samba-devel-4.15.13+git.591.ab36624310c-150400.3.19.1 >  A cpp9|th3"R 4S2q6|*1ٿp.D_2.)\>,3į{gL\-"<ݹjj%INrBw !F=ҼU%7)d?*gF&G-+H5,jXY' 0p"Dd!Q^8!ppfxGp 6Ѱd%mqDL3h1E* }gϮ=? 9|==-5ŧ%5f83092b697a9c54ce93409c4caf47eaa7a010af84ba44cf0c116328678d83c5f6d7b80274821999401aeee0f91e15db36a5ce84b`cpp9|QNk-q "JMf}6uR_v{u.ÅPEHY]1CpS2rjI v焧E)[wmw0;xk/Q5'CqҎS6<_Bo+=k ` ;_t΀}2,TiJ0CEtЫlB7IJa=b"gD5<<L>pAz?zd* 8 f/ Ee|    ! $&(+J+-$0l01(282968:GB[1F\G\H^I`Xax$Yb$Zd[e0\g`]it^o bq3cqdr\erafrdlrfur|vtwuhxw|yy,zz@zPzTzZzCsamba-devel4.15.13+git.591.ab36624310c150400.3.19.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.cm|ibs-arm-3%SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxaarch64( p=B!1N  aF$2jENTv |H)KU +d`@t2!CYW +g > v&HI!>,'I:l hh Z=1y<u .Y3T4&{66)w+3'A,;BG_AA큤A큤A큤A큤A큤A큤A큤A큤cmclcjclcjcjcjcjcjcjcjcjcjcjcjcjclcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjclcjcjcjcjcjcjcjcjcjcjcjclcjcjcjcjcjcjcjcjcjcjclcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcjcmcmcmcmcmcmcmclcmcmcmcmclclclclcmcmcmclclclcmclclcmclcmclclcjcjcjcjcjcjcjcjcjcjcjcjcjcjcl:57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b874593d5ed89402648536af2b2a2715b7ec95b88308f700b0811d4e501124f76f2e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b37a9fb59ad8153ae7466cba7121015d8ba2a3397624d5c86c144bad688c8009bb1b523b57a052b7faeb0db0c98b19716729c5617e60d14d2ec82d8501ab67a71e8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac198965acfb4a7a09b1bcc6ce465e1da70005bc20b1249c16fc62adfdce3f7dc4959a34f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaae3d696f724b61e1689c46ee2eba88d6eeab0639f5d11488e11115db167b2c1f9b0923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5acc6882ff8cd96fe30bcf23ec585df473a109dbae488fe05358061e5395f1a23590c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e2030038627ac3f06f80f2e669357f81d949eb3c98d1df06838d0adae98db4fcd610libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.591.ab36624310c-150400.3.19.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(aarch-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develibs-arm-3 1673948540  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c-150400.3.19.14.15.13+git.591.ab36624310c-150400.3.19.14.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c4.15.13+git.591.ab36624310c sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27433/SUSE_SLE-15-SP4_Update/d131a1ece5f5f825caaa77fdc3bce37d-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP Rg\H1utf-84d25db77b6ca8a9107160f81badb44369ada3b1eb4bcc3e31a969cdb40471372?7zXZ !t/] crt:bLL "^HW+D@;/yF##b%+,~>gNÁݨN #:O: %Ltߑcu'rף`؂2un{lt3֏ Zn( _L9#;t4ۈ %K`V*+,{Um0PcL]4;2)@21S}(_ecԗGKkIYTC"#&L=VS];`Ն9oa{bvr.aJBpZ)$x9  *U5\Wt|h-#ΰP8zbÓ>X$2q¼6v('i༛KyaCȭ݃<&!=`j$@SI*k:-YDI$|Ѐٱeg]l{zM|AM uL.$L'5A&fjbrۮy1RJ ,XYgX$vKI~SSPME=icr?~7?u<41tXXD"TT蘲JJ v쨺߇Ê[]cL@a.dSĖцb0 KH ϶OI3ieЍ .v<ႦL8"M K(\Ҕ(~֥/ϮVk" e(@dy8^\1EO\diU4p-x >O?ۡTϵg_5 +Z<ǮENL+r}S(hQ, X*э{k6" T>|A^WgX>KXM̓Mz#al||>LgyhOw%-#E?`,j66>n2]qc[2Qi Tx)K9΂W&]AoYW{Zr#ЖpvB!lӑ6w68!Q7ag( P˫ ;Y#aUZ, .H9myӜ3fω6[T6Z(kG3+/1!EH,vk1qh_cd/AI)}G*k6bep> 0SL%9_ˋN)%Tvt[uRV߳0%6]v?ɱʻ2N田D^jZ>A/N!ǡdGHNvGlGϮg=_\ nfuDTX*I3sUKU0|˯{$:<>KIap|o1lj-oE MVSS#=i rU1f2gS/Eti14X >V p,ħT̘GBIo =Nm6cm|X2<nq4.LlxF1J!,.\:aT[ FV&73ŃcT+dGv|cmfg.P&f*`pDgf&Kٺd )s:jW&k_#"M2ҟt2;6J~Vdkm Bo)Q=?60)0J=g%?^B:S_G )UuJPgp9Q"O[YM"|HQ>ttHsh=`w͖>^95{{y=;\ӉHeODt]!)}6Vn8TtIeHߊD%Q L+ "BMט$ qAy rFӛ@59}dVDSJ$ٻeh]l,"u dsS y\!F!yڶq IW a'%-GH:!̩3$-sގH B˗qcYw4j o\k33S&U6+ Xj Muw0{`nJ='64L@752=avdU8qWʯ9?f(ph=?, '~D, gQ "*~|H!GDI./sP_#+O>+J1ȾHoyd~O xp|e_id Zv[/+.%k94.ý9s]h>yht.{-(3n܄U#kj7.QKVeS/N:QQ[~$rAt{S e-zo)=[tcLW1MÇ!%k@YT϶;YI}wqb6vO%BNǍ2_ϝ0mS7!%+lzW FUEYUD}Ts69>Oа?87# u4yR남'; .0P^U ˕gUֹ("7:!0fG`ɔ $ݪk(ļ=ۯ| `N0ՓT óK/aݱgױ>!J$6DvU$'V%U0%O<`)ݑ [Arcx!%R ܖ_i@n_qvt;g=XcȧGmKK=&rq{(͚1t$,{?) No*-XKֿ{z%k@hc񉗉nPʰΙG\vsщ5?mWE&:\| B55b_@1fthɔohzFڹ-a#^P)>9uH,!N=z:VlL384^˜ udL14uBC:#x=GI= @ R; aPLAwIsRɊ}"j~ffoZ1$kn/591 ګn"LJaxy) p|Cwߛ@'Fs]~fQ]>z5o36~bܳL} f0*$,=< ]oqQ|]XbӐM@;ܯN(v$oW*8"M{Y2fB=̙&ĩHLzoeb|V#!w=;23R*-J8y{;gv!@@A%ROojUFT ˂<|Uպ%#Fd !a$.R3s, 9K,RXx]#< 24[xaXjdCr7ϓAڹ4#C`Xhu8)Ra%QLf>`FŲK9܆`^4ٗ0pAmY:'| Q!Ţ1x'c]P]{@ 3[նP޲eS` DtVL]7N@h-?4=iƄ5j悸 TAӆg؞"=0˩ A{{p6GvNu$ފx!urcBB}nҧSyr&dߘ K.-\ZD_U?f]gLp ׇd'Fp@e<%"هF8()mCtkW/mxW=͒a2~#7W4Hmޘ]sew(Zu2R.E<=m@QxCWPuo~WMۋ.l kۉ[n9"H_8@0 Ѫ n7 2+JM*>υ /ςP}qbAlj #PFt: J%+y*يf@G YwץJ;|B% ҝm| /}=ˏIkoѶ*ő`\mStMOyh @oj݇A_K w6T>1:;Wzє%.bFQi09),!j\C)XCFZG͸I#r/[?f5PpTjg8=E.6岢kt_Ro1++@)cM)-uΰ(z='PrkV 4έ ;7%BK6H.~VO>Ep3fۻreN*5kVtڨ:dJi'v&Ƣ[ũMW_nm}T޷ G:;[2Kpr1]6[BIWtدIۋag:bS,h-BlC*Pf#U>hp5.{Zg "Bʬ]ߐ I90k Biq  ՞|֎Ԛš)j>$-(^0",*Ȁ|(-;Cq{ X"!ckিrO*|( {w(9+%`=$}#=zޟ;mGcEOxZS;ƭtŸ1fd&0݅66n1mCWg ͺ>켪4M5d[-%#ƵdVA6 mgĨ/pἁ(}Qz|rף3ٜp7Uœ-96p즖ކB?vIR09#rVͶ`/:rb7K \~Kt`[{f5+R13V HW}(Jz`Ї=3+[1 \Cv2kgIiVScw?ci,Xr狟vqebNi_]ox[#.3(ŗTסhՆ e[0dz ~?=v?C;,y*2^˦<Ұ(0숨Q nXV+s1wq4r$xNFil%CLXiP{H1c _׳eu1h*l2!e^x(197ܟ!n%5/8RE?/Y1N\8]t<K]h{fޙrw>u_k>=4F،vǤ*ZgT&9\^ĉ\nM@*>pss ;eރՠZa#sW/dGK]e: 55vC>ֳH`Fb4Al{+v(0]< (e +͠ dvrkyORțof=ebK$.RzPVU㣊9uzHM4yL0x%rf.^U ZrEC2*i?5{xMkr$t@Ի *WIz NpԦ n  H~ܒ1SasG-ptwN^uչF3 #1 )[N*Ѐ褎/6^TB7n#!殊Q(Kmz а!9y?Skntpb1; 8I/=(<;3쉈@KE,aiF8n"HʬDN&gf3T8`0Cv1X,u뤄#1>M-IYy;Jy` 8kת7\k*Cwujȓml8ėLc=+xYB#q ɲhilxYIG*Iҹf)s\\cR \mg!;va]O7`a*箤SOg3T Er)+2(z/d zov`HcTsJK2qX>}` w ?Q1'no@OUr#skU 9M lQ۪ij]iV '"Fَ"Dx~ R:9H|;u ;.24 Re}E_0-V|@!X.d"95E#|OI6 c;u6ޝiE^$@>~zBV'3YU-M7*(j -t seP/NB'%=^!wFbA0WV:!Ó?\KG4(Z~AqFuYkt&P/QIJeu!4Pj[V%v`o[${ ZF@^Vz?eDt>f}cɨT&V*;fmAWTш%mN<[0>-c ^Үg~z;-{W(i#Y8ė!e"9G'FjFo<5?#kJqjeX)={? ƒ 4 rfv͇oGn訟| -ߢf@fNkB7hszþv j0yOGG-G慔J'w 1 St-oS ؞ W'8cyL V(B XV-Q%<&١4]{k0h˪7[ubiCr)"s*lES}X\U_s3  +,B Cx@?ax H2(Uckml8ȅ:4e@gM̒&h/O66TcEK"sM!>;ш.KG~6ʐ+L,]فT Ypꈀk+FTŭ~^i~nhJ&0C8t9HZ#`ۭRG-?:>RoM-,qHILgg-\ø}ĎՒ]NKz=5]ّa=njȱ)NՀ~1o.l Ot@u.,ulV$=$A`P;-Ԓ>fDnP}^)MȂV*IF+9V)N;Ў!l"  `T+S姽ueʮuihU |(BCƝ؆qeߑ-2JEU+(mFuDjW~yߐ:827[4 ;Zn)J)ĝmr?Ԭﹸf&oW#&D[8BL S3'ݔ6-$۰;ᛟRRO(d`oHwSD~Kz=JLNr*x2Rʑ! WciHwPD_R7Kc%?o $P9,dU~y"!@Bn⼤5 x&0J 2L8}ȎziEӦe$kض ``Dqj@@h#LWri30a'8yffu[ MrG0UՑ}}&ɔWc wGscލWP7;ҖXy S} JQXa~Y`"uXv\'R+ȴW,!pܦϭ&-n.##67\qL%;XX?k1L }' EwYoN.+*y˧&3,Ax?#XZKm5^2ocoM^#hO.4+hQ<3(3h^9 쉜q57HHͩ:d1x7uZ^ҦL "B"dВ{`E{W =[upe(Xn v~ Xw@|sQ敽YmjBJ΋G7z_ 1“|B0-1CH]D4Oy`4AP-yohKڕ_L.'牒={>s6 Ϣ6ir"K$>Z/}D^`) r6sԜYb1N#dnͽU߆a~6}8k3$=7vXrk|✙gw^Đ .X{tc%yH D 8`luz` Z@48'ëNa0vRY,nv'EZiJxk_Im^OݞhBhYv^3T.1b|z3e9 af#bG3gsءHV&scNw\-M|7s?0VùݿEs̝ sZ@X'o&T]tKJ6cMUoSV'ؒnDxTEҤ(JElȰz5³mfa4Uf/Ee^"+6t*cJ9y>_bϝjMG.+5jX w z׊ske)-aAMD6VK1)M.&4t}#7Kظ#A.+(0X. 4j]Jn`JȬ qk}rf/>b|#j"r(k a;S7VkmV7|j'%u0KA7,>S Ȗ* 8Y:lܨ18k9u2 > w+?0-?Ɂ\Jl]z?ǡ#}|sSAUj)݋˰q"s֡0+x# (tfܩpypVS >OkݒC](,DTe@ɻ?!?IJ1(nG,.0t--q-d㈱CM սIZ`ht:4itT"p9 ɆmA􍶑D]@ !Z Anhw E=Bs?䇆d~OӠ^Tϧ|8>Q\@oPi~oK 7X 5x %宆tJ~"#U/j *םP|WٺZ r+-R 0}2}isEZ.ԉ|oz[C6Rي"JCdk?w ~ѡcuW^Җ"ȟb=u g" ! zº,ap)l ,T@vgW*0ng[!xȘϝu%{A,o$Q 0xpp.~4] s,/{BQ)6^ai*ӝ9QfW{,Mߘ6CA?ΣŏeݝuѤG\U ٖнcY*p3_9~fCu-UZD߼]LJV-N2-Cf Ah4!a<-ք=/kRRmW D\!:̶;3?y<7KBEc[G`sB{xL#ywkoQw|9\"Y DYTE Uʊ{gBkl]a@k^ A.6Zf01u)ٮ,(],N}=(kn5 #EOe;MN\-zvԺb "qu6'b!@sK^~$; M c#\&12t3;فuʤH̊w3 :>$)'[З(E9 ZO#66)=H(`g*$qȄ틜SRQx.D;oeAQ$cX8`'^EمI  T08l_xVdKyj0r4,UXN7TվS4@[P hUϵPV̉ (8c*VQJA{]-V/c;=[iwP<& BDd5%fY4$Cref'0_F qW(厍k?x}VT|ZV~prԈ P֑'G+f*x :^vݦ@uL}ۊHj0\YBWէԔ-r՟vԆRv*ȌXzjuÞ(7!߼Jh5qiʵƅ}/@TJoFQexaayvʼnGba{#(b\Q/9cL0 A6sM*K a)r3W/IYDiXtY1wЖ[CvSD(ή#I/puV#cK2SzB?| CZ&%C`2A^zɜk\T~45E5q/땉F+Zc?QH65VXJ8Y~B\4`]Ωwjܞ+æͫ(Z2wգ=x]:c%:\c]{ݺ v{2x'!/uYA(/>^r*_k:fbm27Y}Q `]ESO"'JJu XPRV?Esj1NE׏Pq{K>?9 H DR1I7`RDg Тm>QUZ0ku>ucYO'H9J=f?9ii0ϸpYکI.1WSϽ0ΞƊN?DVv>QXWV9_΂|= XN(f1_3xq# !TE XmU\X_-Eb#+; $?+4T 9G?C0xBYDA |2МV&7),X"Ηqyp]-[}|$DP!D\isyֱJ= 0cHbTxm8+7As~%U/TɄ kVS?rOwiO]Y$:)Shx8ÙU D[gH ]ƇlAOeͣ>k7yAҽCpwG< y3L2m,׍˒rZbN^Yldrq/>\ Z7,ܹ"'Vf^zF{W[sh|]7#"?5Z1S~Έw?J#c;/PH_nk _PTmIYiTA$ܜX[$asͷQ;R yz aYmbiL\bs~a;%@$ژ2$`dޙuZ|P&[3x]_CNiX%f#RR 7[("_꛷_hV׆>QoqCpӉnU%fKC\9_PǛ8"n5r8:7G cY";/qcqֺpz}Ljz!0'e~]Eͮ~'h\\ NJ8c/ZAx$9ʴH^ eB* 尣_ Jb/)?,*p3}~ו&?RK܀-R~ -K cxN#XL27b'{30_ 7|Jћofs>*rjt Iu٨9APym;&cOOJ}>xU׳F<"851hqP@,{nZ,*#k4 `I.Fwƹ)ZGY\-cM]"'2!giWy ijh~m)ls]Y F5nj6i[rmy!+p>޴  '!˄?8N UɏOٟva ٍ05oJ֢Z`k1܄dlIe0dkdʷtd1a+ވd{h H2C'_u1I%,Y捗궨ڠABcĶۅ&#&}U|nCHk^[NƬFҝJޝ9kE4cƧ.] \%rfA OjبK y1Qh<ƅ]ҨA+**d4&oϸVגAM9J\gWsBjϜv>Qsdt!E7;BuO x>kҠf9Rhk3|ps7>2b䜉+Mk9թA0?KG{%]seCpBz"zsT|u$%,AZH[Ldlq^0ټHPx6Ȝ{lXȎ S5~[¾'ѧ~D٥Y-AS OTxL LSA7iu^/, @@TiH/2&7$/3!g+Fu nْ"9i ^pNiH[Y`tInS`^ Hѐ /ݓ훭C+'t$gs%ym\|w~ln|TQ; B̚:V603rXa!GK Ktݴ0l3JՍBFԁ XW tG=~p8oahJV΄VNc\6V '}$e&M@Ve1(jZމ1/ }Sj,ag#oGAJ%ό9,>ġybCce6b+ճ-->Mw. xlbms64@]j`[wxW;M ^x=|en N(~Ű \\u#+[h_P-n8Χo-XM?H`0F3`ux%(Cnʴ c4y!U|xZ5@Q[Dn-Pt!E|`zi3"u3n1BuNe) x<^IY穼YNA]UK Kk"'ݓ;pۣK]뇴]+:u]?yph޽l"X#=@p,:=0 Du&jP6]r}Âk|/lb^lgTAH&Vn>/}+/h24~ ƭ>?ƚJy^\ ^C8;SHq+Qʕd449XF*ˬX)l" %1xY`|vMB~?#_8"KmBH{:{M {4fһEM^/v쎒-!)ÚM]uQEGť`pD3t]( 4m݅yj"6tύC E.9t'n܋+"5v>5[%`y'}9sT#5rd@hR+n--—]xVv+rv򾙺cǩRI>'Y!e@HyC"!G@&5I*꽂SYi[>5*@wt?qQN~t؆Cbj3ӆEPܿo 637De@Y;ײQUr~Ņ0|b <ŎH]I [Jo9__=F/Oliޅ'X,p0q%Zg=R0皑Y;n;&!Z0G 8w~LR틁|*yo^~r)yHr} IRUg !8S[n`xPzQ.@;I&շJY7&9=Д F =kZ9544.ɘSGFqiPuZR3ܐ!1Ҫ=K;$}T| ẚ}s: W!o\VXÅg0l ~"Qoj!`C\ 7s~4VڣR|2I,qim| IJ?ZFKEDStYHH#( ؜'?w'S7#8}xn f5Bh7`NT)fA !icujLXy$*0L ݖwz߄\lU$~h-2P{#odD#{KojA :_c𖄚QG^+}ϵ-E L絜Ivྡ?$L*+^F [U_k0\bFw7 N &=xZ34_j['sgv?80-̘8󳂘לoLX0#ILǰ6qҾqo*˻PZ%F#kPϬ״sK'8w6d:uزl-ӷO2 ^Co Iע2uc:b|J Ǫ IiBv "AM䂕h]ep9^E1ӗg2t|jOƵˍ?