samba-devel-4.15.8+git.500.d5910280cc7-150400.3.11.1 >  A bވ{p9|HLQo;Z%LqĪ^OZ &~,([Ԇo8/a &Iu U;{^kn+@?7+rU @3r)a-yl,+ y6Oe5Pk9JsnLC4r<$ }'/33583@Auϩ)ؚ$K(zfg&!fnȿ7!R༹ܔ%g6995544b8ca20eda4f5b9dd9d0540070d3cf13ea01a8cfdeb7b136c13da8df5d58f4ca274af60d3b05a4d6168b3cb84bf627a570bވ{p9|*`,ay] }YA XN.'~J9; z`fe} $?'P)n\ bSi.r,ͮxP" !h }JH]s6ai3o_JTrcYj8jL_J}fn蠅]J~Չ$эCԹ{}[vK]PIy5-x>pAk<?k,d) 7 e/ Ee|    ! $&(+J+-$0l01(28296:G$BKFMdGM|HOIQXR,$YR$ZU[U\W]Z^` bacbhdbebfblbucvewexhyj,zjjjjk(Csamba-devel4.15.8+git.500.d5910280cc7150400.3.11.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.bރibs-arm-1ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxaarch64( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l hd Z=1y<u .Y3T4&{66)w+3'A,;BG\AA큤A큤A큤A큤A큤A큤A큤A큤bނbހebybbހebycbycbydbycbycbycbydbybbybbybbycbycbހebycbybbycbycbycbycbycbycbycbycbybbycbycbycbycbycbycbybbycbycbycbycbybbybbycbybbydbydbydbހebycbybbycbycbycbycbycbydbybbydbycbހebybbybbybbycbydbydbydbybbybbybbހebybbybbybbybbybbybbybbybbybbybbybbybbybbybbybbybbybbybbނbނbނbނbނbނbނbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbށbxbxbxbxbxbxbxbxbxbxbxbxbxbxb\57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e4
61bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9
d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac7bd4fa49f5e0a09ddbcfc55955cb5487d58b781af3350912eb93b82075377d870c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2
d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e2039014d674fcafcde30352d9b8e26bc709b7884d695d7d6bcfcca2cbc89ec8f2fdlibdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2
libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.500.d5910280cc7-150400.3.11.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)sa
mba-core-develsamba-develsamba-devel(aarch-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3b@b@ba@banopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@su
se.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuel
le@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742: SMB1 code does not correctly verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). 
- CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't 
reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * 
pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but gets it indirectly anyway).- Reorganize libs packages. 
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; 
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() 
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitialized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substitution; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is no longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as Windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after-free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develibs-arm-1 1658749698  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc70.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc7-150400.3.11.14.15.8+git.500.d5910280cc7-150400.3.11.14.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc74.15.8+git.500.d5910280cc7 
sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables 
-fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25017/SUSE_SLE-15-SP4_Update/a5f316dea5f06e3771d2e9522c42f892-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RH\+.R?>utf-803e015fe7c87cb6be48e419f3f85aeee38a067869cd3c2f2f6b156c7de74b884?7zXZ !t/0] crt:bLL D4rg!lAoHf(2nL c2mOw+k U*1NO0+kW{buL!> MxsҷJz#0=Nw.e d|THVqZJ3t/5mO7a,,cZ1KݛD>;BJE{@K"U vgRNy D$#T0CvIuۺ'+xGAq|ڀgܭdz3VT8dƴ/?i W&)omJ_ 72s:#cf|2s7Lz)~ë$&ސl_tPTfwvmY`FК_$ҘZh_% *f8$sXn0*駌wfr ]αw0nrT]Emg<]c^J/8 c|,o;S)XŖtn |>ŹI$$-[=btY&ۓEur*{$YbolXPSGfӚ6ΜBW0++֖=37ɔV> V)@VA{4:yͷb->;B5rQ[y\ghKDRU R44+Wo~"~#u9ݱrf bkq9_车@q`yyMֳͶv;+/oopUh%nuf3>}5 ա$dr Ttpy|fUyJqÂȉY , ݳd/dEY5Qyå) 4"RxuU@ :l1/^0 StGSVoN~ XjD7U:%|)EaAtM"Y3=sc{O@Ps(Mn"TLdc(QI/;&& ?-&a|FĿ%׷,q |0_3N"yd!Nڕ%v?x! 3^p3&=}#w4+>=@*+aKTע/"KQ_nU/`d99?Iw4M_`LH؜N5Ka4lX1 E@0+5ͦsrg#3=JF\`)c_〩 'i'pmP cprJ 1 Wy;H>nx֒vME޽vƮh҈ECБ R{# #Sɕ8>xZ pI:~CI};fU]C,qVJ08K݉e=ybx͋i1DZHR$c| SHuz:y?2e)kKJ/mӤWG+\ @c4]RH1Ԏ}!r=*?JRheVނhކ?<6|hfWk5n|5mw^Oz˔DohF9<#CKuӅO*Ж^C434$HlQbUVA @}g7-姰iy,wޡs{Թ!KӏK:VMRBV)S$F@1fQ(rZՓ0!VMw*ڏ _s2l'-vҳ#zUBx%  Pq02c;J@88׏UXRO3aoU"&YOseی%&G^'6l>27{~W(cL^ONM Y֯F?YB,ΦL{͍qܷ >o^HVZi"VO#1VX[H!gKD #tSu, }J:Q%&+r<3I:f>C LX4YlԷ)ߧ#PFe`it^'*{s5h)ΆAo K +>Tc]!„ZJy1)5~G>VXRڰ&y>M:oTnqldIB q e6i&:.v^~r?O]t>t4#lH?=22ӿCӱ4gL EUiZ}Is>MH)56E)8'(!o62{FGEi.avᛧ,l-88/i']h rdsZ>y}0T@`j^k9uj~Y"a 0X>>A;͠ s{#EMNa]m?;hK-u>FgŸ)nq0/?6{b0DN1^[-<3쭮 w9[_|coKSEՌ`θ筸7|监2xfRcC1ORM-#;Z@x XG t9DZ[ H_m@+-=Pk2TYLd̫Th䲄$ >*4+ _Hn!xEuoCT p2}SpȇbQNڶz{ym%ܥp7* FUPgxz_cjNOt^VgA / aYD@pлtT1Bm-Sϑd`hہaýU-A 쏘lM߆%MxPW-G]GEkUxMÈ9d' eM3hԯ;Yl`9n: rFώL0rg,G([(nّ6^.>zzTXqn яjOC"p #^0D>?wi% @-i;jl,n<%Bg@M$EMp,0z]Zߍo ݇ߟA>+:۵^uUB,duL+ze=U0=;-T f^i'q#G |NuH.o/h؆9}tU'E&/X:bp.U!]<9]P3FM{ugZf`dFeXIE罄a䓍x|VÈ]vOp9ݨnl@49s.WwҼcP°A2}Jp%f! 
GNW!.ffAxW6=V W;no6P'HMcjBMPӶ2p[I*"HuE\&ChhG+]*D9wNjSR|l;-*[B}3NWԳ"t(saN|ށ!JdѐV ƓsIl _O0~QHlehTK<4+ ߞ9Ր.:-U1i}z  [^Y(_m Ym+ yY oJJOUZt8;'-6YԊM ?v]Ab`zRX5f bQ,Q6F:Bɘ2֫ fgW)&n*!!n]T27H?)Xp2͠ILE?U xlc`6N",=ůYh=ֿ6aU_;r{*}D-nmmu,c?X}U})p/1; qc=rzO쨊๚\"e4gyV-4aqx-4'6:T[ ?4$A*Mf_ ?[o@m{(e!&8 #VW.!k<J*6iJ; v N;\g/"/;k\*i|7clYcB!O$1伅JIAd0#=pF/QDȬcJJ[ D_4_s i-wLř(zz2"YWqS2O "g,xwl"O?4IuP$IJz>6*7r :n^Xu~S;=9y0E6rQm?q~MBq?c,rk[=*>z:6岌io<%h9jWUTeU"Xe[;Hb@/) ]](͞oI xߐZ]JX֎ ^>h]$s'ba-j@ya4r$b9MZ T]sݞYS% )yd,'dףyyG۞ڴ8 |oMetETʿ)m "%? K_ma\Ԟ.g^i̡&/A??$9V}([u'T!ʟ+'#p \:%ζcr!{S nl' gμDV^zw;>lhdc&!w{si=~\Hy<Uʖh1ʵ-8 M S|8S <&0;+h$)y^ee!SŃ yKlĭAә6 .נ}?p=eN3C.;oG|0䚼\la h챒'Vxꋀ;m8XAq_xӉFXbu1,G S4 Ѝ)Kc*?C>=Qks#OXfa}k\qsչȻKDmm hb[.C'.(I*4[ ynm/YH8;ⳬrӗRc^@ZT#qu,4y6Z-yL^/rRv4<N*hQ0sH"|k@B~ { J( NƬ?OJJd8?#8 :'Kq Or%=/M,d:. >3Te=hN P;$=Rt8sQYCn~onig|Hog&{r20QRA A}WUE4mX$44<k= }GK4ԞRKN25dU :{\q/]S9b[ǻ=Wdry 887l \ WmYg55IUC>MvaI8DfƟX}og?{lqyn!B +,X2*O|&~D:m~uY_xd5qޅ|!jO8Lj)Ee4s~Ve쀄}i=QUD=]W ;ӷHfO5@QLQuDrez u'0˹,-f}NӨYblDVҼU+~#4hw~Ij2iz T|> M=::ʊS )pb\[_:5.&ɿ$xF{>%*5w_x?Oݛ8\;FHvYzֶuzh#KvؗD ؍V g]kxDN YohNh9ɆHk`pg{5Tn$vi ^/"xzơ)Y,Ucҡ~ZhÝ~pIH,b-!k"^Rͳ0ދv5g3; 9C1Y/ZmywZ`,"%0,(KOE8Umk}CH<|:4v.O@ߟF_+#j;S_۴z&=sr/DA*u3cw!L2AERTnDv)F)` `ˆõQzU0qfv$1r yݴv?,y _~["b BI^2g-\MuJ8C19jlu7E#“{0.*4Mp蝛"~u|C:QJ<垊!M ,bYBsxsGZ٠ҽ$U;v##qA`X- w{5]j\럲YٴjR@"$@-ǻkatK`Q@(lg8<\*kp`bjVdxvʚ^G^X*He)Á3m2˝h}uQ)-F"W~M3:m攊"Tn\3~_kpEOY2hF"ti(b\X1Z>Pg,638f7(\jZ8qύr$Аy!=#~R~m`4|Dito B(K[Ҩ!' 
