2=cd;myT6cG!otd?PAlѝ(8n\4NWޱ•І'ʓ#jiJ#Q-nL P1겤~'ɛkL90֓@Bn:gԏ"Z凧n8%$?'e D@-pҩ JZI})jL=x cRq_鑬`Ԅ\E*<N7N/\s MTlN5C$".㺀Df4chQ17&ڙrLWjJ.`oDt7,,`SP %hӥP.H#M^Ky'>o20*Ss2aIl{9ϴ:g`:8c:2Ti/{97RMՓL`OO> zB2Nk4@=ߥN!7MkF-$Kh{*S)KJ 2׎='3f lI4Lחɜm3M4K .+/iҕ`eq1)L'#O;DI4]m ~|9Ɏ|H'(C:]GVL4cD_?f4A}݇Psp ]gAvHQҏP-v=j!%riT oW'tW4C\]kwHgKx Pn$֞JWGpr<8^>Īz_=CB&uS#zԂGRg-:cQnL8F1OS }~EW.[d"/N(L _{.6INn{w`J5>`_k<^nj6ezhjT%h%ւ[7F*QC#;j1-gEs>%RşE&*qCV ƊəltWP}'8 O*4BO5[XҲ2џ_ѽCr iL;۽]bk+}<^~ս:2>l֟WlPphඹE>/3iahQDq& ZUй0[)ؿ_`:%ߤdzGm%K9yC<;AM :bW?4/b9=˽  !0]`^n5:{ninB Q[fs}1g lS̈́/:J &#/i( @Q%I0-,^0>(x;y)w3(R 8ܰ!7 xH8 r8|ÁY^--ŮM(M Erw).v)/E<-..I'+$%P;,&?<<7p5oifKˏ}C0PBz[B5VE~8Y4gw_@{3PӲQlb31tdg̔ ft%z^N'X8J/!}J%"0YXR^l?𑬖ש3ܺF&%>[J 4hEW f); w^K:i&4*Nfu񨉢eX*͏&GI/cUuHk`Np#vN(3 NW6 ]p,-(vkTs>?QYz1.lߙdCi+`pO-ϑl*솓5uSG眲Vrzw:| r ٮɹ0fQsQ0Q\ 9\@N/6\ A6+k ]›abޚVIPH y EjNk7pA%Hq߾4;~P釄Fd WS{ ZHG XqZ75L c 1".P oTHin -χSB'{䃿d.4ԍY@y`24@Lls|_F:0G#Pz' rEKxV@g?vo$/aPS] ITuBN5I)5x:7 |BWq.#o72;cЧai0D;W"ix4طlFW8[Q ÒӽIB߄_t:fѿnS{pK 67۳" 1x2þZ[b8e0WS.kٸi @M6 b5&T7z;a5-o1drlR/( =ܙ ؄v (p]rU(̇n(O<ݳ|<՛B{S.;gP># F%m`ċ/?OcӔ?zrwrs*ALP^|ǦMPǶ s}۸~J\D{T%d)&Ns 5򬒛iSuBk](j|ӑK%d.bSie7nG TS\6PF+dS/InFp^hߠ嫠4MMclnTp ɫ:oD6?%cf8~ħ[ 4?+70#ddԳx֭OSA6ptW6\1x`J*fP Kɒu8FuJV  wd) #:lO#z= JCsUٴ3j^ SIҫ 7kY+22Œvyx- -ֵtͨ G~( ޱAn{k k)y OPqܨѸ/ #7 RsP؛4.P[$x5P8Fy#>^wǫZnNAK*4 %36Nɻ&J\':Ft\qe@.HF"'y+> lzفlOdZ.%|naQb#%EzW_">ޖ#HQ3zC UY:[5žC2,8{gs3L.nJH//V0YNcc-&Mp_XݻFUl10'3{D8sCL Q˧[E+Pp1F*})rOFc%s$NtZ9Bg* pΉ;IӱVDS|RӢ᠘0cmZ%RFNy+S~#%2' PeqI8MH7&<1߅]䫲m GD٪jC'$?>eu7.e![,q1BXï"uF塝FsvKct'8;]f#xo||jƆKr`wL](o]\B቉ SwԵW԰]^_ne51|qo}V`jX:8.`LeDcTm޺ճjaop@Z?T<̶KmXZaX:R&™ן"[)P|Y)r}e4WۼZ$-("60Ktʽa m9ŸU3thQiVe.Gd.eg=9uxGe1f >% bkakVR? 81^W v!qGYH8^ɼ|"Jht0`(n.awg%'aj1!vmIpZ`ȘB u=PZO\IIz( ZY!+]ы 7-À/ysXek.*vzDI:>L砛zn Ɋp ZYrf9)*R(iyRnn  E2YcH@+֮Hg /.ŏܚlB 30p-8ԲdEտb2C=2Ch1ߐdj5G)Eƨ!3w;_=D2^; IPuAa@f}wXrh 7T|E"iy~wAdMV⌝1&-ok:Dկ|c-|8%X5;\PJ1ΓE݌ 6E_в 'ZPl@#0p`Kqeqv<+60Jk4NN{SŮ)tt6y/4]]@dd=ǾRB8T; h^NN~+8vFfStNW+M̌%D.rqB/d-2@#[ Izl$@ĀC"XItFp0!5͖ ;eAOiʞC Pxh 0Sc`Ju"3J'+{˖U:b%WnlЃ(,JM|EbRjb#Faz(QS:;𹞑ֱEAԹ=L|/$9d4`Pd4[ hyMz !m ^zsd>}9jfw샌bm:y#D:o-h61ǘK&0in|cWg4‸.M5Smt8FZ]mFN5=lsU¡0ě_J/D rܬ$1*Y2@mHhsO脀Â*:-ɀdXyZr" [N3S0&Zn;*k.CΪ:,y( .!>b? d;+ /h^e{ua i;7G y:̡(F1CMB@)Ē>RjD=3A5e L!g]G2WNm)LɓΥSӋZ8X]L0Y NQIszY|2OT7Ø<8x臢 N҃_݃8tY&?K6Eo`J1XŠrtԵU)ϴ,+Savxk ebƦ&%m_c(UW (Cd#v\|/Xm\Qb@{#xeq Vbv +lTRa9}x~]Mw_ ?T#|1TtMrwfc}b Rc|NX^0ynA 0,w?q|'"炶-X/76VUs9'VʒN }EShfCYh)Η=:LVE'N&+lԂ*F}/͡*pDa귃wRQ ~06RHiQOQ4uC2 CpɒuD_"-ujoA]ҥC.6.vJ4Hw5Rpod1 Kay{hk4a1XkiUSgz)6Y6/#&rTTW#K?wfpiT;>o!:cD`̤*ۜgt=.2 J0]{Ik{d oXqa`r_;aX%I-£yN9&N`i0˙~~0DY`)m&X5YF&TߍNI\q!'[W1 LB&;fPʼ/oL/r9)wUiMUE`79HrZ]F,&57T0`*)d=N mںP(< Y 2UY{jpd;Nv[xd B I^ gjQZJ:*-iFGėj*L R~`#; JGl]Tm2b2^1(r?lx":+A 9[Ln'pG5%b$_JynbS (Hȷ}'[ 2ehL:qc^awjO(`z,Hfbqk-Aq hdu궆 LfY.z5]KD ֭%1%‡E“ܥW8r,]z|8&Gfaz.9Nb?ey[e>Q5_XT;xDN~2  KrC^ZHxZ:?a@P*]J/H]k:1k%<9~쾵Y0o֡Vi|F񼳭-5,?aF~=9Bvsq%uNa-l˕8;$"J}_㧇czU[G"nEw"8apSc-ru~޻0ua}.oOS];VoixB9V.3ߟ&\|/Epӓ-{_Iw\Gl51Wfzi""?uҵœQ_0iL0=!sat%K/KzCm|9F@ɿojJ8 P9\ ;^^fA _F/ { <~EN5^G6 {5DAQ w쥇i9N|NyH` Ȗ^6,q[v k Fզ= U8d dJ+򼸣@*T `b0p<*͉6Us*O|֎; ˟u w}U qwd$?O4"(H7Fo>AY&KWr/)poժϴͬݾ3ߠ>3 vn\ߪ-nkO"PR+njmqE8.$668yڀgtΊ /T#rM0s(eRNScLGe6(>%7hDƱaȑ(-!Ⱥ^N+8Fܡpu-@w_2l iu "ݬ9O\P @A[(E \Ol4U W? /0)Q/c]D@ FmD8s4WBf5Ee$0;P3]ABX ku`lw&E;VlJKRN.P$hta'/v>t,A2;ٕ?S"p:9ݤ"ыN'`WKdU%gQX#H@\Ahγjs*K-3}GT=1?=Z]nQ/aWtyc ;1็UJAf~.h*X)f<3x84-d:p S'EVAyS&Ue"ʛl.[ }f$oOlWV{}ƹ@mD4)+(^I*kP(jb{4Yd蝹 | ^G;làra5&3qJ)T&jCzҳ/vW,cP=$|w3?3nk3ȚK3b!.UMl9%^3A;gv4^rk @mja;qf=q}Yz a u^C҃oepix1}bXbڄʕ&7- G P6S-w8fu 4bs P2_R%'誜t>ηK Tq^4W|f??7CS9On0lI@K`:O)l XDYx"܅\Xߨ&̑v'M׷؄+Rtf@#];-^8?Hl+*Et7a^3/Mx e[= ' R2Ps7v;voV5BJijbgOU^Я2vcIGWL8" n\C*Ը2%ߡnm2C-g>_򘳹>G*fʪ5vAĒQl4E%{t xZ؛W˸i,$oM?j]SotµԡFq/B -/y{$ x {Xቖ|e^QV膃3(ЀeS {'LWb5| XTr3"}:v%ռ/Xo1pYo3AqeUQS:x̚хxL1L_Msܤ:o(6ԃr]b@W•vťim[A㎘¼Ҫ %`Yg}1 | mPNoۓC;sێXeL{VlL5iN47_>ʔIV@=E G @eX NF+r{pLjwv[U\1)5FBb jzB:Δ(x`$lŞCT/Rxv5.vlldjK" d=a=%{7`st*W/&ʙ7~ϻ( ]s>bXK|>@WqWa%IмoI;fxg3lflYܭ-p1CgwUefmCVZm$[@'p[B'TypwWh/D Q?5C JKRNКWfoO7~ ;D@uN ciW4SDy%TPu!PQM*e^/.k vTqC,"T]qY>vcjxjaB4KYh~ڏG"cmB%j|%e/`+7W&2x˽9V2O \"\Rljcs]Jy#G:8/ _q#ܟZ|ts˟=9`E`h`mQw;H@ÅH3߬0sHo#L&![*5srhϷS.nhR0U~Z눴_BElcP!P2ߑe~ .