permissions-20201225-150400.5.8.1 >  A b\-p9|/dm<$v36|i5q-gjX|u۔}fmP~x|QuR5"PiͅǎZz J۩4U?+-dcY) tJ"r\>N#Ԉ-/2H rg"51&9,UMtpI<Ju"XhBy'D/5b53b28243a2367198d3538ef0131676775c1a3a658a759f03cea33c745dd58be40a8a065005e0d1bc5103a540a8d0ca1f3ac6bfb\-p9|Q]syT]ӒLIGJ_=޾K>4OrFSޛ{DX wO9~t,#ED WȺsV=R͋0alwQLڌg7呗Ҫ]737 ;떽i8E.g=;5a^L{EeT+taE<:x0:H\  ^QG'!3*ٿ+xsQ oI!ݳo{p@@?@d $ C-NW mP t           4 a   , l ( 8 <9 <:<>;F;G; H; I; X;Y<\~e>f>l>u> v>w? x@ y@@z@T@d@h@n@Cpermissions20201225150400.5.8.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.b[ibs-arm-2XSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Ya 9;@큤b[b[b[b[b[b[b[b[b[39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331810b96e4d3750fa33e3589ef0dcfd4cde672c2f89b916abe31cf5b3cd26b20f8c9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b40bc5457f8417a01891da0234cbec07f74eec25256e49a044fb455d5f0fdeb045369a236fa76e8e4c990a83c06c9a617f00b0fb5a0639ffccfdd867945e81c67458fb04164e2059be806fe65929bc91ca77d1f5137f39e210f953bf286d88fda35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.8.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.8.13.0.4-14.6.0-14.0-15.2-14.14.3bVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-2 1657887707 20201225-150400.5.8.120201225-150400.5.8.120201225-150400.5.8.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:24972/SUSE_SLE-15-SP4_Update/627e0f8c39fb6567e02c6c02445010cb-permissions.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=8456f446661be135d214e925f752ecb315deeddb, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R R_k߳W$utf-876914a50e9f3d45269e98621bf74ab8486b9579a6037e8917d49c4c0d5c29be1?7zXZ !t/^ W^] crv(vX0<$L+!