`sz)*tP]yGf[mw_Z%]^uwgF7XvF_}yvs/^ pc<иT=3ڒ+ʵ\0c9 "zpÿ Ǡ#rDصLBOe&h8hBB~$-k=o,ya &D4V"vz[6{J5q.Pt5lX= ini1~ȧ?3hMHYI;=E`~ԚR/aҵJ ɜAP;@1<ܕ.`t10>=!pYn?]bPJ_7a:s*eB:gmk8~I=WWsÄL.QV}bO~\M4rДHF;!-p1 ҋ~BxlNX]/WS-Yӵ#!wɞ^zj2icR,E[ލ\2V<\*K al4kTS?sIYLjpت Hg1aƮ~1a3=|P]uȐR.k1]Kڍ4 ~Xro*ǧYڸ҅A@bgcE-D5w, 085ݮrN4gniD6BVk I2k'/xg8NtSZho,Fձv72KRƇ\.F "Eޚ\ބ;;o;]?MMC皧m,Sی%rj&' 6e#ycH5cEM(:KN[&ˈTʮF> Bp|-es6Wu*3[ޟ_\Јs"|Uxn>ߝ#)mE襸&"Q]~Rh$(~PN?AW=<-j[yˈTGh1#t_4 G x0au ?kĒKCz(ݡ[ӗ8LUԝ6+r\?reHm ]sǎ /lo-rW5[N%Q!:c5|q:mf5xͱ)әi) YVmyy7|9``XrPDaPHjT%\mFcbs#l)H`z!?!kcPDY4%5[T!(LbVzSLM :cv7{:/aҶL{;Y!$1*~(ll^vBѭ3J>.i͌$)#~SoO2d"+)dVzs.F' tH+5 ͔]|ve1Dњ#x%Rbk{\ ak>WoK1eB|%Cnn* Cr.__$VL'*a9 Nu% ;^ ƙT|3EhƔG:8(|RS{ }X*kN8cP̿ZKdZɺNxA# -.& ZM_0UXqGu/DziC+q=d-6%yrXE^r|DE?Qʱ}|{\~ sox]>c=8 O}4τaf)Ë0,Lh-rTw5# ŏ*3N;&L/+Wl)VI#[Ε>a3׫F:ZI~ ȧ~Ahl5rSDá}BywPǾ\i*T0%y8s1]rɛ~Xĝ}/mZSԙ΁yqJEF &w0+A,r/?s5ӊhY; ?$zp춡Wr+ٲ_t^Vӣq@x bF1C[6v |K۸ze} `hnXzdTLlRK0b\_oʡv2sӴfǨ6G[f'a?7>>͡*ET*F}O͹!KX sH'+EtG?$ujvo Itpl=suPѰ4ъy'_I~BN`3 a91N9HS351{N#xQn*Q&CbDyl2r UZ6}0^Ii/~j_Nxu*Qj/"pX(>H࣓c@1j8̰PFxt.4@"fwɊk RG"igCxͤC.y..Ћ \=-if5M 5-POfxCimuC=v?/Bj & := !b $]Tā7CWHRYtBF\ 0GHMui2lohWݧ!T$߽C0OD% k]ú_LY& Oɶx kJ<ԖF.6U׈I _@`,ZD±QUfvpX n(KqMqjL>$ ^%  n\g:0sƟ=/FHK3o3֩cF #+0&7Y8n];''T'NJ,>qm |yq'wW=\Bp3ώ֖soGM@!Zd 2]Ҡ#.D :TQ䠜I%4[f83͋%/͌ (:6 W~g=ѱ$#ȈNTFf,9\QPMwpub} s25ۊH 3A {`OFa Juoj|!Ne ePz)t9#^vi>MSf37vJ{{*!F'h7 *Lم >G Ezex ZApӞ aMȬ4k⿒ :u[ԝ2RIg"# ͘' g$nCɻx#bTfbh`N>5@htW U{_c X3!}ɧJKNB]ʭ4yK(i:gH\ɠEq{0+ e^53tt */dy/3/2ײ،4T܈;sÏMIF[* %e lݭFjK-j{Gy;';Z۾'L^yݒQDE"i $#dL*po+XCD u֖Fgװ !OyPST:Ll~"-G<3NUX GnR_Q:3]/a&za&-{µoP%peqݜ>D$XX`Q$y櫁ܜA&s{>׉į rtM*!id90$NodUa^1~luS*T0|6ʛr(?>Dž}Gd<ڠ9/5g?85H!h-P6%~H [\ц PStw~$a Gߏ`H J!肓[PJ @ՀG4EA#+MpZ]5聾G6R#l@k~?2[mDДRE4-ߜ*G;fr:S>0/2#%z͘{\т0ʬnvK[FspQJ!a0K>̀.C[r< ٍ!'2h-pc* M-+󄁂SmuI :iI9 <6T(@M P3w#=v5THw&3P| eBV9QSh#wk{2J:%Rc4L,໿ȻQZkbRJBJ&ޗ(d/j4'sQKza!O?5t=R!*XCԣCTnm0)B܀õrK*V ܁D@ (JwJj|PnfD: #y ~B=2)-n3 ;;m `E$2J'&+c{ al S6ۏk 0DEc Y%*6R46`)"FtJUu>A9ɬT;\I:(/Wܬp*큶R[3aN|UO P&aD Méʏʱ2Ouai8!>dr"Z5uZ,M6:7 cs'_U{%N@t,EHCcXھ?>s!!?q_ 
k*Ih2(8gܼ8t֭Cx&k2'i%dF !1-L~\x,MԙiUfE}'MK@6nOM2/, S5W߫(Khr'f6gJ 0nVC#i'fq>=e#D{lR^v0C@s=yIa"0ZQ˭"\=ndjb[Lnd ?0/RTg;-V z16T 7۟#j;=:2'!܍8A:!pPEN9vfg   F`P#B,|ﳏ*G'j`=G|cqȘ$i9d5 `c&d·Ҟ HA-z`;NԜ2 SCmKLC?ˤ+ J=L/<<_MTތ`YBe )D5u PB+CGvga;j"R@fH-s"=͋WlM4Q#+f:2 ;`ByaGL~kF'oP u{Y0'g'XĨ\?4/8?0+RGX# ws99n1lveR@zXGKM^ ޾. tz^rc.,A~0+6A'ntpjŽb1k LjB~*D^HFXϢHf&|+z`d㰡\c~سVM ĕƑg78oj~| _5;ɝph0n'Ւ4@1C:9jRkԞv-׽h`7ue:߸g_aDQ7 MlvdDd Z;ŰajY*= {,ge o#^\jt8)weӱH-[U t[Ĵ V Cb)CHG ~+i0dWW#3刍P^eu  YxDrzpInDH)է<L: ujN 2~w)J_,1x9#u1]]HxS~̄zs@bx网 KlSw!x%N Q9jjItmFIJ$SąIaW!K>Dѱ%JnVf sIf=|xz4dgW@GzLuR:1 G?KWJjbf# @V׊=&zRVT4GŒrПi{A쇿J^] C?iN@,9|9ϯ5TYCN : H |رu(G!ݢ<0;;0'?zjFR:RSC m 18bОgҧdNO%2Tel|HeΏ(ҝ3wB-/$@fx1`ZQ{'3wY|Q?)f YB 5S 'FL/wΏYM.P(bU"ˊPS#`+Ľs`T2`C{%~ҾY.B,Y~)qKfe 6K?/9yo멙ۥx: 0?׎)?=c|+fvɅ~>~P?NP{XZ9_ЯL&_:h7Q Tc+1T7<}N+*3ԩҲ}v|%#}bLЄtYb:>JXY& ֍C[s}ݒsѽ̣vL=bc$lzٛVUyd&;PKnʪbjL)]9X?b^ȹc$/sV<մ v U Sym3sugVX8`|W\ֺ!;qjzLeyf]RP7`ݹ.*1ۯBơG ) R0m 7~ h#H }U7qgpk^QxB7jsSrNlL&#2e_.7͝|s}xӳ3b*43l@#YwjO'h#J;)d{sxk{Wz6p90(DZ{ t#b+3By 8)Nf_Q"l0|Eijpj *@t_>弹د:[z qF4\avHymQEFZ,9к1>;|A~9zKlΧ:_ ~5m.krvE9%d#|Saۑi%^>45^0?e,)vU*I"ba9pRt6:$EzV4O|`Ն51nP؁QY0<nTƬiޭI&q@5Y3UF9zd4W.1 x>b4 k :EQ޷8ѭiRChMd sjWEz墺m' ?U q+9L♦6[Ш*Zva M#Eac\Bb˗+E&&vxvl@^*Caعw;91| 4|ne~Y& |@G?XQ3n4epBd(u]>qf)F}P JkPX-qq);d{!y>̐H@|B5J`5{֨nq|5 ImMqy a_>G;z-cV@dEKEĂuw,"S=ܴHPi$"/թh n_$5|#(tjxIVeюJ[<$_IQ̺|ߪsLٰuPzRVT ,{D D9|#T~R: uCζ&߃RHg;k{@>i?HYWj9)-GbtBٳs }!qX^8y8qllF(9H*!'3G%,;k~$ˌs TN"M>t}Bw=NDD\;p>ax"o9{Oōaw-Ds1ϯ@G ~Tenm\m6†b6%>2U]:vHø+LL_̅iOWD(5" MBB+(YzU S%BmgtPx!N.5@|;8ݡ|n)]G9 qprY'wYqv _X wōOE~̣aFg̜ b(OCA&Uʩ Izce1aX$Ȟ565~Z'y4f^D`7 X?gd_0 z99sy<ȑl}Þ0_[0x3Jg$ I/$!Bx8o$B?d+'-U% %p!rETh2㝼wW{Z\p])|_J5)YnAiG Δ7쬾p՚xƖZ&8*eL푇.N|󏙡%N{؏?p{?Ξو~.I@+nz \J*#;AZ~Y9 .`mުy4'KGQʋY>Qp$UxW-OLIkbh;+~1ȅcALF* rNkcy&_N2nfo{`1iZ^C}]<| ˀ)F !_̺ae*ʑsuA4sz[='$77yW"i}uwD^H[E&>摕~_cN^Hs37;8e}F̅QrbU= AGV08j1$sTN6apt&|vI<Uv`QE-㣑'rИinvA9px\I4˝Ź_f %J֧ve=b̈́jK98bJ`BL!]ޚQޗ+|G ,! 
f9ҹ95D@~DbS%}=1@S#ޤ.\`QJ5: m7N^9Fy^ZUakk#(|UFZn ~u 8iq%[2mn.TO=>s@X"pXiq/ޘ919۲pԑMZQ\ u𿳹Qs !Csp6KbK}ĿRG| pjOԻПb>OaO|#ѴϿIm 7AOa V-| & pʹH (}|΢9g-#g.nK摢yu]N{C `6 + Č10Vig>We"W #j' í{e$4|U($Kt 4.De|I_ޅV#OO},16țٻYU)  jh#/-&Bɍpb0CNnLLch`0w9Ow%m:8F#"q.]Cunöm8(g|^#$t^#O\Q2D}ʋaϓ5l. ,q>6|G}x\b pL-N=,S P2vģLNf8vhpqzAM\p%wF " s7Cg е),%5]yUuy"hQ`IdvƄx038)}^L49QAbn/֘{;`:~3oˉ LbtGOT|ůu흉_@3R"uO ls}d#uD8 G*{Xi'6Wt5d F2^V4;nz}Fл̐wQ2TQf҈Fط,ssX*qzQ}l4`9vRs$n Dg_lzOpȟ®v8>?eJ7/=.:gp8?ڰw+3'&>;&mc}6TpQC2"!O.WO%hJ|''M'SۇF#.mOSy[v,\nGfxR_o {{wq@>5*1IN캩<$CVZsxKtVQ,Lyڬ,\m$B[~~t&Bhj^_5xj,o,upp ~#d[ų!vԒ'GT6SfW/9SEcx%A/jcm|g6g_*F7#RE;NaRŰTG)6a9#fߥ#H3E[Ddң#NDž d0u_+ DP"|} BU pã&_>" a3`n}ۍ'iK\^Py`=Z߸`> \5lugW!wL6{tNR h.P &a0T\{Bڳ0";-DQnQ)sNr.ߥj5\I}`I@* 3Zai뿧bX\ o<1GK2?,nӣ zμR(Ls/;`2MjIoUOoǐ]/9N>?<ׄ^ޯ."!;JaJ#!v1JcFuPUWW̩8^PM㓔 1heo%6EecyPՑE45>ぷ/5&mu'we[K|ӯ87 ú'K@[Cڋ$|7I})vb)WG$Sf,5ţft;_Ͽ@Et jf͉Vhno(\~Ή[%ܴ+'Cyr>ING29MD=Mױ'7tմ:D􋅷ԁLVܓ3nx2˜I'o +n>I)a)g|<n_ar~X_ *]rErl-+6j&|_zLC%팭ŮnCeyljCdXk¢5e[EnCȻslX>N=fTI1) p̫"҃2w DqVܘ*: lFrGD`ב{Uf @Rs49kӹŔ R9/r:ZS-+\3>΋gɷB?>ĉ $.I8zPk"=-6bY'I8nV蛸݉ h{ I,#~#KF[2epI=VFmSmlBt pM-T.{ .tb*xcA,3+J0٧GZ'Zg"J^v %' 'e,Z/L0%%8-m-Ï構 /B=,؊!E!9̅@ChD-|ˎb(}w(9T[~cMȻTsNa 'Y۝o<'W6cjI幗U8^""%azRm@C.tBvoC[)|30 !P`/{zR]0+hL;aU3Л^/ L+%#c6m+4)(TvWc֬<=}nAcu ۫/ Wr#lӡ@wjfT|mHZ`@je(dQoP*H~BB-]x*jm48C_A,?ObE-:RLֿrhWDdO噼[T "Sbnx;[J$W7{<;L*k;ܴ_ $7`OG< `Lm d߳ֈNĪUF Mp :x;9C%sLƐxS'w7gE\D Dٻ魸NUP;/R" Q]s4vXM=olćc1vqx>Re9D(1kףt$A&HG.*xҔXK)Ddc B k ν#`v Y/|^3ȿA*M]]G^1oI.Щ?mEs8o]+xVsXt;iYTw}PTwqz$LЈ NSN7-q!ׁer}m< [bY oNH :QScT`0Aղ{YBFf(<n&K5^¬6 ?teUPtaWY ֪Ķ1CRv u[:`\{,պC`K[!'8A% Ġ)[>аd̳֭ CeN+ӝ7794% X2_ˁv1ꃜPXp=ɝ&U(qW=N+EXULWBP- AH[iS%pjoF,}b 1S!@T~.#P`v$pgS)Y3CHWSmȀIe݉(4!lOcw#)~4E;;!Q!:_SYdz Ya3<,HaM[UI4~uz/*8WA*Jl`= O8Cuv)ߏd%_,XĦRpn+`V>?X^]N$S[YsR \GÎ,oP1}t)p"B.I6t+5-'s[{%Q^bs07ovhqֳQ,ԸYU&&.\(.njݐ%8pDqo<[ާz>#ߒE0#Y4Ȇ;]~K+^ݥ=v ;}"1ewX:BKXa!Aѩy9ipɟ}><&䮑_ue&OᣣUٖYۊMO*OU:v=:T+o솚D `,jg [>!ݦx^ib/>e|,DzqK+/4M%(>]N*c}9LYoB?3쿸6^*m~:iOL7CJ1Ԃ-#?5i(P=hUg_31ōV`g)UZuw@e8cP ۺ`_\ޝRc_r+U¾(.MwN(ɓI& 0bIs TN6-ur񩼽h@?8\`a#9 <, 
0sd3=K D`@Ң"˨FG[^?9suNT >!]E8EMj^&N<#/\_Qi}aH4jp[rbϺ!p1]2hҒn3v/ h GiSŭӵ/[=~ֹS8i@K LԷ8Zޑzѧ ӀB,*sNw_hG݉XΗA2(&m߰7lAt!El[OkpVFsTL@Tȗ!TzTF[͑gd.\otE˭5zjunT5kR0SS,lFȤ)xF p!nF0 )׀U[=وTA~rbnoѽ]e!ҤFXy~'#0U,m5*@@tϔ+VwZ*jcur&tkVh#W.£G$P+S%KkXYPf>4m°<^;klV3%eI/0c{ lrWr\}V-~5’/ }zdT#>̧(L{/(11j5@Z\e(x2z¼fuWP[ru+>eO4w :+Nu/?Ūi0Cٞ<:қ3kkRf{]0TYuYFgZ U3ּDi>fJl6>a;+ x=Q X/o`X2 $#sOaˮψ  N=cQX_ 2Ɓߺuyaķ (9lGk9x~Ί#o\gmT.2{i'Y>z~QM׌8\N0p0͔$hZE w-o,uwO{!U\ "HIPᖄH峇ѭ'~s%mg&)LPiA];;=>;#orK8MC|3Y'3YLno,{3I7̮[3u}bwJpp@;$X*I/ !?i&PLkڊTb\ڠncdS3*'0=IACXZ-Ac̿XL]w]ov =jI:A.hZܛS1vVSEP] 9h]qY kk3KI0Kݿ TN;X3XۗIfs)ցGo[w>h2 TUtb&L!c#g^/Ȑtn՘@q]^X2J ,y-| Ku`GNą~x*i& Hh @Ku"6E E'N$"x(9h۩,Q РpOҜXVFFj3/d;v='z;]N |*%̱} חJF?;[²t#ѹ=Gԃy;igϾ1y>_v.*z 8'[\~YК߳&Sm!7.̡c6NM0AB lyĩ0ޔv4 j`dIt"jFޡ}xm>JşhVA뤃#Bk"[JIRbӦ?~[3ݗ;] jU?6>:BZTN%;D`tǀQ3(tikShnJ K`KvI5l)ʌeP1quУж/;vtt?JE~(-/AR*[/6^ɗ$ghX_P}/]J"]G>  SM2Iswn)`nwƖ06-'b 5&U 4ZgBb()@$CoT\?mT p >Q!Z|SG4O 2JKNS謹 ִAVV״x_ԧqhKEL|-NwZG8{@erBLR _g8 Rj=K{r?nj7m]]73nxݢy7ȩY~TGC[זÌ ꠢ_: G 搌u %;&MuILrwzP6_Kk~uDݼ mVx-ӥfS T'bX~? ۥ#;5}`Kfbׁn81QKo*n+/Nlatr 7 'QP!Oòi5G \𬄚P^_hC.Wxn[x-uO?q4\?u)7AZӸs\_DWپi.^y&%gQ֮}yPdfMƀbk4# )!ST"]FYK `7ePa;[]M葸s{sKGe9+rsrҺ:/uq=&$0!%?s(7,-A}TB:Xg:D۹etF#4"h3)Hv?$|'7Q+ FǧcG}VPz!{ ciJt W/G z[LnNqi]ing肭y=4N%vކo֧lm.ɸcO~&2]"QSyS$ 71]w(K-@ޥ Ik^i!LM4:$’ '5#]2)u;~,춊13~ jR:7HeK~֏ӐmhL q-nOHJv[غ=*CyS]@CcP\n?nxV=2x,%4,,6Ǭ)e~8*WzkcL2q_3BN?;oǚ<;u3{) (9c1.#k|ی#R3XTP 8:T@h-ބDOB^!uo`9oRjGVRYȑ2=a*SqglvDRj^n,9Q.gv]%VZv1_ 16ꀸj߿\3^dBBz$(3"}?ʛ4۷0$!mm,c#'L ҤJH}0x -Oak]O<}?̶\UWcksۅF4I߫뱓 mN:9O;r,$ㆢ3Y0e)!yHu`s6qt;Bx}"U`[HcD 2XuT4=ymXz!gub\d!̊ڨW?kjrd@i&X\ Rx vs}"b9ji! 