ܟUMīq3@$[-L9ui7RiUiKj ʁP_T8Qja($Ґ,8"pnKEd "d"EU6QPuSWMG=͎De+C}E/{P /=l~@KnU)%9^N^v"f'FdrH(L;6vCRNT2W":er`8rp"+ׯG=|YV=΃S53@6έVxXy!ͧEUmVMv(z_r/j,^vV789uĞ5I,huvP3'&i!ݦ¤iNxY +ì(3 IB- 7/ܪq i)a~ٱnȁF<˿n.,,<'8S !?VluQm4_;?"MUZGRAAG옘i)Lzha$:5@byU9 _UG N ݴۦB˲Gs2pBLj7jEſ-6}&Bs!f6r”>A,M?ejxB:g^,,091#c$-Wp0]/S$|]>1OGs)qeӃ uA!1՘^r#ˆ7SR :p7.AeCd"U:&@q {V<RUg٪_&~F/p{c/IL z[% =L"\j*Li˜K6Y QDOhr%#.vp:OTy#$<5r'00Ldo*r^04q?YCm d.ފ!ɿ+\s-6PTnԭ(iƻF []Yl6|\\jVTR={gO MIO[eԧ C )5|Gk>Tcyր:$jhߑDFi! ̾l˻POnVhߊ;`zv+$fƩG_ 5ׁEfzUDC Nq|+>9B"LVXOM4_ YrHۡJp̂7˗djXPx@gzP%R'A!mFEHBN|f70uoM,+4go )N,H;9›7 .NqwH2Y(ra%S}|Y+ZRp%q=wVq~s-=nJIV~f[ [AE[bgM$,^cY}‚#mm_fjW%qk`HQZ) _BjJ_fi(pWqftX%SL3P-|vƏC$'t`qh+ zPγB-lmr/QG0njGFWtFI,&Bs~]Q 7pﵽ{ϾKBcҦ#m*ljШ3.^ [GIf+U*_Z bd3,fx3E7( 4ݠns][.xť;?QcuĀ {q;HoAOsKC`´*q3klr \wc3 \0$fO~gƵ9˳:\yyW`*r}g㐚d&wbQNe>-v MZj)_^}dyWOb(do5; òH\.zpR¤K3G2g(nS|1"SNOvQƫw$Ex~aY>XNW-1P.b5W%ߔڪLP] Dķ|Ʈ8-}m#SGè2ejF?iXJ2Ɣ*ǹ2E+y`ž+ Z}ac?ƧY0rx~G&46*Z@,"X`i9EssmUli܅;cq G: m$$VۄjS϶(0CY 2켬+@NgRQ6Eó$lLPV8D6ir+,f~:n?XӲ;OpFz*7}Wl\}]q:C ޖ}_7d9|$0t._ Ċ"2!O<8i69ksڪLΦiˮכ%R/ZbǘB W}Pd+m DŽ^>s6oan"S$ Y4&%&? ~p1RMҦ׀޷07xhn~zYW&4/&Hw{ ^e+ǠŜek4V|C޴^(k=`Cdw pz,[?T^]D!TFlO*0N%aSjBZm߽;93n}<5>>1F &yOCgd_i^`3B0ԭ?"FO06ҳTכD[ ~rz}2[=ȼc 4.F*fɩz9 $V0s26IԜ:]-OHz>s4{&ɿOKQAU8c1WHWJaAkt*Y*O"fEiﮜ0A\Vl`F_ļ{ J?EUSf 4;juEF_'{+,\5m@=P'FlHemPoirk :ZIIpGxѶ`@4;A^t ]8gmE$`8d׎͑0IMDHSgM"1ƲS'˶hhqSiddꖠhcWNxBLB测$̶Gنq6GM{)_G=}şUG Ձ܄NCXm gvYl7)pokpE5M> ~SHW*K088Q,KëQRc߳i'4|,.cGK+1ՅyO\=&,'g}eF:ژJ]+~mE|? GJ˫][?7-vZU"=܈*3DDaR@-jTC;ק9;;Q* {c}Q 08fOc6I`h V BQ ~aɃ~!+fD}VkD;j5ԗ{o Ls(-<'OMm:3zv*'dSpaTt$aW9FG@*]+æpy ptVF}ܮ 8_~[1LZ4輶ЙBz%pӉ0.#LkUg%n=5-~:a_BCSĚdR1jLKn}MR1!升JT" jRtdԠADj3OGJaDLVT NMÑInh#j.Kt-qP#Za,ZMF|4&^b ,@ZogNɪ/B8Sp r IZ_Y80dr_ ţr$f$@΄HK"m;ƗQ_ zyJ(*:}IB y'Gd-=@@;@Yp)7f( Y*:>0j| Goc+as;4:c#`B= LÀH3YB.I%ʄwk6OCL`wb0<'N#&iUdUvb%^. wa=DϮ&C{^?k,Ա@WC8OPM9&;'~SF+?haXǸUMaLUّ\ q9}ZHV׏{ګi &d~3bDQVba=L `b;SvIoK'8r1U !UCXk9o;Mi+o̫{hKiRaKU/tZI鬥h4hGj#*ڐP7>v9M6Ƚ_4U[O{8Ӭ^1*@#gMlYk2-sɎ bpnws2c}f5O9 еMyܪq^.6?¿2Qfe!63dhaϘ; id9t >Ut_4IkqwKl8 XpɶI5k"E'nʋ@}8efuQT!QS"xRa |쫮%wT4Аl;q`"{( .kU!85cKSE>WvIE&j2R g8i-Ubωnt-Ѵ2 A'<^ ę5.BdW`=^PbX^K۪p6Hvx˦kJNRwA^T' aGU;ǣȓ/1q>?C%<@Ax\[AGD!Xc!9t[ Z7=} kƓA݅ĹDCi̯*s3Lom<%-դ\"ޯ%g%=,-(xW _ay$Zud l[oDDR(\p0+koD9mkKr4<$.b[ ɽYǣJ|?`؟iO\]dQ#* dF| n1uX+ho$t⬖_#rgxײ=0ippYW Qʑ4-",_q_͛S`E205ȸ#|X~_lU٧eVTm!-O#ߕ$hϖpɯ^ܸPHsM8R;J8*nﮓD': 3vg{Pd6<'*5뗓reEz@"@$0< DIL(t;xء<4B[Fs2?:zE>$5%,RZ̖脝Jn=ᝀW _k n(V:_ڏzbkE(/ GN)dA\yyuQA֩sw[L^lcIvlLb"1١oh]<;v|sY%y t2\X}NShq$U"Y~x hklՒ?' kԉ T0HHŷR͜`BjZidk2<,Z wO)s`|ƿ>]9Ys6VR]Sb*ShjBV3Y2q$;M1w; $n,Ƥc"Y3ay;Ā-~x(uc׈W_|Ld?ޱ(YC0Loh0)}_f$ 3fY:v14.O^h76TO|6 pjK ,{DZFж1EYp0Ez95e yAE8;l %x1lQ1`oW7`7S>>J&SUF /WՕ] S0ګ?)]߹(h1_ h'!ռm[Bw3M,aw;·f|@6k go\G^ 9Z AFY4iOÄݧ8x2+UWgʼ7ܘ90}%3m}%{Y!% _ejXxB'.-e"(r0>wCyDv-m} V`0|9 eLtL`els2)D bRKK~qrLm&g70y-T=X:Si+5|:f8-o)a,$/T=NQJ#&];-CB1vWfh#N_$0.M !J5qoalnF1y7IW,B_rw@jV"~6d<~fCh1zzhXӤuk;ްx뫥]w@CN KѤL*8+W+5tj CqP0`:e,.>ɶ8jS2a.oGCi:[7:{MI M*kD?EƳsKYj*X%lh :ʒԧX#" ew ,\Ѫm%ȞCR~<06 (; 8J! %~Ԧiil e|9`8hG @LSg;L;g+z$!ɽ[5m=7A+H S,H0wk1N <я q3jМs jWFy̢Ef_eQmwQS@8uqU@XTzPO+[rYamOg۪D-pZ;*FOAqD6w̮M0)"Z.z;ږ=EZAO7rp١cw[]pmO!(ו`+mlb`tMqj;mA3!1/ҪWPK*emHmR@b+*6*V*K=Mb Ƨ̝Ʉխ~Q"sFrы7Q/&03 (ҵ3?uu* vO Aكb5vRZ@ cQwti{wdPdQُ_!qA}$CzNoSJbAqLZ3jwD+\U HĪI2OnU1ZJkR'FhӼ&*/C Ѕ.E 9>( >6]A~Q/$FhF|A5%77?j<8q&JTn4Z{Yƅ wr wfӻ/,^dE"ʌ+H*mXv.V1:X!AH/\u <ܜ'}%P$6'™SKQTz!RЂP)##r9>qӫo  n3Ԃيf&+`k7NLD;!HR&3>fIټWXGo^#T+95m,[+]>+XЂY3F@;J皩 DOը)hp9DLBZ}YuBׇa91:D]'EfdCܞ@AJ//7f4,Dtt_/y&4RDJv ;? ~!D)yP>~zG=,'cIi_vIb)pUN,{Sϒa1&*yrPEZ%xBVE$Jh|R?5'C٭wŸ'Nm(s` J Ͳ 0(ի#zӰP(K ~09Gݸm3^0Jn;=o㍛&Ǚƭ4\j93:{id"CLl!'s֞^;7Zn.A7ic{Ɨ]gXvN..ʹsێg<*j;n OXr]Y1sUL{V;vU,-؟%N߫)ԡ \kU N@Uk_}!HvM(G!_ ;bSžyl#//S"]c?kK{!h ĹMFEjh!>בth7U1q<;E=cX3nD=Ӿ!k|gg| 8&mP3,hODl+0 LyDKY}]&ĭJtYYn/gz Z JIX[|MUe8=_4@nH}~nApM W~&kI3J4,[9DOk1˥5 ׾MgN=8}"i27~cڸM{ CK(A7OXbӚdD<^*]㊰g ](Y#uqxUc̮=mc|ת3kѻ@:;,ĥ->J ~cՅ +MXڶ1rgRJ N$MkvQZ\vڼ{@AVP΅=Q%MĆl(YO@~"1=-S`(k ;#1>8>Rb֢?v^xsqOwAdb*{0N\ Fʽ3U_6L%MW>AA%ZዬLVmc$v|K\^-Qkr`vfK\HlTGA<} ^kXӭBڵ*˴w *_ ".Dž4bw<v94]b{jQxRT :!Z9>:9IX+\|b]*%pn!