>%TgI01eUlǥlL"DUvk }K?C[̞dH*l,vl(u_g:VX>fzH&z 5 W(ȵW\tγCȄ7tǤ#S<'I^l<$`+RRê5<5&uJe!F^(K!?l?3 (#K1z{O&K^_Aɛ >PCt[{w"(htS-yq \<>E(0f $o;S|iRΊd̽//\ԯ0skP^閎+49/GR?)u)Lf TiF$7vn0kk fXs*#ε4꠨0҈j]H"ܯxy+[/%T0wʆ|pleo8D2qjJ':؍ۺupے ]n[f^me\*y+wWQͻX9s϶O;V=gz$WC!8Z-*bu@b1΁[|tk4}Ʒfkn>EQxOGXcvߴBͶƫ߀r!i_JvGSBӨ\WN ҅^6}G5lph;LIdfʈzGS9g+^s8`8vV5/'cՉ͌ęI'#de ?hf[ʻ8FuHLÄ=<>be{X1IJPP4cA$Bޜcy"mKm"=p`!j9G)y.΄&@ymȡ5i@;ĝMBCI!wIqqr/B! l^+{UIlB"ibdxv}gmCt{ruli+cBԗ_-NB&Љp "h6h@Ĕwݮ?)ѳ#?J(0`'Rq"oQsTpVR֐Qrܺ?7(.bPw+ S_Ď8G=+;@"=0q U0YL}QY4ȿuhоS nJ>OJŔ.td ?]Edbz IzDc]qתI\KĶvţsedMY킃Ȋҧ9Qa-I 9͠R?[wJKZ{)mS)C-۲^ >E`{F4cߢ}aK 75ÜdWYHAdo)G]qPf:^0g_FTQr/mbX'zCQ:GQ{"5Nq];b}z_;3Kk^bjqw-$Y1S%Qa}<r-Xe"lA/O:,LRY\N˰}So@c,[„di#RмTRͥcjh S7r$PAyቬ%&" I+mb21d^GzAO(4oRZC(I|)H񱛆nqHe/jJeĺ"؜ON?1SX)jX׬"]z3%]f{M{_ UER. htop (fNHFYBzWa2ݜO-]tYy4q^c/,6৸uz m8ҍzhـbwi֣}S,7¡$7zٷ/ 2|+M*\/97Ej <5sRs5 ]Ɋ_Y{Ys|x5RbiHS9ၪgiDiF1iw ӆ~ r󺙿C[44f{j]Cߧa@Z//'3RV) 0c2J\Ԃ(';x9ᥪ||=r6%%uKcIlٝW"31U"3۩Fį t`CbRu͒Oet`oL[!gjVè0FN@Oo|2՜5E [ W̵wzLD'l6ig&FԪ2y rj驧DZɑ(c$+`ji/y;Cצrk S%'YkSdS ś/XOP‚N@{.A w[k>Gg4H? /^#W fwG1kUa8>?/zYhjc6N;I;dlωCPemD&?o_;eC<u!Z'g QoHe:_Gh[\]l'&V8Pw`a|\fbnEܖ? 0D"āa5 ^d' ,%8^'ꔃQNy`XǨWѲAP֩L5<~^),sG=: !nJ8Ws1"Ƌ[ /T여 Kl >=*^wvlsD(hO %ŝ&quXVxkrЃq^Y.D^1A9;gh@DD3gMI=xΏ{b |< f_TFqswtD9kh_Sx>W ^,#,;q@v'r<_ZxN_kF/4ƒcXlgUd%&z2h=A MCc}'7V5f:m$<Kގ u:<2ljhmʙ(7"-*y7K(b1KՂdWH~.p)[\x]G;L(!o1cOuWN׀;Cē"J9r֖90i2)XnHiPJ=Q8nk]jGD\j0#BnV61 J KחU_<s tH1b/Eo F>fmR`5@vl6'r2Ω; ׇASD6z X>9%6oEY+cBV5?ǜ-.C¨O O8-Hiq.:~S}ϲ5 W;P W-nʹgPj)cU֍ԥ YJZgϽ]e#YХE $-d> kѰip$?[cnhvP>@HVNhԚ%p7T> \֛]cp=o)}x;6ڝ-%Jo,GleR=S2HפnJj+9X~ԗrͱ] VhZJ,ʓ](RPPFMC%sjd= 6R$X|k#W6Vl7u<ľc}:'3R.mt4 %[ mCۑP 4ckIng@_KN<%`Vql "}H=,sLpbnPRW.|nJ9]0op%Vc RUؗ0Oj֦nQAϩN ,c$ESanˑyьݽ>݁o\^ȥB]YCo su$.KeĜCȅ?jtU^.L`>Vοd u36&w\yAShd|.jb}^9[ТH]iˮ7KWdU/SI'!