;av48x[ wWv694,I-gTë1U68'NQ\N"=F|'~,4F'֏Nj6i뢒vi2tnCA{0uO&XŜݦ@Gk|q(Fs\ZO)JE7:M9VZj{*AXgqHRJfllֆPeHtW翗, 3o#dq mK8O* 0fPӿYO~`?[Y5: hi@4L{CWWpAI@{yl7> ɶ\S#,6%A̅ eQ,rz!خ]h>Ud rrd| ֒oV'u;cdޒHeE!~eBd|/MR/CT=bZ˄Wo!ӑV{y/ C~orHe9g̔DҢg]u(UO lφF3}~b8gvecKLBm&daXJ}Qb=L7$g@rX-h*BW|>5IAIV$* nPV'/+Omt:]؄=Z{7Ml% ʐT`fJL6I#nW% CK zŧܸ0'Z˖޿h&3Et/a>.H6e ױ[IR51&` Po/{?Ka60QT&#L>2 X/mS[CY~J8sBZuy?1"Z=ˆ.?R3 m/qGO.dpV"̿x$7}{y{>t3|zJs1:`Evʬ~cɕV`TuF2=qAAVk Չ mrEm^/ZmE*qX9l{;=qj05-z⵱5;[pJݺ;#?94i"L]P)䁖evݎ:3SPl|~>^:?eˈKkoY {8uaXږMUCC &|# P(u (wBzu،ԔvsMQkdYxCRc TJ7jx `Uq?с03L$Ia?lVC 0 j[bvezо n!w 7o`4,Ĩ*( Dϔ70 .=7l0%͝k« HS=<$Ki:Wd>Uf.#I"x|5YL% { [Rb4V !w Zy!rWYs/~n$yCSZt#_`1XMfN9zVji?C* QWPr, :aPL@{t9}ͣP|NP.M,T؂vPVB HZqviX |6!WϯñM G ӊ6Db`D´Q{IF[zraųo Sw8Y6s^}]wAV02.Dq81m兇B`ìx/5tU&& @&"rHГSOX;c#5C4ww(yҚ:#prڌ~sLl5fFyXt u~6 G/}# ؗ1fJ>(؜'8)fpϯ08,5D!-ޞ TJ7EDU(Ok2ueƭ/~V}pƮg X2d4m}M#?0/7A4 _ꫤOW)ziV/)O".=6:4`U 6'w*6 ,Hs)*.28ՏE; ) ںEJhiO^L]DSbBQJ 2VOQ-G]*Jeܹb>tQi ߂W w5&Un=fMWtQٳxK!u*+L3j>TP{ݿ0NL4=r⠳T wz#da:0r)jU{k?-e09O`D7kZf /}b÷\wor鲐¯P9v\o뇰(gS%E"<̴t6zcNs(vdE5gnlSЏd߯S4D@ZLjlݜ@#[8ZGPѭ)Ǟ4= ˝~P,Xvzv?#\5EyhK}MVԯ6 ٠{6uD>fJ[Z03$u#8"qۂ0PI +5s";0c3Ó65)~crFϧ-Cq§caFr`EvD{sܑr(#DJIVA/s9~(~%/u}:#[xTubcVqm,MG};:8r" )fq "%<7QU;U逭} Ӭ CɅuͽ ozm[CAܓOw G`A7($3͸h@:7E#PT\]ru#۔>$qmITLO_k qASDoOe7x#yB\1UdYS<$O( ܄5Rc~yie6li=@#Ѓ!Q01Dnq~;"e˞j7Q0kA-w,,#P yܷS)Coedɬթ.bDW{Gt4s,A={%\1jrBdW{]9 -aND ŵ~iN;J|=zymi3#'Uj/]/5VdT+f 6eQlȱW PvF)n CM(& -+{^)øE7\DDn|mKqRd]ŦxQGW>1#@ޭ*.u!An!~>*ܷ8Ӡ QP5xWyz8- aFpJ *tW[M;WG i@+֥`B!\Uzs5+aч,Yy:Eu75SRaUaHC7Zk;*c1fd )yJ8uPѣT3\^E8$BoOcd}[1x" Ȟf!ULj[žbϫ?Ng9!>&<+w4` ,R=pg}n͠ ݧ]df;Sx%#oz 3iP$y3n4\tL<0+~D~kqERpqzlt`\F.{&T~~B蘼 ܜ6!.>[GǶ2Xk(ř:2l<(yR/iyoѥAG:?u]"W<sޣ*]Oh-XT".4·\P+)C^<:ʭ+ Iv/alJԦo1"^{(POA_> dg5;?0= ޱSߚ˱;*plcx/[k`>s;d:Sn٘YQc&͔x7UjmzؕWxpcD.,=V6); pӭxS+ 򨳞 4 ;ԋ-tTtQ΍DVŸW֋ݸT4|,̒rJ -o ؚq lNO]>{J=ULOmZcqUK?;_av!1y L!!6 F5 4GIuu?v.6=9Oq|UB{Z? l1:[ADQ&Ά~: p=̀іP@3t"ay6uz 1`r/Djk6ޗ´mp3W?ﷷ 0ҨĶWIZɇ*O \J WM?҂v ͥD7c#?8d`u@ iAmXP8uRwo! 
n UN5[l뻫Jx7{nTǷH橮OkKOrB*dVP[ +2^qѥWCmenH7ĪJ?ө:4ds+}7{ޚX8w0iXAQ6.nyaS&7WPH`TU9?8QO8GMWV2/n|¿'5Tv:?GK@/A45flji^RJ l,/+7$ko0oBW"zt1*5UYLkb@޺H1Rঽ{,4_\8Sbl 7o>SC %u+KٷV?/ȌCjʤ0~i NiuU9fErSoS`Br ϝ6ߨ-`Σ6(k[$EgY\>kFU ( >p6Aou/oju]o!UL.0w`Aoe~}79"BAkS6޻-˭}C!`'Yڽmx\}E Vrh2|t&R@{6lzXR#DiӢo~C8SdК5o% Q!&{i$WٲYo| ߶ѳ;򹛟 pYycA#uFeEy{N?fMHu6!K醂9沯Ȃ%t0PW;#ƒb^&= ;›8]Go]W}}thnZ'՟+ZXNY `XWen-I{Sěu؈MmF-X^/'O_NSJ{WC#L&`SfLr CБ-~pEK!ݤƋ/? R‡%OjϗlQ pL+ {e߇QHdRm"RjJ3͑ ia%8;ӗnF\yX{MfrD^. k]B<]4 .Dх#HP Јz*j履;PMao,΀(C L2Xخ>cĹ)i#wQKw=;#>D\rӃ'3o$C STO.:HD][ kfizv$mSjE5^`7ː;Ɵ_ 9ܤe+h- -?Iw6 pcaNјsga> pyS;hWoTK͗{u z蟄z,49mٳ5ށVi[UvAleZw6_ <@4\`]²Ԧ Ț&.EC5++jܟ(KetFCtPyʪ:7vy_:j]D~v%(XKGؼ܌3 u&O8< sGf6\*w9{JM#Ϲ!A SL/s.Q99]hXPcpuޜA㊁=>jso݊(m?=y:a*s :1lp \(81hz3JjA+߲XT>NުIlh_(G,_ 쪉86 NXg@`xˋq,Fc2G na0hswh-7ݧ[^wu(\Pp93܌%ɀ絸W)91WBr}v1P;eb.:nc.|2Bi?YY^QP~]ūeiƕǐ kfZb#h0lo pCE8YQ0I|͍iD6SD]ilF?\PR;Ygo:Ú\t6TUYKήQ5(zثd8֘7u2],jI7&o͓]0%HA3X el ?2> =6,A56`yU2T |i_. ki(OZqYġ-]S7|(K CZN_U ~.!Gxh,>ޭ h^ J*v/HފIjET}H5¤z} !CYˈQ|U2?^U,Sܰl{|N Q%l[oo>Ӱ8w9ۡ_zP(  B#&dK䆾_&ʹʺ]wk70PR =kQ>P'Lah2RNPrQ>:A$:Tԥ:z &4D]f+ -H Xʡ.ZD\uEᠪ2Y^,8әCjT@SGH'ƻmH-Q&uE:F۹<ʱ0/-jC[@Rl7|5wlȧk%f&{_mQɃR #*lw٘4.=}7Uݸ0fYhMlgnGR/ZEc|ۅ,ډOQN1ߎ \ٽV Zzhyh4ДO%>dt#C1RkLZo{+`B2et!`Nͬc seOBey$b!8ȭ@ .l|Ֆ6qŖw֜>B_`m3 7w)U@Sgni9sJ=O!v+jZ s^qܧ㈳ e5ב>ͪZ"pvx%'y'GT/D뵯}]w_!Գ^= dNl3)WTdk-~'מS qA6ԃB".@*hpfc&c2XN1׬&ʭ?pژ.=hI69v15T@KЗ29jsGCڻk(ޤgFO~~TB,W380"Ϳ$%U=%[Ʃ۲A` o * \{XelAoZHtҭR^_"f&H{1e]pogva6s6OSCh/"@ TSij#-?? ,|,kK>?&dq^VfKilf9}t']nzb9nx$6cQ[-gW1*w]'T3j!KkBgkPЊs4)j7Cur ъ T: N.`Db(Ft_Z$׫1㸡(7n(7*h,l$Ds_;zɐePW(;^++@z:. I,xƮA ykg&*Ҍ s+E!b#\hQKR?mhvj | `ӧKU ό, ё!,="|p2ͯ=]%jVCleh=G7(oF_%·Pjyjc,1d''MQ%=R \s1o" /O~Ș)r(9q(4`̊8Y^nRXק_Qޞy:sʌ6_o);K\ҭ=-#_a"eCgja3*?4Ew88WQ6혠pH pf,8,'*cPA]¥ӌս~uYml)sQiŕxN-Ou=Jg P5tL`-[U&.i Po}UZr\GKI\^G!Qw!q3PRb]p΂Hr\uU2(޾T&ǘ Hh %#68خbU1fk[łǁΡ-  9h'3|Ǩ5E 9_1n ` e>H+0a+4>|:xs>*X8oSV~@YrPYDmHzeOCNBUot))Ai/Hk("(^M`HH$E²Sw^}aE·Nƹ LbگÇ߳fԂgp\ι*uY_R!t. pXcWAp 7Aqܬ5%y0zd>1}. 
;i1m 7} 2?x/a:._V<*j6iZya69Pg|*^.<6,M;/ɠ U{嚱5 dm5&6CWӥ\t-|ơ#Vi}`F;3`I[rD |9QIeW)&F`4J:#@q)bhC5"꨸Z_nqjH<2:i""mNajGy7.j8'H~{m~5bmnz"YE!e0Fп3k A#$->[`[8'HzpӰ$ d7,s]jHM@M,@u^![|}&2=Oz;nyKHmz> >CX~9){4 ;º-?kl.4o ٬-ǒOO1![hC h(d 40_g@u˫…{Fh)*ﮫ^nR(kzDagtZj"9QaԑoxrL 4R1W "#4.szL4!y~$!0=F-. 10EbYI z5-~/U߷?ttKH!zkP!]|#܊Qq[ efX&sg*=D7GfْݸPG-W\̠QN<j$ ]9 z\r}Ocx@`U0ư&>5;TC8L9*w&_ jo q +5.xȗdY!iN1C Qt7ɠMAd  c-ڝ|; Ijg(+ao;-/0 MEL\WȦʿq乒‰U<#k"Xp9e "hbW!~ޟ>U*M\(Vf8ORzݍW#od,$ !ܢ =zu8#X5SQɢ zGGvZt(8'j3z_dzx֊ptXRϦ%iLo7.0^\)r/d)x>Do F;-eu5l S6RR5)X{m8b?PpV\'@o׆J0L%e&v*J/vQAPF.\ o=ޥHϟv7+'8UJ@@ʬĝYOI8L9-Svٵ!ỉMc}İaEb!^n\U`sɜKN5ߎQyĘvjA!> zpm?ZB~{Y_I6NVLkoHp^g^~.BVLC> ^L5F"6&@Edžq$-]eݔ f9s$\ EZ(7\.MlRCBj*;_@AwII$ʳz?L?̧&:K02Gi8@1y@gJ_ԟӨi bY`qNw|:ޑ4J* , M@%l4Ui|ngÔu%bX,P(Vk`1@w{5-Q C{ɢ&{uF S,@C45jfVTTopX)ҁj@4g{s@@?sQ踒-l>cQv׶Ɣ̶Qw~msvR|Ȭod[g8 r]uj@0 ?IL:v[:_[4v}1='+df2ݦא+evȬI|QtQ\(-S0fܼw9)y%@\IXivdMɐ, +!FHۋ߰:%"vJI$ 2=_ ?.Kjz|K,`oTҨXƷٺHczl$F!{`1@mtaHČabϡꆓ٧>Y̒2?? Xδai'yIL ҄<8 ̈CL-CJ:PkB^uR˱-֗v1QcXQTaAx/iF\+FmԷ G(n+ehi{_0ڹw?L `y8Czy.ߠZ豍`6Co[pJx^(Ghjfh,:g=%;^/ &>8`93_#O*DYC\]8Q{50T}p/AJGGKrĹP@d]W8 ~0OЂ} !k'D6|'nQZw]PfJc/}?߬'_JBP8b\Xν@ 6P]L_tb geG+RY,crbOG0e{Cx|73:+ցTwrlIP:W%7ˠ$t&3nl =$1lf5,wq\hc v'#y0f8Bfok)3|=7ؼmg8xrULz >`Ĕ sچָp-T5^d=kw=DnftžNGt! |}L%tdCvl964B8JQԕ92Ң]")bc>tE6ݴJ_t{tq2j)2m#8dU?&јΚH:i'\G{}\U՘MB-)7Y Ec䗧ɋmx0Ζ#aM 6*PXt&W~Ù&:glQi y% / ?!m6(x,ctLM_q/gG\C;!RW-1Jye*Kp7f+V`[NL~vT8! 
,~n'.ҪZ8W9 8z ڗ@޾hTL2wCq^?h#K my5EWO'60b+ kJdŜXQrH%} UpWkG0^zDhIɢ3q5@dSƌ 133fK0fD민 R8s}a"Yؗ*]RpăO곸c60:且sۿ-\uk^Y8Bs%juZQwB{D3M=fZY4S&j(>O@Kk*H\4Š׆wIy  q 1Pc7 MLcX90+̥)jF@Ԕޮ-rG1BҚ\Tu_)Ee.IazRN~=P6?^ؗUM\tG<(HaAYcyF88Ƕj:ڳsQ|RޔG&O>џtʕy1xFE 1=٨_rNHQ08h5[b(C3?E&3 ?~BtDHٶ,Y&͐z-ÏF~{Nv%=r:̅$Y竭 Es&t2 ĩW9Wްh^ODjrw>6 ٤ :a[́N0> $􈁄kȍ/7a}V [oh';^"61PMcTJ 1$(%EJc3o; zw}ܭ72uAP$y1/b F[m ڳLzWVOԔ98kRfxEVq z(C;pWMoZ.|I uZ)}śwȔ-zhН#nu58#Ħ4Pd6,μcd3ҵ%u!%@87y]TЊTs ˁbp[EFV^TT?rbk{be]b2 FJ-;a?hRHpOJpңYYLP $VN'6aoKi *g},Fz,3DGk;yiV]ŌژE]H7/k$64 i,Ykh=|y ``cRFQ?8[dۡ :7Sj|]$ ] ok(e]Z#N-V]夜yX?jh:tPb;0eAȽ}|ubk q%TK;ڦfzG݁/]i_ O7K[,R(ѻ@"9X6%u4(R㧱n7CXU4:<#t+"c9!Z= (M-C//iЄ#{)F|V /F|׍\Mӳ ;a?y"UY͢y(1CB594S'we2ClzGbH_vB7[+ÑOn e%dnwm̝)J CzQ/SMT>faijZFe"dN&2ET?r= P(1o+i8UgR'UʫA 5iVkɓ]}븝$iH9G{ uLlpIl*a\֋mZ3c J9W$bܷ2 ` QW:#[R0sQO|8"޽*zN 6NW,-Yz5{8W cpU[7bHBQRVLcSWBĞu P6C"UL/0,Dsǁc5xwec2%8(!D'6 L!曄'XM _K9||tEyYTEBSqv`7/Ufe_>v9Cfږ2+#կsgb0H 4O3~zeQÍ|g:;:-ifFU6=v7 {ɞQ@'˪k(}[*;v 3pHKҐA~aA n0$ ~U/gU%,^.@Q0:"O?/7̕P/^ n$6݆XZF4GBYG+KV1Y.9z1l xt]t|+sޞb=d*7T1qd[Pso8XO{DJ܈)QSot*}hPIf es Q@s^VߊIMm`p-_%׈%? [LNS(H=cu8q,",JdD{RWZTjEd04+\T3|X"z1'Em;,=+˘C5.^xOr`A0%ʼBu7uG#Y)dW < qآd[ٝ^%CW3ƻo K2 |3+vckН|B_/ $yKky $PW5.OmI٪/u Ed\? 5ˑTN::7͆*U\/yK-JV2p7¢]4$V(R4TQg-sxVi;(4#ؚ3/fΰVՃ5&[z wӕS(,*MTFzHع[!E~'Qlbe P31y+^pmx!c*|f8qc>}v+"XBR~`=APkJ(ɭ\iㄶ5޲8vCeW3v+.L^ .mAO"ΑH~Dؔ;?fGkhDgJ!Qb-&F}/r+y`j,Pb/RX'rn=ð&@;Kɢ* 'TX a&"t{M"7ydbݔo")}~nhrg7u9 #; Dw|>ZMrz3ɴ:ߢ-JnbK6}\-G Dˢ>HjxqLd[O.ZC. 