ؼj4.N 4PMLnџ~:@fh& "qRu$v-]V̷[I!93Ig S&+ ŵui6†9Im>{߾4㥧D&(Źb6fnV0_ o F]E$ hP%0i5Gi y XbJw#^,:,ы _3Ϸ:E@},VB'c =}<˥2P 8`(pi^й Ofv,Dw@d">V_h}/ B['`&gN|sq)ӻiRo(~VXӯs2^6vl:0(2O*zt#Gbœֲ9GG)Ipz @ۓV5,Խ}, M[NŪ\LC$x͖䰗+ܹE hˌ>0tM F\si,Pm j~!Gc3fLǸr&FKpG%-nU{p'l(< }e"x?|풮l[7F!$11޶4N3=#;5@0۲Vaݎ" gǦF 9gfHeDqH=xjCsq=fqSNe,/}%x ͫwn)z,.O4GsϢK<)\yg\AEu4C8Kϟ<^lOAGX,{X^)iB, ȶ`CMWjf, ֪}j22̤f`f8T[W؝`aH/Jc&͘'2}.$ܽSJ+{TDBW?wijHA @=;\cNyT 9Y # ? F?чp{gT/16J"}#p!ҫ ,G.|}}Kp'2[HxdJDPcZ[*V'PZj(@:HK!C[ǂyIp>-V߮.;}"DFZlG?*Sqou Xp2ŀmAf2Di2mQjb dzPIi3./ރtt@+064NWk/ki9BmgЅT_.G!7r=f_6D!]f}•lYV.o/+xVG# uשǙtpNo$< ;Gȹ^84t6}ѶTȥ28AT@.iFun@AÄ@NWO-% s+yLɯ0: v15uǃb AL>ov`&yD&#i%&t <__Xd.'[>1VX~JjېY)F+ő`Yڐ,5v9mN9Bo-eI4?]f,q|Nyv>v,TZ:w"_hp~No1k0P3G@n󇥽~tSH7$7dq_qIg۸wв%A_D~&Oyq!ָ̔HGAg%'Zrϐ40:U3"We5g!4ue1;c q`8Q$1ۘF|IeFnɧh"5NR#C6S',psǠkC:pS?Z˶B  &-!>g/84^RAm : ޯ%ǿ9A1OM-F))o!0q!(xqvJIG'}:"+16TWef_.0%)=9Iu㹚~Ck̸|'/5#WbCtT!ۛ,e3m쩵%:J\pw<[ۚg#(ywd~34:2UmOo 0M~R9,xn&X@B{hsBX9λTydn9ŐDl'&ߌ!SmϪs̋9Gk)?O`/aKgQHg2>bWQRDO;{ ?(2[r`ǃz}jS|}v:Ä :J}A^L̥ @uȈ}1EFLaDc:ՈS݄fEA *I/{IO~8㚮6 (; pI/K\NNѡJM /B뱥&W!0>!NS%FgL!ߟvTQ_FUe2 _Oq^+,UE˗=qorP"9pVx?HeC!t-sԤ#:1iXS3EX$m%ɼ In99 C#I[%UGHYRL:C7dKZ{$dQTN}1/ ؉`5hY];t9C֝mq~\&2DzӝWzƖTQёSсPh!bM+rz?cv]ru}QCSk-Ai$ QA#aI l\θ6$gbs\ßm+ŴhgG6hcsP7{ ӬMk0v/||)ny*6Q}?J3pI'0n/{z /g\*.2 ?v( UWz((#Y>ŭd]#3f7@MvT&O{CjOjۄ;lue՘<`&>^M6 s"6qbѭS"|t{5 &$i8WjXOoAju ص_F&<6gl nim*ЌXJ# ϓ^xrH7 Ť*I͋PҎlw3F,B#VQ*vȂ |] }5>nj˽,%ݣkT3L,`9=k "ϯ&Đ80ߝ7㬔X'_p7,~'0W)3]qU ɩc*;5dž"w(ÆIOywoN6Dhk4W85g μ;lH-y ; wgZXgEQ7"gSg4{ƛ3"瑟䗋]yZ.V򧁦郺1ǼdUA ×ױR[v7Mʺ?H8kDv' 7-lH:L@J`_H6#D<e:0C'tU=M8;j˜c6s 6KgJޒ×S&qՂtRR\ t 1"<ŕ-ipÎRIi#c>x-/dj!YmC0̚)Zi6EmQVd%o,+nKxLbЖe0,MYZ/?71t߿7AA i;ћMpXtI.T;x#\K^I v,./#5M* XE5^'q|f*uFNҴx`%۶bwp}okte+#T~ዟ7 #7Z "F : 7=|d#=(-ayt}I@GWH{j'{u i{c70$Zuj7W r`Uv=·QwީP`OYe=ZeKbov6 2ai^zu\4^B|s$kF /ٴD{z~GHcާVl5ԏJx4zsiR|X &'~!?>@;u|dpPn^b|a1@0x4$*u oPcLo?pB4\>' tA-*>^6noC吧e/Q5VZmE3%Zab`u81Ef(.1<W,8&xV"F?)aڝ kFv--yeQd Ho ę+[rܨey 2VƗwy5׋VBjZԣ=j黱0d<R:_PrZ%Fv#frꋽ ֗>{Z[J÷4 -s-9PDT\DWsrYqZpM^5xީ$cfzi&:3X}YAx[[o^*j#ۘ *{plϝzYA+i6bsd2 \H3 8GܒJ f2*XYU H $+i$feSy-i7Áz d^)~a1yөגrP7)rĄG?Mls\ D}H\ArbVw[^j $7Rk14'u# dbBN\Xk퀋wN:u@=`Y]FX[>B%AqJ1Mܼ$lQŨOY=?kh4.FEvs.a[Z%T䕜e=T_%dr c:2I]0а7f1|q(ӼR`E@;Z(h7T ' Ȃ"_1bwCPЇZ"XR6`Y`6EG%GCk!tMYKz 5wɜPí89oNO:vPxn#Vٌ|Gfw+EØp-u<-tj&xK'|r8 ˪4\u%[pb`4ށA}\OӹlcN4ξ@/s&L} 86:8&583@zӡ XYVPD@L 9؟_q"y+75xG⸏bJő"~oktP\X@xue(|g0{~_>㚊ۃ:klGy7Pȳ[r*Vav1mw䁿.ugJLq5U7j"1 FV6J`bް+n"RC]$hpGm`]ЋD40S e[KmHJO.GM [cH+(c?Wi]ߑ!qD3@*!C>VxaoQ>S5Ȗ2}gHG!\1b2:劰e5>㦪\i-ݼL-Fc0n-{W<(>vb8]t^EQl&%%12yU|"}X(sYË?b*P/KmlhLp^҅RS!&02FuA.a; #ZJiy'OAu*)4$KņhgtA j%)T՛.:<)vĹό@B5b5ȯsRF?*(&2-4r#=ZاVwg(lN!ن*'aCQ38[#gg%[Ar6i6"XkI跐[O;$_xԥ:4O;^KEL2]h$].g08h#e%߮køa$;Vmlf@^^[|gQ #Fx&/q;A8_ԲÉBFo=cC{zwWʽiW ʄJ]G<ޗ6hjy04AE.onciI7؂՚ޤv̊3ܷf:31,^DڠL#4<Kk罟[N.&@,R󐌁9"W`c42P\X?ُ^~n,^Nkyȝsz|D9.u3|(=m,Gte\PeHtwp.2](ܳ4#Lo\#_\.\B,_<6@ }IA"2#5!ꂹ!R U)Wm}|1CJM+0{\ùvtG/ǣW}AփqwfGn ss3Ɲ!g.9|NF>AP/J|UZ#MQUN1Al~D}Z hM5OAxIe(\ ^+(:f!hȭcG&Y1GIX;0N+wʋF]xfSudqUnx/э#~cZ SGւVWvc=pB]o,@*SEQ_.){ꇏK8bHyWM%ZNDȊIln ^%Q;':*Uj 2`ԮP +{`ALBĺ.]ɁORIB؂G춾bLmuPna|Pₐ:){@!"+9<2ޚ"2yHhq?#ה!Q';{nchHOvL%ec@S*y:9{? s}4 jH1 >VaSΉDl.|b=_J?S8jI`FgѷCt3 pBG/J\R)H# Ῐ% fhv%#)K7 wd%!لjCMNĜ3x!kU3fh'Wv,a"B Bfavd;K{GzEњ;!l0.X=kiVzV4D EM ?z@Ēw s3+<)jmΟG3e׵w m#D>aзt+˵bq |KѡOK͸0 t<Հ?ϛSe]Sw dI!Wj|zyof}d(F~je,3mu&g1q΄܃r8C%TYg7h4uHC:vC?|£[# p*:,| :a OαAǀn@B(@qYhxҾ˜f|o Jis~Wzc<ogu=$c3< ޿@7.[ubJ~ʟ!RT 92G0Gz2grg B]PGF#"Dm"F[bg?ɳ ~K;*h3Ҩ+dB+XS4S0D>i;+<4?Zm~2!wmpk <|m8_AyIҷ.sĉ mI4YN-Kb;`?^dpYw鍻SF$|܀JgZ_t3EÙ" t(OR5jVZYXbh_ >L[CXk}W$֜}NN㳉kb dft(X]MEe`#@t5*U 0˟GIu%C 7[32}&)a e$ Bl JþǭB$]Y9*O>FX('pȖvk bŁrlqtod1ŁF PP8<+@]P?qZSָNl,yufF;Y7Ku3&xZd`T |?" :V F `)`${L|xbp}*/ts__v? ̫n7GGϼWx^ALqOVAdJ$x{[ 1L-i xKRk  ;P4|/Li>5M25R9Ǩ$W*wxt%5V)jPN6ώ$-dXZhAF q嬎ˢe+F B=dr"#֚m-gdpIr7 ͆Y>?ʫU`-ꝲ, $FAFP7ƖÁpn"u8vم+ԐL)JJ9H:N~ZS%_S8"O*2O-W-5u,ufn_8$[Jx;+Y2uO~ݻh,5ͧ$Qb^G*gIx܇/"W24 >.omy/Op0g !:5Xόf0 €7?V}r]^,@:d恓Rf%H섮// '0'ޱQɁF-DHO1@%գ4(y_'pr5XM9uB(KOsNE{',H-IFWL㉏)(f,$- P0ZxL,rt"]Ue2I914\_F7HMb}wC+M h 3x R[cDʍSs,vRSa,9nR0,nVLfL*ݲl^˚!Ct֒5?x/Tw1-}뇆Djdp;.;'=3~ шl0#4Dm#8Ro&JIǗ{$}1cX+7goU(VWwX `w &*~>(6ZT.  iY Y>pTt ,lSvm|KӦ6(tq |i]c ,XzlA`@V Y'M5?(O8=GC!>{ffE%{S 'C6T$ӲrN VM鹍,B !^E̍M"ӝ%H~][ +"'B?̮⥊f_֦?\&?!f"5VkPdy[kdzx'`YLRT!,=w`VQ8%Vfgu=J#`rHY !ɛ.ơ#4P?\Mh4 O=lh]0*ŝc;&9lhRUGme31y{Ҫ*g@PU~Av>20SIS$'Zr_%U Qܷ ^-hƯahTtI'yPKt/ J~H6F[o}586R|-S(N7Etwpx'^Qg]ωnPCg5#0E 4i_/˖ 8Kg7˔?DHA|6HIdD c}Ɩ+'ǃ- vIx'?RQ+"UV65xf3VtPR 95 gG6V&"DPHV ) V7g}Pkj (~*NsM>$f s-hLwY&n?=-> :=ލEW#$Z3Ug|>HO]V+Ct{<1C|x-!XVTsYH ZH}&lj7ST3a9Cܻ00ԗh'ib^qmjY50􇥫F쇺8%XqH̹J3j0鲉 a\15D dέGTߖ-7&{SK r,hsTcW$=~+G B}c^a$*Dpoۗcfaht{7ZClLF lQY]Ɛ "'mSj( d?j5J OwwމÂR%y (8An,ESj|f0#8,~j+D8H@#ys" @Gy'f0ަ̬}7mFA_?[] IbIg!Eg BV ڧ HM&3j,[6q~z6s;yL$*Pi~jNCGYT3Q1 EhgqhwE-sb`a `S!c3kdw@zӒu6C lE| W'sbnˆ"%H&W;Em&pAt 'Z$ 0"FJ ٚ!ء #\ +8K&\Hq}jAO T10c!xc0PҜ * O(< BVp5~~S'RFűPloH0O;sf܃PݺLԯ\cͶaq+lNMT>EY(&0qFE<5cgCa Bh{45$ػl;?BDB`P <}[?(7f^? ҄fPltUlGJI&=1!uIr,0Z^fgZ}8Lv'Vq5K,3 ҩI@DoF9BlCrFL]"~ZM=oկwTSP݆qE=dO74jkD"? wj%yB.p\ *FQFb3^Gx-!Z'Z>8NB3UWċ ־:qo.GkgpK\]||eSJ/j2"{!QK khA4x%5--Bћp6lJC1]QU":,qԧf&n^ .B,fԁMO童vmXAeEh"FdpD7 `IW*@HܙB]i~IΨ0²sl:1֚L(P_.|<fLziS :%fo\Gk :"K Qg!l]-Yݮa2XUWT5K}AOg=|)[/k;)z^&$XyFH@"FV~ 0(dVtEc9?}? 6]_&X'\VLA/%ڴW}^?e}[ XmlkE;3 ~kw;Т1@2uiwt7$zhiŪ77f4)ݿF }h%Jz zS|7 kʃJ{su6g`在]Npx ?aḏxD['|:\zl} &Zq~I[LtƝ{ *a8j793kn}Wt)'$IT.@ UZVc % a9+^Wነl>uZ,$p4G=x(C=T̈́rJU2D zLxw9=1'Q`{SǗQ<^Ιt73D, ŃGu,PSE_ #w)5>a6wg$W\Mݡ̺y/ ߐ0B?ة ̥]pP})i8b/.T`}J;ޯu7yaY0YO߃s5[" 4=]nbV3YKk]3dTc9[R/Lzm%J2y;&x{|NvLW?ƃFbg%OH=uS߼S+FQ2@)~߆Sd>] $܍r;+gs?gۀytbBA;2$Xk-r v4ƫ2$AE!`[7>}yqJBYoDli9,7qg{D=76B΃Bh׳VO;)Χ]K:ʽ >FKu$2 <Ԣ_=-xy|e%3?g7nȂUBz=_=f62F?'ZA(p9b=JN|̠A!PeЃGE3V҄ .+0O:}m-vկܻ߳ l\7 i Y"-=YR*XP =|fИdvUOO,|<7*sE!)Sl aVoh]{ΊIu_4?D_[)ʍq^&:v^GWꪔ]WKYOdӨW'1[ SBE17KY''v=-yJb*c,cSY `^"[`5cIE‚aEa=X=P-|U@l޺G'^."O6IFڵ*ů6,2))Q-ü+.ȼ'Y ٔ!'zJTH:ZYr`EfnP De NA ߙUQ6}a) {mM=&d};֏zŠeN?\[ Ґkݶ$..BbTE~#agt!D =BV,^pǀ,[[S=If31X4o47._J$칾)}7.e^D^G3?(_EMyԋcKn;̞ytn ^x`:x4onI-T֑#a:0Z&EjGi}`۠ ƥ3Fx?{} ?$zz"jޗN0-_YGLxS-Yϟi:>^rH;c0*qX k{P(J:U;wIk̝hS`\`6n#QX)3Ux"ap֧qW_u 5V9TemWj:ViHrZIF+o1hJ$_-h?c :_S{| x7;~ȒeyAFh3]d;`@ 㼈L0F@W9]vR1 \5vW8YǼDZXŖW:Og &j۾ykY4q<_~b0GT|޽r)ĥ'u `) KJG}ǟU+N)WwC314G:nZ19kdyΓSqH|ČGO^M륙ǘ@V"!0^m@ũ'ўj(FԎ7?'G ʊ1Co8 #4IWz?d!K~ [gJc\KeyAi d\y(/&{xY *,]?g_8A@!9P\R~o~y@c9z7"z;5r2PZ{V3HR<%&)H7ǪfX6:4L7 P'K떡 aaΧ93~BPAJ6~v\V6( AVCs|P>v< bYQ* pcrjx*"⇣yԝr'n%˖FOZ|]˞('/KVxoKHeGF,StY2݋^7 Bґ@IZ,w`z(׏[Ձ06 O~I}wJRQ{1Ϙ}*z6V[~Sˤ ^R0J(/H=S]T3D Ӄ,ǸB/SpЃ=Ix ;" \ѮSͩ;p ^-l ZRݚHB}ܠ?%~׭Eʃ@5Tiviߩ)!6Er`wXY>[ &g '( tTyuF!SKx>m.UŇx*zCCPcxR;"|1]ڮk&pI#m'D'(LJhnS^:R9Iu&?*bc2 6@^uPuHWغᾂedvRTf5WYtI)A,J݊W3MzEMd#pE3XDlĈQ0[XJu_=СQ7~ q1|,**O!^K\;-n P)ўo3:uv95n]r | O2fTn֌)߫y"t  N6cm^{ŷzՠdH'VNSu20@H 0ň~VCa0>n jkwUY*vhEt&0|v?e:, (&O~..l4CNZ W5.ZЦ<W=3{%l2*8us 8GhRBiOi`` vV4B:Ks]nWEʵkE*|6e0.gGQX`C/Br,r75:ȟd[$j=Ħ$bG਱~=a0U.pWrK6M8_;Tws*Ԃ=9Bk^kI1wpҜ0+Y(j Cd_8MȌ${0WfZN1%Dm Hc"%?Ls,xآ5uPh&w$yhmSH D* tЁc)M&S|`<,%iADuA2Qi[&g]ZU2SzI:: *. $9qv;g!x¡Nx<,#:2XLoϸ nQaH_~cL/A)pqEKtvv81%3y66hp~tc{VL '׆HDl@Gs!Aȁ{\^)$'g% k'Gq9h#a]knjICb[/guP4 :]穯ɰxy%8E`{Ι**']`KFxAvƖbCg_ZJSU>J/f@׃?\G5WVu? cΘӧHlq&NY~ܹꋞ޹.0% HA?L0NNBM#_Lx8r`SH/)2HnzxMY?pW+<R偡_ #7Qg4~Q~\reVffOX[yx@-G%ط~.kFxP%)#č9=6dOz)~[3HߤlWd,&8T% -xՠM| 1m4kڸ57o;*חkC8kAYͧp5X$Ø &>Z'Ћ0\Wpʯd',[sIlǐy.zwyh}x?u'aª.OS~6Y+$mJX-jȗ;5 u: 3^7Ubʗ3Ɗ=%/%|lM#,B/kU$=.l첋geﰸnř+qf? K6Ďwh譫b4XXJ:E8a 9l]DKby#2KQo ML^, 6=Q$XSL-QDe>}1ia`,%GM+q7=:o1=b Y(nOp!7˿ Wlm*6V\2[q. J9PC H!3_^y4_9~LsQg=L_e(n0`H4oEbI@2orZsw87Y9 j݀EwSrq1%`M67&Ͱ@D JPi5j'?"MvuiH|%$+>aj;=zYIx!E}p kYT3tndBPdo|- um],İb~eJr]F>}}7XB)'E'<-jP]k}_ [8vHs. Y1ͮ_iekTlRϽ}gT@S/Ugrbz`brv|nLMzKu0r52D:n7˺|?0dUyOyź*y"*d@g N'ۗPs"2pbd\W~>K6M5ZfZY)fW׆܀-H`ϊFz7 "j5rsgj.%6f֩Qq6Vq+M Aa`~QC\3k]tR}<dD75kw".a/B#aL:-ƝMf:^.>uK ,' !*MRX?&šťϤP0Hd1ZDc WZׇb@L"+ SMm[nP]./Ou%{Bi1T!5]Dr>^?_sVϮU%o/W"_\~D7YJQAt(ϯ^ gw{uw ֎XNxR@\Z7(6G(v&۽ZM &ĸB~\L6~}Lz*P3-ЫweY#\ٿZVLoZ~[Te9Q;x>n*}C-n R PE\M*\e>m vu YL=*9G1Vu孠6*Hf봶@)kM)f[I FU˦5TȸȻ׭#SHsDYkO=Ve#r, %slGydXkS*{!e^aB ny%j\tK?T$ !pPA[@cb\,f4M[-ox6n8vCCa=U@;tP|Эko4n<J]F Qbo𔼣E"ƀJ0 $JRPDnlph[a< ŗM2n&ѣך'v {tU̕1W-c~NVӘѮN{=La~>%6lϛb 4vu0C`av&nʟ\7"[ժ/Ux\;36ћ.#t8 -t<`&/v{o[~-Y;fSҨpi Z`J+֞?TX7B9|/2a+y0 m֠=\apRhInrM#?oj=帵 }BR@:eT ur!v7TPwH4燖|qP/U 9Pw^TBm-}]LJ!\J3wЇGjx"/2 smPVΞ@~Ꮹ7AiB>.pP ,lpրODpeX^-js+-~$0mde8YȊZUob^Oሆ2=,엙ljrRՆ2_dvnF)m b郠ZbN`?R l<0fK2)fѫlJ%G\I1X'10iy4W1ܔ+2jw&#n:-0`hA+-0tL*Axh0ϮOԝ(G§;/}拌t?N`64: hxJc6g~2K^X-R(دMl] 6)DjRCQ mY(4Ǩ j*4>3yiv`E?Q\<#wDawc82D{Cm sXS!fvu95J+ g"ZՠWzbh+;fP|H y qz\-Ӽ&֥9jLKp(QMݧnzB/pNC-'6^ QM#~GbF17+/7AY_{܏``39Ptj?Gf쏈oe;}7ZCp:LK|nZ8s::)պcWQS5&T,`yyDe  a¸;BGFiۮa>9"$g(gjr&,>SV9u PT^s ޜ=*o*sjy.y:5b0LB)kmEzLl 4Z E =bWbel:#d;o&Qv\z6uG{$O3*nvE zpŁe9ݤ!qTM7 gYHz#6ecf̰ T*& ~i1P<#rïz^IzUB) UVmї&4n-FE0Ld'j/׌60Ҋza;*W%_%={uc"з*d\no~bxO@1ƈ~yۏ6a e҄El"[pdJ:%68ͫM0Pf]ݓ ޢbS]o ;1ڶ0=NfHS_X;)wh o&d!tg DZ1rO:[1PQ6.t9Õ_NiqAp.AM;?]\`e:x^pRhajѕ-1YY*{S{\$[5֧D V e \.I՛ha@RԱ_x4;E&Y@oko-׏w6p1Vvԁ'NI<ɺ!҂~QI~Pk)&3p$70w-!^=XBR; 8secL{﫬WY]*tOee`,.Dd{}7ڹ?zh|W2mݵhLblK%3~t+M/S3ivz1;-.qpJK)z-[%n$ym?؁8ڂM/"YkQKՄm2ӕJeRLMLϕs8 v2Gf򃲾WN&2sɌ ]p.ْrҟdwYb.TP4QK<<6~0՜I=C*;R]w6u`+\`Q2b_̶BzrHkqyɑ\i2,Ήa}AdI1 A9PM5A__F,ȿ^ѻr rP~A9صg[2F.KMPdYúE6y!Sbj(^qaCs8`+F@cڄ}\9j)\"M,P:nHrn{Z܂F T[qۨ.:J 8H07[" UQNy=)eg"x(Գz3 vpD&,* Oڑ}G&=F͸sBpũ@c_FtOYoj5|BĂ+!Da 9C Wg/fݢ,\_@>%HwAC>0dﳞ'{eixJpfSe|q*NZ^/gSJ8ܣ)\~ p܃ArL#j|_%-Gz 9U4MX́{].!V殾]-֎ 󤻔~%; uS1}v!