_#oQɜ7&:cF>2F)Lnfډ mǖcZݐ?N E2k|CD&0s/Kb G1 = տm"v3J_^}Onը]orsWD6?cDvw!F`;VK" =SpoPxLJ={7 :?B P@T6U !> O\%Tcr7)2”bh\v$eʈ|Y*`n^,PboRW Xk`ᔎ%%bMڍ/9'c=YUM Đ/n8 <5P^!0d9K*Uu&WH[M'uo88>-Ľ(1}_.vJor1Iq tѬ.PVhh^) G֢X%9鶣$G(bS(*R'B(r0*F!x ll|ݱ”6̛+g^.Z`v60pm9CSSۑZ"}ݒ#)J9TJ]PJv/W!qBgS`V|0۱"P=v:փJDO}h}~L#-<ѵa<z%ڊwtpaK0r{1/e!YB=w0Zb@B)UY>+Ӗُx ct+V7~ڝ= ݝMգ`*zSv^Mn$xm5Uɖ.iW`'0feΔ$rKav8:Y(=Uۨ֒(Ŧ}ڟ>?Kw\eQX!%39^R-3 WQ!ia}yt |LxqN ZBoͭBTE$(`2}_w ޮ RXEh_!}3j.D>wּn@]{-0(& ;U-Í7d)3@uq7.va\5Zܪ23e3F§wbF%XOˆ-ʜ]6d.&(;s9AG[lU'_+}QU`资~6#Mկ Az`EpR*2b@ֱ繈>iA%n0=I:Bl"bp⍿+Z<⟑#dmb8v)dKt,Gh$P(@wfFwOt^̸ D\gE<aH`Bh-Q|(3ɞ2}KAQ:.lۃqzhJRqae4* ç^ZrN /u};8*_X3BvPэSETJB8;haSHqzɾ-^mCI2و: g8X{#L9Ze8)#Px$ TQ 7~Vh( #̵kJŭ ".>I ,0EdGw\^¨L9V+(oȵF6Ml%GKp{@; Z}x~]|ܻ ;eXFtmS/??T;m 8M4.Q%Ik1s2һ_Ɉ̮DgKLJ+yv;<(mD74K8[%*klyr6|:;l~c[ʰmnWULBe+"ߟ&. :LywϤ#H# Q RkQyi6=~\?\g)+ }ltmU/Ψ@%]R介_|v0C3Ŵ$ݩR1pՀ@0Tf=.ߘ&CGͪ~ܠo cl/>t-F= 'lyu+A p=y!1jxwCj2j%cޚbNkq}95oEzá a0ӲbRIBW^8&glS*{ D,666}_{db ]5x1(c\.$HK"0S tUcQKs*Xd1BWn]U}E zγ ĜVM6q?,1,t̵~/"<6,;  qw().Ѿ6+ ÊI4:v* P>.~.,`8-d"r "I-,<i@)"{q~,c/i;xbPjR,%D`g>h{DbRb9`ъ+DŸh;Oir!jh.l39=LG?Gq61#4Ac%vh~8"4)퇰l#Iٟ8xR55[ݱhj ar[Rdh=Sܽ)XMD"1y6 m>8iv|xW篘i 'o)jl /ROE(BY*L# #^nČR1%ii֟eu[: x_R@rW$́@ a@HA# V'2̠R)T.0=?_VFT7vE2uhuޢRGΆ#\qRn3V{wx#cIKkQv[8+r2H(WDBnIoߚP* aZW0cUǜ]@"D#Mwi. 3~4s=ۀaBk~R@{sO\6$sQƵ/_[#h6hZԪ }Q!KgQ!st!c'_s.tLB5]uu}&9?YW GHtMYLqQtiV\c`˪ˆZj jAcXә%g9v&?ep wKMCk^>?W Xfj-/RuvjHSq4n rZa̜=?#El<aȔZ |S-:7CDӆV1MNhpص.%`Zb-LU{3*bn?S6fr= ]+Es&sWKbU}s v k{!YIޕq jT5WzkEp@tb0U< wIs@=CzbL[}/6KL<ݒ=xDqeh `^f\cl1z^k;rB+ywv΍y`- xQY߂Zʤbd3n|,8U qe?JC‰N*8:by ;ǺpOC>E6[@biWG u-ݪD^ϪU PǍ}1ථ" zK_GHGIAo#N7H H3)+C ] ò+e`x?aY=ӣH/_m8\55`f,ŇKy?7 bʛ#AjegJգU' s6Y~U'dګ f|47IQ+2ג'JIX˝njM^)N׊0R"G/K;Іl-ihj`ݜ ,m? .Te֖AYk06Cywg)zEW˘#{U/2"^~L]eOdP%}fj;ʵ "'T'R_\(lX5^^3/)2x-= =C+M$'ۦŸq˱x#v 8Hw-]p nFWr/>'4A&SC%Px3gŲTœEXXCw`$o[}|SJPSM3oK?_Lo vAJWFvC<֨"JH80ӣ龖.2S}tyvF/CXt.̱{vҮqEj *e.%s>6 nt{ JKgTSnm70uY %HfzO0DCd+&6L-Vk{vqYkr vߑp>{N^ėGf3 tsՄCGewF*JպWG]XMZ¥o/u-bqMC~kG~NRTZIen^DОG(ߎA͵ehx@ t=*ˀyKJ'qnN"SRѝ[G=B΀a F~"V)-7ݡHŒ⤿Kw2뒀Яv̯?'IFk[_1! ^?n2_8pUտ䝮¨{d9V.U?b1J5qjJ p&i/.72ZXXP' 7U7>CْAtw!ac#e*ۢbO?/d>sGAiQu:{y[Cst=%,UEd&aXkIl387TQh=41|kf7Y6n&r{K%]`4g:%mƸkZ~ˑDk&+JqfT&݀a`t(Rӈ6͊x0ɫfZ+G9T`|euME":?j~iB7y@/c(*oa^ %nq>PI"zc Ty*po+B^28܈`T~6cC!md/faULbbGŠN0כY0D`" +lHpftxx'$2b ĻqZUlF=Pe綫FdW2p@9ʱg}ߵA*  ff-"$T!HVSкZ6& R 0IC+b|+i)t;z QhyOڬW7eIcZT̓ UO X#֦xgzp\Y+4h˶()"oE*J'Ⳮ NU U.qjbxt#G@T^"ĩ6tb_sa%:H[@˘No:'H6Kon;&,s={[l=(~8 vå݈+{-N1ݜ"^%=}Q#{/n4Kᖊf87Ѷ%}l̘.N%,TƇXKG_jcc:Uo@D3 0G"+N$R@x!*LE;'NHOROtfV^0PZ顝6賫V>Mɝ%@k;?;>"Xgב yp9 5X|ƈCt-e# Drr" 6tK2hć.5ԛtưwpv d'mϪr01(k Y2ytDvSCH2`Z&4+*. wu>e/$&/\,P:]=:2Agn_F5aWa_ I6d єFm4iOB7U3?Jo_=ʡyWz CM ɦ.7lWaʀ G+4zx=RNWX !'N`A$IC&oCx0EITp!,>f)kԁ0뗣;wXʹnM(݄J) rrF<ʔ+itw̭ˀlShzͫAHG]Ǽdfjg!5EBZ t4h dwUQ](;,wajն>ҷzo1 Ti0E0OB4I/7'5,clBq U>~e!)TYP cXצnocPNqU6)Xkx*&q&bf$t0`?amɪD{fA \I ÿRu !8auܞjt iGE-hDK|8_7$az}Tk;{eb` >{]7D5="ptANm;IΉӨ^%}R.zƅ)ܵqQv}Zv-ϕᤗ] aZۚL,xDZjb૫ڸ3$^g9=X,*9\6R$S=T.FGy4~N@=e*c`?[+S굯hvjSl*;1ZT>)C^Ek`{u7X- @f^*/|'@e1InEZ7/i>_|2,y!UFx}ݾ+,ajORNC>; ~qGKjDP{X%&B\7^ɛ /+O0dT'۲-a;pCK|foaEI,C'л8XҸd\5:^aF5MNYx ۊ=whtv0kSN $@俻u Q2F Ӌ@>aF}A*$ltq Zi!NdVr?iGtLTkQyhKeW Uzݥ euoL5[Oü pi =z_HnW#CHB{ JP :j { e6u$һŶ-VDܦm/zH*v8R R)8qI^2'96=~4ҭ͝UC6C=(#hC3ZbgŢ@hçkE jx;?=˻ҼfUb%ʆ)lQ'Ӓ5JgR$j)10w#%h6rŻ2vƓ5qNtOE v|mO0+:VͺHF $7x, ‘ 1q9/%<#u]vxv|[qCQONJoɱtgO3Ř+hqy̛[e %h¼zܲS s GfpI@S;*29>[g`:cNW|@"=u\lD)q)$fdz.򹑰4RW]A MuW$;+$ TTs32 :T$'ѕh#a05o\ đD1>PWN/WV@哈t;z5{("9ɓq@`:(>Zֳ,FЪ=:kvc>"hYK4R LTAPaQ@oSX69ZbB%^=B ʚjIc^Nzc&N5x˛YOG틨~`̨hY-DZIP 9fȈ+]aS&968YP;0za+0/PLCkߺQɰ :AKHvvCj:YD3wL!]2׮(@ȈSƽLDZ@qu Jr7r0Q{ A?3S٩#yΠ@Xl޸8xsCF(,k5= RmF{LӉ+dVU&A[x-\0Ҥu-{1kkMw!ՍtŦ$ n]Ze Nl[z8-*U[s bXa`<|ۢFt_Za/nV0+~N3g5ynkiM X+?>78#bթ.ƒ};'74ѷ jI.nI.qO+'ٰ-|5N "*jDvmB<A#Up|inNIO_ǔrcO|jkB_]~j;ƫ3m@_EC08-f s?dA83y܆"){`Fk|1ʬsWHFEcҳpOP2~^Jf6L~[AܸlzWiǮl!d!T4JY)_ iJn&YXpHbd\WAyӐ H>˟F];jpP"Rͫ#,!%ܙćWBX,0;8!hڠs+0"-_5jDYR!FcizO5yLq$鐿¡l{]U53c'm#U.% 3)%؝ {!oŘs)!;:y_M3ۇl!(U0h`A?%88[XBA ;L;Ȝg "lE¹1_,u˙45jvWyON>/A(Ϳ(Oʹ34)v[~"mP>V3AZ~OΦ'ٖmFjfNm񦎦OI+rGYl澀¿b ᦅHttjCSVWGjUi?5sMHzJGaqKT(ao^k"~N dЖ~&H/nOitgT>U*L=\,Fu9ِcFO)9i,PeR'@ ?k 'īb hRqK@( 3%t,c<,867LUq)2t j(i}GA8JT:!