W蹾UMY>Ě'zJ7"fqE&#ǡ/\ =N=VIsb|* i9EUOH~򉠂a^ޓ +Mļ.& 벧 BG0bVMFh .SXsW-?k)12qL .{7H>sx2i#1.;/%04F,A+Y] IAu|ÀVK 7/8KM@]Xd4ÏU92w[m0cfw-xmB6xG,8fإrij*]F z~ ^*3kl8a!Hxdf?H^['4 Ő/=m{1º]~E7(q@L'lpW3VJn.m7>r9:07W7l{K 1E_Ԭ:< D")q|]뤩K\XB=Hʤ_/f ,e}m _";tV>g I@Itӧ:$/,hĚtR1GF !1*BN~'yu$baWM`bw:)s|8Vv=YNҍq[Ԓ3$2#*Rw4ۋ$[?eMkIR]WxP63QGI`;U +Å5ec0h[T}FGws]f}4~5{iG_܂/쵵V^|=3ֆ/4"StJGcKrVHJ.d0sh]-ŊρȖ8؃Z=>~An=8'l;>xY/8dzNL=x֊fJlKK*OS"Brnt0 Hzkߙ0FQt>KzoF6:x,la4uU~[!ZXD_+SZOp]% #9Z_WbڧP}==MnvA8OU#$",V+*/蚕4_ vedF-U$Bk(T o=jǪ'Dg=jMGaT*Dfe A)U>)47i~k %?}xV98ե&[s7 OĆn nҾqJzI-oJ[z;IGs)0ix6([ 뉩cbB ֘/* #3Tۉ)ǯ9-Rցn|j͵O+РFS_?@ _j}2Č{N.A%0wU(ê8$uTB7W8b b ]A* n\4z%#bHc{…(>}2~QԨG]x cP*J^ejLrΪ0&%yL.eg@*9nsi{27$1f JwY1*Tc=}Ds=k\F&TNmgnWkxҽqdNR oZP+gFLN ~mXE [_K'L0y,{zmzkw<ؘ4w. WV5r:wRc=u\~zQ-c1I~ c$؆%'0BVˤ^`n<ۼ:YU R4V4;K)I CgYxla lћȾUh(kh +\h@6 9Z?p˦TBHRpJfd a94oHY/ZF̛<`ّI(}N5Mww'm垒`ЍocIjBg|tk^ƫop6cco@rZ:jTɲ }sXyӮ3aAԹ1[.2y6|oX ^7bdCCS$g?7c^ C:{,JH݋lRT@J|xmzst%#.sГwP,5$l)oۂt6]RH|L*Z0gaEZ@\'Sz+DhS7q$]?p M,TiSl&"VZLN/wC5uk 7D~湬/s[ :vT i- c$ٌ 7⌽gÉ cvtܤ(l&^$M ab-b)ZW߂w -IS~;0+ĵF.XLo_m?2;:wBbP^Ӟ(wn@qQ1hMd"צWGp&'?s(kc3 _[ ihnDBW"7siӢ5Kn4ONNT#Ɣ"Dp3|@ 3>pOFUme&I,]d2l`G \=x玁+U@2|0FrP0lV AsNa*,J/}P5Ys$e O,:H l`,ϟ(oZKD~͕d-bkM LN!-FWTsތҹ[+!Bޖ( $aGd$mJZq|VOxÖ+i{tXak&& Ezkғ-k6:Ed?s-֑G*WUƷ ^(X-I0QsZY~7d,0ւb;Rr)yVty v2tw,il(:)LẢN!_+kUfTBI~(j<ߺ20%`3*x&_%)ФYCk*%[?DyE}Sɪp1#%\eٟ4F6!s%dLLbamz[F K{ߵ5SVdQ+2< B?-HSiү*M6_7|M8Ƭ͇S3?8uԚEbQEA2cd4$j2HZp.3:8R<Uq$i8a+40 t<tPPEq!"uj,6O+c}EJ~TjP"ho Ƣ- N@.].zZ3Kp߷;+g19#-}{_na3Qw|H1v(s VA6~>+o󅉀'4@ÅnfRHw$z?*BiC@ M)I?˷$$N~q ] եJMr%:fkx.<k}F&T'5xcJ/zzo73[W`'xc U(_9auJA .c/>+y]ĭ \QGkWqKCbU* `0Qw|%A2pH+YY/ #na! 
]`(w Wis-"ԄJ>uK+_Un;(Z16J Ţ:S5[3YoBF]R..VY?(Y jez20Q3voP693YOrzgm,҃Җ>"z1{ i/yp< Px$6M@--_!,5܆QġUEǀsw洓}JgNԻջPsJ mN~` +iս!;}Ȭ!WA 2!z'w<&wI8?F&psԠ{ 0^ \Sg38ݴKZ-¬I"qLnK1ZŲ{RImU+s7C"2Fm<:҃Ƞ)$npbP`* _;S@Yh p6|9BhE0u͸@(19p;>apʮ:mcfgzMLGZ4H[6H()êmVEؒ|!3tD4~eybZ8G S硔®%mdr>h7Jb}5 /0lZ}KXTm=},50!m~y6CN5> jOZ3CAo:QǸ= $<Ҧ?'"NWaWd}S?|3Q_9㷙([B>%F1H}Iޛ>rtm.+p[ѷJ{Ѵ4db]OpK<3sJWR$W1 2V5*tC3Vr#ʺ2*`:R-^38tm!K# ɐc &-qLV((b\9ΞdN4YmqL( ^PFg)__#]`IKQeF‘J'!I5 Ru@{9 F̃Fϟ#Lu(7dm$A'r&Cz sVov~l_kf FPLj̚/Tl?Rq"}>U7oeJh#b D<X);o(WyԔFJZ ؟7E\(;]YN,ɡCseyab y吶 t9َBUiU! 2%6%͙4Mg@OaXҝ7gJ4lCgz3( MY mS/Ԫ R$!)&:-\fV2hd.<@;N#p.kc-CqU,PK{A2H,|DNGun=>+`)=e\ٕYb ֬j1}QԘǂ}(f5D++DU䱛.Q$cТ\;,e ( +gX.1fSkRy\;4i{ԉ7HXu1˛M4rЊc !+{@ŸA#O֎p9uNBvuV7d:ݐ3iL7^\ iyLS񹵿R60NQ~^3;|H=Qg@W8"*fa?v5Epp:ڔK*ί:Y Ce ZIϋ3;%m&8]&w@c7IY]L7{ @/Kep Q}gƃ#yw+.Ƽ3 l͋CVdd,\ QAݕ==]8+)/t  dA#Ga(2Ƃ X㋮KP֣ۗO#8DlvTP褐eqğHTT@7>XD^Ey[^A.+_j1PA,ǥA*ĢM Y_j^=Ffq>~)/n]R;1vzd>as2hI\3iwzf@T?~V%wmHzJaGd ""{8`6~Jc}ܨw1:@ߥR?D|-M,n"RG/2\C()1zߑ%ϴp=})hg9HD4c<ӚC<K]!+ (^zSVY)q3P_|춘@WCFq"C=Hd\3i~~Y W9aT 4 D&to:nBv4j<ܐo +GOeZk }TCgDn${Ԛ0&3J QfPhB$IE0g5XD3MZ~T}m@xyN#I3!c7E=mP:ji3~5Gb؊Y9;N"ֵ?j(RRsbT2-N3Zux`dt$[5t~4R7A\ίM#ݼ0)(p#ƫ)>an0+,<)nyNH :Ij=tm]*F &m?CYfLR![Ş\DؗʹqC^msP#0 ²ƺ}E7!1vxfhly ;oZdRwլPa􄇶%n H"}0vqsnC!0\z)jl*fH(4S> 9sЗgڨ;ht7Qԍ_PhFBt32ʤf >=tBf7߈넞Rf5Tjs$K]$,Hgq1zPD#wF@OWi] i w >yTibYG2-tpu]ej.ڐj ?jW/29hS 908SX Ln@7QJ_rʦѦV0B){b}^*[) 7.]f>&* Qs2;)N*3ld*Sr]xµ jE'r{dVZ3ƒT)s|}arѤØ[J1V \hr5X6]#T,jvP^ֵŘI%CM$xKC;N"X&ZȍOt/}h+-_!-FMe_{؛Ԭ&nsG:)LcAىnB x rÙzCl=|7^SsM+I"&1bB;^DBFy#}?SC0ԴTho9>"?x+xgopIO:1cP;fpM׻ҌӞ#74RR0H @Z"2'`j+[}J[؇]]N_I CFb /nqFvK.nڱͼ\oaX!EiNU00bB2:v[eLqxv27f%?#T9AfY? 
˫L#vOЊH]e=frd^}CC Ѭ Ad(ae]^v4.-=ZpUa$|d5 ;oȼ}%j_.ossKhIt ;πr2StX]i=݀umu7qֈuKɉ~&'?ns\yIG6(v.5kr"_J[ǝITߥW R\cJ^Jm`EIk͆=R:S/dH4CKlo3TU(46Ū![fl6Zw"cQ2".MyR8eɇPPjq7lDҤl UY2 2ךbL6M ]Pz񃂤 §]Hh lOO0hةh@'ȅۜQSk@ r> .-t@ b_0k|t͛h5d/Zyʁ#' Wv)Pm*[xY6k1.N|ILJՁ-o;\+`Vp0*D;qeًXI oСIwgf:^s~?ä6zv8s׋XeR*99Ph+-[oCfš({hڀ{֑#|4K&kH {w, y^KQ5vT~odv\ 7f RcLf2Vw\3g{'u*ffty/ (LPܒiLY@ZM!Y cwz@*c\MK>*XH!{C 鬺:| [+mڧ`P7r7tbMYn/24{YکLs dV%w[2EWI{ <|%ʄW0?H7|U[ v[wUƚ2e3os-OԽA;6g=ǶK^rQrx~loݍU,)ʃB|ó)|8'(\` n$e-hӡZ_r|,YWtu*pq U>ϙB iOX_)_ϋJ^o8,Va{G&VSj>{"Ѹ H ~{K>av\j8ŋhv''m'Y$Q~r-N`Z(ѕޓLNa+}+B_1RTZX$(iIanfvUliVY12jZJ&HQ^ߎk< . )#8\%fKKdUyg@~p^*]g0P*)p"DJEx&26)uH||e._jvVUi멟d^$PIMm*0xQTӵ*ѿHx. Bn ظ|f)H_Y _WDuix菊s0U.`&ܠ]F1#9༞~fVҲU)Rn˚vF C Vꛌe_,͜2)ɚs7a<`KERWe@ : /&s ?``]xeΌ#~s1- ibb$9 ]::Qz\7ZPOLet+G%eܻBMdY*?BRɋ {ْ}JŽxδ" sG:Z.jҶ>hD4E;_(\02O;u#+#DE =nkm5蹦q[Ҕ| ɪ/% @BĿp*„IBkƝf3MwT`Q;I-f񻏪9.#LبCI7zAsi|6 o$:c?b ϐ _d߬ 5o{ā28b;Ԩʂmx-dMoiWBT:o3^Yۖi jDGǻXK |sLUU kߣ:q|7<>z$!φ ڪd{,{&rʮ 45^hBBbt `7"yK+ AHq351֔bgߜD@׍6:Abu8~|hZZ^0OqKtg/A/eKuz LzYv: ~% ޞ/ ͪ{C7ؾϺJ:KQLvE>ѡ3/]fњndJCu%RC䷰_ u+~F$/.GR٣Ko܇M 9xcnO h ]E0p#Fe މ tJbA \y5_ (3k|XpI؄$a$!+A:i-^4 rK2 i~9'7,}~5ޖt7>$[h[&Jw`DԎSE#x#Hbz/>JM6f&YɳPoMvء RhPvIR5 F~xư B~Y$ODx "ID:~ TYJ>x?XOkYdd%R!uDX}|SVBwd@'@Rߚy]<9aƫEDlm(aS^R"BԀ&0]\C̀:ʞYO ,ˀ0ȑ'$Y^!鷌-<1G%LXy{&덂MILow>g׀z#IyDgm֝(vAV@}mh3Xؽy7`WmǼUMUcNKZ?Ē9mXZØm%R&ե(<~9נ]6!|u@~-Pe!pq Wc ѦTJ슐S>7( ~?PegwFY lZ;&HbdSoĪCEr` [R逈/]Ȅq&;}rAXo,kGyCM)d6 v3D_dFbɭ:QJېJZ*3 kϜ^}X D<`٭=5sEpeAmqPBJ &w&v|>z2'ASFNE'֒"|D'uy`b84G jk@D3+k휳J޶ϔڌ}C)ZY1Y6(/T'i󾉥loh:+У.P͜:JtB.F- R،5\9ht1fiŸSM.GyG-POAƺ8lX˥?˃\Uo*%n.6RJybcFDk-LVuU{hXb7YyH0l\[6'9hIQkj^xo'FzmTsU@ /:Q t.M3ES71$rAt6yb`=b3 mԦ )YD*Ѩ$ze-TO&6MƎgR8_?W,w"7\|2X$ 81RʊW!^XpD&w=@S߅炭yrSDaHֽrA3FX_1Ѕ8MOc7֘؉73 "o\0«?JX&[[v?yYx<0`|G}Z7Y+^hbX+1mIkA'~|r' 1_=KE ŴD5=[kCJGv_ x I7m:uLGo$e+VЅǡLW%ޛSLk |N}.5Ig6_0ciazBVr_4D=ɂ-Vw3SD#ẖM8hTR^z[yzWe:y568A)iw@Sh6pq%^R\@7Du&sW%fְp}B=K";6Naz=,F&99" D[`r_D~Mㅵ9 ~#⚧3?D:z$䢲*N+^A쳨mx:h`?k*:&Xx,޴ >Ve]T<{FFG=΋, `hK@ob(  -d-dnMi=(?xo(؅Qi?}bk(j+]el_zăY(qU^Wc i R_&:w,IXQgo~х9lI4ܲfz <>wRVu)fSv 
?W06YZE>F(ٞ4rwog>#{<@VxPkL yqo\ŭKxϪ89 WWINd)LCǑQyzsx ҅⩠~ &:(K A1a88K qPk:eKͯ. w φv1h;M 6 d;t,c(=8K)RܣᆿͻJHH&Ź:/ru>,"*aglg{b  Q(y; }%cWhƳ΍ -27dڔ>.iWt2^7;]]~H?E$3/מq6H7fHQ׉[0N]fZLalA&>A=KR'Gr5!<KnHq` Dh&{R)V9Չ߇>D+}9/ vN.~[2@̺(ӆ`Σ_mH3>ä:ùCa]YV:ć_jZqY*XoxW,oM^Dl|z gE1wQ DF)r2u`h]ۈL-Tc$ cYJAaNy_+|z"lwP|JGIܜ Y˾cRDdG鞍lBK+Rƃu(=:`~$ܖWF\ln~b[alQ C4b, [Ϊ]ZߞQt xs .uG=݋, dI<_W8ia*u_:h4Z: uV*R{yz^5Q!CM.06v3&_U^z(θT& wAZ"iPZSG%GU`p籅 8HpQ]ݔK/ـЃ *NeA6{6+[IsN;Q3>С9^&y筠W룗vIeVKi ~۳tk4޲XmCQcC=)^I;)Dy~dZ7U_yufy[?|:ߢ"(VlPWYĥ:!)ґ6OAz,rv`]v3l8Xwf0eIϲfXv eoÄ=kԺgH@}􀷍큒0Y{b&usGƣe3g ǁDTHúEKt(t1s#T% +z.ofw7М(^*ŻRQ]`YW"ВD0xQԜ zd|1T 8oukc`A |]w fu_`QS-t- "ȹݝd$\~_,KOL(-!XjK/󬪮E рMZ*GA 7`_qk^; "jP:_۳,ǀAۤ^v.q#C4+Nsт(6\?s!DɿE4|Tx߶j+u_A]T! :LDojK0M5Iީ *|1Hu|(@B+qm|Ar2Ͷ,% M2h.ITCZTMUy] dm"(`-< T%ϧ81ntȩg>y'r8;}WgYN$U cmc19O)7-ܶn;Ȓ'h$8B+ۤ@ !Ch]bJcGk#Cn"B&`KdaZwCUQU jbRE2E]4od@Tw9RKD?TΛ9#E'# \rc\`nvyےhrΟL675w(Vy)@6;jpNM{) %kb;qq|iɔ 3/E:mrV8hcv ȹ jZ/ajbJbapi&έK_Ш3#jޒ4يFsy1r@+Gs?62H{eH]lK2LDdrHk {X.5/dE_Zw? xېqdcP%vh (n'1݁HF·4= ^dm,qm}9 T@=!> yKǂ\Gi<]8-T|nyΦ}rvMsqHxb\$^G(kQx2Cq3C9b͐H a@w=(Y!x=V#Al݅<9kh:[=.kﳕG Ej|N\01s![|t໐c`PfaAt7k;Į`nt|^Pr@ͳRn,ϧs<8E̘RAmZm+LOżEC4[:E[&@^5 eDhKIB_e/}/5}d8aw9͌$U?>a!gs̢ڷb:`Ȏ9<u27騁̔eӔG~\AZ |wνg%x*Tқns94=<ݜZ=*AnZZjS H b`Z%lA&́O/<íf lH&GDЖ͈,7{|y@HH^10^Zˍ=V]2hKAdkI62%yJ >eD ѐa>$,%p2 B=A)b)z$=(4Gr:^lH", 4NP 1˪wK;#>A4 - JNk) HADH1n%tӨD08uu.wM bJ?}+ .u5rӱX)Ƥg#iL*'=_nsa7i7yJ Si5|%^.4k?nv T%GHVmDwX@L!>%cvлثLGtؑ oM@2莗c9Ɲ@J{nYj" j> "5g՟rn,mEa0JpNI;\ZQX -^rS-mZQp3tD 7g+ sL}[bFp7oyqY^Pu3x8fcsq.kUcWًt?fo"$8%+ kpvDIp|'sìy@?\4w~'? 