~DSPy {&) Ala %8N'L\HfpIqvЋ.j{Y]*!031g=·G_#ɓ"Dbv]WhMNGvOb,(@Iў槍y#Gc1 T\nWjiC3F4kXw T uL?OTB%5 r*ȿ??kӭ[}#G| DkY\ [qA 3&P2~XUDr];k%?!LJa|[(V'9&Ggl?`ۄk"p<GSDTNn){,BbqvɣtO4F,nOMhLk}tGwps*?]ƒq-=#GS ncմXuFbV*eq6+@ӱ7C?t ڌ,lml>tiƤ PA3Ψsقܗc@F$:=%k~Dn[:CrnUIlWA(˲^iD &ﰻ @Yа6A=k*"|["k9zH|,E 8(۳DXr DU*BgyJ$]Uɸ7\xaPqxjI̘'4B`^&s>aPeWWYI{'>&1[b"8ueC`y1vŇ9%\dwJ pV vWiJ m;6=FȚsHm` _MJuӐa $eG=A|>FF7Xy8YÇM hNA\ wZ{I| < U./V>_(?r3f.ϩ$^c$hVmLkGkJqx;-D_qېh RNM;IΚ=]&ubtdpw wf|;JkynMjH3>XZI|3:H O:eY K^flN8@Kg`UX~ mxZ] BՠJFvVhus4< kSHd"Se['zL&IAJ^٩H ṽ- `d h-sv4IB7'x'qsj=Z۶?wQxD?%:QFgDi$%l瓽X!{U[}7Vt52M~RP*Y3 #<@dF`OSPˍSEmP8"JlYO{ڃɸFVH3 ֨rf~82W(99"f=l%1V_ÉƎn<@\cRxC`7h1au7R>Պ*%,hxf>ZIW-MZ'/L];%}G%V\IFcz6%lE@Ro(6] Q=+ڍq8pNaĚ4\:t}gRZ1d6y;gmTGiD3]1L;ߓ6{]Ҭy| ‘]-u|l @+_` R9,E63DTyL` mI4s{O/WQ)'1v~ՐO}ZM\4Z\P5*RޢxN_8 :*˦뢬1'AR/=R}A噞;`9TDpe;I^|dn6,COѺ!Ⓑ=r"_^Z^&܁$ pHC,[]Yl  a,9XM7#| aJ'us+=`-}g on_WZۀ < -WƬG8G A-Y#? mf[=[Hbs,pأ}ՇWTER AGeU 0V]TloO?^ր<%&OTjgqjla@Ȼb)7pNNIIk-%a L](#S;."ti?k~KcF7Ic e HK]Yy0I~"ߴ #hȒy]2KFϷ$4fEИ+oN]Ώ!1s &ѣOsVHFb~[?OA"|dU{Fba>ܘ 2݉0w;q%vE. 䄦ug\}1w@ |Y!kWq!5XYrN7p^GL]`C)u{!lq <=Ȣd)FdpXk8 C5'Dt͗"elb"3JXX,hU Z A.SN9*ta>"WV)]x o;$&CMH)f-7..Yx}/9" ҅<\\*7cTe:#b8̎9+jC3h. rkk!?$<&e\wޯv3PUq50ÙҽVȱV,z;$ر>%UޣbTm+.Eە(8Q60F5X~ [w:&,? hspXd&]τMn- _T è/Y`=+7$J2C{^^R8G=\+_ا7F_мr@ѠƁ>E|NiN>|Mo3]0'в,mro®,X29ަKd1J|#j ZjhkMBP%5M~P$M-(6,zT[TH g&bJz:9c33s /5_h|[}3T=2W}8m2Kv^wo#w|3io/>Urde~dvb|5)o2q>` 4k_ǍRgai믙}%Ո4~LK+Q-as<丞xf琅iTV{4FF/376lRֵY^+'(kl5o6"2E7+CePx!3i5n 6fVj46=$ ޭa|6"oh 7v..ܳqCd 53VN^ee ;..w$$: @SEثNjd(rXEɨ9T9>c# XLf34 ]oy7kErs6w`0'aNh"+3j[ʏ^BرK2,~JoN)4 >Nk5̮0ltU/9[]Z*Vp ţsZ~߽r2EdEIۺo礰 zM~y!5!|#)KGEgOV?%O7j,[.< HX"^퇘I2FC$ƨ߫t,9L;97$]TH8{Jm{H,}Eh,+PQWԸHԐ;SXkc$K6I"JXhki+z㏣gN_.(w *6j*clG2D6AOhRKsQ8jƌet{ fä$y,`{8SI8‚]-u<+q:aǠNe}z?؃ɜ{$ er\#E^ME>M\7W@@Dps{&ؒ]WscBHfp۽̣kWcۻ"\'ݽ}gr&}D=FABxHwc8ۊ;r-X6{W>,y\ lȍJ!SJCP{1X7u"^ -*[[=_\YJ EMH}(2nN*oa7ȡU`YMj6"Ф%ڋ xL# :'bݔdvWTHcJJ! ~P0Uo=fdzuSR-޲2a*_9kV~Is0I)+؇\W `Ɖ@)BÂB<' 1гt@ҿa$%h;+9 ƃ=A0bmf/ CJk\,09 0O`Uby*/y{񆔍6boYX}V{ZUݕ⳹\ŵ(hx)xW7)?PD޹GGDT-d[xY_H D/j}Bv*Xai39k,zSEDPũyja}c,dHi 7wꁀe’ zku* xC -oD 2[p>9v3f*+PڱYVx<6'.@2pBj7(4h|eb`WrseA5m$NЉIA[*p^4Dn%\8,=bXb;)if3=/jm=]70zTx rqQf(۱_q PTj=)Ӛzp,Kyg/";-eAŎ&Խh~-%*̳ 9DF7׆h_AʇVCOCUոM3UVLBZΌk;(.qA/~#O}_c>D/?6J,7{_3fݴGb / l8k@|V]!k:9SI"H(dK ϙ"uaW{B8Œӭ|h8ϊ mSeҠ讏]&wy$@kPuj=TWvb?em66&G΂/+ºhP r a=*=]09.~w^!;e^P[vݓvVfݷ.pN^rv{ ^"~+Rtk|(cAgNlr&~<`Ccq Ƃ+S-J+c3 )̺*&w=54Nr^qF# H?rt!m} %?b0 5l6*~Sp\^mEcVvn_`klr=V T*rvU82}<?ā%>ltDĽ+jM"yk.KclvՇ}%x2/;b zjjZN'pug5t@}2@$)Y=֢풧W`6S4V%ɧofhk뮍XvoP6Oxeи>BNKc¦Ȫ@kz&XEtwOm¤rCpվPr1i<9Ɛgx}bK~ :Ձ9>=QWC b,7'uBJY%ZsŰtoJuOO0U'YO z^IgC<ɉxC (BDcKE.6B-RP/v a{q[gwYgߣ\2Y_ſQ.bt g-ǪܔsF8 r(t Gvf`i+Q]d@ MQS vj0o.5b)GV̨=eζO^!7u'EԂ$ '԰_LLm(0k2HC:Z*kB˫ KBea(YQs$ ɯpw*p5y"?褦bēp/(b eb%σr/ <%A9sXԲuC?|m_)2KcgK<,ښTP4^>7we )勉iH'mW΍C;̴OU;t]Ic 7G> Y{Hv^d}{@5DHZ]X/$AkB፨ZǰRIE 02cΥ74 >Dˉp<ć `& }G?;*2+0V9m ^g,g OZ(uiбпQKW`&Uj!`r ˉ7N90l![2DKc1a;[# s7R(t#wa 3l`yG#s>Pza _d1r*ݡL=gW֚Zȸ.z8/: %UL[~_|Y#p5fԖ/b x快MPNYĬ?4MSY'bt|(= ƨ^ Ʀ1w#8Ή ',]T&`k \w ط?Jbd N) ֤"2)\3#%_ֆtcG.akȭ <=Ge7qfq.M~J6}kTm\T9q:C;9ܳ`e&SHkl$6@˩N'GZ$8yy2LT֐4*r9( !!_Q3>񔘔6T#sx{nW6&Svs>~ǘ:"tGZ5vݫ"Fܻϕ;uP2rp lS_ VՑe~ځ)4g21P.Woh՘=RˏY LV[ - /iwi~ovht+ PgMՅjpPQzyI}i"^ک Ѽs.ؒ.z"Ӟ?" x57V(gQKV{56Z.6 .  \wpO7 ǹ*\ [)}w<[a{xeȱ:kJ(:,Fsۀ(M6#CyB),28%X7xΆݶVeRQ2lݛ~jl()TZ{Y dp #HU0кw!Rε ޥ"m՝7JT~Ϥxa&-#C^;[\3g,`5ɖK ܌oM 3v_yh"qsK0鼋Il\S+Dfz[*!VB=V G D\i=PƦEѿZ IF݌jy96a]x3s9] HF-h.SB*e /},>ľt 9x ~-^5r]نr> Cfۚ~ؾK5ilgkH8 hhw$YcY?{ Eb)Rf?4f]B{vu ~g|~sjY8{xɲҲ޿TȋToyLLywy&zxf7b C JMij2]$wDM<|I #_}չ F\GEjxz!oXۍ:~/T. "F)jJ3>Ahyg/SLQG'$ .QcAsM3NH q  +J Vޝ(ӅԀ0͌n\Z7":i-PB}:#2oʪZ. ˒)4Weyњ( ѭM}>*Ov9 0m/Kp7 80#NlOCJ=a&%:I֐wHUo-Uk $7`ψ7 g֩6M\ħc TIiq#:̞^! [ILbXcL /)eF\F NlEE83 [V>Jfi2D;~wz=N4wIǸoș ]Ai6"{N?-/C;s `gv1e[IɞAskTLs r>o2>Tcj2z]n`o]v+Q< H976Ql/j$f /vEarQ{Q%,/8u: ZfA]I;+MM]4XuћIbiNy?Be-L>b$nWF!:S$@1{!# q/BnCj]:x7鄂H?Zo+9ګ<#F4?~WeM_Wq9f;>q0*i ۭg#LEJnCqCZ#UkRyv59$w DU>MBʹ0CGCي#KػUǣOz fH EİK]( H 5,}ne)qFQP77R7QO}XoAu*4Q}rQ6V$( _ bfc3 eH1fsM*QrBf:|W 7t mYa蓑Ʒ4܇–4eT"焾u$#zcVI|6 N\z&% {,a9O~LLpNCPx~o^2\Z8]hoUQҾ>}R3Nq1~a^k&43V7lC=UZ=׌Ճ E}x:*o$jl!5~]{䒣Է1#=ɰ_-]&Ț Ơ)ۦo 촹{i _Zک/ :OA!Bs94/_bpI0q9(.2t芿{ 6Q5 Gƛbx .;7jA&GAYfE qR/[=+uݒҹ^}nH 2 XU4AJj+$ M.5X&=I4N Yw$FXme5n&߿t˞@vi1{Y솹[AT›r ^6ٚ߼sڶ,q K+w-TY5$7 hZ{r$PaSK^Ğ_Ӧb [JD0tj=Bo f<& f2H=eUJ!6`78X'ߙ7@A5f4bW]U+͡wiTE:PjѤqeF 92-(A'uٹ8e,T"ouT{U&dW^>#Q0JŢ}f}XŊ69`qH h;ޟ3xeJ)[*W K!O$o5EAS-P駮^b|t'VM̍{KpreXl  Ùy؎od"b1v#wDӗü2v%sMV.v21NNT R0]wVϡTf.j3ש-$<ɼ ҙ `qC5KIi{.!s2QSnA.:3gtE*ayPd|H#eʽ'܉@Q[5o{!^Ѵ1{E%$4Jk4`sp(\m[5M ʛI |HE-ܶ۰?$##z:b9oX.?/U0uX88sn!j QRs67k(^$i.k=LЋdHmʨۦlpe-xkC;r7 m.2}:|xpbG1^j/tTj8@`XA"fL=Rr* ]3%;GxQdmp *Ч 1g:kYIi"̕ϚS)QcOIk *[^p%  N AtI>W}*ZkoFЁ'b^)5sN9$2V ¶C*!B~Țe^6gf_b SxnTHNi%kt3_6aiGN ZTv2huktV2Y(TE/| Hy8Xn4SByVhfW:?gHm~r8Xs-yN[88j_wX\+I!@oC}-xviF%enK1EW&/8ъ="2O>#>\clC֪x?6Fg¯ap}%nk)FK51Pْ?VBg8{`grEdwP@ ? >ZOz cϵ삼8yV_ ޙ(ϐj}§ '9d db{?E 6ձa݊FO*/ *ReWg!`R$I&_QND:(upkDu I5,A#.GNj?N:gGoKԑOdžuJ$%}Jeks5\U)almx~ذ>}͡5s,^XcRd\W'i%Dꆘ䇠N#esZ *.H(+W` % ~EOdRiX[*/؋§|sŇr#iSC"6%Խ!?OmNdBAf)xeb*2/AsJ<_D%oH6%\7gci%hz i- 5WX: -O8R5zw.od.H9[+G\o1j߂gLpv2@,k.Ra^KYD'Ez 'ChpT0Zz<+hsAN#354D;o#̓j-gôxA񘌇;̓uɅfY vea(jAcNw,zb #- ꦩz.$^dHtsdȓV{nmâ> 7)5 I 6mN`H}frNo3,7rU\{ [_{(K *fHo (#Kz7gU(u 2cXl̟ɣFCHI9P vuFӰ |Jc]r,qQ#)+?dÞ_6NBrue cO˳0J}Iok%bW| M ز/Il]+ت]<QT XѴ/Ş=9ˊYE H!z=u`o* x^~8J.[gzɵv|: WX[ڌ23cb(v),o | 6ߟTǥZ G}8 N 72ÛE 8HttnF yCb9ILI5eԅd|5Z˴#-|3p1)PnlnhƉ)|r2~}`~K[03Xz?-iX'h{br؜/F^*.fxh(|xq!`6XCm'B< e)^%vxGȅD}j͟X˅rTߚM8ܾ=zIV#3M;"#jd'ԪQ%r99KFu: ] 9q0*>L\ ՂFWmE.RԴe~CJ 3u*hioėaz2Ty=K|콥ߓ^R'|0'[_ D`cG-.2ˆ\ ML'%B{O[ry *c<+<*UT5S>R\=㖧M\-7`@juNY eڸ{IS#~Gb]z;j[?p.Ը3hx&L5j(m=?I\:ri7d,HU&lwOʥݥͅ(ϻOub֝pN 3{M>efw}JI 2xޤtku'>q:}lmQraII#)+W&mWv۔@7͈1Mh&~!s*t ^B̏YTќ\k3gvkeᖑew*kjxD[F`**nV4~y|gR'p8׳,4}瑐;9^BY5sQ>6ETce}L-7%+ t &ر.pW2.|TjUg" {?gvuUbvo&QV (=9 y-z5X [}$H>Ӥfش@DW;8 J OŔ6q[!+t ;ί '-x1%:=/+bdlojIfY<+$^4;/I>ɀMfA~Lu==#|ץqf`l e%<d6`HAmTbQcj cgNd WV.lm{3s\w׻} пB38i\E5t"ˠjx/}?nR}kIR?E>OHu87Am>xrIA 8p(p6*]#34A AG%s!yF$~8~%V[mgg0O1F ס[Ǻ$hbyL0Auk#6FJ=jC ZEA3C p"Y_6gS(ͶisInY-h"7r$5J-OmE̦Ed2/66ȋ(DK#8pwG fU Ι#.ʹ?~#l%8}`Î85W"wR0²p$q._& L\/xOCٷbvI -"2W$ gPBO!Oi`7t']B?xp/$";71XUTDy-A[`PސQp+i!edWŸ#*=1{kǴ,1踍:,;xr4ޗa2[ l9R.R)]he~mp,l ]nZ5kB`Uc?J[lIGmEH$4ܷDT) ɐ:_7N9=Y`kcW/-W;1OY7G1`_ %pUCB};ui9cGJ>={j:)9&Kr/ٶ$< oilH`7ݭ0ۓ1 #,dguk إg|,װrmuA$,PF3S3$6-w$ ޞ!ufKS;9 #T>2|$) _6OppRK&\辧wַLnDd_ wfҁS`(DJa̬XP?NjOU"rakms85rhƈ4.8T| ΈGw z0gpE)_@<7) &<˓nMqI6ji#Ry{?9^bg %`8a۵9o_[noC|zM鍬Bud]N]d!k /v-z낎> ;^9x#(Nl a.M 0m]'yRؐ#++NWg4UJ ʚk &$1l*SMh`z|MBw2|a,sZ嘩8tlV'qz/ >r2E7 mQK٪F4.j@zGT;-3#ވDwYF=~>8\f~8%Zäs#<pz"$턐-'ssC +~L+jvO둼_`Pze<<Aޓ*TKݟ(\≠e@zss'WMh<2= FĖ!?63 ҺrUe}yC4nS.Թ:up`TvH W5İNJZeD [ShkζHB} LE,Lۧ~?@vr(^7jYXY/&X;/bf&6J \Fi鰈=v`kXs k߶:D ͜.adz"_$Va+ F[N_VTyL {>0zRYWE/5CyDF2 ԩO#e2>!nkXH3jkuHwa]bn@p=˴BӬJ7¥c)2Ji_CbI B99Q {"!ͰGIjw B^B \i6?Qҙh|+$7JX9.OyCƄ|57ϚKZ5j݄Aԙj\#vԨGRQ"Y+%Hr-sOmЄwlg{;@Qgd y;qcY<=bϣ d尀SFwV\ &$t{c|cAsx! 7v#iT޹ޛ*aK'^d;wJ:sS7{ںTK  yjoϑAWuI`@-F,,{ ^qS>S.u}'<}E#7BUSUL 1MUP-u54 & rXl%"'$Dd#(l?1D;sIE韢 k!9/֯qյTF\/]%(_z,V|w6/ ܂8Gk+yԡf<]_D!*X}]x ;[LSQ6aVd0#6V `(XkrP 3>!ID@ Zth[ Vo$IBPٖC(ۉZVOYi/ sA>F `B8*o'ol-p }QW lwfFXgNfZ] wR&edΏ-v>kw]Db=3,Kڕܠ &gk)A6K3z#0 M:^@ WLpy̲ٕzwC56#O( =,ټPi&$\gr<|nį!}[ʓfC;uٴb@poUppyӲ)[cx Rҵ]^C\OTD\2qHG!Q;/5^c]ܑf81S 'tw<9վsc Lr~q/&d=px!;~|=k.d^EVtbboM&]S`of3>fj>eetjM{[00h"~h2- ¹vj \ȡ(כ=0Iq!HSjBV-E P}w?$#g-ޚ:ڛa#)'~p!P8.H2ph}Er3Pg&qCLf;4j "P"!Tڷ?Y>6Hi+ 4N؂on-Ȋ4/Vu& nǗ cP#e*8^7eQ]7ؗl#al[ƦFZk|G%!Y5)!~njTlvS*(sJ ˆH7ar&/ }`1N/Dɷ}1zBo Ɣ$(Njȶє8!ɛr1KL}{pAl6ޟJ ~eHg)3%=yt~L@Ihkǘ;t]$Ȁ!m vV)BWéi\MNڻ.qEMod_7&Kb*Ogpn\\dt+L?؀I͗#(uZ6Z8FI10F,Wסemo޳ˀ!| v`t=_7_nV vQ؇F oPxUOL|Ƭ'ZJ 2]BPSh&I:ȯ?6Jʱud|yS7Y+gOT="SxvR24 Ld|M5 =ViFn%:PAʁZCڹa /^ +]+! @3&Un\y>a˛.s*.^J!.ESSuNDsKMOFG?c_]yK4} 4sjFXD`,TS wk|X.#CEI9y=nkP"ܙ֔FAؒ 5f\Rߦ.M7']q&=uy59 ev0Lh /.5bC5e40"d;TԬUk>a.vycB^ƃz mPos]WHx8((q:c10$}zn{+nlS,Ԫ+rCCKo,*l#BAz#D;3T$O‰'sDe&Ο^ω1$T9CZjjJ(]0 %sY0JBa5g8̿a6VoN&[,Q?] v'5=/p!z!?F9&t`|QJs_ V,hBXv$,XV Ʃi&O)+j&k8[Th@ܬbU"3>OjC[aEyj>fP:&O 3 5 '؏s\7[L؊^-щY3Y Bn5#}ePuSfi:p}ȔnٺPEj ɯ%=aysH;RLu#H\kE=Ud9:Q$-1R`o2q2<ÿ^YIa>ŦD<KDDjOov|:tZ}/{| <B917U?ׇ1LR z,P!"KS̐ KX2D*-FH d8|s_/`,&o?s̳=of $MA̚(g!ɆZ\B;p%:r̗QiYck{mv TMc85lEb{G s5(ŏFjcQK/QڪAd&vh+$KN$a}IUR#OC7=n4~_*;q!^@=bo H ^s\d8vmYp?eHyk~hS*]B`)*xk% Y=VoYaY ͇^d *Ѐ{3" wjfnvDx髑/Y!1 Sѥ)vZݙMn_ ]ٶDL ,^b&uR*Qo=vWc#X4ǷB.a {Z$lbီ~v2#ǔ.M, {`GA `>Z/ef^qdQfQZN])C'YhWQ3~8ј2й _:P{ ZTTPH t%>Prwh8qb BO; ]얧ȓ3H*_ҝ> e~R$^H3UQ@ ta4e4%#P^~Tmt ,{zÁ| ߝ&(f 7.3-fgi,:ӑ uYZ#4uL"Yu`p&d~PqJq%Moِ;DX覔W\efmTl{3Ap~Rke@)ÙeWufRd/y'!}O3>"{+%+┑SNč#CL8*UR>1oFzB |+*֥l]i-DK(:і5N#̣XΦ8/m Ti.FZwL6F@1TZvP)cd+Ҳڦs=yBW ^$wkq{ $$g zh ,oe X0޹A\Z 6q%⮫XRl.TIT·E"\ Rr9MJb1 +" fO KZ$Niv^(@$99% g|| ^@-Fh)) Dci(Ƙ=Dca(tS?́bwR". ]~BuсkUNfrkXh).{_@IpML%:b$rcW(fk\\e1R0TXꤜN5>z2P4YNul׍EF> qslgRA&^|΀VN ez0髉k'\ŕC.LxO4Φl;Ю*ؘ '$0,6A|"Ao0JBs(.{h:`a6XS`r"-%"cj3z|ihqikE¢$c~@ߞVY"hntzEVop"Ӣɨs)~M>Gf=I0}n׸@A`ӿ_żޘ4;^AK 1b:b"_bt?4'c YbJrk]-I꩚ĪG7tµN$(T38Vxx+xάf Ȁ&Tf]`jtz^k%#IY6+QJw66Fex $!Ro?*|5vbk1R-E  Űb[F|MAU [Y6 8>P2~&&U U@cfz&A;ZإJmdڠ'kt U\@H7}ҟ":APL[.o08ōp'3$ƶ ~IA3I.Gv\6}RLY>f7:IM0%Rn@EB@:2հ2|JT]9:CbrxF8+ N]xp$a~'t&<Gg<{'/"خĜ;ZDimF pv^,:K4233tV"I2v;e$<؆ա'fQrE5ER 2V1*rNE)G,'%;CVm;gxɔLigmAE6J8t:h5`K@40Vcd]Cz^:1 Ag;ܝ8g~o;AS 11:ko0Lr vOuOݣ*C"s},!