(EG ̆-i.qJW <[~|KͼPj"MߺQ"J{t'Hﵰ/{*Ò!3#uEڃ_trrLj,5*Ì62$QR6&tS0_E, hv8kgH;ҝXl޽#@$c4I-['o|1Y DyļdbHś1fVB \a4#֮o?׳o|!Ĵ~>kn&^>Y;3ݗWwL.kecTH2 m8G:]f+um{M{/L2[CM2xWtVؾiH Uu6;!כV^4u=-Ug2lr[l2>miaAaO,R)@Ԁ8W5U`l78y(oSv7ǪYQ*sF98.Ӛٵ:x8-#纽1sy:?Z'8N@i/#5lyHljmD@5~X*N6OPi[y.afA!P*%^}!W=mo >bv,r^`%f b?E%ٴ|p&+߁Y(}lM#e6،#'vXf3rxSx~&ݷnz ۬eTuAsԼG$٬¥re´B hk3 C petq~+PvChAKi:W`JuPL y8.*PVzU䇳* kL>=(KDwB g>Ƥɼ{ W"b%եě|1X3KZ{}"},Z b6La\ .q؋*sf0-uOm[첊桾:QW .O$q h^^c68^¦ٱZyA64In}gD`0o@LpVXyq7-Si?2 JXCb$A `0i}`hMN/si2<蕳h6~My $WNȈ-9PNb˒*X}ٟWB'U⽶Bh ܒ2煵Ȣ%]!k?msN8;5R$y\_ RtEDዅc ݙ^RdӀٖ5Kn0;:׋IZ )` +3eB\y40kXp!t?U.Z*dg$SnQEqu&'ITt"I= |=dl›^,9z@vY}8EYd=wNl[C^`EYN*R;& &C,=n2,{S6²g ,6|;"mfVF{1uVYWͪp v ?,ۍ yT2Hg ƚ6\8_o*~\?svZ}Y ; xTJ!.ӊ鹊€*t?D F c+ެ@ziDņˣIOg B!C4l䆔sLMD]xѼ-튟S+mف6)( q/Mփb^¯x"W$&!beHoȮgiCQߘL$T(6@.CUKtvWW|3EcyG|˷cC[]m!5?+`hn"$) IWy`2jDph>7D1fdEZ ZV.QG9Rt /0$ Y@Y3Ŀ%r ݀ ke~e"(x* >~'BXH G mZs>fk7d?VST$ =N.}6#&؋2P(?6,-JR; Cؖ…; - 7ƅQAk?GwhMRG^Fno[@7ڏt=7=&G'EG񀙖(hJ*'ܭ MK/>Jဵ=nlud c3F1-䂪?SO8:B0xU:tlEZ+CRْ{!_'H.^X0p4t_A:{J]Zt+?(>aټ&<4hQuIPAF1-ۘv90ӟNSٹL#ҲTȹYS 4Z @ZUPV|m0 P%K07\Dٯkk5(p0g518FGXlBFoR3N9}|*(bכy?IY>BotrI3I8P(q${;Όp2N10}~q٣)PS*VDʹMmTIUV@`244|jЌN'o[_TD;TKl")Piʆ6}U7B1 Ts>6)SBxkQc 3&b%qWK$2GgAy}k,՗ nu%#-~zX!\fZjWy} 2)p83+-*a3>t_z  .B, eL(jDwCCS-dZD@[GT<r;t[dF[ΡNZ$ +6y& 'bH^bVtª mۢ2M@4G84Uh5[t qAl=2gP삺_ "Bk dn]б".T#904@YM nvY=S/ UsiNs{aOŘC8Or 1}!Cbi{UtLPW܌ݻa_ggcg°9grcoM[D/ <\KKw^{Ͷ1eͳH?r\Fo 3Ϩ*(2 ӥ,$ &lb[UK$+0K&,'3کr;iX3#01}4*-~ۺS.Wt\وN5pg!Qܫ Uw;rùBK71/-5&pޚz Z]b1-Ihr+ J,gͷQ[(85KV`<HqGz#Nvr(J8By 0T|EcaORZK+W~ŴgKF]8F\/o>fđ#` O`/[h kӗzcD]Cqi|b.e2n,Ljx |j]k^Sh}i.S,[dn Xg1b="GϜ;yRȁ8ӕتa|2?22I@{E#;"ŗ$n3dltxg ֎o{XZZ {H g;|.eupR*)lY*c4㫱6 p$8ɔ T? vwO_'nB+hs4soqV]v޹_"#^=*Xx/x#TV;<|y\Cs˦:aIέ6,\ݔOtS$F!n2\盈c#Nf(ϫ1(΀``pS XƚlAWͮZ_Kw?$+cyܘA4#mmW';I6}+Wa1Zq8$*I>lB|"8Q4 g.uF:?