6Y.^s!gս.k٫jJ SW 1rUVc ЏO4Ij%+L47JJ)ǭiBfcɄo!oQJq ^Q uP:WjO_ҷ2vMe1jKe/cO 8f 298gdHa$LF?_q<{ҕM@| [mUyI-VAm,#B䶾b=Qs ^aܖmlk}\cݟ49yvM?FtƉH ̉"-a"@1^'!d2ѽ91M'+R z+e+G(^l)<_3ƣ ܯHv`(^ 2\KQux'H9>畦QnMj0;7i%pMp4V>xWNd3ï&&$)´@&u=Mװ^`s5LYİO8@s1=w`9ng.;&Y h^ >v_m6-OMLjwr_7Q~l5ܞk[ra׍Y=@ЙH!]rkEXxc 4aFUļ 9B _ίF[G3l:7xw?Y_RƄ;Уؚvr6uUMDPSP4 ΍%8KFH7+@xc#+w$hes_mʟg迅$"_}&%1uS?z|G #scۅ{F: hᚈ:=/DH ` J!)G.Yݫ k?}!qj݅ X@T!xFX4Aƿj/޶Y3:T> (!͘ivxQЄgf߹%ռg5T 9Hr\ghO2UL+M^]9h!b{uk-EBPswW@Ytg U,D`):QHVww>2774\x|qnC8$lYw;sB*0~y^yyX*&ۅ$ xmoLc|8]YQH_)L^Q]1  jHVKdU6α'mnh*IH&v]9U(Fm?ad@$C 6-g~ug}=q81Is:Z$77n2 Sdqݪ_8Y<*DdbμJ>j)D::BxhBiykq% JM(CeŘ 5 'ӝvk&հYI*?p>P*0aeQGd6s'U6!9^O5W"" \FlpZ3GN&QABCbq,C(pܐHg #$5B\ZXC5@1׌gQ #Qr {FI}c;'C2RVR ۧm)NaL(z7UwLkZj8|f%+`Mt7ri٬Gsz2,nD)7$ ҲUPnps@BxB% i7if!k]'6'Bx-F4C[c*OdPЁ?u3T kzQ\44_zkwpwvSɓX_YA^[a C8j׳:y*#}U:$LWnreg.PJI\F#N%f _,qUS1t. x0n3t/*`ކGS-\S4m:ke9E;\40b+3o :sS/p* oFKjUo-$Vߠ7d RF$4b= u 0VL/"Wa}B/_g+^S\23N6~cI-d+LfljfUM l5  =Ʌ2sJTm c՘Cdr0 ǀ% y8q@?[禲I:V"a65c0}A]"lBO*fOݟIvLn=JCrVH vIAn=W17={_>-\,S'.KgfA~FdOH2+}Xr%ЍQ(x}Cʹi{xs?-v6DW+:펼k#CeW y@H;8Gwz 6r͈/bگD sxXB[D.?SeEBmtaB/ǫtfO"1|-yH!Q*G31Efi3{Ӈ?q5`|`cR԰НQ(!٩tf%Λ{N1thQѾosUItd'ЀB~8 鄹%crƮD}rۙ 62L`':7?eۀabKH2Ŋ!{;F+}SlC9 +ȰaxZp9]i A5OpP)U/st}uXD)^wn>1P\1pQ,&dώ<H T*F"+R[>̯!; 6Q4 L᪠vR;=Ĥ2A,3TG6y7}}*7 j}^)aQ#X aC ]FNAo+aItm1'taw᲻/~W3>Fc#_ȟF?,uL+ߍqЄqLo?6H.Ib`? 
<|]K櫲/vb/Ysf gҕ1AK 7lh^[_y~yΜF{͟X1i z[ b{xJߦ5YRA]HgX>M0k+=fڏZ~b^f5t`Dfx(SlxI~}m$f9,5"G(*Ӟ +lD95jXkηށmY lՏjZ|DaI{-^E?֥VޱvҮwlMiS36@%dU©5AxƸ:BVBBCId>C mud(q;=CrJ)AGgSm-za(|vЌMb(BX 6n98u38k,஀N#?\2{kąXMs j^q iY3qV) ZI%!ĄƏ!N˃F;qPs@04H!Ms 8co9$K`_]Ua(.sn2^5hjg*!Q@dEDsӆ3-2K 9e aGX"*^*̅!C^E' `k *ժ.,dnEb '|43&O몜:@ԟX2#jG+Vj)| c6a0RBl4\ xg4oDxI ,,g-;gSVWU0T)R%q f 2 "Ⱥ_ |ԍSsK10X>6W%km`q%f 7HHEcva`lM~m.P[JO/&wc, )"q?)kbhhǓ%:O^YgRüý{Qz6ǽjqB8^w~FUL+z:TL`>?btlONN} " ' {oM~?%+5#Skيa4BIbDՋPp tdhW2z*K]&uǍ9\p>Э ;xnT1ڨ/ Nӛ85O_4"9qz]ޯǽj!IZZ ?H_o5 ek Y6p¹ItLaIzZ\?DB8k %opZkkVyy#dFI4IڌuLaņ uk@?@"&YS mqI5]Z4_{&{DzB1^ !'Gηdo= &N>`-/G~^~L7WUx*wHd7 v-zYໍrbxʍFTNۅtnwl /"w1Ω8+4HjcŁXԠ`slB0 h v "g+Q3|laZ rz엞R wkAS1Vޡͪ!}s+;mg+^LU+E9LΝ`t* Ec#@6WG8KXrαu9BzeowprgnDY6 J!.{/}/@;O7'5d5{["լ5;t1[)@{M$-`oB}uLٖBCˋ>9<*kh4' %(I G7ѓ$ :%U֊sڨ@u?]LCIr[xSsFtxW LmlЗbyW[ w!8 4}Q%#["'ѶhHuڨF&o$wc@f3^4/Y; b͉f;͹i2 K_Hݐ[~pl TB#7ff;& \GqD@277j]fߏlMWDhs 6'aoZBQ6xVِ !)Ž,};w66dIi'*k_;1lslr{Cb FȂQ]1 dpɢ7M;@im3H}(xK2=`ϵ%4tsgӝ` af! NNeA?n=-toao[^\1» 1wE!! 
->;c.إIy]v^HaX7hD9 Xn eA PPBjC#mDxIW<>0SdƮPN}y(Q.g(TJswcpvJA iZ[( V7:;b|1KH#ZV@C:fP gy;*^#*־4n)h.8FE9GNuT{Ի ʵ {=g:?_-= ;/B%&\cA=G ^(nd\#e|zB݅[IK)YVsa@zp;~AVs"^-Ρ@MjKz P\zâd~`ِ YGH|}Fv4 UA`:*Y8$?F%^]N'23 ˵ey$5P==yg 1QɳR݆ % ABzo(<{}gj;H9TN;qW\s9f-C6vG}m5 P$ZdRD m_^м?c$_)<~Bޡ:^+5ٽ66yFl3:paJM3bȗݥUNKK}|4pn|28bLЉ*)k`ց2dZmou3.#bhDx%2ZCE>6Sؚr/ 6򶎅t;p]IPΌO1A'(nLvdF-=<*Hdx*2R8Rs1oGŻ!W 5"lUxAHzpRa>"e?q\ vMزA rr8(g CϚ3ٍ j8B/NKIOD.tH!f:z:1 Fw36E^*[>s醙,Wd1]sჩ[{.o7:p㖃1˜K%;Ac5gDH1Jƴ+$eְ]S 7  oem0e*иukT^V^~U$.߾yO$`V0{xmz(ޚr]p3W^ Z;pujOx"2cr 50Z@تbq 2ě@I* bHt}ϬS^.}sqp$£Ϳ 7EɓbݯK=BrDh-uIZ:Y HhbKk|W\X980qT芃14BJMpe\i#|%HH,h 2-:J Z,ASk;t@b@ d2[w fZ/ eգWqyXB , UAg@q <`"5ؽңBi<_ FD_?E1cZQP_q2"@oD48`Dչ75כе`dP6%ncfO'n`:b,nԨ)hR1ȡG9#?8yf"dɶg<ePͷS]qVfH<܌g133s[:̞ww7)@6 Wdoj{|HW ƢY yGܥB=!9AWuѫB)8.X!w]qAF*P mT^+aO_Ʒ׎`%-oqdC~8[tJ@, KwE}HT_/G!thn);E}V-fEB&pk}k;].TXsݾ87 ݑ㣂02T[ tǵUD z]!Y'Wދ:MyˡTH6n$xrbVp*Jθ'Lj({b'1>*#N2ύʗƧu4W(-ӣӵ|e'WJzYҜ̦itKs[>f\1 c[!vm$ij`7ѾGhIx[VJQ+S8Z3Z ::>OKS]_+3N 13Ac"Aם:gb.zjk:{Bt d'/Ħ RaKU"yHGeN GH?+i Eֶe7qC-,1ֹmJON]&G0 h聭!axj(g<w~+Leb~-jR\]IыrC=o>pK*{FƪXƑAROHY%t_{=37i A XaP[7XY+_N)t9tGᏫ]Q`HC]?WVSH * 5{ʣOzX>$N7u-˃HH ջYYAW(7ߥcvӘqb~Fy㈿(2i0C]B?oBGz H[H=B}̭ _f`hh$%ȼ͒g0 }3.B5ܴM  Ð1ˁGQ.р;f~s͚=B_?i 9k:(DNMHDdkR)Тv^s[eDCR.x֤QdwƍV;l.oC9An ӭ2o;L~ɿYqXO: 2rz/NΣC'JܖDiI&pwkfKJ{y6v1y\) "x@QO){m8{>M[Hʂ*Q%e3a? %S9v xIu*XQ"q4]UkI5FUv`~_tpo>RMPW4wB|9L6"x1:۫c+=KԱ> sڨ}4K@6 KbM| :9jϤ*+W=CyD7a;x[T>cE [ɓ[P(Ǹyh*6AK2\M0) V_~TuR%s+G{OZFcyzh߼(#뾝IlDZ.&J=>3CPlMWAS[zG j`~F'vk֍[=4.|t;s-wơ b>2g4hu;6ϱU6D2MoC> +(hti^ (cm/6NrG11vUp48$u\5[ Ocf1~[5pTG-Th(ƌHK@`Uw:(".0'yz@9YsQg7d ! 
TӹrHTo\c_NWII6$CDcGvS9؇'U^P?^>`x^oD"ign#(I=}ӗL+b9%`Y @of9J#RL%;t ^w.M,oT!AiDUJ۴^OYXD oeM]-f?Z3aGOI 9U# m{,d;!'_{<J=F\PѲv) ņ)>)Xp4r}#V-1R|b,'$A @-{8L|+JpnRBF/H>~"UB<3I5d֘arl~4G4C'ZH)-L|d$g$fhIW5,XINi@nKaynZ h`EO1@vy(ߖP'j ]*Ba^J!<鮠+%G$ƱYȱxӑ"h 6<ܧd 流-SfY5N[Zݻ&J}PMԽ[: mlU%hmqn'%YyCĘecuQ>??ȫI>G#-tXZ~}bfaFRnҏYu~Z=<3A23gYaUZ[CrMN0ENh3T62:3~7t7sfsb#k\p;~'(GoGYs_R׺h/lgxr4INF P}9(nR<=6߈F,~W|qc]jx摠y]:UV6QǥhE#d .%eI=IXNqQTNGJ1q`~B|&;S`0 =0JSSz%ѼDgM$FZs\,M^:{֪֭I3F06՚pP,(+Kp\Fwc/8Avo"f +deX7hi{.Gie,AnZ~*N \,G SF69Gm5)uܪTkfS*xє W-9`d[Ω:/l:=xĜ$OGRCRUq9a29";؃PLjT%yzc!!ͻ21 \rlMʵZɓG:fTk.|8:X13P0e#YW_$j>GA }LZ\!lV EfyM׋#JoVW~MPg#S0}(4Mӳރ*4=,\$&&x%ԍw㻱דmǻ+/O \yocR* 9M Z qt;'ik<1y#ΕKAF<ETI;}wM%6mT%aTRs,DGT!Qck(H&>LvS\kT3;@, ^"ᨽmF~݌D㩞3u']"J #ם|%wz&OV[ŐN;g߆P+=]ⓟ gi_tjC3!uG{#M*,ȁ) ^Fd9~W"0dU-pT{}º/qɃSyv{*|\HS~cd~dȩmVE$}i0Sā 2Qu37Q(5 #_bO):).l 3ZKwךBt'`P\6(2,u֥/1a:,_A2z]Ԥ$SJUCRGG\##S ՞1(N$Hs kcu&{eq_ڐWWr]dvb ǭ t-Uv RӒi%@4Ӛ?% @8DEZ5層,YVD.p<|;!ɜ;LN/6on[8fwk%< >6y4Q5fc`,mnx]1Z\xc&$v㠂Mf"7 7>/j(Hղu0TSu4ћ*/r:k6 \sPӍ#vƔ-ẗ́o[Jv֨;#KaxZ.x:~/\>PUJ6l/1N~)W* E( >{6`%-RͰ誡j:7L (LJ1YfS| UCe/c oo*՜3F@>Au~.< zfX/2<;4j¢4=|Zf urۍ!Ym$:Ln'>h<"s}ZשE(cDٵpν&̇i)-*Դ~Ϡx+ji5h`^/SbhQwc4Ms0b-tU]&bQPFŕ6y0ta%e=?JޯOaa+z}&xSV"RNm]*xS Bt jhh`RJ *g׊\ hv30l/K:9 HNap97P:Dt϶efbp(فoI RD6 z!t#mlz8{usN>JA"9a=I}"< Zšعj1ʁ.Iͺn.u4I`,I#J$St 8VAKͯD koӀ~^~ BE3 xXI;h8%k,~_T#^ zw@i-a K|>ZOoTIM)`mjS<%wYwuS Ϲuƚɼ-%gp SQݷl(\G;u#YX#‘nnF}n̪ްUVn]v&Dј X~Ge=L0|Sɡ+ ^c$QղY$ht#5`Cm`~.Rmn[.p7H `=%ߐcAh!}2+DDw;}\[P QX T$`ĉdBa\6Pk4` LwfIM 6lL{ВJpCS>! 