-['Z35%H\Nn~2%Ni;)+ 8jw0;(YQm.8G}`i@9fù9S 13QdjĈRfb5h_Y/R?By^+MZO --M젺k|eQ5P|؍Dŧ#K?7pQ=* N{ICfRF*nYʏA&q{J? +7=KWA59L*8# qgb-6qҀHۚJ[7EttxbWcܢuܱp?{(yȼEmk 5/k{Gڭ萷l(]Hd[1 sd3,]*3@Bt۬>.QPLac;yX}?|ܤ WJbRT_N>X\7sVhLsI&Hm{-`k#jD+Ft`M'17qԘ]Jswi;A.uf?T(pd|Et&G%:* >V~wYh/kBͼ< .3t CyKtc"IݐYY̅j^ݗb3NQPeGbKܕ5{'~tŷC?|Fc!#dz!ZoL|?@l؉sv:bUl/gZ50aW2FOPb=*B2ǧkɅ̦Pe0*) ԜOOU~7y jԪX29 }o?8#Fnwy&v!RI/V nYWKZ>zM D@MT }!qGQh 0|zK&uz"_V8^,E=w>i"MoRg^6tPTxBaEqW:pf , Ψa碘y76;7@p.Vx:#S Y캬0_Ȣ }M[~'Dޔ׉G,>6@xcu+ӡ%kӜz՞ 3|'hw?ڔ.b`1&q"fOɩ٣?|Xea8<^2]O^vҵ$pve_S* q2#뜼K9Ym‚$}%lZ\Ͼ{̔.$W(kp5䱵#? D6fb[-Wg+y?( a{~cY`\%=fxR Ekjz[W>4!s(WRd&N2F'4CM/nBZcY)*\/ Wm;8ڴosK(LlL:j볺&Q`DZsOp7;sLV2 .X4!'w[ Á|ٽ|syrEZ^o1ӗsjps4^Hc Zv2M$3Vރp b@lծJ@yJ|ƸXŎG X"ofHu(5m]rDZm`tBi5ˈ(ΩUHY 4Ȣi,GkBc!1Cf(fq'LBS"&Qb]]5ԯn)N[ ژs'+ Rx g1݇unDa.neo1E֒ɲ^XLz7QJ[Ii5Q3A`S4[QO.l(R7]@-GyNӧ /!u~|$%\`7^Ғuz̀\̡]︨ b'mQw!):f[g]4>a0g.Z)o0oi:qwOLf1k ğkݱ-oZEt^qEv Hwm!+XH*; GX:oe =Sg +;u~c ^P|juwp.[ǻ .M9彨#%N:3<'\C(uk+`e#nB#nw9GbN*I}Rs̲ Jz}6xg뫡D9^rҝLs% HkaĈ r34TE|r#"Y`ބ)J#ǁV)*[ae=tP\dvghZky틒%.vH]e;Ng[j[;OT`8Dd"2P0wΨ/ 5`uJN HGTk{* um(&~ey>ihf&|!4vXTC)3exi,Ɔ2M]7ߜoXm&^3#K&??` G1?c'q|&!I{+xɋ \{4vÚ\Qc&սzO[܉#[=.T{k7`|[@^lLT8 3~nG|wux$ǵv~DV;T"VT"E 1B%Φ{ejv pEG-OsT/&-?r5&mc3=%̞j~ wˠ7#+XH%G'~۩mSX=}xFL|#p\#~n*;UFڶkg&`:)@S$!s.P.}ӟx^7їx:BN&tDT!tC0/\t5{WW< [^1o1!b[-\[]u@.[ĵ|]Jѵ@p&*z~[pϧܱp2<'ںfߙ[yx )F"@e hU+DEǸ@5764xg6v6!fV0ڱ 6 >u!Tɉ 4JҊrȢWJl%eaFO~زloZKG "K'D;"&@`Y[A5s2i|aGHAt5*$Qە\Sq6`\epڦY~T(yoPdf畠R#Às1{ژrћNKNHM(ίv[ේg[yʶ9 eo)i5"A7FS\V$:M^5.D q]ؿJ MaSW> ~#0"fBzIxt'fU4om&b}^5 Ef_oC6A}WFF/惾FZn+ RT"pΠkı|vF>Cxq6NJ*t=QPx':ihUHʥ5\)Gɓ ρ8W3[ 'l]?be(DQTjYUI~nH Uy֔ڮ8#[-WsȦVKJ Ȥ\aOCSRP<|$^E3n(Uoz\ 4),Ɖ翲xFў7kNt^>Ȟɡ9n7bۆI /ýYB"'O[ƂFn>Wc?C1"jr9,9aXyNkp'nNqi?LGXu}ΤuאqzWpЯUx-}ȰX ٷ b9 ޻vIϚSL2 @Mẃy!fךb`?? p[N=rrI->`W֡~sō$ gN4!غ`%>9J?e s~91!rg"/+KlUߎ` @8I?8"YAVHrFoB/MEv=<8Z/!=N3w= B;f( ^e S?9higT s>Y; }w/奅.H>fO` p gCQcJrujy62ư 6X?bh96դXB7mbBD$tk˒Uu)6ao~~9 \!Urn96d2=4i2f2tvđ( /6YK07 "t$0[k@FB^10G0vjE*y"A];OJ5T1yG6\ *T - 6Z"~Pjk흩 `k9 +0;S }Pv~Q[qD@;Q9-X]:;*"'IO+-|dHTGbLD 3\OI2cwkyj/V[)5)t w,0^Ъw]o K5k.8*ϾM;L*GY)(.y .2]l3:DqڥźOoQj.DU5v6 ap GDܐM D`=S!#.3*CGwP)JĖuA(tH*[%sSAn1: d}3: 4 4j?˳1P/\z@*U1i*HHyŪ[Xq̏^  썝Ÿ$A p.YsOyS'K\V|1&Y0?ᅂتԦqޏ,J.+m1:"&HXoPkjm"]@%k-, ga SQF=<@#YRXnn?nU+%ۥaPqJ2bw Y:YN2]@-6AN~<~FlA1N3ێm~.Hr3[ ӢⵌQuXTyI #1Z{H9I:!B]@sM>`RQ6& 37:jgv؎Ta$gz6u$E]f.Q>,B'J J-wW7|x'T;pW>c9]Dp5 _M-'#SNfa 'UlFwG!Pc!kBho(]44ᏨWZLDoT#,FTMd9f!PT!{)S'mrW\uP22iEgO5x5OnUhEBY0>{ ,.dq.2vSfy7EY|Q% ^qq=f{4ƑY7.*oL=,@͌4oy<0'h[<R8-=kAͪNĖKмЃn]<)>f\OdS4:u'Fs"de=G%$ljAS 6wޱ~| !_ m]}.du nOd5 NL7='O DS2)fP8z ks/Q IP[:b:ɯ[=\kk̑^L"_"L^/JZy]$R x +d)&']vǓ!Ag7CUe=uIQ`y4/߹D |PȂ~,/c%ci>J L`I?4SyixF>;*rS1=uLj85_ @ӒnVkts mS2hFWձJcJ.EwލK6s#cԾNr+?ϧspX_ \T\G4G$wJ< wm}%P0<)A-{B2|Y5֯=/zɸlp\a`UUKk]^Aj1O{4:+E!'e 4wVj~г0?ǰ\/-gڌq}d4;YyDßʋO54&>_qSoM9E>.ź7 O's\GYggͼZGB#%.C#R.[3AX{ {cP* F"/,558/050~rZߎik'n_/#; ހPL9DN+~1`}.vV:@3v%FKn+k`--5&AY>p}C?=lͫJz~Be.9K RdyNqu["4$ڋu=C+~Q25b)ij,So۱BxT ңuve2H!RM(wZ?@K[藛"&E6u8q!>BoϱkG} iWvtɤ=]§_b`;; xwv7QFОiȩ^/ID|wa?M_K.i0vb5?2WR_)̫S s")8!ٳ'mͅӚxMm{fBLpg5qTn-䱏ίmS}dX~J0wgEjHtʘ8ԫ}~O7(3aL9;E+"פ,iN~F’3576xbG;WL,~ltO4 &$dYn(z`\~縁Mq2Ѝ>b_ u:6V&`eσ%EGutv|HQ~M`/Ff2B@0"X!s#4,2fu @ n@mE8{V(J-3ջp.zxfa:QMj8N%ʇ kU9UF n{Fd.;nRLyz^^WO VHUU+8"W>:o ]T@jfD/S2礚&=320_mCQW{y)bo>IBQ冰@3iQzm^vL2ITm eve$C@=}|o<1}*@Z@- )n%3L%a[IJ #Tłu(vTDE_+sɵee ]Pڧ@rvǠ. Q%O;L5M(x'1:VΓ&];Sx<|t2Ick 3_0ys/p  X+bsr c? kxel ȣΓȻ:V!(Ot[Op뭺 1ޙ!]mGi<y'9 ~~֯A:#Dhܲ3q"P[<~)G=[@ oj".'!{[ p#"Z a7( ms>A$@E @(V1pWcR%(v<^z;5:cV2 "Cۆ_Ž%CA ֪Qv\DYR?F9Nx9 'rhZߡ̔3^wGls)%do]uNƩؚ Ta<|դ?.Fen;r~)!<YUwlqiH[h?9y*4nyH !HrޱL ['kt)媗~u$/_ Zxzd} a~8tkO"1.tb?sN'hQⅴٲi@`9wexeR)򐾳ڽ{sL\<s#:y@l!̨}b(t2rqi [ [M̍ck]4&N Y8bbC渇+Q'HW}NwH!ҪW'!6ᑻnvpI^4.+=, ,)Zv$&,w`}pHDgj"/]Gs~&N :%>%jZjcpw-&!mbw|Hs@L?fR=ӳ@0+I_ UxAi߃>5sSc|y?xؘ63f.ԽKeS'KvࢊfTvܡ˶_]Q؀Ӊm/F{P3/\ί*͙RDK7M].y9マǩVK/͌"WjqNOv8#JgsAJWd2g?hL"/kHwbnAv입rZA#-)y W45E^Ax@cR@q.Ala<_DQ ҭ@ ՛˗cP ^3IGzXQ%_G|bZbN IN($'d7 g# o /dĎRs|>-Tz34e-YWr׶ lMB !te_yQҌF'um"iY#PXHͲ+Qg4Ftd])Tj#9ܽtw.Hoevk}:`ș"alHJh h 3f^C}uF]XJ%ط{옭ώŻFfBU DjU+q`ZŚ5gEܛR:*'ێ_b=2&إQ9>J\SB:?x6cp T9^^5n%[\XnPGu#g*.ΆԈspx=-]οuWXQ g~.ѫ=Ill ES!*Pjou }{dEf,RhTH)(w\ݎ9|3$B  CA\#d`:ܥRށO2KGu%?a|yZ%,G7PW]Mb0c攘c 5;iywQ<"u4#oO oOCtMVK|=bbߩ:!;@&Z3MBͪ*f8bQ'bvGhdk2!P<` ҪsFSCؿ߼"K3=NB]+Q)qվ߹r=_><ٵt G;גhm@(b cZ2tXnjLxU7鷊H^KNPRzeEZfn~b 4%S%("7$Zߔ<#w+ah*rTZ_dKnxP˃RX&]nFYk U;mhY~BM>ꂹ~*5bt 42= " o=A` E7:/0&숦Q$  .RJ-힉%A5pgնA9:f^1z(-mߑ0 o2ZrEb2}Ri`h!gF`Xz= <_>a,xds6n=ny7IY|fdU-nO%CW7 ʱϋp0oM`@zCF/Rugm@a+T5.{ϗ Ϊ_ % <70$3Hj1C*Lv:0dUjD~[sS9_Ю YL].mMn^d܉;  _&К߸ r.kV%K]#!WOݹI/RBF 8w?9ʼۺ`Q^cW3^?4GmۘgS^a5n$*N)kh(]B3켲@Z}& %J0Gs3scK+j2^3POc剪`6v\dt!QTv/L;wB!K2lNrb0T2X^QWGo/h@Z!Ƶ1͵J1"jW7;0 ߨ4g]"*Cs|ub["hw|= L3w NF= 'eVԒcM}Hz @sSr`{# uc(Q5r2*%= -ߥ> c#j68031iH eT2!}U6 bpQɃbhL+v]j-:vd#%vO]zkX1#?8%,GTfCR{ѥ(QNF]O5 T 2E#wR\ o4 gkwlB1FBٯ7jM}R:/w:I,>0 TM )V0(K0h&l럑5#eq #7^ SD8@ Ɠ#n]3D6݇r[χ\膰]iJ+^0?I %i  s YB^/b+X 7 ˩MIyӆ7I7<ZX7znE`'Cz<4j \On@韡NJ\q_Ltk \z 괐~41^ep#m6[xjI}eVEуv>z HzPҍkUEEԒHS Vlt_(8[Uힳ1Dҏmnf])FRw>skl!aH?NEϵIW7k'TOLŕ! s˥{nDŽZT(-[Ǎ~83ŐFF"s8r2b4Rvu/94G8|R|֟bN U#C@ ddM[kdoAݔߓ!g/1dX ,T}`|:p a5o]5A%!2܄ ;V4/ښij8љ|]0Sz 9+)f!"3lD$)\^.%edaJE rF ߅G;)nFz1wxf'@*M:|_m l"L2ZӪj lNF}.39 E_C]5mRpZ"˒տ}bx[ &`G#giλK0,okJ GLk?ɶ _N6sB^l#FiGΙ,r- p?lE52~d47ڮG}bF˩:HV)ƄHYt4Nь땷,C =M2I|@Ύ <&`:LJէg^ۀyTGiijZuw@@[Dyq,#rcxbMˡ4%źO/"1Jm-˰c%:Fɀ'g-өa{ Y#|RRXi8zYW5pyvPj=g ImɄx1A=ZQª"[Ts,y9ɜv abEG-).Ib6TȒayo/8|QR$$[뷈6 FϿd+}`ж^f6@0jp5T~vh/`]CIhݽ.[[vUc1.L72#{'mʄ*2\ׅ3s~Wa]O(?F=ͮ$6X ZA5kG\ q9Yr&X!'r@zOF"ZB€ϚBE֟yƓou5Ȼm}BO.>љ-9툒)\Ev4F:.)ɑ3/-3&pHPC#?ֵ#F!/\HW%X G QPPPg xcަ(gC8&0Ѧ$ nC~h':.ڷ!;o K4" %VW祈tڷ+/ר'uWNx}HI8;cY!?4˘?)QawahG??Y68x2ZcQ[g?Iր'+"&ªewxB;-KF3w0N```4b?urGv`Hd̟,Hks)ѵRr WeS,axٙU`^,Quwx|Wr?͡ [+Kfj 2 >J&#KOX'VQ_R jB@Tjq{L\rALؘizX%56zi/AlI>,BFb<ЉCEr)^Zzg4Q.9sr_S`ôL|jsuN{R:΀~_Ze,;~Z'6/6Ֆ &R#n)ޡsNRy"gt-;b} W/oi;ryΰV1$Jݴqi^?3){gX$3CyJ4⪈4gǀ =.LsBR.YHT;6ʋ+kcOE,uCA-~oϼpwxݧq>P{' )OtHǜr9cZ>Ï7n9xLG-3#R#ĉf_4mKٜ?o^#8Ώ {oU0YQU +XFϣB %I08y)K++^zfj"j<񚁷k|p]!d6"2[v#}{ MqMÞv(&gb.Fz]ӚaM V['=ﱰah}~,PJC$gᛀf WR11cD?ߴ><i+8 '2ZT{v,aF%j6W ы@]nocSLQINԠQ<<jo<&4Iml<{ʭ=|Vy̔<(ԁՀ8uD ļKEw ? ;C3P47Xo)tL7.MοqtctJt D C.-К X2iE2yܚ@8ȶfCi:N2Ziǃ!TΗMn|x5ȭpRP0`Ժ*Cts% -b)|jguaJʅ8٪TX@&n0X_ƺX D-Q%CB {YO&Q8eG@iXhv~% E1l֛F_q(C[ ɤN@X2*ǜU^ٹ|J-RaMf9iL2W [׈_ρR{]1-~4k{QJᣉq{dW&wOItZ#F MZfU$2u9^y,ƿ -mKjS|5 \ UQK+^?&='-7O0ҿR''m z,65Zz0hpϽ3q.@ÀEuŏ0KϮ ځ{1f%H~Y𵢡RL)/>uɉ] y_bb2@P<ͻ>5Ow6ϱmagWv:Y\Ш[LvgGL0 -d bC {eaLDYffd0)] ]Jx]B6!:Kg#{]NX޸gOwg4:2Emz18^':@D6 %bKy|Q@z*67p`UZrpưa7=8P'o=_n@RUX&?b˜4r:PhQ[ihj{ϐlN'CVZnSn d 8);qH|sJȽeJQYZfP4yN(۪1Yڊ2~k l cϖ9d KZ Tx#IŦݔ4I$#]8~w5p"Wgyew,}KO阰a0VXy鞱3v,{;6Oo`=8-k*oCpUljl vŸs[i%(roB _PoH!IzMe6uG8FncKOk!.&t$W9F-V9u!E!Ϯ^ 7RvHzՓRSVm9*8NyϾD!EA6K=\1SHw҇EPn\\[vAGunt,OmJ 1VʊxqM92 92xuzӾMntϗ:uw!AjtRW'i/j=jv`\ ~$35)&;mU=jYw~Y3/V=''HV\ H- Ğ9+Y0::gi&ZÈ|<,ȮIfkut.&"!&/iz5UXZE@$]Rkd$o>_dX!`Iـ;^вjV_Zi ;cUG\)ؽ}tq"4ܳyiJ9-m4A?f)ZD`ߵj#Ύ{_}8=/)E_csxx|TkF7M>OdMDא~yg;>ZMD[g'qD|*j1γ`]7~h0֧>zpdZ8 0gK Ǥ<鷫D('g]~36dRuW|5#/`"E34~Q}=óc(|T*{U'o^[V&(^2t@2Oa ؤse>N.:4ۿLRpjDl漧Dx,%mwgB}y; 9eb ?d(j<1v؋~)HQk jS<;q:y,+GLMŭѳ-JO"'8ܧog>f~Bg4=ڈ<8 IfnqT;p#SbY72jJP8aOҤl^$w}M[]HÒyeNܵ^JRC7Eg=?p,qZ{=@pTc?TJ_FhvCT&'G[<;n˹41F[b>jJkOl :'VjCerf6XW銙 +~4Nwm.osP2l D4`/2x4#Pc(\d&SqܜcJ/. Z>$1&m1;l{(Bj{oPvN-'L]n[}SYw/Y*#loP7PLTWet(WU9 V*|-W߆S13'.(uJGCxgڝ$SF@1"ť_9|' -1lʶt=Iw+z_e"`ާltf]Kd~iBKJ!H&ov[ l\ppֲ;гKƆf=HT9e蹳mAϗIUԎ^d0Z o-*mv#=l'XBCjJx/$#ãueYpo҃psL4NJf0kt tAO h|@KAY\I`[(S\8cbAob=bWR/]yxhu3FZOUmd;DH}z$3w(:){%lA=hQƙZNLlrfُ҃P !R{joUtK y rQ;'2sODwXsoQHeH O>vP6L禕PC;` rV|eP}&;d6& `1n/5D٪kb$,$nY]F`4C=&9<,T$Ɵ2Ypa p@fCRiW7jݮ}51rëΛ>UMN.C}%KlO=\$A9B,`TӚNxuvb!hX>O툭hC^.f;f7gl~P| >=.YONV8jQ>TY,< [ C9P\T)"qZ)O=5$å,z2/k,][ `1oX(bme3|z"dz3ҁn"1x ȫ'\eoL\`1^_yv  ~ZđϯbR&1CL 7{HǫR3XtJ JY}1=m=inN>5p"E1> Upnφ=6pRf)2z=GvOZᐬ)pf xGwȆ٘5 U=>f}EuII$ d/ll(Ж檑LI VL;d+j͑p8 exhu#SumGUϏvMPv,يErTi^$0Wy־r/q5QY/^ڗJzkVOݩGUt&_gW]Q9zXV 2 `̘a/o;\<#d-p@wqm=ti1Lf. EY7TCiR<GBgR-),oHmb0OQD>CPoohuEH:~,lL&Llq@]RD);)gJdbsY15J>qb.i 37Q;!'<Xd(B]W 01W֗D7jT*ܡQP5i-и恁_ gTN(9ϾjB Ӎo =BzG 1TRJ Cɹ~qVԢa!\O"t* S e))G&-.k6Nd|%}/[+k⣰HI SnU UlȘCzn>3;o>eER  @ee ˫X&_`W%Qn8h<[M j d1VtebV>1Il5ڱ 0g:-Yp<%m-zY*>1D7 !gG'/pڐ6n? 1E#ҹy!ͱOk2GzK"%QёVPЌlCr2)\<"J5apLƶ] B'wM`f,*:,ReF"D/؜%ڵcL/^F&Z`Cm!ǫt2WIW=w{m.Fd%Ed?Px"0uD5Na >ufqj=&6D<+9 n|([M̵X1 y 0}ۗXZd" =jc.`q~YB@f=T /zUW(܊jN6ecýeBl~KbJ){% &)ҰV.&-lV2KS-љ~/pfz>uF,ҦzJVlb:p_s Y;q~kKZ\_Q =<.T`Ph /"#k<(dj"nbv`m_@㭵[t}{~(brC/Su8Yi 1Mu _ Ȱ:oFh,%rq\ DbdGrfn%=/NLX?S)(f9bK@h}HuinZ!C/A5|**ȸ5EA;/\&NTNLef1Ю<b GyBhBYD(Ȥ*`{Yq{) ܉FJ9(dsnSHƞ_UiTuMg6iPBg/>] y#U%+Y+!X\n ȴʙ$>&Ô]Ɍ3@̔4r"G,ձ@oGW { (Ψ@%qb0.ݱ簒No<0+D*ßχLªF]XľtS67P=2ޮ0݈\ܝ'Prdz6g>R,Mج5a=.N$ZwucL1q{x l}XNTcZ(E<3Lk]ƽE&W{wkmdhft<V"W #vpw s靛יr06 >xY!pz3Gm{o(ɼ496y;G%+c|;hޥ&{/p B|U,v/` *Ge>y*Wfmh榵}Vk8>~2o6Xp($p[ pq#6dsDp\̯l"ڍ G/l2Z=Űa'sκ.3nSGB'fۧ=Kf_ ׭XNA5f any3Mi;PYA;Jxflߣ[Hn.y'u6&TKE.GV78nJ4'n3i PʙK^m` ܍UtnxÏ_Wa`yKtSR/}S?l|)> 3@]Ę)AS: =9pJzyy/v)nG!5}_eHv9 v3Y\ywi=@ʮ 4Gtܱ%X!C.sNzuY"LƒmXN4+z_qK5eۙCbv5ȌxlY&&;M¯D2w ] k3LBe4iL)hkkEfώp4~TFKe džyl!& mpIQOo`JpNBc||bX13b v( <Am&KANh\Cu+ [ ֜r~AZ]+%Wo4z3}_lcm(]g8 g&xX(ҒY}5Z/?)QbXYp5|Dw蔡m5⚉?[u$˻jC\Bk=\j%z,Nj$XE;+2 9^2A4Zʌ^k'F`SWnIx>7OsEдaA?bjm]LOL] Kㅇk"V aHÿ:r=#-Zn`{jBRKBS^b?/FsӍh6J* %IU+s@tv  mIZ/LMQ^8fStb3˸a8E5p}n9J&lN}DwYB_rK(ځ K& ["zhQn²A0])ou zkȓsUZP%dR&L.794}.o]uh¾^Z4P1ifSoVF'EdE.i&8h ͻ/(6މ $0ym ceudDAfMn* k)Rf@T{;_ns]4v[%6nJfQs39 4k4$H8V@E R -m>D0jFيD[pq]` <I]ʩZ\/8¦G_?