٩^t` "V stp-X@q|f$?//tTYGk-umoEaPlRscJ 賾?[KIvWXh*cʵ"Vt_t2')bN4KCYW[LtK:ǏL{e.ۦݯѬɚi-h^4ls ,+p:uN?G4=Dd8$.( K!av^SK; >es&DG4LG%!"XJn5ź>6^f.D)hn'lr_H4 gq&Z}͉Z93- SJ\ߗ0*WQ7c?+5֜wCyx7CuC 1б<ems*)/,HE\3H KKwGcdA̒<ݗ`{6V-/_[ P]֌bZPc JP0yORBM$liN,pK3f&&VS-H=]tb%o"hD}R½yag ;Di,duAtu/i KT!9(DKW{'t0>d1;qR0Xuc@hhS@K*+_q" $9􅜂K6(RI2-\ȥMUYjdhVKK?KCRc+%+09&vX>CPshd}x:Y|'tzW7Ld̥.P?+j7vY Y7) )'ۅM뵂jQp;}. eB5 P qHJsi!oP~F yJt/^͠BmLkq<`>PVYOA ZgɃhڏej%"ldCP@ú 9'uJꫮp8$_ڿ nSM%boc#S (&tUeަ%h{S?IՇ`EE)(#ƪ}f.Ȧ+bx5 [*I@YAɶ(b#-M/?AЕu#@6]6+qP;(x|Kaـ6@%:ØdbFăN7KGKC[Z=Ny@\7??_fsC#8Lkm=lבYc}yrK ܋4U |s==(mDsNI OҾ:$6 {3˭7®l#ƳPȹN d-Q696Jq8-'f*̊ kmǡ%Uh] N]:t:[{Vg<Յkxu. =2g&#ee' 0O!{#X5@./$Bwy5IQz%- JuPcz7ծ'Yp0YsOu5[oa8Clp݂vmm9Pu|is+ @9@a13};j^:-cKhYBRL+57uX~gvA?M7Iu l IVDȓ_]r-ẘ!h<1?rfA%؊Y[V1|L/bɚ4lxGTW c+s 7y'H.yqLSb'&EPϣV!'t;C9l";j!lJXWr'=2Ql0=riFՁBm jN#C9̒+t~(jw5%\l'ܒ;#Exd@+c$&w5!'xQ8)#&0̽H⎾5Jo]wpw- n<<֩b7w G~W]iBJ}dpԚ " KvIeE43 p{BKD3{%iyːZЌ-3VԾbT#)ߍп$Ň> hX>Wv7!6>R볥j 8Wkz{בklyulp!BŨR&O`u8SOCA"<-rY&5fVC8-+FKǐ8 C ꆴIh!ҊvQNWʤW)b^,2\{F[@5IШ4@PzϷrY{:PËBB HDh,2ae81 6ma'ԩyw׌v!g\U?d, 7H89TfMy =1b^4^)Zfho3D1ajM8:p?9M$"kQ]YT₩HKTǑj}a6D.jKy;2K߯ѵ̹E:H␕-чu\[t,eZL9"M;BmkdI8b4`x؍ݬjίy\|'2l3 lc^pщ]+p!P▧>%Y@l>?T`^\1IH.i{Nsڈ6Y4 bz5~Fb H1D1eYhC[nPm3ΤG$ϤPzsA/5[grB64Y'N> IXg(ջo_G/|=,WM/(UӊLr])uH׮AXr,l#\#6RE,6kEP5*礌}1YR&fzd89;oo^F,V @8D`֓&޲KRlLH"%wu]wlQ`>*s[ljXE!(kUROZYb kT?n̑A$:5n#a 9'hKU ؤȅq=4~fݬǝڸgR@XTnjdfM3IH&9EER-'є#Ri\& ~ oŢݴed"`^!oj< 0B]S2`I;#ai̿fp:n@נ*K{>O2h 騉> ͛ՒJO{Sin]Qyo$2J٤.veӎ 5U\9IMa47'_)tq$!@7Jě]Q= !/^vWm+'z($|C3jJQ~yaж ^e%x:3ۅrpCѮ0iB|3h"f7ݫx2܍|b\{g! EiuЁ`l&dW}J咙 Rl[Q^~>By\#x7}b9oQR1E~ qM&H RRY)na'[R/@@F B3LI_J|#,$hWz_<[kz#7}&#aK׀Llep4\=TBمU7 $ RH䃬dp-rw?Ԍ{Dͨ'5pո(.[l4ފ/ ˌ/ `|C9'i?