<#a :XFm98Ĭq[/v8 87 {fr89`YПCJsILn0#A@碖!?`x1b9ܢvE =zX'>D2O/?gGY>.C[BXEݢC Gx~s.-ZJH<9{5eG^U_wcr f&9i"YWCx%Th4*\kNs1 k/~RjFH_Xl0P4tx[$9]5}rm~2#, mDGlj].>!amJ(\DBeQd#н'@g l=91HyޙzluO'(,U{"tTp`p}꿈oPAc!?'0a9mb&.G.Mu>c؜4'>!b{Z\GvU/a1^8 >fsT421q<``" `Oj%.]$.rL_0^#" 1(k6,:!"<7ÀD8R@b 2F}t֡iB;֫xJ+ZKλ{ R0qN k@JӳN$]+[8l*ѣRIū7eg2׼s\Qic$@ϨẒ~uAèɨ7ґZ~1q~WEP2ze>K *ygb`ox}\ՙISƊ 3"z ^Â:>7tZut\X њN @VeӆrV_.k+zRW`ntyu*&4B#Ԧ))#2JϠr³ĵ:J҇UJ7X QOVx/isK DkQx)ժS}Ryɧ⊌8bM7)2ƥ.rHs6r]7@J6G^17 $)%w^x2E=<<w73Sl;`b7D8.-kBqO٢C1Βҕ^:JvSvk!Vye5n F3]Tߢ]#Q|Û`Sumlv1yD5Ϙ&?deRLX'4};L7_(wVpQ`]^cD0ܦDPdvwc\.8#Tʵ_ C`tz.{v!X?>^痒[(z ͂k(j|t t3FEI"L.z h{J-ֵO ƀFi[ˁ|"J9ڇ2 Sr—n*h}gr\|&<0Qj3jH+'Ⱦ@b/(M,= rif1e|ʿ+A:Y,GsL4yf(RtEj]#+ E?͇ p$(R%T;lY;'7/paOC#=aW/Չ7Q'!`%2,"dnƇqH+9xW6Ͷ?fcy-tQzZn0s9 bt%G7^ =Eg͛"&;ݛir'ޏ"՝j-w(+Sxk_dze0Kh9z `C |Cm_j -'tU=n|ˎa>ܩ ɆfWx*'GO]blcM;6 I Y5/ ӫh˵x|\>Ј4jBeȩXe=HB^aN3O?1Y鮟6>ɰTw7nbhDf1[uD[Ib;W|c{.Ʀ/|0IcLt :^:]h ^yb{n@ÿ0~0cY#Igu\8L$)#F(]ʦ*4x-=kZg+@OHKnq3NF3| cyuO{ݛ }kRfL;e+^I|bD;a==I؝\<) .B VF›'vO 4%ʽm ^!#n HBt3L $P/o{$S}+ vN?+NncV-:i{"GR8yEhp lV<>10>^D YZYIkպ 9,, jםCFP:$ğmwX@,n6 )`(psQ'iqk'=  g+uAv Z;,,E4+8bh#uL/\'B6!^U8jZ>Y6Wbfx3P?j'(tU/ HX'C`CȪq@zAgc `i$B~%J7>0pxX@LG FGxlӤW#MQm]3u=QN s)H)j@P+)vmv'*(E9-d<z{)bPU xFj{uA)puK!`;nQ^"\Ѿ?)g[MC21w*<>S9r{KqPae:&"tWRõt')FPr'OwP#gQrt&#o :躣V= K5F6eKN;,jcC!K*Ȱy솣;IKm7{Xtdc![&c6Kz=/b4hQ[ m6K\Pi0NʨKP͵j@W;@RC֐bou6"!{ǿ6Q *("1e7# h2ܯY"F. OP@Gg' ׈4FVxռMP[+)SU>:hijdZB7 S`[12o5V4E 'kEyȿ XYEjs؉%f0Rti+ f0u:Y´~B[lۗ"ߍe5_>BV+V.yMF/cgΜ!x֎l+rJ`oI,SϘ;o&).De g`e^$5Q^QT)(#ӛmmݑ8ʂϛqs(_-x (`5D!*`iB>).OƔ?8p}\ikh,o񄗏y6 4<8E=l9ե$n/ICW;_S|(JPq\9Vl1ʆ[ kSFhf&rfP-OlUd$C))JYLc"v|>6j >M!asAKD˶0+Y1@@P]v0`\u@P(}Kr9~ G7s79*Il$_;J0R`WI̶N3xrI=8Ql_Sin;} ;L* ~T¨~ILol'x? mG W B‹G^[rY;Uc{1| &WIJe_熣xv-Tg'#DUQ! ꚛyy%IV4O+# !adWYO$@''KjT|0 tNk*hESp.&JQGlH:#` IYp{p&zbg kc[y IQ(*;p!R: ޻ t#ǯ3 ]ZY*5#&2ESAZRҫIB+#,C` y4#0—2!俋/#Bڦ Kp5i.6|C`zM_Kn v="T:%.xZF  wmr1f*S@7mmncAw!6GJS2 ԻE-e 8V}MBt0R|e},K\RZ^8ҸDĒ`-RM^S,~a$q \R;tTRj%{jn&Iz#2MWC%BB)Sg7-ihʗL,UEYcLהo.AH102 n ԍR5]JK78|o)&'=^|AQO\2l 66WQ]G->&6G!Q{BF[$V?`Rhv%aދ]n]`ft^hwZ zD͑,=@ TucImu!n ,ȳkUy~jxeκ qk㼜SUӟS7iDNnvj n-f-|D\yYL79±MW#lBgl}pb}NLP?X"Nizt>0v I@\a980N|l!B{'FOu#4T (eմ(ya!ptm>)(t 58Ȋc'(>~'c^B =@+!UP8T*p' ƑW5x<%34$F43KH5W:mU$M1)x/0Zd2{M|@{¥` "<Ќ[_;>mGOEe-۾i3 |;VEj&:4:''Hk}9@wư<L>a]VtB'DBwOAE:ҽ#rծS̏)U\ In E$s52ZR#z_Hz2!:̚,W(aAvR9NU3F 5F*fhw3<>;bΏ*wr%< =8_c#?6[횾졲y(N֒)%Y'-{&,(wD@U!~eSԘmNT6QU1bhG# V=^f]7F@wĴ5w:}_ReUVD{a}]kN\PI\@䮑_Z6~.$"0﵊3X%r.''숥ԜvFZż@K{ Qh:9L3բ'<r^5st1bQ*mdThe>Z^VJL̀)Ӕz*c?l.Kt 7lrgՑoZXiOzk&f ~ 瓉S+\WAWOUs~6Fu2[@+"TwDi~qyf/K,N}ay_CS`/<~rmbN{8IW+SdA= @*N}[5 }dY +B>v\1 "@άQyQDq>S^\aXu+rF؉Ť01g\>2vzJ4#Yf!yq}b%-;I4&1m7n\N'+956$DRZ:2E,Š"ˈ{ X*}T(}vmceRO$Dpb&:S{G!ʃRt/$pPCO3׈VnC0ϭ9ƺM66ѢQ)}>pMYBFp^tgʔKq#GRk(7wt7w*<%4Oo?7l+e~XQDYޓ3qkMiQؗt5J>&M=^:퀤_GʊeC7[h3 l4q>F,'S+>m)JR v3JlJ Ѩcς}7؉N`oj/}Vvpۈt$LTs՚YȢ;F2\ѐgu]_qӲiϵc{͎#"tS9OƈoBxfm0xAx'(HZJ*mo? ZbGJFi4⮜`^2fN)GXޱpvZxѫz%"Pc215uR# [XMuTM YY +ֺJӭm8i350}Hizi=8BgguR;a=W :qJ'Qc[nm>h1Z(*K Ah'=49}%OBO m.W bym@b^'VNi\єȺqZ\ĉS0rpBO@1^MiR$! ۞5 h-`cwm9|?CUNAn~CX\_.۴}$%{uMnH'~-0>|E-aeq`V+nv(qjFEx݄Ky(ĸ%y*l(x I M]iXE>l_T~(35ŤgtnsJM,CN@dHmq*lF L;ޢb>9<0is" $"2baBKkupIcx+_tw;5T hh޷٦S-AWK<10F_M1R%H6y1;ayh>{x8qJ: esO3uvFDuxvz m J LѲcJ{º,d8g2 xel VрP{ߠQԺG;mr12_ШS$SmPŎ'$[mҒ,服(Ѻ#n;#ך1{ Ӿ\Ћ -̨d&"A5dsI 6:C@WvrT6PpPROMR(Bоu0fB4EQu<<!zG;hFtaAeF L ҪɷE:,tIO_E ةFO|nk|Icss?a*oh/8 *Kw s>d^5w9'6yys5ǞeQ=?j[֘sκh;) No$(g!=MBO׮l4-=xb . f,6-=@;P-3]|Xql0k*.!i2hQUGk8Pc.1cp*Wjg+C{[:=D?= @&'o cMpQΝ>/.K~uuu2qɯʑ,)! if98Cdz *tA@ C:ܒ.`cݻh[|+y%б9ۑW\5#o-ꈧ ` ǫ`ri#V~/ )[>7A6 f[\է iLGMMjp!+DAHa.Pz`?aHy UKA2FOicHDe5~^w  ʐ\z ̠uUdMX ewh-/#}?ʕs`'I }q(Oɚ~DdE,Y}96|~O+6&3 h$lCXNixV (2~>Ed\;jsl?HfOD\87 Ye_^0lނC'3 9huve4{`vv;du8PEH6silgw#`.0KO$ s3I*&[x1+'v:ΛfoNLpICkFS 8䣞77(ǖ~FTAFLb"K5WR$My vFE$ˊ3Lt^6xVk$B6[ ![A Ez>V _ G|a&])NB2Nu͢3^\$ q&8\@Zo/MsoSdͽ7~'E8"HnHםd ={M?@[l.C&Hϒۙ_xs\(UP x*NؠkXcA17%G.n|}jb\ΰBJ68 w3QzԯUY79VGA"CXMU fy{vbٞHRrN$cr_N!g@%pc"lmcx8,ƖmҰVP6tH÷;|ȏ{4* :ݸ™rZ^_i?8YWftcMcjz=@E(vIpsw ɢ-Jewv] \z}y?Z7hH0t(.}e "0KhSvyrB<趎CUtwlgVhV:[V", -qK8cH3}[?EvA7vɼo^ⳕ~Y ,k =!