^ 0";ޕScuz]8.[rսCs"@gT K2fxM Pg: @[0No[t_ߧ_TBKj63 ֆǜݍHp裾އO2) VN{lӏCN#@..Rdzo_FTv;*_7+ }C4bX5@Lp4W{@4('1I,ퟚm߽Xtk}Gf{Ηp诓H ֵ¨1!{-vvD R{NV~4X&JA8 xuKCFc$wuJvxƸR1.J)㬌Qi&y *45jÄyd;a4xQG҆_TXs)RtCD)uiyD?o'XAPʝx㢉8(;%H$~ [=f:W/?g7ON+\F[-A(eix5vD8)W,_&9M 䫳Wd`EkWn$eT~*D`*̇5#Iw'1=O!. SD('dL(e3w'& qƏuxǗL`OWҶS}  D9j] fZ7c]}k:tIL"eAN^57$ y,x(j1D!."C3O%2=QD]pdJR)4!_+gA*7֘tkg>,shMv'9zͺ$ M3{`<^ *SΏ<^N+1K5bс |qǣ;L̷fXa'yQ}C[l~tgd4VQ*km4L)Cߪ&(4VY)!܇.G)uͧfwF$}Hf@Mؓje^%ڕ߈:+u, :3"`ި3)6 !P%4ιo4TG2β0_3x3"gdgP?P-Xs4iGm*g; ;4-@dlA %g ,[GBLqD f3n[¢q>hSS3n&+{6{"|9*IPAB ֜};B6RBEbm?dWCtkBңY=vm߶NtES}~IS53pΪf {ͥnEІٞ|oFώŠC~t nF! B92eX _`p(ZG43Il eh<̙҆al`?(>J8Qij V`}J/Eڏf^v)qw vØ~ ?CI-VPǦ\F *f,ם;IO=9GU383y^g=88iD/21S:?#j981e2WuSe;'7 gIa %Qv<&'/^Ӥ/J[qgCz;Z^(̰*S\@X^@aȩv5_C:ᮘ"0!klXPK=1"[Q U8t6-gZT^ hOGf_ZbX%cýH;>elh&9YB @=J0jJoPe*.sj%NMIs,g{Jҧ9Coh'|w(zrݾs$T{K é#d+NRlbuG,YE>0HX'"niTWMQ& 5|ĮT6vvbOXx)'m]Ŋص&-Eh )#(*#S>MC h{'&[8V"z)'5qfQխUɣ=Q #I8*4LhoFPT˙D&{^m6oO7>d%"#}<,G_09ڀ$%V kK//c6;LBG׉u|өG!Hbb馏OE_"3WƤOZώ}pཁ̊ϔhYm~djBEѣ{IgJrdjmoGTOHzRV\SMo$`IMjUtQi"\Tw@27e˛N#=e%X'A9,qv{^Ch`"'}'I=]ҴrpX]}/y_keQd m^Z] GAH}|gJ&jP:_w kK#]v2E=FR,-5lm \J!7#y5wnyc/΄%HmJpeDõ{p]皴I 0Z_*VN;DREì-VuXt\}.Ml%闭HNr4M2W!ÿ.,<%Gf~fck>P39;wZm/.IR[CYqVP|E}bu |O|C'ŋ_#f5_c@-9r[f(LLlUxOW?`0x1%AW~}u:9AMq&9`mhc1|ADAK#7kD,{F?C퍬}W=XRh~~HRhbS{{Ǹ u!3&!0 ի͹+5K0Ǯ=,(Wpg킀IRPFMNd ;x5(2~p)f:rT0RRyǢ_jjLCa-W_~Rga\y_v@H,Q/Ժx>Ä:B!) S#g%s\..>$U#}6(-xe=_ļOA7tx78 n`f.,<& mA=5*=.V"ѥ=H>{HB3gV5{35fGi6i욉kۤZ!O\k`??My-w8HړrAGHKl37Ǝfsr#lulLv! XF]Q <-7,0]4(>)St~,5[\(+ \ڌsw$g4VK'v?l 2Sk9"Twb|^ٿCHwG|UW0^YaN[]ۈ(S& ̹ekji+bL<%+FQ/kQu.S&xoQ4 ~7/Q{%ӣpjx.W0aK]3_僧 Mn4-"S0"$T^gc%GwH(JU逼𣔼;Ua.f1ֵ[$r HKmy9 ~eܛ`)PLw |T#A9mJ̄jFV{EݠX(؉JGj> >ԮFљB\YeHA75k6Y6 C͙)+p)id;6l2~fgۿSk`lBO@J%˖Ble@ǐiM,MѼ4ڈ1jtn3k,qۘ$b{:''*T/`hQ{GX伊~Nػnl2At\  Z{v5Fk" šOBktƯ󧣁f➐do6P<`(#דoՐ(BtR 5mP˜SI@*U]&mq:7i1ᷕ^d85[,k"ф ΣD7fsaә;dXxXɉaQ bjX8ڗӍkxƁ:~Ȼɒ10\ 2E*;lEdvy@{"֟s)hzd3DE4l󎁇&@hyr1+"֜'H~s 07Hl\fBZhP/A 5ztb)oR?noT 9z=,Gl황/RM|T?XyTrj| #6"W% ׶T4rf\t'HUEj}toWxa`R`8|pJܘoV涴t3Bd+.ZfXjp& =:2AE|HO,߿w<콃Vu d1NƑir̚d !>4h<* aLxV83QBR,◍pK)]ثJhMIS_]{k{">}DB[% FE-w&fTH˓5㳲aM|b v$'c. BANS$&OcȢ@u~X`@iԽ8 :D0uzP8kMԺF3H6MF?gƮ&뛷0u-NU@z .m}CkB<R ,!UK=y.'?@7h} nBe=uxj2Za,#!fnfQ=^ Ƹh+gX-n"[Yl},E#H C?ѕRBpV9\cWA>n[6RPO7ED9貚+vwWdVW{]TwgE%GLQ?,~RC=4VE.ԩ_{=@dy2"qe?Ifhtf6Ґd9#GսÜ~h;CcxacH <>(]²W! 7_(Z^%PfL \zӻ@&&J5ukfsA"a$""K #Y *ܶlMw'گ$2-Ƿ#hB+msi| ;aq̞ny)$kq"3ŒELWRp$z3WEo,KɱPڳ "?23DJhm!ID l1SߒavHK>$q"Tz6 Fs)NW KJs8 ȒM:SB#@<;`?zcr .^R+16M": ' |'A D[¶|͉TY2|oGo6;51ƢNAϸԄ1c#5lk8B)XYߤRlTniXeށxhDܗzmn}vkӫgZՇ,"U|]mB-0=ݨ[;I '=ɪ@BO@,tQ5o~kٌ'=!&c6vO@+y͞#c H"I0@bV͜hDıZW.C>^kkۦs|Ӎs)dYb D]({&骈VV}O/-, D4cm>he1 m+<'KNUS& f+|>@Y@Z w#!b: aa>\Os#iuإ'(&;S,tCP&QOo&'[yގ#F%$ Vr^ᦾ>*'Xf}_s u[&\ oyNlʱ@!΍=oƻ ~3SD!]1g% gU_Cn3CV62֊2-N*AAs<q02Ψ^fNA`>[dK>iD[ɠBӲN`J>jQz% '~]k z/ē몤:1V/Kfpz/Xgz9k@Y Nac묨qyD~[wJBpcvVfoC Jżzd%nҩB51'˓oX86r&g -Wrlf[CprmQ5vLI9'eW)h0 r 0+ěڸ3s. p[|SI縁(vhJ L8'`苚cUEq 5?G*# E _|!c i9~|+ᛃ Dؠ)QCbit:kKsS ^!oֲH^x@]'azat0"C9t#%y~* ߅:փQ(*h@/ *{}G]mY`}ɇcV I ̢[E>"JL-b 8ߝhH) hk`=Z'T~ inkLU8EBoq9eC"  FL%ٲgb[Ełأz^ZLp&C=WEKeU3&تK0I>9C v~^-@f2Uk2/YۦtA6bnXM؝(۹Ա*x\Ӹ,z=n\a"9F6kΫ;G8F NL}չ ~N,8BŠ_ݴX"F_ BD쟖9n/R אCcHAm^n6Zvh(f&MK j9Pi4hīΚ8]XrsX)p|&Tq]jZ)v04No Pl-q Hm+#b9f+$> ZwdQX1KkCqS|!D; 2Bڪ"O8|3wH!%/}&5NT4 v`~.6Lo f yLEyXMa&֌$tj|̳Y `L'TʘQokzv|e)GC ؤU6롲 :G`Qcz^ oX ?MCb8O4%eHW`I۩`b3\i1@:Ua*qfcV~g vmIpn <:3?I܅@O/$H!_8/U`^}X&^^xN!1Q)8O4ϗPR~EKWX,`C5~Y `={~͙€:dŋvԓIJv~-sbd_&x+ ~Eg{YO#mftӹ}DIrhSqޖD"r a#Qϡ.r8\댢Üs^ו=bzp ֿ .9+'}Ff)j@eth֦ 5'{_WkpʷWnMG6Rl7V~%S|1;A/#aHTKȟ%V )GxӶ(}G̷ fY`VuičO6MLUñv5 ~9Ā9>ЈO\k9w& fY^:hֳlΠVZTuׇa7PZʞ߀4a ҄ d^}$ׯOī*zVG$I# T˰d'6j|T@y{,C݊LD7R%!y)f W gWt3_)4BaܵgֈU,а@; gC7|͏0>wHQ8zPC ,O~&Q1- uEԇ? hڨT:tOֆ6fvկOVϨW !uO$Oջd$YE|]#c/Wn4vWYG櫦6uLRhא@F">{J<~4Ermn};oxGkncޒvݣ0]#R `i..L,耄vxRQ]$dSOZdOj6oR,E6V B2VE؞;gH9|vJLJgPݦ9< ۶Gp8I`"/#ɪr䐱Y50v@gh&Zh AYR Ϧ490fXֈWSr`\Fӽ}8x#jo$c@$9;+21.+Wl<4G/j[sӫoy ۃ9 IPRu1kt0% DC: ZBag>ǿ3j_$ r@:%xl1X*qMTB/b4Vz{txg:KEQ뷍Ț'O.NZ)a5uDЮAZ^"eFolDm1@k`7srܯ% 7ns;?'(j_O Χ"U-p.8{rZC(+d4bK{iyӠӽ!<@z \uѭZߛ8~fQOQ%PpĽ]ΰRoҠr06l2E-*V8# %kVS ݰ%BPwqo4Z|nGP2-'q!;a5CbAѿBU_\o ?)fƉ\hYP{ch}?LaY^f=g._FoF;;{vd#@6}a%IrLtlGȘ9| l7"Y-\A@ƾ*-zcm\D\\ʺ"r1Ò!m*$:ew>EtYh2%LY}F|fUDp8 '5Fřhz9{@ JlAR;V:ЮN%a4̳%D@E$I?f96%}AGNȢ}~foS?ju*\]e=pw.뉏 ?/\M1.R&/ހҡd7HC(1Z1%꼕 nn̯ɏ$' DNsZ/vB\bɐ h;j!׺!-7=bѱ{4ρ=># CU*v$%= Ub"I6n̿ B(xMl˛RƤ7@"/1.o#XKxF/F"#]I=:Kq7~@ N hCZ .]O: //Ǧ 7*M t' ,WK?_۟SӶ?}Yq%2 fXn=OC1t mFn3 =@I3l| 6. @㓸 |Ɩ'>K(! gĹ5T `tOQ廦)cT9`)K.k'Xq#'FV,J-`!7WM๐y*~>~Yo5 a+KfH-`bՏ&FR /mQ BzDot>ZJoFissYϻmx=u/i ZsY+cA:Ť)L6:yf+ mɲ{T@c~,7Mx{?xuAG_.#_ThU,Ʃ>דR\M)/Im%IKz(o_X5IEu4>Ë$jP%Pdz.$菻_osàQ1%:Hd69 As=]/vȀڿ#\MBq*|9߻ANJ?}u;7sx0VFv"֯)ًmb HCtkfU[&R[KYW`H3/oz*IZLJ1aٕys38{ 'L[OHsHD F6s%.%!p&r_W+{HHj<}>}ݸj١)9#<*E_reF]3dTW9an] xYw{ZX2;0$Z/8Yv@í-:\fKR3-,ǫ^ ^|BiVlupj-+i "L }Jո$Cp Y Z4!Ii[wiMLrnf sM^'Hؾ[kaIr9Rr*2#c岟#_7Ic|9s0-`G@A'JvqڂWw/~n(ZvmR{-`}9bwP\ADJx1@T -vIj_ @$f^vͺ ƾ'B5a=H4Jh4:p|xaٍ ~ aj|&I8wn1;;Ů s1Re}?t$TeiVIRL8XM; q\$q`E?Lg7X-ҌP)%ԡxo/!E j/4XpAdR(Lo)Q ^"6[T :4!&cK!qgQfmxWؠ->% F8rH9NYx.0\V`()=eqz6 f]H.\ԆC.B(v?@my6Cgcl)zPT׈>7) wwGП0KvR,&J%ӄaT3 3Kkj?|ܗ{ǔ9MwT(D&vEa8n_.yvl9n47* |sˆe._PrKgkj{Lhf6ceGIj1 q*.*tsb4 J4ԾDnψc{ߤ*|+U.a2ԱQPm?S^,(N浰?;M x٨R8_bٙ2`Ѽq%O,72(b:|Oۻh":Op&y ./;:HsPieVYż8lR{*K6Ѕu v0ԡ1Э^`կ.D#I43]v\Gw{OMuL{)Pv߄ P8C16*h+"W@jQ>KǧboF7?[ӓ.w75_^kn9)ϯ**΍ϣ:Ovd#^L&9XFq`I -y/Bg^Hv| ΎW. R*2!{fKF i_VpokL綊7 bQvs`yxKW٥`X M])=T%wz 7}9\[ @Ud'e>QӢ0{GJ@|9/WײZftSRQoy&Vhje꙳i顪Hc[}u7} 6lUrebޠuH,2O`F@ ddjrXgq`D!8"=^3!AI<N2I%ɖ#T{Rx+'o|l'loK+m:^SA-_Fcv'l#T|oMU[SDD? RZ.ȣL"C,=5&=Uuu5K=,{q<? 4ƍvd-vBu¥6fz? *3< Xzmr`72>zQU*Xgk}Ͳ_ CXT&-Nt^Y20w1P'[ 6 ٦9xexǑ!AQUw4jAIy8 $="k1o3iEvIrf-ˀFC:zixG< ĎN ch9>Pe2%je<DZO9M.(> /$h.D>.AfuIZ A\pl9G!pbk2kwNfz  &&Be6Кg4=*xdbyjép:=]=gbBn&6;/x:_rv>O!Y`˧c=i>yMp!̖ Ln@8~ S#)t"EJBӸٌZ}V *c.I̯G 6 3NI?lat8]n< ̗N0g@) W#  ؁j|dWd5xÌGT Fe^FlBz 3XW Np=RE*7{H=h)k`-<ۺ8@&JvwF Z<׋h^Uc?"=2܉2U;>D$2 A,"oF_L۩ZIU%j`b$<D3+q!L+r!nQr籎!t:㛘'?@pHw\O>Gz5O4.pyj9=Ե#GTeYWDjPPCʑ.pՑ[DEkuTahs'&fZJӇKKI~^ X$Q,)Ї9- *6FZcIeiD*괗%Kրo@7ѣ9c[LB@qdcU𬌀fٚ_|ի Qau!*4J_(=X0Gჩ$<7ꞡŸ[, -Dp3 W%IѤ:В^*{HBV<)!/rT;L@ knƤp/AVhw9`JB&ϛ&AVl从eGCb=,"Xh3x, %8!N Bq.x bDxuB'8*(?28 ~NQiKO}/1A|>]#S-_G9CiguwK}fvZ%*?VVy)U]2t"=S3W)o܋ rsƢ~YS>ZDμmz\ fM'ͶIaI`p rH08wXE# ΁׷DuGJ|Ef3|w5?ȡ1*iXp g_ٯ%X F[$V $O@W6wj֐ڀȏ^o 6@=Ǹ!sB\YQ)8(0HA|bmrikZNeә4i@ݶ\#½6 }+^cL'Jh/kZ\^gX|5%R{FUFi^1҂4WpIyrtt[]f3!UﬦeNawͻoHxBj~ZP`0P'* QzqʿHcSހo@zUq`%mo`©N{`) 1E4r0#9c|6w>H # s6}?w݋ŻU蝍0M%?/ 䵛?!UWB(+/ `頎C .X`=hg$Ԛ:TOH/ b% %>R_XQ9Yws/ ES!6~,~K%/Q8t^"%-/ʿs+kkp[}S]sm3kgW~Zрs%$;2a D3Uq}8h*H6 )*P*z \oF,Ϋf\52 Bvէs'AP4ٲuK_u1Mo8k~nQ7gG Zf:Z8aYo;rv^"=R7H|ޯh:?QV5r$JO% wyTe߂7֥>u,gӛؼ EyabKU0|涽˯R_nvsx5L?Y]qnp 24˽AN=^ɻ N%}j!& z^>)Mi "oȻT(6,.)),Ab}yۤBh!&:y̥kڭTka/Vp›xu4Ц }sA'xAk1=H+u%Ipd8%ճK$8<o1zu(/anmk/ܕφOͪ G~g ,:gϢiQlUS-ۧ1z4&s"ؾ(.iG VS8/hd7̄۟zO_&搿ts q $ɔN!^dHcF~E+e۬]6Xv7]ֈxD 4,B6~&=鶳政̻z gB=n7 @SWOVՂV ԥۿ !y7`tel™aʙs-pɑ4/fNk[Js6*֨ն4`D<4W;?:UHٞ=neBJvI 3uڪ(R{X#F6}v5|Oy y%?=d$;8umD=9%M, E/5brBu{S4WCTZ9nwPXL5Z`gL+3MBB.2 /lC FtX: {%ŬeW{[0<?凜?Pɽ"R;ejYf-M ת= :"IJ>V Ҥ|wCWJ}WRF{u?\DIkVCJkbEֿXhvq\cKO؛RK)i@u)rpۻ3,ݳPKF,ZP} &FԞW/!v(͒0oI't$l4Mؐ23}.{ᙘ]T嶰B/=vj Ui@ߥ&%^xuET Nɨu&x~rh߉2كiAla`C/8.Ij3xRWM%k 2#@ JaJH٪w zs_#{볽&@a>ocO v,8rEO!L0ÚE!8&tPm>tr]¾$J!n*hȌew}WA\ϵ'lk|] n?J!V*TpNHsgLqHGϫW\/o|k*Jc iqW@`p bSM6?N3]3F[Q֤"W2?|JK|benᚨ{3_fYMFRVa?؃H`[OUfD:eHVf/${C\YGnXIO/9z@- =N be{{69UaW a3̗B >:81hג&qӁ01Z{14 ? ;=ZozhWcFbٟ6k:Z9-\c%-}Ӎ17V!qP)wT>.Pk!wc4_<  @˦޿_]{\/HC5Gzu>΀;*PzX{d,3Bz)Xe c]Gt4|cYcWS-]&2H#;``GH VY#vLD 1Yí\<-V9ݥ{L@z|BΡii¥kT)^ }:\qr. LrGmCB(DWzS3y;'ʫ0rY_]Y ب|Zݠ:w_Ox(9Cy}n)x%:Qp *mr`Z९) 1r YB=%+$!XοZ 7M5e.+z~pI&h5y)Sr1*;ir.ln>Vmr&ARϕ i. vo[lo8XT_@R?+Xɼ_WA+)s'7d-YߊHKLs#u(.QutEP{+]z 9g(jRu\u10Z0TV˺JCaJ9iIQ͆[% қ4D0.Ջ(/ rmS OjެS\aݱ N Y*}qQ~Qcw*7 ʌ v} |:3 ڧ<R,P2`;/@z*U\zUkKAaıvѻf: OŒl|23-ͭ# yT|A me!8žBh[$fQ6\;ou)lL,;ĀF-^<'l*{[֊M5OxI^ASh@a/qZKdckG]D&4娷q@k tPws@gDPv(r6KXNdL^=?:תe~$&!>zq1ku?Y0"~E4xr{ O{ كTal=#tf=r0Tf6R 3wi\@w쪤KlP HTBaHg>vZҬQ]I TjEm &R "E9*!qgwXޟ4rh G V@~Sd$|t$I+톱.57E9YՉI `]wz'C@ ҏiXF2UǦoԲe6qrX4ȉd(Q&OyuX=3R z 0SZ 9jY:QP8Q6~)SR@6: 8br8K4$yRIS9@7>`*qc׭/(!%f^u7Ct]XBq;Ğʯ/`ağEOZRJf+:1A-VUIʊt{ꀶ4~YbA+#ɲZ=pQ"K9,HLEd7ɐLU}.R}VGŬ-vFX$Edoݽa C9}hkVRՑfQ-l^<ȅT#T7,Tؐ=\8 ~v*-f0Ξ%+ 'u'sTS:֠tWIT!D&,}|+)O# FT7H^[XWI`Hi,qu+L=ʺַTjߐOk@^@d-_'-Gl{1Y8wo"S4^s zbB{:%oXjQQNDXf<<_#O$sWT+8os__2w'wS~r!ο([ 32) BLhys{(J;U\o.tOvq$DAzEa%b(,i[Q+^ D+"L7[f/5~U\B1ǥtp\ut$v <|~_ɋνi I_7س6>U-RU3}޵2̤mg sQr`F?@t38"ViG|rw^Iư &bl vzxfe1p|)>a7c&"1Kh0g-?3%yo@Ȇ)ZO.(^FR$hy>;3/ϓ5|Wgsd H)dG5"4쇼)mq7OLʋ< vU1-c{"+6M<),Ziz\6!іaւqډ~ܱ4#R ё?`vL36&߀20o]غCs8~Yʌ^`LdNJ{~el(Љ'=ͥXT=pI_" OZN~Ft:H/C5}[P-k_8-[~JHsn4oCig(oJ!>&g:Ijϧ^Q-@$ՖIW"6\$X < 5џ;ҁ4&iץ p>ŕ49Uà{4cnt.c<A!d;#?쵳b$gV/,jC,ܒ_)}`Pۢ83?Fdl+M<^BW}ˏ]p&=C]cҐs趨o)\ ImBPU H5(aE=۝E'@d<]ia\АJצ/5jĿ_nXQ]?X|:E}kx6F(c4'#pL( jE|Z 5Ts^H}0jjjJSN<0!!>||M(LKn'su_n(O7R!J_ p 1 h7 *vRQ! X4dya!{nVٽM͸aSV-m"`)s*S[I9\VMyx:KkA"_9,rJE9dYi>" Bl-R0w ?6L${v 1eٵCͶ}[w`[J~Y-)ntBU^շb*$x$58 xW=p͇An@C Ss:א޺b_,aZ'odF8 [yjdz3:_A "pMQYImC6yžOgI.}3/}ئN8(?Baz9P;1&PRN^ˑ<49pu?[ [jBU %Mő,yz(e爖c^ lƷB_fc.Mz #M-t)L*mZ ?"ׄʣ@`fO5)L9p z4D@QK' ʍzUf3C?{حá[p(|5u&]v&ʅ^Qr5MYKVNGv)uI11U+g`-&1i8sCj _&HeꀜV_'!HE仒횦|!$b?2LAT*R ]ؑ6| ztz 5X2gTe-$Æ(,G V3ȼA~T|'DJdPs38x:EF-aJ@ݞ'w°m\V:S:֡$k685M 5K(ƴT .X"5¸TEDZ**{I#RS[V=HxUְ >I}gW5'"$KF:Pv^;vzGl?k8q+=aZ^6"ee)b LߧeYUHC.