\oXR|]loJXK}FLßQ`B+D(&3yDpmxӮ$X GMBT>Qۀ*p 0d5`;/bï^Xɂ $ҢFj^(BI*+N=}0z7e2gzK2Ɨ5 LcNsk`vD i5G20jarIĆLIʲy=[Dl3sVF](s#t9R(6\,b_ڀ?~k8?R;Q:<›9v{)2|™nCc 6jEn|:ew*Oodn>\ s!p00jYؑ$}P(A (EEcCb> Սì/%>v`|l8~? vC1iCGosI=ٗ:C`t/eg[1n]Z9ݍ zOù>IqdtgN Bg{bR z ]VWg:xՁ_)ď)Rm>Q3H^Y՛${0-<Ͼ tPd`^Ҡȯ7$h @id Pڤ[ߎ2V /y+S Ij+7W}(EWJA:k +Eko͍:'hd텥ío:,ſV(vZE=r!`6Fm"T$;c԰!%}23:[+ 9Oeg7³Q S0|#СǛB r[hCEdi,vuYvJZIz*ytj#AJ ,\lyVdΐ|gK#k6(lT$ e-_Ta!7.nm\jDht'?D|7W1 7 ) 5%Ã8B5`/2( )w! &q(cq(ó ANv CLtV|I8q髁3+辘=J"0+%4f̀jih4GAfB)4-;-Đ̭H:Rq JJ7`JcP) ',):4Mوe~.YKg:MuAzY uc]G;ӜXCs^(\pkx_GDPMc_=F##Bӗ_Mɽrl /]G;bBY4ϲQ=dO+S Vť H^rmb[eO&]b(vx=ޯX$HEt3+wC4 j/Wv؟5Ƃ_JR[«`fq `;Ο$I_ "0}X!c]*W A*f gbBY A83}G׉-5kY_c :dTԫǺfƽISK8ȨFU-*>h GdşM\0VиysD칡ߜ".>\*`=nwy*Cpi;.8Iؙ0$ވ%N' ~ 9o+&hIܤ|฾K)d)2s׶|KڡqradO^>[% mmhmt6tY^+)jov#Ո:`_q-LaPX)RY<31`YE7v-Eo,N/ * uSGsNzcOA39A "EWdQЬ&6 !TQqmx}5) k2#GeK-|<{ ڟtNe{;k3c_C-E7?ƘYSK1)ژnj,DDh5%B/GcGrw_UgՑt`zlSĘj3y$ ŏ2ʑ˂jx"SͧJTp91;ضZd GgJz2a̳8G )ڝz>݃J䜓эsyNwU;ɐ!Rc07gn9D 51R/$?e7$6E$du Yow}Q,79} u53>ԻX g]KgYx4/#a6xV&&ʆk.Wj.?tHOS0v{H&2S<$QztX >:e|mF;y'pX"5~m*s.L2$4 t5 >qI铮CY<7.['Ru[[@&sF҆'vdIbԲbRWQ$WΦYH>>dAlsNJՐ* q"PĬ}|&sMP¿(ʿNf8=Eۤ$XZÿs.q늶q:z-ADdW#Q6%+=!?~6`:t aEd){q;qUwa|Tu> tfN>)*?>}^KRx }DEAq_ |6dExi@֦ڜAO|V}b*b&r_94O.Վ\r)Gn͆tyDx yWr+a;oX;|JWZFOfz Oi_*x>j˭gcVaY0Pf!l/ I ϝmE0a7Dď*qHD$q,櫭V~ЬH]PpsAm.o~|ѣ5ͷe,<@7g&G4;vVdY3ݓU/af+zd9}%AIw tf4Xvߙ~Qo뉀j[jЉ.N$bv}em-Je3*3V}J_iy<3ZJ*J1D;&MgvQ,|`ҽxeor7A!sQ<|y.|Otޘ)tbO:6-' r_[']0]hh%E"#/ULQ$ݳe?Ug)Wҵ)ϡA ^jpz mNI28ucQlSITs ?JjL QBsnx?o2N*[zJ:piQ0|od}hF?Gs|7ah$~B>3*ʝ1ɺOyYSuBxQa+`e1 Jge1b [ eO)$ ySNkp]_t,+H,Y/n`^kAPp͎?-sP/dt4hD7k >ˣ ^&@"9͆0w{8΢; 9vӶ!fʷcrʪt%Qw8$kyj qRb 69wżd?`U:Iʅjr/L3. Ѐ!1WJE\tǼqX SeقbU=ȍLfZ1ACժ[}85jYmRTQ`NҥЩLDw$a!][}B?ҵB ÂtIwi{]{$E0u]P~l'rۅc~Hr'XUlXT"7p_W|a6B_ ;U& m Fm^oK7 K]t cHڵOfSV^JQ3θ2qr.J*Ekb濐]~+ C YZ