ۿôI'3K"ۍ4J6u1t)S;HvyYU#6O$7?l].9T }ovu9غU5Sm+^Uc+<~N(RçB/6dK<"[ wp)]2#r/y=^R~]4%ݐM+\}^:],{0s >Y:bǂ*wak}{ͩ%ABWsTJ2.B;CM7ÉI[Wek!!ok\ HֿG@kWI'7euAQȵ=JMUVmDh3&U/mLmZpؖusDGl (,ȅ[]eD0ZQ IXB|@ZY4 gYW w )8-I,]H !G ~;Bnۙ pi-iwG B)yyYZ&;Z+zQO&r(p7;3;3sVMH56u,Q, `NxF%PEm<2+pxЈ A]Q絰<]n[l"+ c޳=]G*D3C_Q(lG10GRxfZ~]4 9VU lIcA <7wY2+MQ%M7 @Yf?ܜɣr|.|ݑꦀH*F迫 w(\iϡi!ŠqŁj2( lJ|6k&=t\#qStT(,TX"f*7K*Y<ոJ8"awӄ!j} lwEتȘJ@9/dr1Jz~CK }ʗVd17|ӳPd9Q=HgNs}6L Kk mq(쏡wNs|arTԘ(&q6H7-u; 9;CcМ;NYG1bH:1*_ g LH= ؍>ZA=[g;<){6Er߭h[$99[JNCA!B9ΌKWR`gy\[(ə UL>`dQfK=YWop(I4ub=KTt6]L:d8RJ:P2e$MyOvuQ6oL+"kYQ>Dێ!Eg#QA)]6oRrG|kx?29 + (|uZF/b0Fl^;'yjM t@ ;4!_D(zz sY{cQt8yٶ1ͥ Uhgev * \5-!#uW7RFg+]°eiN`&4@?RL֟ XrxK`bwP3N }=DH~$dZszv)lVG̕)1h 8Zu\]i='?q0e3? *v}_eaF`E&ݨa ӎ 5>wUx4 e9yo'hY lyI{vZq*c) c!ˈ׀L$iЀ B$:{t#-֋fj81`>!NT F^5({Hݗ|3xd@ڎ/+(<&w?~J] 2ʑ|{„Z[hI-hf6QջbȰ؆XA P& s ߒV9zq l3@-VĮP߲ukr2^VJYUX1$ʞrjx4`HSљNiLz]`KՎE[ljQQȖǚEz]q@!VsWrD:+%}wԊLCTӠY >YL=vje/UG:"t|s H{^0 ;>P,E &v[k&Ƀ!bD|;Q\W]h>=jҜir|V8MaedžxR|g/wN?0f_n=oIrٴ#Qת Wi?7&d)C۰QJ,"ۂIoY؄@PSy@9*E*1zwO2lh8,0Q`W:Z vt_`Y=x݌NaȎJ$Xo} @/±ooV. ùH336^IVc詹֗@~$'` aXVy @lxOvfZo}\|jÊ:nZ~R9 Ս,3]qE% 5x˜ךcha fYD7:zl2O;AhODqF5)XR}͋ޙH9NBT'Yv3Od%Z%M3y ?cφ Z^ R^IL*J!>^fsbeafS@1KUM$n"} 9}(RNpӪM+=OW/os e][ }pہK;>;j $bN.F;L\ SӨ*0#豽@OٛDv`l חXlqYud^&]dH1_{&k֘:' *f?%Xh4LYͲ~WY'PA--)&퓉/7Gt^ `-cIÝUqQ& Zk=r% ܯ( M0J_JoYFk,>!ω4vAJ7z_+}Uq¼F&VT4U ױH+pV@$推RUEkf3_')d s­;b2RKpm ǁi5u$ as,y|Yxh4U4z~l`I1?; `g,LO.{)QyG diI'J/nyW  Aƃ/+(5(|nӅz5W*F%pj-M07Y?D'J *OL 2e. d0'Dl9e[PlVnvYSܹ)wz >!K`QLHHN$M@L P84i-qoRn-_ivob- C+ރP~.e?_ř$*3)TiџX@כoOrSlLWnbX[l=U_0ULN[JF+! ]џ+jp]ȳ M8o_sZ}I-*`  &|~WdΠk3Hܤ!Ze2%Ӝ0p`-쨸Gޅ vRh֛ w0(K(] [&B 1%rODD.\r jt|:02;-UAw e G ы{/tNʅ7 m;"jK?pɪ V6%I[?Ԛ5GmjA5Ehב4lhMSt7`n8JE\] xٞ&Iz/ôZOܨkJҿzr nIUăkf'3ɐim4a (#l+<g4tT^Is.KOPtǗH95@sHt.t}$nυ'+]?xcCqcdu*CxSg!'3[DGM kI,QEH*BχDt'7Y^CC:yz>I ^e3B;3/ ; UFB}w~-eov4!6^\U W xt[ߑ m*ZR&?YpWcD7S]1VwJ,dUEc56Y2ȍ39Ӕr<_I)0ۘ$>GL@DYl.m}G j ÓN,j¶U,?[7|'iɨPiH)c=Cn ͬ0[v!Ƀf_B 6 (Ξ}aRm+wa.CSZfR !;,JϵT7 !sNFGsw,#@ .<%"ޚ^ dr(v2F"srf$lFkn첉UD8](ߜL"B㣎-h["*?lSx&JAn9Bȯd{gr9и>JD7$fF[D"_F\!V(A7mWOz5dO2K6¤TˎAQ܍%$?ԉb@4tu.*i?&fc!Tb&yNTke@a}l3mb,pnIq>J<5/{HX,$Pd4`D#Hb"Y\@onBݬL\b>2^! ;*#'}ٕ# }>̂ {i_;T 4~ϭCY?8ɨv]ub.$ʶ%@EjcS *0¢KEe;abI%ɏ%)HB]:ʃ% v;;~c:m H6><,s{ =!m2pJdp4WytQ{Yw2MGN2ne U7~žQ~EUbtbmw/4FKMv1nkfQ؝ ݘ+tL#HejtGԳTA]] (ͬIȺnEd^Jkƴ$ȅݺ7iy}6?|a+:qXfKy*;ʭ1pگ'F'llmGx3zZ|=N:d;;=%7䶺9.h&Ll| phUα.IAhJr-p+9` prh!L8VKjGx :P \= =Z\Y{>˞c-P3i.DB?CDyITmKGݬhDMTUNԍ܊$U fLCakk;nX$ ͪV8:sznGBU=ϛ L`ݣ'M"<4Q6X>C;ɗ hR0{5{J=5S%%5PGu+]sу8ĬyJbSk\^! }og6Z{-B@WG4РޞߐXtH` mm6w {[=b.Kj}/Y~H̅I3>\\D\bƐllYS5H,}CEw^\>/F$FͷB2S8\,WS( 'ݳB(lcwΥ t@#0/Qo֝I_*;Y,peve$*WbMAqbW&SR}FwTI0n<-ћj*j bmG>>eZ sﷶjԥn"\#;Dd]`=,kFX;$sbF$y~R^ ?1rڜUp9;&Zwo*(oZJO_]z4k]}9q.Q:Rq 1YVeeXffwDJ ~! 8Q2JgS C1ﯾRkIK?@H[l؍+ͦږVcun l ow&Dӽͼz If /ot+40!_GtNj4^*&v~~K'n&,|t1C,BeޮMh~94|O@{~Yatn|${!= hՍ3M;p[JoZc&qe͞[0h8-94lyx!2+QN0:c*iEjgP[8Zn'uj24\ӏ\*ZX 2`Ž xg9+.H!B|\Pj@ {ٞ~ud,2WЦpxNmh7Qzc!Sm^5I*Lm=(V-^ߖspkKh'cB85q*^"؟`4̆)ۄ 4,i毫r3-6MzEUoȴ eJFIn"蘲[OK#vMk2զc6ȨFz޺lhP Tj-Yn@뱭Fs-P.h-՜3ks󸸅_is2vs;|K ?rN,,X鎁OTy f~@,WbN@rW:Ւ3ѭl)|ұMNnuעs^o=^I]1' @`Ibùq!G iFU0ŠĵX hewIy},~fd?lhV~vaXw"V8 el.mRQZo:T+1t "IsڻҜ2&!$:@6A7*jxTi(rρWi XΧ: l0^ ے*E,FYz]aj#.PM5D-μ&޿v|\wOc,k3FDb&C<|8+o 2s\-&$AқC?P_o|)#8n > ńu=~2ШI -|K# 9>و?Y]9cra{L){-mo}a[%x ?w Q|+fb2<ɰdnYv8[5NTI^^1KX.2Dq5r~epJ4pc""",Q`}o 5tb$቉*tLz%NKM %iūTHLhXUڄ2F3ʎ?)S(3b"3Viu&~ĺ@f_Tx)|VGQ ?ԃtPZ*r /kdl5˦WJgR^BA̷BfJ.4tFjM* Rq5=4Zs_DA"* .>uAyH=5Xu۸A.Fy4.}ȎgRѥK)} 1p~kO{g<@\d!+Q#{.!d.n~]PR^20pQ")]GS oSJ9dbm鷙XоO밎&֡;"\{bl0HFG3hijcnfUFȬq&&Dr֓j`Īyh A3m+P=+Ll uݰV+)WCL|Y},u}kZзB(ueyrI9fʟo%Wy2z|"B۷x|&_8.5 nj/R~}x򈒬S׆L,B25銴7(EL_ K C0oXlZьAF9;Nkz=wM'ۧY؋%7#3"$v!&V*>ϥpi+Zb00Hb*f)N6 H"M (؆C %ň_(|14!hv W\ V\^&HX `T 0 C瞕hk<|7ۇ7%]`3CM#Əh1ߩNBS7(ť8ǎadb, \Wq(L&UA!1AFS̤#kG6"'cY9~a=}&EĦ  d#( {=m/+.uhV|uF~.5*2Z}4{1\` |0Z=fZ>7RÉw KPow`()0@}dj&~Qffr62h$Vaztj^EZ{)-lU_̲\Eh ;G?&k L(:S'\zj;hx߯Z$;,p WX_tKMڍWc/1fM%DT11];{g0*>kYOXGk@ +Xrt3Ǟ/QexLr&W \ tp;sY:ik{ht 0'=UTdH}zӡtǭ+zr5#*ډM,0on# ;war&<B>g>5j]~D6V fbl?P]h"LW߾6ϽLYzU5~a\MㄈSO)3>]prx6<wHgƐ4)wIZn3N/!ȳ)Db\5(&6>kU }BK NP'm726OKX+(Ud@s݇N J:촳b]DYr[*Ji3F]`yPM=ì-m^T S &scդJc,R+\jUY>WV% rFXH5nG^)”Ÿ>UƬ@K?CC?]HR Fvfڃ8 b='1{9O؉+><; l9s?C*_2G.