<N6$c9޸Ep1&Yt{rE aщu,&Cvn!\W{~F0^)y*1VJopkjPq@ǭ —_/`{yB#Nqub$VC5OZ<VHtS =zڤMgGh# Z3et yH]Wi7{N1ƫ>r:rt{cS\,wQGsDr> _sFs{zܙlq-[S /1U f K;aų7'N$㺲Msi02(R@ \6uR؋rؕL+?9L偄pKN-޷Ɍta>"t>(ǎ-Np7TU>+]Tx&!4'mRz2J^y"dtRd`C`(8KaOb~ 1RK*KRdP>5Ay@}U-WB"gd-b m9s?"ʁsUxnj8YQ'o}L,R@.0NOm% 7~"AF'Hqrʊ Ph? UTD |gҶ=:Ou|~:Ó?dYx`#wߚ nvBԾBtq~=@Ip/5 ~Y f73>8Nkz6G{+:v{ L Q/:0Wµ1]1(}.ְ3egfsrGn4 4z\&5NH\kV N(w?uO4'j岤ܢR54 h0<@7y]bXil ]$ r ]/Uo, ((,\ 3 `et&jwI`E'Ycdd Ϫ*5n _[DBϒ_RBrKSz|uM@o{*b:A5ŒhOq#WY3 9&DͶ("m-gpLh kJx٢Bvëk!X)h%5sL wl?oz"|Q[~0V3̫t{ѺV(\pk8a6#kHyHz̔~eCY ?=1/a<-G!ȱ4By\25~!a:=0ט16>".nLmm٦~i- JDbe0gL db?^SɆ8^wUɝDJd$RZOѡVv+͐ɺ؛A, 4^lQh~ȏ5!k!c܊|^xv͢+Ob%0`2^@ #}\/YpAֱg>)'4TWjRAw^-G2OɌGW '¤,kC7}-5fEMQ£ ^M eJٺDH3#9ZL @nCh^HXꬌq&ho rlL>h+J~OW Y<&=zMNqWң&(,^f e QW״^ AcdK?T9M K[z*i AjsdML:΅sFLNZtx ,A* |$8CCnn_,_"IdH34NX=zOn4Eo0ɪu3^OjQ2T4 8Y9J}"ZFM.Lnqd&Ii,`_sYz^CSFC]/ -T˳em\1qD}jJ@x!.IEρe~LvV1=$nG7.)<p^台uN;m /Pn1Jٴ,&i h*?CJɤ_|LUKH iFc%Qn@۟Mdk17LPbfHw-i1nqU8]{zYnlj-\5m(]Mb?//`{t3Ѷ|wn~aID]&4x㤽c PPQ.M7-»1xԿtpv7k?}+v:ŵʳ+g/+k",Xfx7*rP-Ui,?EMHJEHV4 Ah<1Aq ›)}SV>(jeYkgx~0:.\$Z6*arGc펮$8W Gpt#@)o֦3?ʘrdY/q,Hbd0w9c[ns@S#"0l}Akjroᐷ&N_Էl3c!zMZ.*3˺JF&ҪD3BD1 e9^~΅0=_vOVǁ -EϛBYqݙ ÐŞ IVq70aiºL/!ٳ[dHZ?gpD|:y(]:\ڣ;k΃)ޛ~! nZ*ۗi7tHFic^\ S?#׫9ZXM㔧#$?ˏ=1B-ʪL{=oY4"v/`Li*=|:x@%sX1 &[فxM=~6y;GqRAm>(@aW |C Aa Tid)E{U/Z稠x),IŰAfldQKnt >;nutI e9J]%ɿ1PP2;鷖}(a|)E+a̸N1-p?w4*'=FgAi a8GS ^hX]K}5;lF]jYwI &(ZG0l">Ǐ< v30.jZvGq #;b:m $zp揸W I-dx̦Li2hibK!ALlgfl|+sܼc7 Z@UD `TPk`Ɓbef&}'_]$af9r.rGmfva#.M+ޝUE)2ˤC}h&W^7Ü|0w{5BL+6p褾@D,dğKBEUkgo}iҐK9K*?ڨzAqp*27dmposY,AdT'*E{,gS6}ˎaT+ױ24=jIJ2ɀ؊~R\e $*Z<異O&NTL x.oPxg0ؼ:S%clΎUvj.2?BzG)  Qm_^`eA |k쓛j9%+(*Mh٣\p .>WX&dYBm1ۮ»UMi+';O/n,S[@w7ԧՉ\bbE,50-髓KN*a6eBx4؟"[)5蓁{n/P^AsҎ1ZqQ@uL}b3 pChH+ǗāQOԔ<|HsT">Tg[ E?S:PP1ikɑ%Of";_p1L!,£fiRmbi%T/gn Z,cd:VM5aI4WK z.`[OGC1)S9rW< 88^:MqTD+vtFN 1ax(Iri! Gy,,gQkɧg FZYYf8^mݠ@yHx&0++ӚY",MXt =aM%|;ch62OyYB\nju^vm_ YJ*˔tX-i͇=m5*{&~zȕwW/&5"EQVKn8Pj [a:&JLӼ=mÑ+fD.ȇ!ƅ*M\4'g 6>P'q2>wQHւK0iuJ)+wv3j|z1Ҟcwb_RJ%5Dթ\q0bwy<#%E5a&uj/N,k D*?uP]Nj05VYB["rHGX©k$]bl:v\$ƞ0Ȱ!IxT$$(ܾ]9LԾk( hJc#u'BeogW7>U&ކ{(%~m"zvHS8;n`P3\o| 8ȡǓ~ .ERY\oT9:c?9z2 8kRoF1~ћ[)ܲ7b}xtL5/+zѨI}PE e'rcB4o=^zAo䲚CF]*%CLۮtpjᎽ0b5iΜBU4u*|B\kd@7=2e^ g|h@pL-lFvؒ"Ō> @KU VlAPU--vHf$qa~ 1pg?f3?gfz=%3Hwv?NUҶ"rzZZW[Mj!D=|EL_5=%Wf 6*J0j[d7.ۈ>mo37{an8Y ){b4ԯ; A(f7K<t,@Խ(>'j'X*Yz#&Xj*sW&UС;JէG ?၍ lGSSQȮ.'=Qm;}Q %,(ҐsC5kf1dGn <k<0q[{]@RYa),ݡu$bpMN,/uB3slMUGq t]ra=S#IaZMJ5e a} */?x|b=z79T9cz_Jj_&(Z؂5DR@!#(DSPt#n&]Ϯ!F5ٴ`}$^pǧ|yJmH2h@a4o+^,e-(%Nxj 6K6'68T7MaH+{+9;,fgNLTyAMF a&;\KޗyB6+X9I$f+uԝu%I>9p!cO8퐣(kR"E7_C3Qv-+9Zo5Bݞ'u-TAѧrnl΂V\lU['Y/lҐ@RTl~#ޤݧ(Gd]e~,!&Av%o?\`>#2&#^u#PV'&cNDyeF$ςђ ~i=Du19.ݯZ%/,LA3D.{\gynmOu7$@{~jcKO0s&2&pR leA9hȊ0|dO?54Lc)dg6W$~vؽi\d 6}CBJ{pY2Wd(ٹkk.nwA`"N],xSظ1؉&Le8Z[/ٲq5;GW8E;q"ž%ԯ/LkAy> To'.pI XhJ͠gټu譽gLzP[s%`9ii=IlHN))"V`իm+Pl4hv}OX/yu,#|g ElBXHYfHpEm`II%8O4vr,PkA_=䫨{Ӂ{e+gH?ﺙqRnmYV;h}E\[ٍ CƱc[Ǎ!oɆM~ (pq@غCnD[F%NVC"ldu+2}0o,KF]!VA/oDaUPȲAzCOwicRcː gDOW%IQ 6E J9?UN0`NXlFyE=xq_ |U*ZG7G$ DNcbX?&ry#fa.D֯CU PΌp݇B<%#ɇ"P*WŶvzߞ=?:-C$ *[K"w.j8t ڬ+|;od@ po]EtkIʽgHZmt_IXȽ?M m&+ 0|ej}*KUyz@tUhsc5z?ۺ*J.ti)A}BeɢdV%r#鰾v,D:kAc"9fFvlF9H$ |ZiOG$RT ќ!UEa;Y*!6]9vMu'_@bTUh]ȿ;5ϩ:ɭW(Q2>') .>dTc&lk͉ZoڻC)৬B>$@cf)I% A E=5h @rdWY$?#!p5Ϩo%᎕Y Wt(tOt1ͿUM2Ax* E$۶̘"#?fJ ? R)u+km᮵'9X9DSO72s)['cNdL)^"e?NG<U*qgE^)Dh10irꞼʼnBmFc }B*Ug%c;!Rr?{j^,}~tV^A@7i hHNnS/MsDNQH$ `՚z bՊ$B=jLDު{@T峺پQaSbȫGj1 `My=[_o"drk K vˆjp=e%T<$Hۢ )J%Yփ8.z$wC qm%4 ߪHNNd^( ԳtR`uZ~…e+־bppcpjV47Ƨ $< Y|z7+ 'S }[}IHw"MB mk?mmfE^n\=]"1?ݩ lh-zbK'֒1U.ihlwUɔjT[H_.fJ\^;Dwv Qߩ_<_;ä ͼQWKiiI3! vi?fJH?BTHUFC}o } `TGb5 :6'A465o5aG3$!b=64 [ "I&n54I?6 ?T᩟ITǹ5A\f2ĉ HS#q[;50X3ζ)"Zzk 7A޳A8=PS1 ؊緺{ݼ1܏=L)Uh3;2EoILGř3._ qR_265fးYPoܱFn; .JW1u`LLdEp(]*%Nuyj<KOeA.hfc%A81?LeHsdz0\ۨȠfc5v1x$P0zʀϪTd1pxU:hPIKQ[\%#&Hw2Vr%|U%[[g9@̳q5Ȃ[c^$:7g^d>0Nun o bs̗•=ά"2wǃ1zzxaX^xd2iϻVf Nm~ slمV"* `88 l|G 0areD(IۻtKY-+wBj=>r@>EX0x1]ĂD<8$_Bm@8dNks':jWF|dg8+\Q0Ko=FJ Wo$,Puzub祳vD(.AJlb+FĎRy~ӗ$9YOek rőg3gQ^|[B(:#e?HCn);@0:a\!{lZۑ=6\ Z2ME5)go"'t {ZhN?{ˢBj(w  !"~VG 0$ /甁B똛`OC}+Y=)(}7{cXLSУlܬݼo ꄉk=sS =\tfܕO h}'+qzi0ϔɰCx)VW`.qs66/6 ֯XkzD)d d xq^ 3s$=W{l>fPGa9P؎F9G\)ֹM]~@8us~ؗ EqOWOg >=2\L` p9QN=FFd *W&+*/ XpKnǼ*n0j(~4`"Bp UlA9s!OPÆ< ȘvX@24|\-tw*?FeX*KvbY`WP&Wm/{|4\o{ Z :~|O(1$DY*q^p{]3 vaKb%+P~y5̏0QP+.[4~?Z<%.^O',6S6$ Ұ{<3>h!M'b݋Q[Gظ.c',͠IԐK"e޼Z+2ǡ*P14<ؾ|ךO_ZK:]7U# EFUھd߆ F~%OlXSIBaF,p_;e7&x`x)8FY"59e0T-'A*]{B+;&F1$lXc@ƷG^`xU*nČG}m7{RMrAUj܊jhI}|;]R;1ۃ蚗Txlu;{CZ,}(kCkixnaB~e`՛C( PP gFVwRF8CEIY 7ʑ5: ]i[LМFJ^rI箼>?NNnu5 FDAud,IpT#?u"TyW|ԡ4im~[~NtoŽD9; -PXћ^e$l)Ǩf{Vq ͱ;G3Tw5le \Urdv5Ȫߗ'˯5Oq m^53*W^1˒ -d+Wd Qu#r((%`a|٨J˫;u/Zޘ7wZPK`ACdԘxygӋB_%%ۧM.}mS.(CCmKw&)`۠Cuc=jwk>PזmpmA>$,E"5I;2?r9?NЊ &/v 归9 VؔAT}'DĘ)e01}6#lܩ xG++5)!=mV$z"Klr9bM"Ԗh~|\NR֓%+Oa=8ƛX ZrZC2xUb$ rt JKW9c% $ ,TRQ&0ˑB*5 jS+Stڹ wGQ-4B6$ï]hqJOkB~\TN $nCaŏKxre1ˆ8 }Rz7"&ӰMIJ\:y mn.za>z A 찛K,1з{ujRm=3#B`殝MˊbZQ$lqs3J5JnIpf`pLCLˆ[a0KA?sg:#ˆ;Ii\\6י1BL[ЮJS~n@1p-@Suh}R1X;V|qk_e&z\DC v AEc0zύ1HF2{t­%þJ/˿kC|\k'jdf ˸=t>7'K0T{{j~8Yv+'{Ed>9Ur}dܓW3V"5B丏 Th 1c!W m|B|fՄ~4&Q L$=\YhҵUi!d!^&ő}5|شWٴS0yA-4"VFx1ͭ5 .D⍪X?W xwQH>pX,7s[|gRmLdr'#vɹ`]1#O$}*bVzd .Pl5׹H[ |$?a6|ظ܋h4b_G!T_}[< yф91W4+Z=\08-bE:EB+ilj- kRuH'%pwY,CTlU$w yòDkC}dH3ĩCJ'HKFR ,!2P䓟p#Jc{608t{`B +ց̤.O[҆hW}aе(НLLeY#_1]!592s QvPP.wN]G 碇ESVgt "<4A& j@!PȮJźֈƑ^U: .wMJӰ:x Og9ZDO]!8R_SN*P؁Dd)`]O۶ɨ/ԸՑL?2BdGdOTz:T0Nگ4 #5q)湚B݄;;QMG5AqV-j2& (b6/%o@+mzm( ӒghaO.-נ ikQ e5,@GJW@HڧsH2LC s@L!dXl| U,oxy [NY\/%R+JY1Ī5L{~wLA2}@Q aJ%ɛB]-VAE aʚ) :dF稓r9@s R4yCdİg҄XEZ Guv=% +hǾ5BfU v3 @ )uM{݃#$}A-ǁ6Xn*/M!o/By|u(؋13^TL '$@*.gh$".ڀu!r йluoTuv]a^{Q Ht0rL)mnVͷ$dw'Ӈ/qd0HZ(z@?a;liv/q! !wwCQb9(0Ћ>)%wAiU\y9 v- WmRi&j$(2*g\`wx)ZIE-nHE^CXpF8|YU$Ri41xMkaSṴM6Ic1*~'G:B7w|F(8;\7#7kV>{D׉/I"W&=}vy$/Eq hV,<(dׅ,@ IAQ*,l"GeDR'$$3|6i/e!7ӍXW=CM~އ;^ҭ`ZnGp s=\ ZzWHKn! l dAL53Ti.pJ k޻:G" yY7vnT#@E=z`{j)+=̎ʀcw K^ . +'${15Y KGb:ygahjD3Rju_!8/Pa|IH%!ƺ:{I.#Ukf;=`}3I0P-u(J‹5\t˥T=Q'~A!h^8[c&+[?n|M#mu׿‘9=_*z 򈷇&qh (< |V̋l?3sD<lF^G+ .(a@2RܴjԶIXޯyjl{op vf?tviIĘO(b`HϢ,~Nd=7+\\)Z߸a^~gsdֱF }IVY%#T`.I + .C05 3~JKSiW |~=~(P,(6DWeC3TF5qȑK=No8xَ9иS`ֳ1 Aۛ[mSңn1QW]_y')TYjvN96?=T~կN~2G#TŨY w)][r܁!qm3{oL٫j,QUéiߺP TtT\'x6*|7e3/|Fk@q{ڢ%њێIL6#Hw^`otʠW3ڀxU ſ P$VZx@#Hႀ AIFIsB02{6dy\HiR@JKj#hՋi-wBX`4PjD#Tƞ(rC6\eCb (%\@EU#?rT}ښaZ5ۼз}l2nSo5bf.HpP›)A`Oen 5@H!m4nr%ĕ,Yf',rngO|6PfKdꅫ$)=/ӌhGM!$y ĒWaʁ/X*9[haFͯHx^g_RO<[ :~7F7@y* (?[WMC= [|5(VYVɅb+BbvxB=քCL3-d0G'*CԷMbQ[x ufTU)Nwّz= N3dDLGCIݿy1ޜnn$̼/vV-=/8&:B@p:oI !ͤ6CKԳeGBY,p6MY~WRIR7 qt(1fn(#"Vb J3*}0.(**pK z+!DTDA;,ÄһI@YӠ^x2GWDhZfd}Yr0ōr$Z+ 6}f0ɺ2{ĨE1_s>'E q%?CWNqPBؓ;$(pўTxdnW"#v'0{eթ^!9=xb6- kTlL򖋡r~Ӹ=6C1EPF*K"~`/#'Z8.B_Vm>h?/%I>kSL|7>mhfҢ<<ӲP{w&G)z88JaBW OOVDGvOmcs@0[+z[5zSit,(@nHV qiQެPkEg̰9g: 73K21 G;v;-49ybZÕUzcR~0< ZZ/$kO2%)Dp9* f4E0}?2*τ+q^Y BL;VꂶoRe>H4jQ!M43d0n_c-pv!p!:ޜ>NyH.v쓫 ghވ/ޑgZ⥫ Sa{Vsk/MJH=yCo+pQX;0. N):ӱ/( QRVPCiHX"n77:WDlQŚ_V-"x{pvnVQ]O3luk*1Qm0ܱN=˿l5ƝMrrt05P}!"̧@S,7OE `=]@ӽ!B.ުӻi?*n$֤Vb)_mr]O^[5OZ[8y7+jo:kf%xi-vb>rih j@W*7X^sKH>HO׿w T$` qWGC *C |Ѻ 3]40,4ͦǿ$^=#KAr&7z}Ŋdʕ4`8>GwzlEIIUy3N4amZ2pB7\gkjIH 9AJ03'sN b&-f%*@a:6=*R{Ip3/VRHܕ0q /fDj% EU-kX1nCޖ"t$4LlVKy%u2ՕqZBs9ٲ7ԄCǖE&?$0mM_ȅUr[=hIqGJ~X¸I ZMь?$DL\w,^N"9EjԷP&=69udq媀NgG͟q4PJ,M)lWhq0+=P0,S 9D| Izxm"_,@n!QYlc F#)"wZ/y`4_pXW<g'tpg1ǺV㐷 OeE⻸Ѿ+DV]b9~Po^pY2.'BYf!p4Ov4Gh\mr$$s 1iu0xOmN;R2* |!2L;K׎o Fx4eBǙnDkLG>ױ%~ kg# h?Óġe㊺]mݗLVӔCS~O}TVo2q FWGTߥ#Q,H8D٠"MU.&mlVa8IXtưx{F|ۼ oA˫b} ͽ 4v8鋑XA]ӂ Sm6 //|Ƨ8:;pϡ质k yl`@ipM&mRh94v]T PzOx)5`I} {;VG ~$WP@Wc 3sB応F&5@ƒ(F~>1((AC>NDPv1Zמe8?rL \.٧Š6j_'qE'2meT X{IsQT'ã9&%(^I*;ewiPvೃI`Z_ZGf R$%%4QO85ب(fSDą0 +N!F擹:&9*Wo˕IF8^lbtfrSXvKMS7*%^이l8~5}4P5'x좖Ԩ+SOw^N5Qں. ֪;G-*2o1}7[N$#* :"f`vp+-rrjӪdåG$"M ?]\׈ rP c8=^NP(W^ЃSJ4gy0Tly)zJ/5{fFlEv_?2dﭫ/8Bb5HIdiu3kP!&1(seA\̯3}_\sR`FaXAx_Gl4euOI_L:t EB1"~ecy^ƌA$=u.栱no>j ͇kęc{ ?D@Xi8 VVbS?~k4Ox3j4L6r[Dn%ƹ*kCQ.mGE6U6 l-#6%mL(bLncg$u@l6}9 # P2h3j1XbNZ<{~Of7"(;D6X"E ~ xuG4i"v}ach1ZiUţ,bm-Ch%ӖF{qR=&̰o¼*/b5g?08G>'ݚڞw@6Ak?\tʣ yvQV:v"9rr|KW$}^a!Ny2&;j2W%| NZ d: V<\AhFẓKdk2] "/ Hmo^\R)}Lt۫(Eb̍8K7տ]p]$[T%Jư:Fv)dm^۞~"j2Et[,9TH{wKYj@wTo,adz𢁱j<_x% y?9AQ 'N,sFQ GsO`ARtBà l@<_6r4TYeuk+_ƻbN`\ VQ q"cl\O]p 65ku%,U>!r\ߠX*I|0mv?}Zg&7VX,CYC*.GRs$Fp#B5A17.8[S S@2X88835929\Uۗξ֧/ n@Ӂ6_KO7xiE 5C>Q?~6,;mIO4uw'>t,CU8m: 1i ~oM8"UW.(3~;@ȥd}#_ /0>ڋߞC.e^=P2\^EAU.(Q#TlZـ^QCCoΕw 6#Ar- Spm5'Χ7Fr!vV5B> rc@s2K"ʩ3>$`oAifd jhJa.)rJ~X ? Y#kxƎ 2 {:=VTۯW%|Stҳpܡs@CBB0 K;dەd"n$4 b+f@ŰNfn'_X%#f /PbڊgRUȮa]Sz7VrZ^).ĒɗoQǖ7( g;OBYOڻ+$:hӇ3ͻ]fih Fz}6Ywt]`IJ_\~Lj*QrPzrNlCLHvnv~p噯ċ k2?k/3M5]k^d~lLp.8Y<#rbzT7͟VknP8s– ì7IՏWƒU\|ht oC+;)|tW)&'dzhB~Al}>H]ϗ)yK .<1N=З#bd=/%a\S7ڲD΅$֦(;Wݞu9$Y Hw@ubDnuF@I; TFup5 l\%m}#˅S^6Y(gs4\]m{w(!?t\ !JguWH~G}ߓI#<ؘIl} 9;B\iYK!k-|πh \φD萍/d& RŰ)'`Z̎" (܄[,p5 z:ӫ 4 UR9|YM$Gl{WPr>Ƽv.7nbX^U-G4>cO8XI*  & 7dpìI+^PoM+A:Y9J+[Г>ǯ_ƭE4ʇ.;m5s&oQp͈>wgEakRT >,@wF`SXdf_W|`=Tm4 aPzo7YW!hTcA 6`# !rRT3.aZZTO|볪*dhH#tT[lwT;0Ne EQ 0#~E|'sݏL܅S#q3ѷT쐻A۱덲 JU6}[NPNvÝu4v@"1ίU8,yt_Ft"\}= IDQ}.`zkKu2Q._DP6YZf!t8Ҷbh,_4Y.p %fj6;UV`akeA{.d_)$Ɛ SZ54^0UO@? Vt~%: %4Os:'#