&K4.#ĥ=b(c&nj0Gn~2r9kkNعݫ́nzS3H㊯(x[)9dN]HiKv<uM+GzIOhwO${~;{{PAQkO/%]FSń5IZbD^yUDŪTԑhDOf,^e秨O6*2BO;0r~Ҩ)#7T}/Ӓ{H *W-#Z £iF2j]i)glgK a4ZyZݸҋɪJ w_݄ OdNZrSkl]g(ZF6X'$ar3˔zgziPO 淎TTXh¡[~a9>WD},C=gW{ ӑ7l@}[uDZ~ C^)n?Y#ZTE,tJUK&P$sW>mބ2lO0]gl#v0844iXdN?UWW4[HA5ٴ!-6`mI`#³ÏF~j+y&rC6x́jN : A;eػ،I:jA6 d ߁D.+-A Na VDg6'Te:D\v}/,MqilNo E=C< ]yZ^<;Ņƫ A/Bh 1/E}ZxD0)}  ҵeP0KJ3 ^Pum+uGܵ-XdɎSۮ)K͐!._D${*zӧv;wnéo>l$uݻXMHCmAd:K}(1"m6(MSɽ'FnRKc Z^[h~%J;ϼNM&2>&X }rY`Ѭxe8$nPWq;^|Ʀ>?+(0oMz+oN,|L?KNGm&7?wD6f3!;^`xēu]~uř[5Vc7-_Quf }w@}?"҃s [Gfj#A) |Tr#o>`֬_Hu.[R];MTX<*}9%:nK@pX$m0)xbգݍ©C hP8(r`}8lð|0~r!DNLr|꘨9* sQ; ͨqSQB=P {{]yމA%}_XqF/'-(g:[8qy>dN9-ӌ%UF(č:Ȃ0iFtƬgl ;w<>u9xOWͅ=orRr7V]@⇛]h^{i?~NJBʩh(^qwBYzb#lL;EE0ҥ+c{4ǰ kW)ɟxeڨ!UBG⭢COkSލH,v zީ-dã!.޲Efp[\hف;VvWmw/ "$WiC( cva$.: [Q* +p]uhK+Y0f y9v*W|xr"0)Q&?7@E̗SDjܧu؉y]f1QX9]W]'VIN ΋N )Kt|@b|Lbslم疳xddIU2@Wm)OȭsYZvJ&jRwkr5C^>R8;ls5~(M ʲ/#3ɘVoe [z5 "TDxgq4zi~67nc7\jwg0rΐKr/oT:# D'=?JkL*e(%ںeC(߁zU|eRP7ƭU8&n*|%$2*KY^K]fsJr8{Hk*Ut)Bӣs '->->\Rv@wuU8y-9m%|q2k'yK)Ʊ ?[jx ?édO$/r8,_ ,9|UwD|fU}/jS@(:J͚y;yo ^aj9С}~Ř^Jtimi1P4s !Jo>r#B!>C3[r{6̯=oX6Yf@PVLb|׈k#Xvr+Q+KVN6*KQ_o6;*~Ut D)<Ve訊)ZadhFey\Mnl OZm~,FP;dy_*,^ pa8NRܓAFo37z}RQ>$ K &a׵EM<4K}waZť L KeVu:{hgڼTJ}\d4!pb?E|ϱPqjӽAV^T{ 8tTW=`,NC'%,ir]*ӾC%wX{ޫ.TW=gD  F+Ti}Tȑ^{J -T{P70BrI Ԧv_5ΔΕj`*Mƛ4}˩nNuyo$ Suz;zV:\&MY qA@ 7mWesY ‘-8-O =FtW%_ֽGIQHj_0y?|UZ1U$[DTĪa$#k=[}:~3|o1H$Ge?ꓴ""JFPȏ ´] Kw;Rza./ą&3 H__4qEeRM/| dyns[ȗ&^yK*¾dv~{N 14l!ll6(G IdZ+]If!~s]l6y*͡&<ذ?Z\AEe xa .$fp֒u1 ʭ>RtՐsצAQV>) NϖLOh$V댈A2dzmXጇ57> s Xu'uwwJF??AN[[gY_ 4); n.[U$[T뎦j*M 幉 \,iUTRŞNNYU*dMC=i`E᣾`)&pRR&A\`I q ük'P.ܠG7oPhjGZV2@eΤt8rY@naC{C.KU  VzWE~h{70ʌI,V K-ᲳˠvJp3V@u 4'"_,ǏQ] @.9=Jd];Kbx2^L9@lwU8`[Nu} Yo=W;"aȪ7fCLPl\8 oDG{8IJ `$LV!83ZK7(ml |dx(wŅKXb)6转 NVQLQN-[UK`eu(!󖩺CۀV~^(EHjXw$U;W:Hgxi'9ʮ7Vgʲ2W'AwpǺaQ8+hᾪ(LZU\&q&wזC) KM^7q8{5dwdRvW_XI_f- ;0h=;`Iz a8H""wmG`:atjY2~}`OD_!$;kb dgV!kOМ_;kXS|bRdDYڇ%nZP-s,Џ,qͷ!I|ʖ11*^:+TLߎtQB3yF숈 Ubs(<끌$u<x'W(3e$dl_l:6m(i*Xw=I!ARa3YTi c&Nne~kͺb l[͚#-tJpZ.ǡLaAۇAS헰xŽV+]ǡiōY%,̙L<#^(k=ި%l%c ׮Qa? 
R9^^k}GFH@ͷ~= aBęvA[6h;rZ*t??]}Iuۗҧ@4e4-oy:L-PX2%W>]B{+% `8]ECV(%Y1dc?0wG%Y/D2*rVzGƾ60ƧmP5za ™ѧDNsr)L(&]-mxiF=\v@!6e s|nQ+ԣ[ČK8)Qޕ\}Y~4puQ^̓JwbrcL>:#'\#͐P,. %'xK`V0c|sXRQ p^QR xXΧz ic+_n2 | .{@-. ?yFi]K/ CE!# ̍Hl"$6En9d$}5dTDx/҄s!Ӟ-#zg[vpV0ZsTessF2,צд2I>X DJПV_m ӑn0fJba% h5 y8~ЯQ?2BIW"jVF xm/1 GF 'v+jXv-Uld&K X7j/)2 |jv_$5t/*~;'R R|qۜ]-&\p:]vSeZu<}ɛB㼌֤$;\FrDx$B#Zק !R1־m׿ߺ(_tlPɲP{[*gEթ̀2&": `Wed:@ȩ}s{p|UFfVXAV" c3.{dL 7v][ E}$fX%|(@?l:·d`[>wxy a40̐0))?Uۊ$Ux`'R?zVɦjعr\rLpMF+a;ɺ=!;Љ~27&dgTW':nV/EC)A[3aqIaiȥ颲4z(Er@[p+ebCR # ʥr|K(P\#)O/R1˕2Ç90{!SIH!)LG~>hPH%$J+PuZ?KN 谚^nۢ'lx߃Ioq:s1 yNJg?O[?S*Gt>oՈ~*sr5$"(yE v|sfU.s@9ws"ΣP [i0zVsBK6m/&T\ $}ĉlyZj? _%d-d49:t2gm We :QQkIQX7M^ W̪3d!Uh'^tWWYu=Ɨ̀3&vWn( km0WȜG0wk]7PP}jP}B8|YCI3=гe zW7IY N/+CBHD~*Ɠ$U\*I.pC{Hn~<\=ILqHEϛ1VXtNHT`~ZUvPBW֏.ܮv$LXMg:9)SͷՓ6m?Mgɉ>sD8L,~YZGZԻzsrcH;H$A.&g Ј^TX[SaieYSiG"H}`Y>.nj= ma胼jlV0NQIlx^OtD\F_}ûUZ%#&\W޹PU5=HP4FK=M_Wzt ,<]~[ܨDn hGɐRiS2x`rEH%.ar稁)0`r~O}-PYdTk"'q u*x^o]%&wL Tݖ,GNiؖs%KۂA-:hW )7 ȕ\MqU7}"ʥЛuJå`e6xRI& JC`3Ašk{ r;/Wݬ= ?_aY,EüɎ*N 17_b7h\8PN]CF@6[Jxz]bfL@UjI(9t!/ݺk7_#g'zA] +s7CpŚ58_ӓj޸U0ZB8FSZ +ʌ.mSzF LN blg3 1zTy1]eƘŢVORc܈{wadF@Xl[k;1Z -DO(TK-ayoLPc2K8Ìu9FoxsQsV\“5$}Orm$atVMi(ms -HWOFl#)+U>އzmhva_}Itv+Y 7P=~2A*+Ҁf--'$2(Y+?a8b&9xRtk^׊@ DjRߚ)0`)5*ҚsL|8ߠ̀S% Um4,?i, Q]X5+0_2BR\[#^dJ-~OU'bmw%Nr!_L߅f9dd̵ xJX-.edg mا+8髐4 pଔ6:dw+x޼|Z(D.oh&'ϤR'Hsu-]TQ}킑|XR yQ3Cՠ"NҤ-%~1DU223JfH>d*ФPb&f?Sweȧm8WGlkrz.ٸ2TJm?QZH{nDe{=hZ6Q 1_`ȺrM͜YjR)WD_?|qF*rkkY3W+Gwunc3/4 fXA66cqSh&D~d df)=uؓd/,44/>zEmpLP}Y[)4b=LMa`n9ؔ=#?:RPV*bp?C;ySѓD uR0㲫.H|n8$K>3,Fȇ ?nLXPx!CveIj';tQWjiS$9dfC@IF,'5O"F qP[ ~^4x>oǩYۤj3I%7ڜ؁3 &N;1?VU} :_9S[HZ4HoZg!P!aD{kG7M*yPӊ Bpiᚆ\eHB.(;|uVO_ *hDّh@Qk-![ViBg10@z#1?Tcfȳ')34<vc8uUKom3ثH&gj7_asp8Ql@ܸO_5AZ@wmR'w]jͻi5VY_`?, ~Hpy1OEܼ0'DW6!^ md+[ctπ rs649&EQ‘XbHӧ}`VY]mΔn_j*\40#.dN3+bdk73:ؚ.lCXaE0\-0"od̊sQhձ :M9Q>aGS/OQꢼsGLNL?rMD fu?*2ϑߐc:ѳ<<{i@b0rV@A f.">}S,Q~\T%ʒ'g+~v b(3V&RZ p)LDևEu ;1*T-%o9$OZ[Tt6)cNt$f< K k.=H+:]4=F^K€ mg㌼EI pdz1j*شYCDYFT9PD{V 
@o@^_sʳ)g?th{gg,l9m-Je0dBMN<:ITtQH\9LG2;6RdU(}koD>QrjGVQ"UtXl(K?vr$rXBx)žrmq# -àօhײuUha!# AB&̹g-ߚxo&RL8"6Gbq4ZѮ,{Y4 q3dB@v Q0 IEdg'8J7LC*: ׯa-|KV34u5!Y=Uf+'s8i~PqHZU@]`7ox3z#!͡t[ub0M63 xLݞǚQ\:jtHŮey~cgq-Yჟ%Ӽ; dm̸%Mm|`T%7P.05 g`i7x`5nZ=X(ʧ3kqQ;gև{HV`eJi{=gPORƇjBqz? x(X,Gp 5ItkjO{bp<ªZW, >ne60FB~;|n6K|pX@"8H- &wŠ@>BgsQm>Ө09OBeme82()KTOǢusmـ-.b73HK9:ux/J]pP7@Mbvd,ԉ0'Ofvb& ~|}:l;wcz~YM1$>5Zrנ;)';|'sMnt\`K9 (yw'5fIFVi膞M{sF Fک"8GGk6GM?EShNRs^os!m}/u'cî'̿hNP1oT(RIe;z}u"lz=Ov%F{OJ~tW? ܩdhjy[%̭ ^yMPAhHs`c_V~jCȏX6Tl3(gNXvnVOsX|Ɂe w!3 0t@UJV AFSd>Gky4OxC ׉CTqR(O<&+vG";}᫃"e xàZq/:6-~l|}A5OxL߉ }^`L)$eig]c1V}q"+H;w;YcF˓i&MZjx$ 'a}yNUO ҉0(lPG>ftnJ< @9w3"66'v _qn aloqF]v1h's ū2Ji=qzHuT"|8Þn_U. @>Au6aNt;wSG(:WkmW pC&<e;L?@c]FoJ|x?˯ mD7:Ӣ{=`p @ۨ5s7K 5  [PF!{e'8 FO?j7g2Gw0%9+jiʁ5dl _A($!4E3@h#gW`yX~\616 %9m:!dڡy>oDe r"+C͗1f'HZʏQrBsVWv+wpe_c^]IQvɚo9G;8ã-0|,dY>ݓX]s-,.OXScOQ|{b {CWw0IH Faz(ti}`ʼnVy*`) 7BZr؟(beP^qקH^1m}$7ޭfD}XP soXq c[ fm&̑l+Sh)e]dҠBׁ'Vnb&@ pK4v8rhi'RHD۫w5!h3 ]E6Ղ{C:;כ]}tate4Jln̠T! ,~L6/Jߊ$,G!*2\T>GO4M 9|`@RnQqCZME=[9jKb]* \̆N]K~uBl{ QgL>1-2CfK+@Q5 j( >2\,H#L)9Oo]tzqx"^ru*G-Be;G_ja-yHKV6/n" GqKB7 !]T>[?R!x*l:_8s(3 < Ap/m]m 6lmSLP+}>Ol{6o VUX)U':1D\B[ޯK!H,]`\تx6^C;m]A4}4]Aq/˥°fRpezԔZ׆zLGG?4{:<\GOaZUJhiGA2)6T). X/!Pr*=ZoOÄ{LEi県!y׃Zp*ȪK'FѠ7 J3K@Ƥb!*l)Bv#0x}i }Jk;Zvke!D]U͟ <}ba׋ǻN eDs܋s.R#q O)}Iѐ@/jme` k.GOȀ/Y?׎y(у)# X3Fn3=혞nΰ{ MzuY"GD4K Ɉy$z,ת|3].Ӆ\繎T";sVoqfоދ@Ҥ૨]d/2ɎJu`ft@ܔʼ2*3A+?i4Y?BfY\ ~7hHieWssFCHJdFZ)~hIңX_}n K{›3q'BC˽EBhWCe]a')'dYh"oLl41M@ƞ>2J&I.O 6yc<.i+c83 #f<< H \t}3 |֓zpQS۠U|d[餶,0E='4 qҭ=\+Ë3J8*DSa%M)2p &` 8Bӕ%E"Nu/65* F*}޳oRQgGM=j`[T*α; Ӛ]BRWW_ kأnδ-kj)w)̐Z% +PT #_k5Zj7KlD:E']Wt$yq,R|@BCMG3q9E9%_MM *1f3Q ;4#K;R"X@jtz;a=be8`6l5)&F퇵 F νW9@ECUzbE>:?E0悎gR36[¾|/s(*p$1b"\l=w>)i9!+zjQJ:U]:V=řR$-3YY~p1#%vǶU~~}يfc}Ԁ8^v? 
f۹Y$Rj:EUXus!2KZ-ד;m.͵;Vhx- D"*0xT(zߑ W|'cE;ߢ0:e+wox!s+?+>_C1GifR@3?"c6y~.οSC ,tgyrNx$fw#S8ոLr򞽴VƝoH1u.cc+>u֓t69[@> *[/Q A,k׼и{%$$[%4J)-~jxf\?nn릪Y6GD în('d Zw3qԻ%i¿!GQFɫ}4^U2;-dƀgAS-LUm , ̗X5&)sۭCș^K#~Qo6# jqc$ؤ(EU,_=oL?V"d51ȯpH0#k:;5 rU=دv]J΂L r Xػا jmӕ{#2yW1ԞNYFuI6ݕTv0NyױwxIq&hyZ_dBQAߩ^׷eկܽK A"\Po* czǾZ}l} ;\:Eףu` YHQʖ_ڣ-bE'DxPf^E92-ۣ̈R6ATLR{t9iINAYay2aOA(%h-qUuM/s\ũ I Tz6C_V ]ml oOϹ?}Ygg2 Ց?3d<{O4 NwKűEҟv۫07É VhY8?5Ӝ-mv@Z 6u_.|)&Wjq5a=F%(T\^#o.ҝިV#gcϋg͎<գG34;[St߻]1ָE҃]㣔p!}7ř~ Oh=5Vf&\~2a]C"V ۣ$a"z`6&GM6d1 _Z8&2 6RBf%T4if|&2?Ē 3R weGh1[0ӟٷgg6tQ!*G}`^oM]wTGh0im&f<a'i[*ш@V} gjS\1,EAøЏ>2GW(=+6#;_\í.,ư%jZԕH&YlM9Ou&L, 5Ҟ8;ǘp'x>[y6^ijAqjLN$W ✠2{^!G@􉊡nBqʙlǙԛ-NΪNÍrC5*VMQ2BhTh;yWlClt'*ؼ&2HzP8B|@Wi'Tl5fҎj`"b*sQBߨ ³>j44RuJ-vLt "M7P7wZ:$YM8n9 Z]DMqzu8'"$o~KX$*-҇*JmH6Pf%g${q]>DBr9FroA1𪅍+_U^e3ką= 'L7%ݘj`n_5il8(H"Ԛeͼ" 㚓tZI qnɯgpK(y-jwv$Y0Υ Rv$|B}-$ öC"'jd|oȨ,묮qr%kԈ^;f[7cegj3Wy^|'c)ŕ\#)ppCrvtf`}_   k^H*;USbHe-~5'[ZUAlv;76`bTĚFoLZ9-Ey19ǰ4U# \&q&8`tRE,S*0:l Cm(<ʝ@o*d=~׽B#5e)"mozxߥxh;H`B[aa=@*$Ǔ% IoC w iDPU`c4t*fA?f%7mE3<1]0BfMӢSlI &gT8gU}w=+JF$j]_!FM݈fT;F6!"!] 