@:̀Um Up x!&$ESmvU<-@;V!ٞtT OdPs%_iU+bzS_)i5 b+p nLŭH mEj>ZE;\fU 댦-&BK}vJ a#}xa&M n88Z͇ )Y Q"ÅzZ@؍3]-}eeIK3vh4?U.W7r^l}O/(z*G$cLe(U씽]{^]!Ph)G yiFks@᎑^ʕfLef9pSZG«j4 ٮ&=%u ĕ֝ncf.j7&e Nc3>?MX 8C=&76ӑ(Ww/ oOm^f XfВbm'0ʡG$z:/q7ƣUh^yYܧNv8Ԃ7uJL=7s ;X6 su5 JK=ׁ)qs_ɻ \7Ā{ߝ\Z<q?R% +38''u])p-}ȩ-YkG[iI ]6Ŀ!YJ灃2.5U>uG v[g=hCg\'lGӏ/[&$-*o麔Hn d{EL| Z0:4{#ef5 ԫgCL5zqRq 0| iaIP$!PeUEQpqgUfps4xkÛapt`8e@0]eCv/,vn߫X>xPʭ&Iͻ켚3GvP{wrB uw@.Oc=qf2hC\#WԨAm]8އKNNmI6;cZҠk8qMRQRv3=7Śr5ɞu(y.֜~?>KWeAt kO11 jXgE:Hktayt>6"FdG6RTscpN2奻8{ovIK pT%pX^r4;O.|q6ܨ=3ouh9%"M^i g`u0w2 n p@@š7pȪ,.e{z]zs(h k0CًU m%3)2 NlMݼ)-})g9E&5' _LSU5C*0.V6}& dΝ7N鐾A__䕱(ږ-T60ҜW|oeR-F#/MzPґ9K1*=5U]8TKǒ&jqyAy檽~kn !ƌvMs\؁j)5$N|=.s _ųΖ^}O ՀԾ mhl2~qyVAa'oD%:/>2ErxCM-/]@Cw93 9,s*ҿvO C{QhZFsw $%;2t`d(?I{np0*r8v,C!U6YVg S::%U#uvV35ֲtKl=d XLb`,g^+a1g#':3i^F|2MA;HC*92 C"3^bҎըMݖsrxcʗsX՚oZpX<љaݽ¥t>FxZ] ?׶=3F,i,91ol!;x8IޒKÀRYKJ*V5x:?۷bB8&}qBr*z/zu:MvDyNF\aИSK@ \_lQhu}IJ򦢪%Q3?{ömIG6r7m] zFċr Fb!^oa'"fݟ*R̠H w_ޱlV#/&F9WӠURTJ0_bL^%T]C"ԿۀDɞM8숗/ܹ@nѱ9S3clG S5~@ʌ1PmՕ٠$qz }G_>DN,:w_0ʺ?.yGyP? )'=^rLV9]U*lsy%yx:ecq 2 tiɾy`x?nZsrwuptgDB_ {j@YV Q5#w!MG R1@DžjeEJPOǹCҙm  o6ڳtpw3]>\7F[.|dE~(V"5g(!E3^.C4ؠOL"qCz|pF†TqJm;e1Fݳ]|6Cej37aWB>+c6!0<*+zQ0MiFX3#h{*!5z̰/ehDk~]u:]q~K&23Vd)be#7"_wDgi`1;4URNK ޘCPvZ֬ٴmBWC+50VUJ|=ALOuM2b>aQ-No%PKI/[ݮ:)l&ZʥjP7IrB~P~|ý},,l\sX#F{|!(PΓc*Xlz:V?W..2nНTJD)אھP]*eLU<ͩxW""&V+%x\svG@ YϏ"&%0Z$RwMg1Ny\N;(Dy X N][%7sƀs(,l$j.[`EZLIA>KT !i-VPr3zY7==k (T8N5L>3}; 8MGfr"b';O*2.Mд )oD= MBYBbm<& zy xl0On$âõDKrHگA" zY| nXrk+~A~ݍGcn1V>Mv[$ME/!>J]c"_w0$  o1QN'b{BjkS0-tO׶Nѭx!aj %EgH Z(r(:^Yܛ@r .W ]( #~h>!\;4ɦ'%0.$__1,%*t^_hwki3)y7SUP dod%z0W;E eK=nmsL#i^ٓyj?6!!FiHB21̯V_HZb?;hܢ@P*A忁yr.4[V܎E̥}z+_sK[|P|^WKnNO5)q*1b`J}TEq}L ?؊P2&:+Մ(O<1+O]ڗPtCLFˀ*C58P+VD{KG-$/J(dV##&\y.EH,>S:d ?h{}:8e|ufޱWi"vJRsE3hOHdLkfQ҃ 5] LwBD:/1Q,J3Dߏor_ =Xqƚ!:-&GT.P@ݶibiʕ'5F~}ƣep *ڞ`8t6ty|x,YףUa^7ԛ_*:tDm  J<-{?kj:'gŴ(7WKb4+)C )r aM#vhK[9ak}ZkhFNayH^g0rmS'Za =2,j.قmC}[ekETBCQKeɒr(̒a|"}{f73xT֕s̱W*e K!!DSew]@k1\!<BySv2`HJ{ 70YvG`TWCd) .x.R FEhISݡ,U>KP>p̑CI1  NLG9+CQ5uIU'UrW2$9~Zv-?|eK$mѭ@K*z춫޶km5@3Ԝi̩M[z&]Fd$ABuis-Lk0E5 ;FHh7w39Rm0ՔAGyy@'0W|C.^[!ɌmYn7Su7wA_ҳ"awQOlK #$m}$]wD~$hzt6|.$Cpox! Ǝ‹xحbo>t;v^1&Hҟ䋀Q,^M.Ck f_At`G|U3_?5yi*Y뙓UDq fr3%f-F'|sl^&3!W Y@geo1+u聏.ͪWai8{Ia+A'3 ڿR-o>Cć xK,Zn:T0䵡v(9¥2VZ8,mP+XOma\0 b]Y1Rnޙ Q},/3jL=b Nt q3̶rT"8`]3RyX󡃏a%:khXjC<0[Z)+F^&m1⇲fh[s(jc,fЎ0.vCx9#_`d% $4[5*&UY J\[XAm+MDX5,W >L(m{`S 8,>N`{41[lOQ廘( s ѧ OqM pRowR\!tz+i hxH9dFZM}b}X9!+4[mE={!B>00?f%)uF~e1Ț-&WyMë.En/"o m _5M!v*:X`]i 3 *.̝/ma0DM'`8Q7nk.4-M0vOUի楇OF s9?gYq!@L}_682@VQչ">Ÿn%Ҽ-4S:5X8sƹL ꜚ-\U126lw"nxZ$X2ڧɓo32{˘sM4\lF _Cì-S-MVFm>jeČ\S~H7hI „\2|f\*K_y6dt++eDe5R?R./!&Z&=ÚDF+vLhyنaQ*h#lD4+&0FǯG?O WiB;I iڸ]+twPqL}1-AQ,hh  J>RF[yl9gN}Ws2 `(R,0M hM>m*$.4;5 Є ~h7'ʙ%UrqBE|%'Y0V5o>Q{`m:g'ciA,Q+ AewunK v?EVN$zZBxpa%UJT:4 ε<8,t~o9N[ JZ[=np.bǛOqe$Q?*Ə1;q(RDHmC?|iڱ"Ѫ,h{ߚvR9A\lPSe3%UOte&Ќ=À yYW>$Lxē H8^edT87lNN5L{7#Z _' j|p^IHb˟輈{e"y#VaGb aR;sN?sSk s^-ڊ29t<^-4VQEӺ^*6d1f8.[\@R灁2V$?\HA\*UPlyDH,1C Gzq&i8ո_lM)34F S ^^*+vF%4+3֓u'GsVٽT(`YƉX~ <J@'eoAkI1'Oz3W׳mM\ 0aWZ?`SGHPN' jdi͇צ)W'iaR>]0 1`H}V-(;ĵ.n7 o(!s`l$P $6Du f^KG/ ne1ĝ 9 sQ`q" G%M7Rn"yzoΌkۍ=Ly$'qfw?JNZmeXw:!ޙԭV#EĜr*JT(t],3>X\%^4Ѕcrax3מil@_% $>f~trxв쐙9GTWeR ࿥yfANc }'6_=+|PniKJ6#>9]rVu]FIc/Q7@R珈 ߣOh#Q! n Sݛ? ,Xx XdF1(ywZl_#TE6Vnl3s.a;LXCd1Zl7rF7|5;cv֫Z-Y4ۛ^NyG8].Ë&)|ɳ/L6wρDmKsOf3:IγF(3>U w] \d`_Tf}99bY]pXPN8-5a{VћJbs i=|Wj S5)1d6s e)T*)o|ҺKѐM -19aL/Ӹ MLV&4I`1o͎(UIdߋuU]! 7,|f'}Mbp1گK0"ӸB R]>C q1Z];@vQ[ACVP cy-7 pIR/x<Ou*\+~T(Tg'Vxa3VK }Cֵ0$2$SfZ^`,E9 xνCe,br– {#]3- _@qPj=vZ3əV"*ʾ>ʼ = Qoh)75{\9^/Vbϸ4Z!Ab\-F.7V %$6jREֱ//euk`nll׏cpJ &_f7XL#d0#aM&!:.Gjzw&wg":jRbU$)lt1Dō "j!aI8E 6]`Ժ,6kygmuLԊOk13~H 1P֙')1*aFAɭ|WIٙDZIoեu]9i53 c _ysK KtnT?B9ϥ3~ji?R 4+:,mrUWL ma(І&3>BmSd`.ϹgۚLJl1G(?툷H ˑE.FSg޴w5vtɫNvٔ}38Q> !I#C$S0ᅁ44?lX2LGί 1F- e,Bm!1*CRw2'ZsMi8t<Nkہٺ}AUqSv9$ߝ3 7 'Uq͍G8{zYaىF$#ɤPΣ3)̒iZ<8!y7RmAB39!O}i6+&14ER? FiDw2A}$ c.>PŻ>0{. J{DlTo> X=vp {a\A]J],XMH!ImHtFCE>,\p]aNW3D}"*mDM˲IRweJ2v0ۻ_FDzK Ώk[9`m|Ia{P="BE8 q+sq;S`e|a-~J0$4<`G2ʒUӗ`{1MtZcbY-v?