ByV563aQWwܓj?whg3 `$ςMff#{n6bk2p/x8pl, Hf8Y Rc-d -{%2O)t#/ {Qg_'$vs])*R-1|jҨOBE t3*~:'b{"Ѥ1xv-ƢzEX[ BDMt>В9[FgUZ6V*?Yy\$sUbsT+ 5s*k]'tyR%PiiNµB/ĿpN(̩KJd% VLϧcT3rF22X 6(4%,(MM21ok5O}[G05I9qʎ9f{K\jS?'.[fVП)l.BAz%4S4"*k#%aL&2bicoJ^-Pånr~TK}WG$?(#hV>M_>R=PAAȲ[Ab:)zj* }SĶ6GI=}ewyS|s(}ڟsP˘#ߴW\cqQd O^063ޯ;wt{3z*kS;0hdHQ%],ySxm%JBNNpPjW KvzЩuD9w>_ʐ Άo\V\ʘ߁p8xLZ)aOp!tq |A$#tfxį{jiٓ?`tvPaDP2ڍ%^ͯiش#3]:!EI7 d2)MdVAFPی5a4K-yPwe9:/S2Ű p("B+H[$3)RI-sh# e;X`H1. d(!Б%.sӘh=S=H"YoN*d ti9i77ƭQ֦#O1Cxi@wY[˾%$NiD9˒(Q'˗ !::w@ xǧX&]e:6Z'Ҭ#"̴(#jctG; 䕪,Zr9ݯ}ʥȱ?l(7M4n VD+S M)P2E/ե $.Nk}*I{<(P-6#b?\({doc7@Z ތUL`ptP^!no9;\Am14\.!aXHXDU~u8 4ZR)!k&&]d'zX\`(bQ- HküCT"h*9$ąO̖ .RקVɣiU+A6i\KoKf:+ܱm|u4Crg$H:v(N5T qAv*rX/Ehh]T =osiK,˪L6cjKraĿG!infCv3#E": cA4+AP 5~= >S ao6.Ip-f$]"0㖶|mf$km:UcowTr=h]Z`]*Aΰx%hj=Ye?"NlȪ =I\%xO{q>/7pL.A䅵=`DYC_̘^Sj9[t)R| 1Eequab F\Z@H@O%Rxxhs |9d^<퐡xh~Sg p?0[JK;`q3 xD!Max~[UeƓ[r.E>̓yfEcݡ@QVqt()Mpq_Cȶ~yF WלtbEpRq@"RWGH@Vճ$km$2*[QY(M!jO@ۉEH͕p[1|mi3 h-myd)u8җSI4b_'}+/X"+h|yҟ>T+s1>n%p V|rodŲwCZLh_zhKM;R3Xɨ7" ~rkZGC &UPw PL&YFhK mLH yUנS3+1aNcѠ/TamFd国ӕJטIӎn( a`*Y9E 5(MhAM*DQm4ʒ$qk5rp,՗a {5L%b9e3@ݰ>IC~cR9Ʋ6)K֯Lb靿eڅk+.%q_33mGk2gߔUu>]T ) +Nb?d|:2Z;.÷# 2U.vBZ:.fݤ@bP^D=ԂIf*|UWPImңmSc s,5r)Ɍq ÅfkB(ES ,DoAbV.cl \ 'wƓ2edWrM'fS@p)_k0ٗ~=\ 9TK7-jњ=ˁxfYa㰌ZO2QKDڴB)0QJߩ(q<]ˎљeʮ_rrz͆Ayrjjz" ~שgP>ɖ>0'leQa\|-<_ud#ys#Gd[L}p*/ORȢ| PB&z%K`N3_-s&Y]ޭnT:1oR(Ci 6B2B[5_N%ԫN x-쬒O7P-QL_3CHD_cgRJ3!aX 6Y!k} Qi`4J^jQұT{QjT:\4h~] n3V-5l+E' %99M;}G?Ďk*'TB玖 %µ–Č%qfSkZ'\Zg|h Ug b$;GbxD>Dү(cb ñ7v0_[yŀZS:V&̑*6A'g  R h"y2yKHf|W~řh﭂e\C?#). m n'8k[x+gi޻ISWhnGnl ~adqGTr4"k?'^ g@ϝFϾ4ig襳yDUަ^woHo6WC|q)y4wQ;\ƁrJVX+/z!ԕ3y+`j؂͜辈"򄎹G)>K2ex=bfo۶Y,-KӤrH=u4BQ%5 jx6*Pӏ^ zmqf}!јNW6OG-~6GF ں7ahpz.}`!xE>mZ 0 . OLud\sci\ę!WVruƬ`?<f8"#cŅ7kArӺ*sp$Q(B͌6yΛ߀0-cNgKuy.7l?\[kݹHd)Nɋ]h{zMWDb<_|gqC\Ixd<| 0g:oKQN\u6XnI"ebE;F <'׿pFoB>ۮ0,SV{(CAX!T7Zs5߳_t<Ϙ(uhp|A> Ց5G#|Ҟ?~ڤ@C4Jb#tc}LXe8xo0^XZ_sYч%rXU&.y .SC=>g r{EVUg|!-?X,%?))Y ċA:z$ah>~fakbxlK^zvسq2&~ZUu9N3>\f-jHs5K92WO\!h?W:VH@Ԁ*Zoҕ<[6DA H7q. U`J1 S Y҉6fHNV^{٩@vYIjL*q+=~‘0 8(8X0zbDZVoTHI%RQ^elrat+Hh f X6[Mb<ɤSŪzCJ|uɌV1qaMF`"]D <ÐZ纍'A!fcO:aHD*`Q6e"c}3 y},hnEjRڒ}e¨|9Ō|SͯTYCn^[W2:-Y!-x@և{VCg_l}d4_gW{8MEれ-anFpI WV_*D_C{jܺ%˃:PqD*."U霣wep,FZNijT?EeN\`ӊ.HA8hvS5!h;K~:ʼn@d_e97}]Hn)lO53jV1Ukws:|PQq}VycjHc"n_/Z|rv=hH8-U"?S.]WL q|Zu|}콂5OhZ,F68u @)s <:N`j>Ȳ ^Li<<4]L2<zcKO[NL>Qh66=KLb a:B 1?Ta@.1Ŏ$DY6G{ ye- IK'T>qЏ묗AԺU*t7[t+B*f]INnl!E;۷Uyp}uA8ф->M%+ۋyH%S{!?)p$U_]Lf%'T,\佷"ey+o%|$C  * :N3GIy^Kp'p].giIuN :NW6KQq+UI\o8js$ߊ㪞cNxϝm ؔ Zm>SMU u!SӲ%1qDOF =eְ[xn2c ܖm盧ALD| T(l7_ )KќMp=ʡǗedk>8'hr@*QCFT%8+P@o#_lE8Iz7B;ţ~F:xM1Q^gR`&%Lb'v x6c&ym }Yk.&#w9|14 nqTj.})uM^cgb\Wl7`n[_iʞ2`oJ(8ۥ#͛ajueygqJwndO:OM@5ݰ&ʼSFltɬyaF4{,"s2+ʈ-ҙ2^5. !Gs6yow6]q4\X ]>VV4LPg*n|3SHҖa{tNΜq! }~@20YԦgC e6KJ4k$i"$ksUd|B .L: Dq4D1XRc }{3pr4撸TJ3\MǕhϳ`a\$n@q90;ve'YC+ɵbQ CJ,[ Sk!fxcOT&P9o 2%ƻƖoنV {:d,(J0v%wdGKRǺ]ɻ hOzjN7Gț%:`0:\8&:3Q?^ߩ7B/Ca;%qCfz <_x[|26_0=wD=7 j|пII$RݐwVz`F͟ ѓXͨk5C^~~E4C6~ĉV?ndum#!x,gJNgI)niI45ph޼IAmYz5ڣ 1ZaVQ=k+i~{h9ijToDbZfRuݘ2}'N@/Վhヱ ڞ+mb \C7B8O>]u6tFok$}9ph4d|hYjbE3|Bn犿gнzsmn!`ybRU LX'vK * HqXyQ1BLE^@ģ9FuuHDȩeQ-yMvE˖/ѧf/vPF)Zj7 "@­+0 (jM]c/KīKfKQ9klU۠pĖ"UoXk1="D\;pzo5 Q.?Й˨KeNW~eJ)3)6t /̻Ć"qS(3:,/ӻ^$SLrcs}#ՌRe`{Y[ƃLs獱Xn"'욘p5׍".唥I((,#TvJ",ɶ!]l7GB\KlGf&M2 p'ޮ_/Іq e"QVduRz@#=El~1ޞv5Ɲ-MW"^neQ#©EKEOõ@6]tHm"'d <{K!D.^r3B}#DtԁHOo{/&U٧̍b1Џ8/ jI~ʯ_fʹ5! v&T1vҁR/%|sc=mͳ|l~7..N >4_JXY|=Y;=K9 D J%v&O(8gbQJl>΅{YAB9g1T0%~OgxJނ,KýduUYTw/u9z j7iY|C"b7p"u#n`$/1A`/tsQuDȺe68F*:uGt@m2HSo\~ ĖKi?ftois|,eKlRʌX < {Gkqh9`%j |_KvC&i<zhɎ _;7) WՕPߛs?I>?Fq HS8(byoO|*awOIz$CI ?۬N)\ V! V[0vbGExQZr,zx' % "nw)0pfNhɮKacؽ9AAA2coa˟X# Gc*WȬhI-'3=!c_Q֔yjCq¡D=+C+W|K}P3ߗW~z9@Hc2@M%>+Ca]@$ǧ~ۋ'Wp3N)sPMͯ8?s0ݵA"^!@{N삉 }bGti .!~4n LR|C'MēLP#ghkO5؜|^s YhW6jAPžL_iqTW*)67Ѹa*t nxH|tٓIo{kQFS,FN|mNZ#/+G-2qQr7\>Aj*3̴nC 6PH!ZRRdr7څZg)KEG9-^k9Vy= $"Fjw8 ǎϺ?w2NLU:JMά9SrBhY6C88xprk) $RO\yN1:T-l2&2D_5T} n\C LH1L8 ?ޟ_TrE+1C 㦉 y o{ TwUy@E2K=9q!'؈gJhܱIĈAr0CYkQc ⋭l"f'OW52W"sDZq(/>%?,unniE !EVO=>okb`-X_gOb0BU'*<'Rx7T$5ƌ̶4gaTyZc/A/z ů qաj5:Yy+ M _\1mVBbmj(@@(Y! vj;V'W4(#fِW(=0fhl K7:ȝ4t;9"d~XGUL{h.vPu&Z+7(/R؆wкWb5e&Mbqeg\[HYߵ{vND}y%;ނB1P` ᰄFA5u!k$#ɇVR%9Ȋ-tAJMf_?A_d`:p (X; z&IWq_-JGWHk5@΄ۨ?[Ӡ&|EŠ.u:h.`׸n6g EG`mhF۠N/wbĘ/$Tz$?vJj}'TZ%Hcl-)hL4)'+›W~[/i7uѤ|_sfqR,g捷IT´yG9@(c#]8$@NLRȺ::^yzط"C* qA$/'趜_j^A2e7͠aĐ33DJ7\ip;ѷq?j2*iJX5M`:C%Eеy wT,pʠ K 4x䗎ذ3ӎ!w\\t !{2ա sV0d,@) у PuQ6gMv*˒(pZBHOB@fRRk*tL0 )X.Q-'M,[/RInut! pkH{DT0Nac :J) c-b](ezJ8E'ło-D2M?ʬȯ襬񺻳Y嶃=xR1)>.:&,*d9Uy JqtҼ,[m[ͅFQnV8n4C&āCLx޷N]@bAE!=!F=\Y쀯X&YȴbZ3ҟsj H14;WUHgy1zNZ X_O^ jt|'H{i)lMJfjÄT+ uԚ i"o`?oj0Y3K 5!3ClcSZY+YV.|O get7#'lkʶ96Դc).(-Ԋ$'wD\U@iQf.Ì>&g]E!U*wXi6_!2S؈pwZ*nA~O[|U{)7+fY, VASɿ/ fk'E-8CYz' ,]%`P/Nn?/E)amne75Ɉ>g`B;.\HD=K0tk>`wX9eJoeBPXlT҈s(IiTJ |Svu| 8Wdǐ߾ \4 0juiLHvO}Aq+DeDzGILS/Kd=H3A0jr # j~795}XfK2j4:0r|z6W4,p^&NH W> WIcR59,Q+\q付@r̈́2D4z8 7$؝rӒ=\7F-(#|U]l{ Dz0)S?)q.WDEh_}A7ьuq)wdh63C9!7UeqE/OyWy}u7U;?1WD;ζWA)_ڡOZ ZLU<)cŠ]Rdd7W $?ĤJ x@(T&Mw+'1CU+Sʹ Y)DOFm˻zk}z,+F^ʋ-B#2qi4+_ N.Tʽ5I;p).OLt8VCXǽQBո=R𚽵Keh @9^T6cftY-SJI՟IIЇ !a6ֽ "jv]_Qy9^,)1Vqʤl7%(LyÕee9 dskzڦsL閹5σƾ>]~g$r.'¦.&8P3A-$vB?a"=$?jC6Y!;.?\˜7wEp #I.˵ORZ+Rn7) ys+AgrOz< AG?qM%@=vi?FLmsgڥu%ps5]#hM,f4bݒO4DI; 1WYe){yLf 6=N~|q/݃-=LfJ}nMXd :F^V#!`ЭHJT j].Q8> Gڐ9GNy48FEJ9T(,{V=hZӜ J\ijQ1r=}ͮ}f. ]cpbtarBGNdtIֶhR; ʏRz.w&=Vc~egZKcс_;BDj/pjx+f5Pdːeff5u<[ߋyUF {+8nAgŰĞJݿ@;>83(y6tҧ(}<*LNɔUCY8wA. &?'B:nҍ.%a"k]u_alGi6;q{yrÓF|i0AE~l.͉ˮwUvqI{)R r&LWIիMa)oũ\v+xNMif>5?lnov/Vy$ '"=ۘwN## cxB'>LpĹPb=˿ƕ. ^T]!BÃo5V!{ |TLGa[FQBEuR1@Be@LjVN?f5uvs>5`Ì~dkպ=z >W 9:!ZJPa ~ 9FLݠg8uO?TUH ُE+dө㚦/10}n<+9&k1#Z)зyQnF"CA(^^1}y8v>.$~:pԼɃ~L|%kIM68q`1@gMtvZ` WAdoRR-db>KP'[U&mvrS작;̿K3IG,Li(|nй=Va:[Xj3c^(wڄU-dbj dHqr`6&Z q]]&hpS53 sUr p})`V.ڠ"5h=WD4Ԍw{Lͤ)]KҬN,6ܱVKr ^V- Up|9嘡rJKUu M PdwZЗ9"Ub#3 df' >ыѹş+P] N!ɓ..:lݍ/@o,8Θ.skFBe9gONed*Qg Xy;hEڷ+<&:'DZy8H`=Z7}}C% ٭25RzJ_n{ gpweWv jZe"`L2LyK^Y'q*IZkSG el*0[Vڤ}iwf1FqƉo zÍgmO|GT^=h:0/ 2=TBKl>t| y˦>\=437F->Ӄ&s|{ )#7o܇^^tFKl:Cy76x!#lR=F'o6}ӊ0ܭ> \*F{Lyv 1?G~ UVY.Gm(ODЗ= @AajR5t55]"~zK-AH06 &۶!_X# pq<( QbikCAagDmKƈGܨ)dЭdֿ#qR\x'wr2x'oT2C:5?VgěC"3f" B[ˊe^.DhrA:北0g5(2K>"Zh_w2ԝ/ o8)l!#Nl(сzP55EH!㎞}S ?lA87I϶`::\aaΌjD&[='у= D)7mNm:h2ݾbgЛyzB,J_B}6JNm(nbtlWhH5iLI"`zjJB:8 KH#:ZEBFLyeWZq1\1zm+ I! BS^M.u͹c pQUUGwDFeKP~Pʷ ̐DsͨKK`0Q,u*FFZ3<[NP3`WOqWcbY/1gCLnѰ~lJi`i(Gl|sܢ[@b vfe3U \' dB̡GeJ$=uP_PB)Vx\:}&Q$WcTSXg\!lZ!|#һ])A0a/5HXţ6-%FP/Krl5wYd Yy='zѯp]pJ[1(6¡_VĚܟOw|ex?g U.NKjn3bUN0 I\+<j;i8/}̈w CW$Ke^8ai9X3~sl;C1m%b~BƳ^g{򀱉4+R86QIL8 \ syV_'' Tv7MJzasHc<ى;SЈ2p5B$ &9K p,U挿7(1VQq\Kft-7*-n$HKLiDJxR8dBi?e52rp(rQ|w<ͤϟ?qT  0 %>Θ8$ȗ%W9 {=e!."6׉̠aR#1=PNt}\!tY yTW .2 |ڱGL'kōayR= ORJdF/VŇAi;̜>WrLIi^vLptEY_6["sO7AChuIm4}</ ל#9k9TkMC1"g꼝H[5 nӡ2ՉGP!j@GU!=H]V"3CG86P"*Gzjxk} r }4-F'wzDSvr`K\V`c!02eb\аQ-AE`%}_(j!֕r[L2='17SM@tF([@a˃HDb簯1\e3+I[uP3/Qq*|d`؆WjӨ1d](gnsǣ1)![3` ^PK&Z0*C&y6Xf7T֌pBAgw/\L\,ZqU4oE 7l#^Ƀu]M"JtGߍhDeInAߡ0[NJG ]/)egGoW?(J C=\'Z00C5n>)EnWWqKJʧ=2Um/n[j叧YKa]FIx4{Y B7K爿ւ HZ2`f w6~ݪU|b &POȨHVۡu_sI)1 VׯkRu GT@>wiH'cԙCKmL5Ԛo֡ MNUnV1|YN[!bͮiL}#E%͐Fpr*{=xP$3EQm[-4oȒj'`>e0mvb9Z$lcHHvy&jk pH"U٢l>?}-p<(·1Zn[ 0G ݄$]I +,OJS){@Η?Є)@C+_% _.X\Q(/ն:+#I?pW8{ϛ;æPRR.`hSw9Em濞[ʘ̐i#_v7u"2WvPOZ ' Ac\+A l䲖17Pl4 [W_YP!\ a.ˬQ_6Ei9:&vQyf}P5Xo8}<]XUnC"h{17L]ۀ SԚ|֯.6vAjHXrVm.K A&/Y[HDXuF5sgޛjZ=B,Z3-V}(&VߝF=3(7N-{:'>5Wx8{>5#v8gC>gNp䎃^DT!F=/ӵpie &%"3LW[WH#x=-#olkf ʆ0o5"wFCS]GAfFƨAI>ޕ5@TGj \NۋvdF;V_>x숛#֟ڣ?#uG(Q%alU}JVx $x*w%/#qnF>NwctճwqZAJݍ]Fs$X)oʊ7ibwNG%CTyB|rMFV^>;qOx+)>Q]P]Q0~.g6c ͍Iű5#l@{h65>ud`Iv& Pf-zniƻ:k5̙n%Ye^脯$S#]{$x\o-z#9dm藐ױZn%Nct{vT_U I+ir"fƭc$ל;#b"x3dAឈSZpJgxR$xCOly|(kaKs`aQoEU%E='}_cR*OFu,T~~ȹ*Z3xNOX+~N=,:~Wzi}" hxzpGJbYF_IN; @- 5=^u6B4*'$IF+]+"OsJLnΟj£@} QqBߞm|:- p;lOVY.lv.RHhlDj8*̧?&,@d&?V1ǚji<$049L8+@26! hve]as՘?x,*HL!Qۉ1 {8p`XȹaOr>6emGsi٨Y/Z3>nFw˚:^ɘmageFqD_"VyTY<_b%4g@Ue 샂2X5(D-@^2 NڱqUefFUn!u%/]{&zI Ӵ7[A XuÜcj!_/hx!WMdDbU5?F{b,Í0!86QIcvX,x@U\w*N*8,Qtd7yυQ ZTKHccV/wkֈ6t283yϹV2F̄uuT )!jø [Ie̋fe8~x*`]<=sIq_j%|E~$hDd>WTod~q[1rQEvnGnSb&B=όqalt95֩$M]KTކK\lqVVYĿ̊e`@'aS:E7rug%^&i$ ޟip3MoHi% LVg7[J< Six)LEK-I] 5%}2[:ijCW*b[i!=eH-g -eV5 Xz_]i.wŨ|"f դȕm?4h=bPq.=YQMwACѥw ~}EXsQzѣ &~I1c @d;u In9ӅĆ6L&lfH7H~}3-g*W,.$&oώ77$]oEԁzq; xj},PceTєC%?!]iN=n AQ.u%w,AWKXdm_=cż#ƩbPFxƧ-0I{X|in1SQ3YPꫲk,aq;7.:sU00bL ]S0M0D N2>y="J*6畍0εXi LH=pBܽN&w쐻ɄܹXG{U6qb<$陯D'fUBsy/AnFVrMv/h4밠*'+Dj.h"] (͸(Y=: 半<[u:*N\Kq>0tgȎYvw!_B݁MFR.qJOj f/Pw .64seA DnwWP.D=[ 2}ay?) q~oo,Xd$5761ܱ? L7'qeIf߾ʅh([YҙV]]F:(a@W8yaUWJE'T;/ O@ɛ||Όd {V.% )vpF*+Ge6(ھI$zId a@9>d =+p S+DNv*!u>AXttL n756?lމ@ȨER/|$K͗&}|]]'p8HpPՅAUx1ů[pS׏Қ%,ldҴCYvp>'D[ЕdI 0N ݈E ͧ)ySE34aVR?+;); p k6X@/"IhlRh9o]2lFa^,1xޜD^1> Q{"ڈaxYJFBV 77qFn|R`-f 4}ܟli'^B5 "DkHȆYPdQe&*z0v$!=|ꔻ rJ5iBA8(bTaވ|j'5X[)+:jBl{Ywr8zrx#s\(\27'pTnvhap<p &E;n7agf fXSjK!: ?bc-.A+{m?2U0bNDx%e+9۰YwRIډ>aYBXrʞ0[sm#@!_O=z)f9t9a7ĈTI Ѳyܸ27#r_"nTۙ*gֵoxx vgC uX*_PNǸvMK%3폳UŸ>*FE?[7OWlsǀHh0WM'pur'1mWJh ;Gu7ε+KHㄔ#q+ K&ԭ9Fւ =¡{.~}ÿ =\Pl; jhN1 n ;Lm:K)cw_Gp<QbBs^iKÚSӯ8x e".a"M@6'yRb厭0"kNO}f`J{ N/&k0y$4ЙCA82|CH]rq! Fi{`dEVG[Z?n4=[\Z 0-z1O:t_'5UasF5}$y 1$d+=2 9`iWzCI`D|AaL ]\ G]Z7;C__?X{RMS, ?d=(ŭ)Sqt<؋J>Ex0ݿ;Z%AAǷ7ꔕvFN;|s1Nz\oriu^e_w$eI#%28sK A="Y:1xXk2sjڢ0gK]hxݧN-`?sSkwbYuQt=AGWU}?z 8G .;d+>{p:ze;6+(sz //=JqK Ԡ{'dUI4(ɯ9:8:Z%f.^D4OoBvecMU9D.AF .R|NW#RÜ^[H}ovqi]fyV=DvVn.w%jf,5  GZxꭦye~^@&7F%q&,644xJBcM]yq\w:u\| `s9\lcڷΈcD 0"U#,uSOŢjqPЍ ӠBu^eXqޫ?- E66" f2viqL=5H|jg-gkiRiPk+% :ױjPd 5Q}aO R&^#p Xhr<XG$9fؠ#dFM:ҔHn/ؼJȧ_;v?#\&Q&k?֝M$_mdƲ9Ӫ¬¥Tb~h+k)3C3`Ͽfu匓5͊t4("*' As]81UIň-r5*͢7sF,Kט>6ZqJ@ l'OY0m3ȭg+:}3 ΐ5Z,ą6NKOsaz#1t> -5^?ފ{庋6h 1k:$"ddFgN*x8X_16=.xĂ'ۅI'; [W0g05lB\4,d0sU"|ia@k4ns +HK!1`CG1,b"Q0dyl YҜuT_mbD!!