JgP\Sn]޷?MOQW޷G4O.kΙQ #U؟ 2p9:Qد8 ,WP.ۢJHZLPi M>.O U$f(I3,ΉJ15jt׎_l˲I\u F]dtitr'qI2sS=1,MUQusǺ:VO}[}a4r toSSb* 3pK,_"Q% BzWP,sw̳{G}`*륶eK8e~, rqEgBv uI,您m]n/ȭP hS _R1n(  .x O#ceΦ(ئjݟ0\\g' Z)Pߤ6cچ+ R6Ex$ȌP6JJ"򣰶V4RDoUVZi$6|z <&xk%,}BJ_ARs;`xϛA;''Ymv~8x80%} cCy~wCՖ]rIMML  cF__=L:wEr,*v %ෘٖ7*K)Eq<a؟b`wKٳǎߞngjBIֺ9rΔ ^`^$)&?vKod[&EosPxȗ&ѳ`Zd>`6Dü 2xc3w[NaΕq';2gn wzF '+$Kq+)W IUQ H[7RE.aBb͘FVx `T%Xu>mF_eZrܒNؙ氩]P*|׏~44O悲ޜڦ!sSd9G@>ìALPHfMI6 sKNTR>| mo)CBsj1YddYAL;xZ`ol zT$g4oRU!xgeD&Oa޲vSuv|bd-ӆ:bNh,7pe2" t{>UcO։U$}\oW{ Tp^C%1pjB;9#0?-N|I%nM̏]@j,'5CjEƚ 6z&sJ-8GX#[{X3 jPDv_&9C -'"HR\C,}z'͎FgFq^#R-0-„h=ꣷuSnp>U(g vOo@P)Wؑy?5p^lT64ށn8o ]MY|ĶLٓPNEغ`c3z\vgBQwTF3B=odLRujsسq )5*e RB\J|_IQԱ=hh]XJ͈8%UٓYP钙*:UʺTl-91D%`Sx]A8rf9 ~]@.Lղ>DžF@a rg?^*!YqOS'o$ /`J{h| B!"|Aq핱p`)~1^Ν_1.jAIbnz0ԃN6+H-XP)YH~TctIS؉*X!cY0̆M 6OY#St[,9 N-c-JVX{<}k8V )`AA!DTvAԎƑrKp7%z9`?}=+g/T^ľab0Խ?U`f#4[kQDy(!Ṅ &jDq@ 3=u䃜Ѡk&euv,/h"d|'f~eT5Q 18w8%lk?Aid+w86aƳx!W†p yƦk+zVܣh@WPmV$$9Ycݪ.]ڢGݽ忣9imy09R{yot3r&~SP4QGLK9|)NONBZc:q}@['٠h3M;./7gP$ _߷PM_ĈdBh=-k"6跛!nu2A- $Q0*d ni]ܤYZ 0Ѕr$ʌkQ۫$([fF-͞J46嘝zpMfG~OzbD!j0"=JꟋN[-[ q < yJ8ȢJ,ѳjO[ bq-)GY8L⏴ w:),ټ ic(`oٌ8|dNjǔ /]:[/Q:JʒdgxAyAM5L wsճ$+iV)徊vِ~ntLЊ\9fq(724]T0XږM(ॡdMchkK`jTkɲEH+V"Xo_&Wk{^Ώvz>}u`+i`տQp1C*LY>8n:~X^mnu$>o;xko T;Zτ mM?sXO7d ADgsl:B*J15ʺXlsk֘xR04i9 _[Р?j&e.YҼ^.w`"nZM-#ikvhSe[ r$O'3im/AgڸKx&PA6BC˭xU)b,Ulg{lJ^ 2;Td1M{.{ SE+FVѼ65tߥm̔ΰ] H9gvEJ{pˍʕ/5|TIr^>pCL'B|&Q7.f<2kx;/ݭs.޸=#%Vvՠӵ9Xߐ:1)+!D>ԍJ߽|=U[❳ _֏(o NWo4n3f_&B$9y2h?R1^eҎquIDebhN˱wwo 9_G#өy iE+Zq=Hv19;u-tĵ؇cbbKMw{wrcL9 n|ޡIX@z,GIƿ6ѫ";@E$씧:ב lWIڬRsl$&STYt7daztq SFFuSdoC[Y,7+}Km:rohǼ;׵3K>laY'ȁzDFO˹c9;! ^} iBOh1B|.6 f7[r[ÑI֯zN\HBqLdv:'>% dvIׅR-B\?ؤ`q*I9 R }>B?l:o9eGMTe%D L-Hq:}xDTqd%SycS[j_L\P>iG6i is^PD1i;ɔr%`"{u4;=ǙUP %B墕cy\Nz[)J'rjуqun[D많Q)ɖ)Kx8Ŗ] AtI9tF~$~ fVhf3UB~ntM _,[wP@G= #uɩJ5|? ;"DNM%q&-VLA*]RR>vi Yy,Z <-OI]5 р,U[&W bP"-y}73+B):!樓ђ-Vc* jaaIC66>?w˂+[&-XvF4O:f]}n'W9hy"/<.]?WnBS&ˤ-=pMޮ-04 ;h MiڵZOfmv)QEI%E%Vyb&1B5*l)&7.1pGu۠tVWfbϔeS7͙[(+cǏ[յaDwġ3ީ eP ;0%9f)3 IDC ŞA=4\zHX(԰U"C|c_ZpQ'pȍ<ֆD.S:ZЊ=h. 
i!܀!,.{T зeD6$}榢*| kLAGQ޵wlÌԪkTS_b\ KCѡSB(z~\c_X4 ڼ8RģX k߉4d!:,")A*I %y܁䦉*$fsȶ΃F~DwkN2}C=Lj|nd3,[82,$ `\*mکem%X({gj;-Q.jۋMf=յM5'W 63GRyfT@ֈ q@d͓}k_v& 1tkZt.T<u3[D6pekHُ9KHlyI*ЌKhg)m? XFˀU*K8yd fH,QQUk{l7iwDŽmb>4oڧL BSOԵm( :w>UItvOs(ܐ:dRe{v@]B,נu2JgLn2.1v['|ne}A)gB#sd0Y" ]22J Ƕ@jOD&3?wQ/(V1j*FQ8ZmX0,^0Z9+(yzx`;Y#eM`-YvLS<:^ogBN͈Β5QxSz=N% PyZ|)"{\ud.Hs:;)1@_(>ݩB.'L,T!Q)nFi>' 3KOb' 1ja`b_?j %]a /Ie﫧NّwaT7<d؁-7zseb(^v6Y Go?mg+~EPj[Oбvnό99]qQ9Y3dHMO%$} ;z(h-k=&Mgq+?/4yD]B2 m_1yjw4,_*BZr%Hs#Gb 5}(P+*6kae1{_jl.$֗KoJm&j=6sY҃/#X| D+249JS") 9 qTk-"qM&}MFw6[ZvGzgjlU&ʈN9ӳkXUg oI?Y] U (p6![ȚLREn(D\o]kg:TBb)[2ĕzz[NYp85C ,"! W"߳e`yJk~/\zǀt,PU(Ş@$@Ij3#ߐ}EY%Jc Ijw̲+ie}nJH)؃VM/;{9:5UP|`vnER mE;&Ͱ^#kk[@^Dc *:vA0T(6zͦM[4 Rw/\ԇWbR5zjRv*ɬQйK߿7描m=2īV2c0j42r6Jn2"&C@<M-L.gXVyOSJj'nn9]35Yc,=>ޯW֖d!R]jb1c wz[mk Q^dA}ǗFv h}DqT}Up{x{".~ָ~O@ =sT;hŬz&F;Ur 9k5>*y#zj `N'<7*.m2tNNFuVOcIm=t>|%sN4[]wP<>, |c<*Xg9ujw9,͕~XhF gx6+Mit>GTMW3BW|66y ek/x1馌~[CA̘8Am9|O?:Ť"!5C3d!#q: }BR%3Ξl5{z"@k+O&BrF8Z.wۺx脵OB6jw$;%=zع?ҩJ𦷟9i(p>թ0`[)o`h6JaA?ZeŀKU> +JQ Sm o%NHo;H^=Ч"r%\,zmeSUG; W.^B<'0 Sj t%2>Of]L dRܟS]PCXP'„AE2ʯ Ohe vl?.zv< t!)զށSH듃zk `;3SºVuNj^gSXux*8Hj{ϥt#Gr7OjXeY5\h T8qx7J>K +qp{9r7# Ug{ݧNF+aB=uޮ&{!h1eUjl݇i{zLѠ ԄI=Xbb(|3yH#˽*I9 -%CnJ:QmhC[&i@wg D& I7mL!XMjyD?`L7rjj;[ʃ=t0j)_=[L_hC8j&$AxC*C7_dG'S%@ד;ŬиrvmwbC6a; \Zrg=e=YGj:oP:H''nBQ7'HY`zֺ?XM/}y_̴KH/h `c٣9KfU ozWn9U\1NU$*<> "=P\i^/r CP#e +bAXq_& ;zOK żYڑuEAayOO8t B\˧b(܃ a@f(&`ˆm00`)' W#JN9!bSE5d |XH] 3|:#K5>Am!(&iNj`/mX#Hs)>N9?['NZU54tM}q_^{h Ӑi5wwua! 
'RQ$s#{ `V5Rvm$+" !Nɗx`I,ޠkګV~>{`7+Na·+HC:dPoȷ ,EBP1 V]uit|#]sC.}GPbɧ 4MDD=[.ڋA]8x6+`7<@-2i5S t)dCD1DI_$Oᾒqʜuc= p3sHFU$ȶForUg1ӿ.R/ c[b M$XWT6}e|ih9Xx%9pKj_~o* ݉#Z 7%("MTwWtfSE읶۠^Ӿ̚ A&II x?'l5P D]QM>4傭m8ku$J30擽 }$Tғ@ ֌2lݧAw#); jqL$/] }J΅aJ'"tK:mt4fa%sln X"]!GN2X UQȸ.Vٔ (\LD`4B.5b%(ETA*Jy[Va}@R§\˼._mzL̶m2()h^w&WKvy Bt<*2sWl9j7чb ͓OvLݩ,Mr"ARfBdP\}L(2`pd-^Ն |WoAxʍP'_92D /jQkOO'ipw&َȷĤЪt $ZWl^Z ZdE1.2FYHb^D>"yh}Ơr2JJnɀo!F%>Heq J/1HYߴŒe{A)(4aN^v7qpZ˫H$uQ*UgHۣb̅'tϞ;d@8p8VdۦᙬhlJ=jc4N?Ȼ(biӢSk!JMdTߎJ nj%C#ucڔМ,rZ-rs1M}dFD%4~~4/R0e)Bx('7xE8tͤ5oBTE%`Sߜ_j}{.Q8+n>@0sRZ+lEe7Q#{Ŵ( N hw~2KK+ʊ,OYZe)aӛ{f%l%RKs`٭v\CLnd7069ǯCլS8ے3>БK 3]k$;foW+voo+Ύؘ%'["tќ}<>sIcv|8=~9BRR\Dehщ%6,iP)Ur@!NH2}=5KB@` o7JfLl+"}!y\e]2$6>9u03v=~F݃+\2~s$-H:l׼i>D`P,;-gbuT>(%R>OOAM6(p]P2VVL9L m= @ ,a29_SMtӯ>A1PL_LmZT9wzJa=Cӷ~[:* au}j(BUlNg:?ɱn\E!xj08Π( 6Y--=) Uߟ%Wo&tYR;!}T}m kХoGp 7Op}>y2(djㄮpi"~6ց 'ޥ fJ/+>`R\luM ҥ.&Ӿw2z+wf@kKYQ-Iԣי4>Rm7N 󥐣 ^k_&oL 3m pB8/#E\}KO~cOMF#|dPkћeBPe s ߬{^Ͳn+iFy-.h]XQ:-+=lFq3" וMUzfL$ l ӎe->4$)C ~%W|=E3uZ `΄!o̙:@+_;>NNA^f9I}v{j(76kZȥ?M)O* F=`@F{: 9VjHDٹlMA*&Xx/(ժCݗppH4,9VO 0gDp=So@؅L;41 t8O3',[UX3M&,Hg+jI' yVe6xc\ fIuiTgvѧ-x$g`GB.9 wXz~'}:Ea;,9ے8BE&^3PIʀ)h ྦྷR&{6;fqz3hW[ܻc艇ȉo3}t+>DQa2\)kg s;0gMibf w?Oiyx"M)L yfl@r_`(TfåHRvm2 )б5_Cd&F,thמ"jh\%P[`q̂q+%3: vf=.zY}ﴗwSAqؔ[Ү!g;Ѽ\lVuzٖ"i3T/fa oCKb3,M5G}!6dvDR3wLUWmz_To_⏀bo)AQc^=~'@W7[Ƿ4d|4 ^:\p*&P9"TF<0$9م'ǂ\|ȅ5mSh=B떻hש?XuGgJ&.1zּ͹)ۤNN 5 ̊`Nm:F״h#PD)zŲKŵ1rxBu{sHP~0 ^T8yP`Hooѹ1!=-e;\= V)D.p&$|R|)$JX6S_8JitxYV9_\MArI@C>&T3B-o0o+}`t'`riy`b#n;[' U\N㖲\&?t-W 3=9 V7j瑽xUf [MB;" I v+irt+[%tsMQifE\TT_ZmsZ]Gaq1Td?1lwzatȒ J)wRiIlxI| tڀFnq+V-oKv ;=SP,͘Ţ1? S?O@qָ#_?(,hێ8֍f&ߺ3~XRÑBp`+8 sZl5e TCMa 燫O>(zZ;S~[rVV:W7\O@Z}L+w'ZH=k2 Lz :Ayـ qA^7VtH=闽@eYxb!& sfy?h]!$tSZjmxɃ5:(>^c8=F.dJ^W]z3. 