~g潗N*tm`4EL5Mv(ZZ^FR4Zk[XkŝBGF/H"jOT־AE’ՠTP:4׎aNEDh"^iԨDLsth"gғ&]%ęl]PХ3Mmf7VXn%i AztHnv@\J@ 4[j/bSDWUvf F,B$*QRL"zr=) Am(DθB'CH}f 5 06j"V2 Tපe!'ugi~8m-24LM73t ҪH]^nc-.Cd[ "ՔXLpj:i+IR8]$g^sd˖JŁmPK]݉a 8`x |yJ 0 jIUT?D_`iLeQ".exTZQF% &wNZ$cJHwԆ?ֲ]~ψß:dC֤IDct}@|7湖?"ʝmsG^OKRN ,"b٠} $]- ԭ-a~8 ܸ d\c䄼'mVp[lx39bBspL $5Li?@pm+pnAk!ږB)ʃË]h Be߼0Xo1LlHh{ym)H$Kd@ 3 2``e#9xe4Wb/L3p0Gj/{+#{p`lֿ'F'i.g8=`vi0c/*DrO/%/5`6rqϕzf㾠<W(>DKK)5)KptO8كl 46`ECµ`\cO\mK9*Oϐ[zUFuS3ٚ؊ MU+&JfVf()B{_7zάz% |sTV.=r迶jJJ3IY2'ZR' $ԛ4+ Tz@FN}y_)p+|%.ݲLЧ;gz!{!oGZW"(bnЂ[ ~د Wڡq4/] [{&XlSi:38@uIF ppf=6V6?a1&IG9XrH>R?P~F?0'Jf7qEjgTqkc `]KYz!!c@aps N/]B`RO膗 1^wJvh'Cz5u3Ӝh H^ك!)av:RRMj:qӏS1?C37]!̵5otI[̏-Ho/^zd&*mw}zUv0eh1&ԏ!-<Π$H0V:#)sDφ.Fw[c8|2#Λy-9PyTljYН452ow h̐G@(=`gPGj!({WbV"$&V BRx%wZ*b"jMt&.Jxu9r^#Bje~iX=HĥZ)M<,֦ѻM.8k+V9:ciǛ 0)9VYo;H@!#}׾Wxozo ib`YRa^uzے8HQ< `i7ig e\gKk}wX-XΤ28 #1벛?q:>}:]$˶JVal07oKNJ>a2^Ma =$%3d?U{ nƾѲ-X;,av#{Mº{ So\o{~AvYa{AE)Q@AC kvZkD5 `Ti#|=v#Rd)s|q-tPLPMˇͼƻŞr|?pƍii^?/DndFSAF MV[lccPC .OׯAZlpe_;Ӱ/ɯ{K O>`$*'bl"Kh'oإd2d0!H BŴe%h/"L $`!][as+PSjm"qj,}k%P?A!TUvnRSQ GhF!K`ug˩ud%rb NCa3b.)H/&Q(gXƷW-n -_J 28RZ{(Iʈg UQ؂U5ރcY=*E5p4MR`;l21Jz ;Fj^#`)ژyxࣽ磒)+HV~m5<:Wh:gv8䚷Wߵܵ :"ݠhR_Q͢9i &zQ\K ӻ"U jޙZfn86)RF!Kv9ݰ WX\?dZ򩡹l9(Xl9XR&%HN[YSO5,O+ o 8%X#L?eG.&2}K6U ۾-v"O]lj昿͐5t3%a.3P' ErB4nTty,½ 01y/g=^o>qv{e4~$+ lv3;՜6n1CkFtނUGIzqgeJ"jN)brk?K4f3͵bQ wUxPZTNU70<9K iw=M"+{8'~fd9QQ7/zK:'YxDĶ|p04.)S6| Cb'7:dK[_a,8D}QuA?=bf[!8,ĂR+sȍzxܔ R0.~MZ$uEw,1^dt<PlYnCDTac}*:=&;D($P`)eN--Qu8k=xA\;"15OW ܪ.Tdܻ4u0BD$P\ѣ Vh5,I>wv8m6>u=s5r$U{ Bq0~kYq˛^&G1?UGB"kEUV\DZ#$fa%hFYjCѳH׻FPn%iw4LÎӴ !3/\sǥQaڳCô=,ivM̹؜Xg{HZgJfE3#i3Dܖ.-N=TlP/y$ S ;̣hARzi%(꜌i!KK/YH* &TDU k@z CDͥk i!1uqbZKȿFjݜNJ6Bh ,|zc2L[J$3oYjƓ$ 66-RbL۷ڙcεEQͧwooYt;/\ BYg,fD)n0|7[0"W.t?2c:8k3aFPM6nse1RgT,Inՙ9mT"43$P8nlS a 3 -UzDv_у֒`b>ӂuENg9_Fyo4=.@ϙfzmat )7uj6yݢƩr%OsP$m#qGZ \g P-2l@MלC ;T2Po>$pmToDDiCvSvd%abb[e.L8)ve%lEL풥8-2Dn6U>\^njeSLtns+cK# T76 [G$숪QoPQO"cJ%|:InVX'+&Pi|͕k'EiiK%Ao|clv ,IwQrXpA<)HP<6_[g2tJAC+W:kP}cv}kA 4vC$}bXecMĝ$o~ VvUl)3n\m9+OY߯+C  !6:G:Wr{}?(\SZ.TĐCڹH`i0~mBUX+:(EA\p[6$3b=V>to/$2.-$lf}wC(ǒ3`JJv{ "_$A"0~IvN;|"zA 6W+‰½1 haw| F$ G Dt9/2x ВF{óܹS0M29G1s,([K BQEo%3*$P󄣚!qb9g v x7b;T}v-TٮkuiW#Y _Ō3}*Uo`zH8Xen6%d| . ~,?[ᩱv H?i c2!d\KIj7 ើ]uZؾ۴HJoe#UN򙼘1K*‚.Vk5sG ;+q}M*|tm#d;)ыA!T+<х@7D9"V똢=v5j~?SË]Ύ5PӾA!ǬDz^3]P +x5 ;"`$t2혵E6+_Ǿ.* G^@i[KŽl'-\;!/ ޖ%m:lO J{w,sOmjczb75Hjv*@P$Far\0KP=ܻcm}3 ǹo I`'i XѐFI$ےowJ+)uxX8,D*^@T~&X/\pYu"Y07Pee50 j. }*QKYgB`RWjtk3d{!! IfV `S}EU@@'s@TѴo|3>N.c_p)vi #>WpJr6duvy 8Iet9},ߴ3.֌Q.0(':QW`iXä+!L9Zr[%k*F(t6YMN%ALO=@HY-Yb?pXŠƾ+! C^z#חlG޲jO䛏4"rzKPF;@[{. y Td۬3vwE ޹M)Kd~ By[7683&n qf ̕>y{M-UTYsb^)(] 0PLa4dW̢}AMlRDЗ'yJ-KKK}C=H8u;{tV6D&ᙝ\ŊR qf*w5rU_( ݽߕS%:g,`>~V2Gpu5\Rj6FQ ).98*)Z|B/7r^y9&:NGP:k yDy]  ihOR$Fȯ?d+"s/$[u8S|!]6MCC@D,1cS}E39̃o.O93{H4U@xgN$yn%:CIY+I$Ty}W3+w}!01/:UMO(;Oӓ{MF*'pp/ߖ;-r26aaInHY؋gp Q$4xwy)W JQ?;wBÿ3)$;9*vKt%>3/Is_$ڤ.ג\oh i ~L4^lx9#͓o+Vvzn80βg/t++)r*;ZH&8ޓYhb2Iځ FJ0(ˆ4T1{@w0[d2YQ֏Oަ3  muXW(-trsD8{t(>UbtK}i7/^&bKld4\Z1FztƵ`d\8{UX!&6{kq<& XdVcEliKdHbqS Qt .6(f{r*bPoL`E稓'plh٣>6gJ'!fވJgzAKU.fdFADogl p¢Dz7\}N S?/#C>\g쎉 .דP"w7죨 >>*i$aL[SO`-bCM ~b 3;Dlz~8]lWjZEe쉃~aY)ZW&[VxU ~rk@M]*͓k!'9R< Xp$\O+^&t7%,)uzY@[ 4~KRVk#zu܌}ad67 {,l[8 *zAszGb) mAhx1ϣX/Ew,/aɞYFCCo4I3=s\kg|R>6TR7ٳ]xS7K Ql]t7o#|1WK02ڭ|l-nj" VF6nNRPLQCZg5<=&ַnݠhZkv9(&7i_,ݯ7E3{1)<̧k }bs : hmѕ`AM@~6Vud7%ȑOdw^/"OI0 lk~3ѵK,qXzNa!2v$%4߉qKo--G\r'?uo*::ۛ4W Nhx$xGWV U} QIu8`:3?S3C捈hU~fHQ*,(c^6{QW/qF+aɚ-m\UqTӻ@Ok-<]u[Z:SUY )yQ,gD4ٴj%Y)Sq_ ҄;h}>yGWR׆$W:+l$ό@'7:0no_LVQHL~俸W=_Pj%{(GS,}4[R2U0 mٮYd`^]b oӭ5_4G^#̹mF;{, LMbWa٧Spu)ߕ`PB/C;mN ˼T8N6&@]8f, Rhw7%+ 71J4d<[Qcv޺|9Հ( V[Oil_Ȟfb2ygx,5Bo"3 7D0A3Otlތ;އ!EㆻM<9fejl_@(ƴBOP8)~`.s%Mwr?&ڎZ%j+bQj4 {yd˝qF & eQr }oZ81M11;点hƃǯз5X?UDRX7y@8E4V2i!d 8{u=Ô(ԡn>d R( tlΏVO(hOM:L_0$L.FX4=6lgoanN@Y"A#D#)ucl'P5{"H>l?'PNپTM":_~8jbuad,*.sZnq}2pT8TΆ~-5go+CQ"cR@~2MCLӭab(*!B:X:P!h$5q ;~R QAOz?zj^'aĸէ֡ S?rv fyl;|9UM0{Y*7gN-el'(ЛT@X}* \|eZL^M:Tҵp ucÝ8yFt\n(-ܤ:6Ֆ$ƓB[*^m4 y4g˧;(HT*BjSꇁ݇yM%ANfSnt)I+`>űbB}?\ >{W>dV8R!_`P X!C)/(#iX5l717Hhl`dHP(Ws[.ߝp--`{dM @{Y E'׉6擖QvN\{ |S{=X-᫥st :-UUhA򩾬% O̍'/boObY!ş?yg3flveBkMv] Vj{|~/~$NY1+c,7O0]Ϩ2[PdV5z47Z$H.nwYɔl~5uu;zv_EВ&˼­&*X|Jײá] 5e78aLV9abاNR_?