>&7_wVZ橃g"mj_ۇep|ǃ/ce3JU1f&RYl5$gdH|i {{ c{l\%uv~Cb3SsQ”US>ov( usgRܷ6$U' Լ4"dȤW.\ٟ(P장AjQx`{ [LQE4:Nc9ͷꨫ+_ȱEH#wER3iijb}Z*2efvYMMڎ3&Lм\wERr^,_¥ #cTji` !%PUYt Yu|pTW'Ds)re`#Y-v3cT K?a9QReNо>̊C١Di K\qyJ ]IJeʹyT9@VWbײSݙͺqO6BeQ=]tȉzƇQ Qk/b'-psup옾t}-jecN"ЏI,@uyOH%%Mh =Y``^t ^)9^H9%Т|x!{@w 凭,6ᐸ^DtK%'VsCjGEKrF3Lìr?a}(Q)s%Trp8+AǠ\RJ=(-iw8n$sxq-罐,@zu  w9Y~b腚"2_FZM(HД<#*A sj^iә S Jє[+!Z;b@}ލ3Gq3[[Ϛ7+ܯN}-935J7֬Kz JI)d `*}f̳s-5/N@l:'ıZk`SHm5.J>[dʆ*iX}?D#xZi& '!mkNF3Vo<چS~D5WsD"\ C vú 6=4en~sF?&/6D_aX_< !ل'z'[f^9ȸհdi&,a8oM&76KXzw5 _ ˋ@{d]~l2`&m24PELf leTBOR+N-Ȅc9@|+v5jP'A;eޮo4%+C,NG4>qkF*Rѽ:*u98NaN$kt^X3A36<ʒƂR0SQ5wkK|{ ~҉A,D r˛)++gn{)|g3WU?a>{B` [-H6ԑ˶7ӄ~l,%/?vc:ut%򎴣A?&&RVar^輸H b6Il@qu-W 2(uol즲O\B0^gy>?1-c!K=o5CˆoQ|4Ȭ2RdH0M-Wu蟮)a>P;7tmܴn[Iv,c!_x³{___˾J5F`dU78౭q& @XЍDAi(nt~t"i/?4z0djsۺV;]P`߂nN GAFĽ+ 9Ʊۇ(9^w%?%sZBx>!&_?yqw78[>yh!X4;˼5tFIMN+=27n@rGRS=%, Y8x9\4i02OWm@l^g9ˢ0bw]nݞ/\l\=7R}g4N] tlq[?<׻&:Y"u)Dzt`<^~Ӣcgu;? h#AAtxQwV uی*͜FIgow8\Q!U` }XV֥ǓQR3ɂ6džPt=v)%x)c!5L^h1Rq"I!VM*Tށ Jeh~κ!?\|Y5F A@j;7͞Aǵ1)+=2ՐN W-YŘ>W4<8!='S>$U!5h{* z E',!t.6dnTPj0{nīպ>4uoß?/kH^7xnllZ}m%M剕4~+6{穏Q癉 y?`~TrLQ *`D1A'Rwo\RyXxf/{XTx*g"'Ea3eC=iw62D:]6'+%pPo*^Vxb; ]?Sܮ}6QFəSzutwXd$^o~Ke* «B&x^*o2i~9H^(rgXߌ߅CBkXjNs>+p<2wCQYLCBDkA ( Ev#iMݙV\#kVzm` 1mUߟ*Q SY$j5+|zo#XЌXPdemCPjK)lrsX HU3ረwΥo]$QZn_Ή;Ge% HdAabVL0OdX[)NDxU]@nH%|;V%;5<: $bkyð)=ě~`V a&eYZodHPq1c|O6?l{m)# ϿJ`J yj;>ፅڲ \ -DC*}zSULx~P6"_2%U=ax29+␹ҋD`{r!n|>glf4&L1f.qΈ=F`Ut~^0Z.%0C56ʆZl[!q ,vF@qcPDIUMSw?P-aqE +^ eHy5b#&թDȦTVvήb;qa"wDe2Ԭ+2FEҖdL9 ;Mag;g!K9QQjy+nRDľe$_+KZ_@|2oPz>wS͒q[)itN‹Frl+<\tF+y=Cd/~+lˡXg~ܾeǏvEâ {Ii:~(sa{U)~q}&FOn H+M>c;UB6(^lӞ>#hT>.BW9?fͦPsXd06;/ 5F,gf|XJIAx߿#SDLHi:8ݱ@Nnu&Mɖ .J*TF`ui n3ܜ]b<|K yDkyGiF@wk\v9$e%~RFtM8#[N:#7a!߸jcD/Z 4q3 '^Vu颤";8 ?SD$v41\@o7>+Nwr}gQΙ31 &ҐvvsCCSK8U"! k&4[YG {M73^=`,s bU@)$ J@Kʎ# JL kdqfV`j-~˹.B&38pj5'ʵn~?WBK *IOcB6c9z>>XIZ>|J˛?6&?͝h-7ކ$1~,/Vp$Upfm6d4SFTHp; gsUf8T*H*ǗI2"8)gl&Tt{P͓~R&ПH_ 8w<k:2Qcaq$WYܨa8?{2#wL4 ](?>4_ӱp߾ii~ud*o)Ŧ?KzkgVl}GCy/g%Qzةg}GG4tB{s0vto2 oĒ XaR/ Gk۩|rz@&_߱UR_^$X:[oln9 *;0V3M%k_3{SyZ?tKrr(V'w])?#?ի}!(J9RSu r\<]Wa^d f_喪n⍲ʜKR\MVN%IyZPfyP+x[niM]GA(P 2 K='seto4Db3;⟲L56`/Npx3?׵Dv2 t[ǑARF^Է#j16 9yzq= >ӢZB˳>DD ¾nbezQ( Hl5²[lQOHƊrdXeWN"a5DʤGɥv68k1048f@7)<vД<%U(C8U+nPG~Ff286U.x~د3#kWߓ`6Pdv~; :S/WP}ƗcZHbN+ڬ@z#q`WZ9;¶`6)0vXM!6YTpb3J歃)J^ (G]II5 J[\ALlD[ԩC(n)5cIvA6O5ژ0ڵzX-ʭْ-;f{3&mZl5QbO*fsL D9D&f!hY6hBґS6[DM&#atv+uB,4EGoӨ:ao;\#DeØ^\>JܠFEH.[Gj=SvTèQ#0hOqj,e/7ތx=Vz *pfe82k-vS>yhr P2F`rvtמo?{fL!KOf :cD~kc,+*ǞO|BZgGG kKxXr>Z>,aA'%0@k1mGƵ(ff pr3(IV%nӺ-40rv{O[=hjbKQuQϜ9 tW%Oڅ~ZmĆ59QB>5,TEXWR a[Z8]0NMmL}Z6vOS*tSrBb8yŬ5t'7G5Rkt5Q}7Y쑂C?'u;A /3Laߝ;C0ƒY );{횛tVCɑoX[?~yqSVAVyNKvA9&[G*#v?p8[+/KԢYAE=D!Pګ5T9rO#>G;J48[`+#79ҸUaqAa';PbU/8I%a۠o K&Wcө)GN>I<"sD04WmH 39nf"]ieĀt$ꄜGT{n ?(rxF7A(\NlteMx$=#- G<*}A9I5EGC-?bʹw}uh#гIW?2#ܭ[\9'iSEɚgfeĉѾwѧ& :,9ežue  %q`8+eYX3_@Mz6s1,7 6"}4:׼/-+|K,^>%\mm=:'Hlu*5v ̺[R<%MrD.Y)osǞn/Ʒ6y@qeBoNm6xXCa*;;/"^5 +2}S 1xh48E P|q%U/\7܍.+4- #H5X@>ͱ3Z犐a.{q<k'ZgQ7n&!g쏕UWQ9o{ E9[o=*k?%-eZ5bw41e )YhDv/rAfbͰd ;R WZT=#pp%i1 yK*F$n8D$gN Cɭ|!سq sJIi32&n=Vlxh=\fn B]"덯4nXh!WN /( sIa`E|=. x vnBL62 SGTBgxDT)KIe"V9h2DQ{HZң!,Fo;%|5{C,+{?uc晜Psdj{_pΫMQVUi,MJN\zXeLGEDwSP8z"7I #ڳISŊ sEXB>*x+ 8*,6y1m'lrv0?/ѼT#NۄSm/І&psg$=n)X7vi T5v})kQyK&Ie ~f Vy\Zy˛^p7n*ǶF=8|YGWЧՈ5>;?X$^U6$O0z)'a"zЙoaLsAa38BH29OAcݣ?3<[ j #M3;҉ةG)5{A t"!Xb".ER(bj}[k{%6Tozc.QqNfE7Gf(k,Pmgfѯ G#}9f^#滜}6֊Tbb` u%v$tz.YA{ 0b܆{3IJ:-O~P_ݥ卵%A?yeأoD3^:idIo Kl#.ԞQ`)`Uvڿ b%<ʓ5Ol9O7.zd$pū8K?ZqY3>$92 e鑷^\dtI ƙ9j=ǀdJqOIޛgavZȬ̌k (.v0Z {1i=βg/ x%b5?TLF %]r $L\,~;ënKSVwR+%>D3jс=HGϿoy:5iE]̔t&V0=.ӦD~T!o !otDiXi %Kޭq^6_ǀO;JM5.7!"$|\xda%k!~mIf4+0\+L:?[N߿`V.4=}X!c?*}X:n9_Ey`4OCl2V:Ϝ?oxl[&zk񣰗/UpUMl.qL$ t>)#BwS+&oM:ԑpe%$]Fg=))#7@<=p]pcQΓyqn7qG\)2 Ba&}?OF܅M~;+w߮=дgוbe?nUWR3ĸnt8%`oT=9>AD.z,{6ƈ-[m%Jm"-LHe~ͬĥ++.)D(uYG YB@lte}o Zק aUf<0ɔ=;T"r@a& pTA9V ~GylBM32D.&Rc#.mZpq⚡{v@k}06.k̻T3A1]䤮+|'OSlp.૖acX`DEO $>ry0RwY\jZ)-"d5,C&J~BG>gFguKq?jpL[e&`E8%!8 :3K2,[-st2hͶ`wZHSk"Ż':0DpB-g!{Za[5+V%3ӸicLŭ0 E%$X-7HJ'!WiY͞Tni}a< Ӵ+q{у|AFwѯ@J:_d:Wgs|Bi^ڿ}ߚKl̻y6Tɐp;Dʑrq8,d֔*"Zp*ʝ8俔i@?\s;ɔ-*RSkQ-#eټ'::-0AX|@Q\9K@]@3bo(Ƕlf/7z /=P(\V,s?,1Q aMuՙ;ꏤ>\Ņac2>@4p(0H1T3 O#z7 Zѩ[^,,+C*= ܬ֖Lߔ9S0ku+?c,N4.dg/߿Rj9 "62F?F"V0 g"uPU#Ttcw{FUnMU?쮨x\rfA0j$s^%$=T;.mvR׍pBk1%͠O84DD<-5|I#HlЩQڴy*1<-Gkrc*p6U 8Ȭ9RE!{izv_CSgQR¹ o]5mfp&"JQц<08&)Aݭy3K*XOlkt[Q9ʼ|VNlE }h/OD4*b܄rOK??Yz,,މcuxh~OewGΜg%LdgyAPc%h˳w8nhF< :d\+,zUI"Eެ?f;QϭXc^d_M'>7:4p5s -j;xޜ{yE`CP`W0/}<֮dq$mx ;V7uZP˺ml%u'wu/'}-:B љ&Na\;1zցZ$Jbg^=9cD3 x_a ,_ŖixImDo[w5T;݁; D -m~=c-4w?.w8ȣJLR#x7Svnbt )|m=th_&Lr9N{}`aoV|iNn-g}460iXn\s$~ nt۪G6}$M{߲ (A* sc t669W,9+rPs{H+ɧs5Wk-ٌ$ HE/&Lх ~㒬O+(x}*ߪ7> "Bޔ.7fʹw{ iy_u IN%Va ad+V6\"Y-۟ukjb oI}w5jYx{xrS5&WQTB 瓙E '{]kvV A$nrDeLt;}ܺo]s/3mKG|/&ŴwVشu}\$M!RvőG>Uf3llج4.d:zWxT7'$,iŧEЃlCANzZu0r'8 ǔfiG Ӈ~To[eX(jF]2FS_g1K#݃ P-cG (x4􊽞ըd6|2VEr :.OzYMmD=Nv8s07\[@Ssw=t**Y`_+H +L=(c+w?]}ۓV.sZ^r?/h Kb ݒø4𛁡ڠ']UfDXP9(Y8[b(&hŬ6&Z;4uPfX۹XHi&ِOS 8cprx2kqY ^7&}&陨\횊ӏĐutKT @ʢ7[j#k86`5+T`Yj}r RAjhƄfIԺpUL%۽s/s'a`9͍k|XݫY2pGAXoGL`X y>t7=5kBii@=/`EX^jME=b -~gFuhpI J59u$zM#`2i  "a)9lp?I[V۟Ke0e6.wW#KB3AdSܚD}a֙9B' Uhq lľn ;W j=g_V_3JyYEܬ?lWm6`qaCX9j~,2I M7I/|}73HsTZЍS؂ɭYd6:QOTW*|eRi !.n8)׽`/vXD1n567 ѐS “ F/"D'ZRY}]!4U.WJDqLK >}Xk_S1t$K{=L5A4wHb-B^O8$h OnǓ`{]oc X|~`Qq'_h$Lk'K:Շ\o#6l;ݡщ 2ݍ# Gdz^;h PH ҝ)E`yLCs^b~zƑYK=z@qmE]LB!/:vfm^Mxak|S.eWc7(,Lֽbǥ]Ao4~+"gO@'gΤ,gd̨3 )aYz:SI )FTblJkf^.#Q# -c_@,պg%װ|S:fGHxq$R9DLK + Q&voY u&8Z ׹NBȕL^[lֱAM~ MN<T %?-M/N)+%!u8GoebUJNS2?m7`!DLwQ.mKcWG\[QL_;۪. SsQ7\GXN9=(\T/$b3]ǫ{{" 0C&D@o#wz}ȝ!]JZaS͚@^k1t.: xUzTTC7_j6؆Mr.$~FO_, &NڶW<9sD:Ol:+:$oC$Eu%Zgvyfb<[4 \IVh0P;#Oz~:@V=G4p煲N?%'wjBRS8\^hJA[g;JQ̙3,Ag/I*ξ!,`3 ͖j(S[Rdx~Atq~/QS8F-b[j { G 6MKZ7fJVv"كY۱r^nJ+R?:bY!;<3P(^dHe bWKk.L7S2!kQm0I%0kPPjPj+x?ķ`rXq} Ew Z Z ͎ΦSRolY $v'5ڐ3@VNhmY _K R$el! "i ؈'l9SL_< :u[ޟ9{y9͏~|h|]"$ (u4"bFAO )wy&G˧w,ʙ.J6s1|`OgN2lrB-eRM% !C־Pt@[lu~HeN`6DTi3<> 'w OyFznSd0&_8Cxf#0$0v,vh&ă~~I߯OWr(J"=s]ѽ.0 f٪^3L:vA%kH&^a K#iWs7aK+c iFy)3}NָLPJ0 F`\2w;}'j|Kϻ'>zVBTNMHcτAZӠ⛝hV c=B1(K{]n\& Oqk[#wo!}'t9pnbNiӥV90~Q@p{Yttx XfOaI ڣceDڹw,B 8嫳0^ij S!ֽ?X9TK%ia94>{R@47c)ՉK_Z~88ʞPwup6j䪀%ʔKLD#b :mX&crlvD\ FEcx==+nAx`"+Hߵ?m*i@J0;e2G4q~(RUͤ.E[,Xx|C2|Jݮ Ty[f;laT&"Pe:7L#$NW3/ō"/72Sd6OPZ žaoI3ji.b~  %>rZlv 9T*:j-:#*'B<3r0L% DT|Lt[0RL .++{^s-C䎶44᮵@25p"ܬ`\TbxA1)j-VmB[P@g,2>zQݹL 4~śy\H;"#wrD#*2O<6 5C0|3nW|䏛Ӧ!\Nw=g9( ٔ?ŵ=DK/ۑDhX3i҄'Rġ w]t{hL3bܙ,u=Xt\2V!7 qhcj !f+w[\$UiJ7x?>UsJgżS!+[uXWUfb^^ҁxvZܫ"F/$>gHyM8;o˚a 8-֬~jF4sM(웤 x)$7Z@-"LI˲!!N/.  .1#i;c]A) Ǯآ+6rÁpL0+89ɖl|o7=;wmoR9rl=\ iwĭi^ S%BuJh@Q| pra-ƁHcQT(ݘ~TY9ҿ}?$~Go0>w~P=5Z˃qaNw{Ivc|L Xa.M>wB$S XfTv^ bqRZ9t\s!sܡܧ2臊O"#Wc'y v<&{w6 g?Q+*z -(]ZVc.W@5|k5ѡ~K@P5J`-;qd怱F` އme!-نG4pKl(}/K9#g$C$[}T%pZa2>~XxPF{vjg:L|.qŖF ]>5޳4,{iW']Ӱ ȶ 5WBĂeM`y;3=0Xe p%$qWoV#+(v{xg!O|OZՍS+[jjUg[w=^H8Xٸ}_9:g!f/R3E i( :|[ՆZ>''k3bDub%d{W}i1 %7F- vw9WB. >#a9eMѤ0TJ)ߡmᖆ\&`LFh/ø]oJrvY%X#GP˛5FE%޸,l2k_plDd!V9{q][}u qx Q3$:fZEl)w}2" b{U:(a4Me k?@[hlrV=53E WG#ĭü/| 5F;ri*|ʓ(ޜ.Pmrq;&4lzZi$E~'wHyt=/iq6{73fSy;*/A+{.KXv© d@Nɻ!pT/H mnBi./uCSAҭBz sH}bh&){!<]ٸnٌS^óA9j?Y82Dv\̙.b g0"*sWUo]hHƒaVWtbŕi5 SJ?n^LjdZ27߀-/>Rr@5Ζ2RR>{$~qBDq$:3tahYYl +Ԙ:me}bp<NQ2v˷qGiLԵgaM_ FQ9sԏU*{ ᐊ͏~SNbtԨeY$e9EX&BR1t̍ץE]iזyxik5@d;|͐ FjrbEݣCI@VyNW$QuQ@$wRu.' ۄ~ b8|tO+–>>ㅟ^p G'y=NJ?ŋINd N$j֧yc41>41{(ՠ'Zwog3+>jxX5ݚf"fZgQG\-Ca8Hiw7m4iQhł+GHM(&o1@30kG$:zcQP rs4B,PgT`Q!C)5ҵZ>Aӟ֣ࣗ<(h8 smV@#]sNY,~fEUkbѪ8Ķ7PjaDBl4p~U$EE69n=fUAWGHeJwKhOus̋h*Qa""4\ܱ* S)Ƭ=QS̰SJQݏq֏B~+uFX^8!nM}BO͘O߃e* '9İ qd03+~h_ES>ĀlZCDuX6̰Ԅ 2Њkѐ8kTޚmgt +|uExix*3d۶JæҰJ dO3l54Kbjf5S]C񛸃(gO}YOd*CQ3 7=qHbILR^H6DЯ@?cK}J=f6D^P΃%>J%,}@O;,* P\qO'8-AՐ0ú:HN=KxO'Q F*$ۇ;SА 5{'&J`iŒXnWSU/Y~\؋]'s8 UPյo%\3oAb˅ZŇ`0BMFpvq5a 0RG_L@&m=yV݊mݚҖ㬸OnhDFnW@k`KNب?$ONOtdϷ.Tb}ã'̘SmƓO6TA)Xf](k2$t.Mg&'x[pb`vR^)H^=|h/1szţN^':AA|𫂔;KzcN%]vK%9yeꏙ C wOȊM+*|6lrO'd LAE*a+M4{<-t0ygHw5[!>QsWk_%vqfk|ʴ=YoꞸr4)dVH` oVL#Y3'IBF~0+Sv~WDЄsZ!u=sRoho[tF_׼`>Xn-!obX09m\f[JLψAǓ:HS؋ %$Чۗ ȊDmegq4<Gw_L%T~лc9 Ǘ6nv4wf7{%$:B}p ` c_Ltpp#FEƳMfo 2uxlHɕJ$mW}t\QŦ_sMi0@lpSs}SϤ_'*^cWсl+cx\)u(FB#ZifY;PBa6ʱ])s/W8oE/ 5_\FoNrQnJV(]T>0)TT%g]90`!qۙQ+@7QL2/EO2#iym<NRַ=/zm''Pكz v{)>cdYw{VHE _c HȽ)8~V8KhKSޢk'Z,Bga^tE$azycWod=*5TU2P,5j7V\BF00-!˹Pۉ^}$ Zd{@MS|Z:4\鯽ʌчF|>.'"#umr_^uܗ,Q*f^V)VӗodK.Z.;p_<sQPIeXߐ}j"Τ70|a.e20$($k/Duϧ ߀$M{^_ٲ*6͡3_۬x Ԑ|MX2W5== rU gD(ǻ.@dX&gR*@̙Dd€G4)/4.I1G)iZB:u_5O!Nj!=ZvcCC<;ml{ kCj+ڔ]C%]'*; ¶O7BG6 2q;ZD7שA?7&[}+6:!3gX*#d2p-Kqj,* ,2߷˂~qynMJO-EWvi7 $`t%SIN ;bAq#l~&5y-Dhev fۃ7&q:߶c}Q]ƿY ~ izh4OG}29%M&RsRI9;H2mE܎{FaQV@ -adw472Y8)5?_g~{ EX:QPeF0zas1Ղb5Pq8GW48Q? xj'xЂUaݟ+a.<.`iL f?dy5CS;zfV)[M.XHh.uU0FӍ-g{I1sC#q+nȽgJ XFiCUlWb* bGBiypfX̟ꄛlf = x+Y9!i+sNT!L^kIf gV|W"\J_lm0VubIt@(֮c>*)%({3Bh^!ŐhtALOL ZҤ@f0`@J5j, ؎:/ݬo&a 3sϹ SDIBo/- f|5%(5\E= J_#T6FjNz!0졜N#~z{^~2#h/"v q>+I&i h:\^DDڲ-LKmeփF }+ѲA=,XT+9g`C^X8W}w=7%^ h})O|YnUp2?9*SX\gEҺRFAp$d|\轢Iz0LPRVAgv8@bN}|1^X&Y gp_CTJb . Jn U0ۆ$QI|X'_ Lfh\l.T+oaנ =ǔTCMwEQk™;U\h$7-S ZT7MrpVzXJhz,yyXo}e캔k^2O$TLtv>6$l*5t񴈒:w*2r # x_" |>+Bv)\ ] U^))͖5V윱]\yp-s^o_[nuGb%^`LX>nȃxud_5Sj0F]EM\1sOqZ/e -`) {R\3O_()D1y#blcJmKov88d$Z<2:=w=TDN&W >mRI)u֢'GU68(D A]y=EEu[ 4΄yhڄliS) ޖ=0&Ü̜|b?43Yru`kfZ1`{ M6j{];hN64p{by*d TDɱZ~Q#% Ɩ'ZEbF:aYԅɐ8%| boU"uS[k5$:3߰ DN ٢(xWu%TrF'?r$[˜x: jWtl 4FN94"muj@f+@OC iZZ9pQ_ W6`2. A]$6$P zY9՟Y~aӛ(bQ \gkfVʧ5֦#y]Nuʹૅz2^HXpvlGB4iDX2kudT7 h&cU뻬SԵSQ1Yo>&\/!8;D> yhT>irbVY3X u?!IRɮ< 15t<ƽ ldPLS<@%-HU( tEp\W"" Ƣo2Eb7[i"Ԧ Ä|!"6 ̠kocڶ YZ