_Ǯ 2xM%躹g)fYghˋtI+,Y$I0$ I>/{tU̯$drv*;h0)ԖIhUv>o`x@р}j\R8]?%VA%6Z +@h =ܜ!KAΡyTU xnJɼ(Y>?坺+4dS47 dSo_ =s`#pI4ȷ-Ѧ:bĈh7Iuux#gEh vqgBF"#erPwmC9< j,%\ߊّ89 dl].x|8}Cڜ%mZ*ZB$xd#-ZZj؝j@$n!r- @u=w /v#w*` 1d})~Zؕ?GPt{ݸeE8Oq%\hS9[I1iл(8-,L, pD3@>M4F^~Gl8`B?5=@oh _.K%ՑQt?ZCR5L~$pxh]#F-L"'C|ד-_Y_f8Bߌv9J5F48[k$5V1z $%L8 ۵ZxGZB4lkHZvoK?3sr?Ҥ+?9^=VCO+;VNy}lEo3(]FD@zYLgl6 |kHj YkFNt:x< o4(oD;%ڳ#;H8Ka=߇dʠRVq`mP&<!cr߮?4M*H ,'[m4e)c᳙wh;5@NxCe>!=]#ÔӘ!7jXA mAT$MINTh9%"ZQDz/]\'6o##DڐG*lndi6( g7cO)5/*f9ZYDDR,sE!.߰I淛53q~ p鏖O:E*y䵳^ey`uT}:"f[> Vܡ*=NvȤ!$! ŧdw;o9%^mP "mpn P/nV"5E a;U 6k$LWPqWW;#)MˤJ0^}}S#:+DF^R,}O@{QD7:bmkKw+\?fT(L3Gs–hj;ȡIVw}bFOѢsť18DPMS G%}.޿tIVN9b)&.r*k"Y> 9!o'ǝw'mhBo YghX WHcj3J'-&4FgŐc`pDy rS*' e%\CݣR9( ˴uz]c5\`qV):iS㍕d/n[Ĺoe2 rOtO͙cѥ:fX<=WCT<*uF +e3IQc~[+N]j;G~w Hж:D=tgdi"}<_mzXt5#v1_,&[bK,8Zܼ0 nn'* Z _okQRhތD&ᴌt>֎wbQY X:a  uwoF,7VBɄm2AHFr%j]/ 択c'˼pd/BT~a7g]aiܷf¥6X-;pm_\f1^5]t g 8 I1b8[EjWqܝ $ƴ: )e[J^eLP~)tQms@h!X;ɒ  <+;x7[ c_Tq7h{d,!mg^ 3 1vcn<"-MOյBHw i#,]t̕9Jt1<10Q}~ a8H^zT7UT|F/t 2,3kȰ<{"}j&ԳM:|.I$uo#Fj` ;mbYyw! qtl?Ys t1v~RK` < 6veuaMQwfՈn<+$#GsgujuxvvI<=):QFEHEbkn[9bjSpQP]@҂ +l\U(tNvnY->ytmJ(S`QCP]m}aTʤ~uwXl@rBc{BrGh>/^Y&m}Oo\S}RSr( iU h༔ٻGW>^7 ;q(˚аW5\zRjM@bАӠƉv(4O3!ɿA7-b?Lvޮ Fg l~J0@o,޴_N8-heX<8AAhP3EU8Lq7{Y&ϒN78[i%.:I=}!} &X*ĶԔ]'bAWu+ ϿH RA3̿2ʻ+l͡"<6:N;V5jVV-ؖҲ5{TBw'.8͔z+ɡ>0||1xg3ePqlWuj@cH= ]`:X'>,v6O`$@Q9G> oiV_96g!O enq8qQX-vB%L`q#LE5*B<Ld2y35;j!s!\I-_!e"boti;upik9w N߫T"br8as4Rm/DY<~'@m f,C.zZ#7 A]$֨f6g' *?G|: -E#MQ<<+fNk;f00|4& Siou20!*>0zH/G,ٍWYd7oAcڰ*!e32PS%26oVF'{9-/-񕋍g~ux=NzRhkctJ\kG'LݙϘc$9_1G*kJI^&x̓WЖW!t1eޒdI+S 6H4{x ( i@XxЀڈ ,G19N3fJlRJd fK'r]- ӕһI SCbw 6,@ Pr2&}Qx q";ʋА9Ƚy+l{QA0*-.©ZH/75;r+ (h >B'&9Q;u3l# LKcݶ#ϡ40Sex+$biat(J{x 0$H"#kB͎Ʉۦ-/ Nj7?)y0wwLǐ|S/oHq`&%jߺ0wcFvc/B=yϨeެӞz\Vxh ]v3)_%$ s$;A ~@CEomMNT& XY4G][@|(?`enߨ>aT-CQsx] OnLs5\U88$H&,OIZZ|:6$T0shg\w²('M c#qN+MՙON'o!G +~v&AJ~f{R n*RB(_珷XVKe3#g]4c\,d:s+.<@"T1e$'csǸFWɶdˉUneHm=d-` TW"V;Y\(I1Om6K!ipӔ]P\KKNqNjmZ51Q~S Tt@egԘo]x4]i=/N̞buл$6]nC9]j -\]-̝cD-Fה{S<#'1QGUΖ_Bֱ=ATep ^.9 cPli4WG)01 TjNN8V #ҦOKC+KZ.VQ lKMLW$R@Z)C(INܖt{Ev;Rxm?}X rCeG:ۯT4k [} {=0Mn`R)yB$.J4kL/u14zaNI"ȅB_z0s­Z!VosRP\9 qx D^R 9o&c@q"Hiv#}K32UFڑ1+J!pkfw]ᬮ%?_Fp]@:hMD,UG0f&FqC+Ix[&cFN.abF-A'>0ѯ3¥ L蟂$2H#Z `|4aǥ `;KI]e}{CL4șړ:&.V^Jq{9ȾA%H˨8z|R))ׯ ׍v3\ZY<%hN8QuF}~]E ߔ)|B줃gB-ͳG5BڒzB]3b"Y{B- S[yKX3DYgxCG/\AF77[+GMM<_NB{)綿]BC[-$[Q."7/,R_B{qk(TDy1{ ݕZ䮾 ܉8I BiCȜ4R.CFܤV%Sa1%,ץt%'Ľ1.?rD{#X.r,>Zm`}T6Ʉ%q ERؠ9X 4Bfs!@xJ<yFiSȾ͡g;夊m]W+"^fzЀL8bZ 7_`'w#$9He.f]WW,V·vQn5W\/ MT5x=iσ߃'DDd~ ׳֑]!2;OᲛL"hD1cvYؕPkdReo aрcu]=}=/F{珄 vjM2ևUw F(ǪKHOQ!%^z_Z4SӼ\sRҽng/}ǑQEL+U3lSQdšXJv# ^ )*qƋ^ WRlظW+YkY,9FDREmn"}Aب㩞S6(· }2Ns!^J9B>x Ip!~+7uGt ާ0_BJ3+@xq W\ӂwS@FE5#ǡ N98#/JOrmOjH41K^'| B&GG,Ei -DDVtLa讍kKN,_ y{oVcroq46,Rz7FlĿ22NuGXnu3uz'"` C&".bGfwgB\;ʏʘ6E?1x5O}.6mq-!S-"Tt Qi lp@-i GړKο/X  Z,x|p@fT-=ɘi.N q+3y乷'ZmU; 4c)u6/v}pc ]D=yy~_5;Fk'dPDwu%qEⳣh}Jc6*8?YǜSّ j!$*k8ƃӥ xJվ>>} S9]xt<N9B̎/t?{SJ¦75Ey=N!uu˔Rbl6#%+A?Y7yBzz>CK"1*jmIg|kOyh3%E#V t#!Ղw kŸi!J,KR{¦x9YToҊdb.֮HE7!*k\ϰJn!InuL4`qS9}*">>OS h`)Dg7[!,%UQ FROEs $tga4/O CS"VS뷦1JSPJ|AS~02)T.&$n@-_䘐T{OcHbXDdzg&ye(8Y`f>[0a?<ߴ27` w7YЈ} ? o0Nֹ*(Lj%Kэ^N~. }<WkPC d" lIY VtM)AxtuZM*n MH Xڇ""HP) H 3#:$:@١9>wBpBia X:68'vٙ45B ^@ X-U,/ʺ>ψRG ƅI\z 0m/'~Mo/kkzkrO4|-s=RđJ ]ލ4P.7QKTq=*Ei.>h^QRoxAG`-DPU^²}t&#[lpS,׻sBc_es/[&oBڕ\RX?դ rLk![-GNjk&CT<-)rĜYYX)NEYL @U_H_{ZߖLD3?V<Wfu|zBS-b yE#! ? Z"Xy RyercaFgkJ|}삑qdD-\Pӈ]@a*$K<)@&YӐV_]Z\MsWU&>tྵ#5~>$YH]@q^d XG9۰4!C:zC]g W^x8O0i#Xk&`9z8/CsʊUwlʔZ:l%M( ъk0<" =!-wv|$NO>vPo;]S2)Q׼ *DT h +jl7A1zZqpKh/ܚ$n2LOsϳ,dg@?j o,$6CzT<܇[Q<3sv]EH8Ƙ>|, 6 X®cZ`Pۛ7T"n^+kX {.,8v^/CoO8z|o퍌:l!}1>@ȁT/4]Ѽo+YȼgǗ CoF.&.F (|䨢/0AV#mehZzZgx4S^gQp?&)nT2FTALzT1/ἶLJ"E%(ß{jkcs$G(xct;^9s)3߀jlYBTGzg$Ӿ؊r\WzXϥ'## ]6M^FcB_G5cot$O6A,U@[`įh&*ެrbm%_1.V"'}%]|u'4իƪa\e řeŰ,vPqR'X2ﯣ0WΰF˥dU-G*2Vn RֱVE/'GM{2FcD| :>E Jbd&vQ:@U/`VV WdFC 2oƁєA}:*(n! ]z5n?g:JĔrRh7 1 Lx`O-׽89cN{e|)`Envp! ljQ#㕁O%tR] *LO ByD= 6}ɿNYAԴ*(wgII^RXW+ckpD#:=mq3/"f|/,!HQQ)G--*oNۘ\a6Kqkq (1cސՠ~!gN$|$'m1=:H{4rOœ(dR9Uu h;)frBHqc跬Kއ~ʏ-=)9SZ barP\oO/x^7ABx²:JשIQih,n;FyXHHf P/& ɴ?|[RjU >5B7L8N񷦖/{6Gp#J5W^"S9Aᤏ&LHm(5Έ46ɳT PWωOqs88dj2̆~]*]eD9`졲mF-0jєzoG"nSȬE( " kq YZ