L4)Z2!8P~E֛Jrb$fi -D6d'#.AR#L<C|ho fOvWOVf>e<z$%;-R r7NG Vx8d䈡'H7N{.%P9&mB-1h Ns?bxWdu YkBhoxS 7^ C-;-T xTOłw3;pPf8wT$?ӬѰQzi0Ͷ9B*q5TgYG %Ji|0Hݟ}泄>%UA|YA\3*%/;29!=BQX$Y<2 6|M"w\T( wdgI~%5aů0Men<(IA KriAeÍk $rnxH] ?Qy=?},i%ƾ*; D@ 6 d WM4ByJꌇ&.:p|L1FR[Am1 qjiG:Nf /u)0]3=q7?!ҰD% JT(q+fKimXV)s91uD"aRC( z!'5þ2 Χ5y7] aV]Uf7hN a>1'x U6xE%!e5S[t߀ ;d;` ,kXNnrKHAҐiEw/5mtډEt9:k=ߝN?KE-# dVa60Yj|Ƴ9tOqo9ởyz&[G IrOZ*bK!zN`E(r!:&@q_0@<,VoF!_RFVt"5s5oߠ,C[dc̪ukZ,5r#I :ZMQjj77:x7=J]MA9Vuר &~EE*鮭/8&5cOkT #n1˦&6vFͥRbB/o2mX‡mwlؕuUQoBR$*]Zx4!jqCOCLvVǩ ?uJdSOTb]i_L }AWܜE$ce!=jUHsx9aeUwE+)z}D@Rj2)vj\24K[LJ2 H FG!RBTb Y 1fe@4.f" 4ji a3sPT^Z{]݊ 3 79rD RTIVu ՟7.ER .(=$>^+"8E7\":3"žڭa]yӟ5/IWrN<;dBBм6SF6IuwX,HφT9׹VTL?gK$`KQ M1׷x]_G|qi znHj&?+zrJ=eJX_ Zfko̽!KnJh30rq+m)aɞ(< ޏ j2Ld)_g& UVuVͿ@Ffcퟓs!C+8*κxL lO%aˆ1ˏZ;7n0b7 2Յ"fƕ--ĽY";={L,9?U&04UԷŏf3; g%: 7GkE\ 4MӁG_w@%o$Y_6Ѻmrßw*G }ye2E a4*>Эp@J<1qz `l!k=L7wʔB'[ÃÀ%ݞСz oՅ?xc(H1nǬdM!*qHqX[gR^̠ HdJ< )!K8M)ьw >a- D~DVuV)j1f27i 5aٯb)4ɐ6(Ͷz<[5@TKf} 1Hk+լ#.vU[;C !XdL0uy'efNd+vET:\d:3'ߴr${BJ)Қ]e{Z T pd+9mQeK6j`' }G2TճbpULX#ZKa>~Z~s'^A`݆_2^P{vykK5<KН;h2MIH[\b항mo ~/& J\ElU^XJuT}!c '.tBK\/b,#@2xMU iTzodT!Q9&$A|zT1E]"6Rb=)$ :'J,|~ltڃOJDŐbN?.j| n"O3SUЅWaH˩v+ޣ_WVF=n=zKk"P6[GMvtf名j>%xa5]L^LW,xynƹ?Q,)lXTJ\e;1{!~![ aU P#bBxϻAV}`N0P mNE׿ (sKNqiO/%=/gRYȊŒj.5C`t|OEѫ]5'reӧi춛ۄ$"%koqR>׏__ E*BHHG睮q:7Qp.''9*=O7=#CH[w'ba//$htBr UG._wrɉM7ǯIS ڨxNiLYtS/rr:):iDoev.x_G;(q%t> =Vx{IN}-A16e afqs@#tZnΐ):U $,?Sqx}?ht+oj4Mcfo8@o\Ye=BQw#~lo}rBnt_uɖsҖTk]P$SPn Ie憆;0|1'Eh|P2FG({ ;SLt&p[ `0 %HAj8viog;( >fi6ZDsيLN\3{R/ߒh"&*tg5?:lؕO7OH 3Kx㧙J(+#IJTР oEl¯`df:q@؞y*+b@DQ.Ra^(uCSHe@%&>}J-"PB=mjT" Y5hObtb^y8:(R7p%ڳztfq؜[ +ljQs_A`B$3ZH~xa+eY\w $7k9 ?gI`Щazz!Ep){~q̺y{ { g"/^,M/4i"_nM>p6ΉLRk%f(<^p+BJG7Bjn=yq/9.X^_2*c95xVwaXC6hWpڏka (pQͿu֗c\lc8dKZ99cKj]ǯL~]9:Bre[K2)~U  KU6I1Cz3;bΔR1pp3]Pr!}{ȁ`ؗussɒrn=#+=Wxfe6oJ5l8?`pEl]տ'yѓ1 kx4m]_;D:X5Sz**mN >0.,a7`=#U^o \0l~4Ů@)۸WސI1^>;bgݝ쮧ST2ށ@@j8"?iZBIur1:28ĮɈ:+IXY"hk 2z;}tSQvޗǖ5JP)1 Ƀ]P, s\ U^.Y^ûGz)PUu|5G"^[D,\Wn|M.ߺ R(/ˊCD%BF6Ѱ7v/Ld. 
=qe x"3gK= oD5"Y;@f1(!A@Jx?(]Ό MPF:3] Bd!#'kE:/1[ֳ\U6N Y˛4C&,(Jy8pņ{di.[dsHЧu z1bK\Ap;@5m3.y6?Ye[YJ#c-HGZ\ ?薤ՋCPgAX%A}-JD>yoʐ7*5 h{y$^+9P ~w7()iuA >Z2!B Ӹ/R(u5r{wI+amiMK8"un43/e7AFHч=Xĺ )ciJ92y @Vo>D޵L  ]!̊t;@j6zVĭ? OP¯ r["$U 0ϟXfK^ ^z$BUQhDɐ}Z1,7#DKVz\pҟL1*=n-& @bvWnc#cn4LZbytnIaF+83dN .{hTZC]p/|mYeW1Kf3PNVU3?|sZh8ex}VƼKļ&|!hVвy G 2԰AH )E@Ac;Wez>e3b gks}ua#s(Lߤh:G,F0 jˍDAe%hr{8WSͳ2+.,1<^p$\*2Ɩؖy!y WӃ Y+6wj7!X[?cNF{i¯`^Jl9SwdkF>yZB$)I-K+ʩ٥ 0b Q>w`rA.DQh4x!g[oR<=)BUw2onغ?JI&So83P?gdvH мj8s ߇?7 jx˙{/01c lRJ,ieF;ClcZrVx:[ FxR4N#&9jN;GCD90e>S {\ Ţ֛0+I %Pw/&ώZP1L_hHɸuI/ ԫ͸`G.p(lPEa uvBj⿏ O[q60`)]L\@23QT_AfJ4-MoĀA%iQeQ֥#U~ԐEjWĥ36&rt$ XP zdLx:]Ng)7ۜA0 ߐ^c뙊6woAzkd, rsQo7y-`xu HY }2lav$BZ9I1BV_;DFYZ ]:+y~jMNmӎXrVcgVg:WTջ92'00ҏp{Bc٘)1yVtBSIC2CY2C^=Qu: +jil{InjD і8n?iРRO6фX> pt/5}.,W9ɭT`}B`N|ItPHcsV7QRT1o]y=HbI1{ɧ;7-y]Ϊ`K]\}"۵fۢ~ y07 p-v&k*@ w4R0`6]Wu턨kf:$.(eQ$Y 돊_gՊ?&I[oqbNKlЦ0#sC[x~t;emCI3@VL-/*2~PLqDFgέ(O37?Tq6;!k 2q0jSwL-ܾqF/JuB$||AWA@~^ *~DHOV[:V7,ʊ9N <#V mfV^!4qH5J*W6;s{IArf|i\8{SXZ#&*WM-G6"-o2:27֝ڿD|0hd\zӲ \F -efR#Jd1M?˵3eA^ 3D!uta:BX-e5Zx+6㝛(}33ʐ5gObk%$@3*kܔM 3Xԉ_u#gB8HT&o]rUo# Z&嫇"}殷~+cfs3 4dp ]ަwںlNgh,0Z67Lxz'lɷDJbפoR;1'bF䗷W{>w55//+f3O/V;i\;!g|Ŭo#i)_N"!S6nRsb;L>a9T KGGIl#ћ( |\cюfM=Rp/RYeXz߮,,kg4<68`za]Ƞ=ӽVĎ*Zds}^.y,R1uN)=soy"\ƥ)]0)`qt]{fyHcY ?Le*gɻN4 K}q㠥ٲV Uxa_L$ZBJ}@5^g iѾ7HuAIt%(}ʃ_Bhy_ >n-pv^m WͥD'#S?{5!IGk/yr4[B^(iOOa;UQ5:f|I>vLPm(t3`̠JHb )YvO`85X iY>q5S2}}ElpmU6Ǖ0@h8e-xZiDvLZϺym2d҇]*f ЊԨp'AG/fb"e,(6_?Wos.G3Aj[%eʹsvJdY+ !PX  ?(.',e^3`C@}hsMRJQu,+fx'nB5 s+:F.EBCx scؤ͹߁ \:}E,_ҷ+WNULkTA|+ῤydKD5"%'c7(wCgaםz&; _7&,s`X $ȾZ^7h vd>RX7CتtP`yv'G7cޡ U7Bp<)G+qIãJXB 0ڗ!u P;4q55ǿk0 Ői,|ŲزKo 83gd:[h(|%~t]{o_vp9wiYƱ٬,|Em_C2wb0iy1k5&Hz V,t48J֍U籋Q R{ NQϞ[Ei_@hA:8Ic)pWća(Guhkun?K{{kiyQN:^Ti ;H;5x3c ^QINO(dnTfS0b򦴓FoM !LHjb ({4ӡ)4EVtVP2 Ov) 8x?_c,SY˵՛b;ƹ>5 PMkLVY.|P>:\;l:k}d$M67mxW)5]v -3e2bKNZ1JVN5oZhͽ0LCa8(h+uZ 3^C7-ٗ:|]o>D!DVnnTr}"DӞI??-+d }8X ✟C  DҒYv{{qՔ4-U kXN? 
C?eJ~RQOsS݋x85` <{&jFV 6fώ[fy'8-[X׳NFE;SeB8S7<≵Y}./ Gh\s%uE&s:8E[u&z-tgcT.~p69lq٬̀pc?Aa4|4bv- jM=,8[ڋ)bMJv yS#$AaК}Gd ;XC|AfA2O׬Ϙʃ"E?i'sCo͝IDN}f8_y1w2ּHa;rxBI-olfʿ͙e WC~D @CDй{>B{Yj&D2 !ttv$-lS+oL%7E4&O0YIMz|uFZ*e' 7-1AT:?<3 DQsE]Y)AGj-q> 9wzՉjFSf\-z/Ym@Us axriP%c#bYIr(Z!4o[*CŸ ]S/]mM4mX󿻖} u8άsfk/,PUE([C"9~-A kW؄S33?)˂[ŜpAGTp.7 9Lǿ"HO0`jSlA4QP$2Ow1mU}]fJECc kv>ˏnOSYf嚦?s4,9甐x.{-Kz((ձ]is,npZj8_#OEH+|5*+R1OUv_΋BY$;:+&TndIev"C)fu^\ k"ma.naC2`~ ;||Y<ԩ~WC --[v[kIہū >[R{>փn̟-QH;hVܡ]=A|>vZpHY7Y /*L^%\jQo/kOb#ZqmϒlTUdQ!UEPڄVy2]JD BjYkA}K`Pş%rEAF)A|o5NCYȿ+Y$ yzU XVV|('? /3_4NN>#y }HXT;IFvzX*}8͞Y[`}&yAŦ|5[Jb}jysc3H >鶎c>$*L,[¢Уb8׃d.P-䴣npTaX[]{rA3"XL|RS=%ZФREe{>,LXgZp"ѐ`3y/cM(Jn+u toq+=F> dj>qCC4EUO)w.!~ lK;]' Ymx4VpbIfI3F)߹$9xt&GI@.]GH>,^ž i,Pn{jNsLk-xՉ Vnͤta/:B/9d"_|@`S ARqHMɲ>#ډ%Hj!xlՄ*(nOz}ܔ_tbvXAh @Br&$OѪ\UctJoD?_k\V]%?ݾ‡I(i帪 OhkBdQG>_"bιQ,6|v[%uM2ؑQpqS}i9AuI!TQ}!ɽ kT@.Yw JZ "i(aO .u"vB7BZ唦]}2&<^So֋?}%,ߗ<;bRQ%+rzC||`y-R~k 4%0oj?{\KʼnF)&y%E7 ?1ǂmn~A[b\LBFIS!FW\[LDv7_*\81~mw2s4cn$9,4?"[pHbm }?x`+!aR&8{ Iл[(O>Z<ؙE\OfBkn Gٓ|'n][ezH s-b&srHz-h8̽}s؇c/i}*f۔Qt:s9q".Cʓ0xwk9R})*Q .TfUx3 ə%taxsĤ/lgTԏO[ԅ9j#Oa Qsg}u! FWpb%?ce)= Te1^ieJtQ[Q\ Q(FGϦ5Y aVP@aÞ,h3km^5hm\bџ'YN7:]Y+W*8 )irAX6W<(#̂4a%F_X%I]n٤QY=IL'~a d:Gűѹxi({ԣE\P/_3F--.Sbׅ^؊V`vkGXxF'k0ǁ1 ϹVc^A ;{Ȗ8o1iʛ,*ƾ]&X>medãM 7`}_ \rQd]Cװn"D6bHx2tRj?\wNa trIWEun`UwsB0㓬b˥Dz.7Sm{B !3TrJ{R3b;|¨ rxuV7D =L!jߡ8bd}'Λ~\ Ztgq/⡑^ ;9Bz?P hJ@'}FucBǟ`JYfMUci5 ^;RֶNͅ0{ӁC*GA'nD{C,Ȉ"0m3 |s6g鳐b㈀ "ye /.7!V9C 4DѬݔIc ܃ gQ]@j7@oO9_alZeV41w`iFpyi(gƣ q:t6Q>y&nTlv 0W š5(ēTKV P+]y0f[?|6׆]wJiR(F" (W< sD7ãGV_pOt1NW J+n *?\=Q0ULU Q=Ydx1ް2V9C^/;fWH(Js#yej>AO#ܜ֥s_OPdT&RbFL;kϥ=[VA7Y. ^E }MEV{,.o>o>ngN(bo&FI]|><67&܄ӄ;1ןFl.AI';ױpCz{)0L;n-8B7O-+x1ͺt~|5 C}Չ}ψSoVU5dEfGI $QhYPYA.d 2kΘ`0@I HlEbV1 uyo?]dsĕYnz;4J #nkFKgz>O|%}-P6i ހLar͸<3KچL9k? 7 KsEU+6._BcӨiЎR3,>;@5!`oՂGOVLyh3JvzW—l#)JOo/j㚯58mrR MfYEea(ƽZ+3l1/tr%VI^{z+, E9gq>u g>f;)>G:";اf~\uB7r'-R$g\#|ZBr6Ou-ӡ1Xǫ7h{f9_Dsy z*n‚Zj9jAmkhf;\=? 
N}@H}HLh iۗeU¶{1+T\*jb<qU@JzŤ}8{HscwqH |V!e% Wkf/+U ǞhlTe+%בZ|vkddzuG٩5ԐR ~zS1Ӽ2xc>#(UI9R7d5'g}=ۛgtip{s|^0p=70U8Tg̝ܶ J,<ݣD9|9/DŽa&S7T=ҩFWFXxgw1WSJy*uHB*SgM_EAv[{dj8!/R&6jsz`1|C?u%6_X-Y. ޖ>ғ9P F JI߁KK!ТmRW+&>O.Vp}̬~ВPFMGE_3!(̴{7sPɟݶ*aOe9ENPlRh|CuC[94x>HmI?FJAOlSR p`v M=ر4Qm ݖ}Z'fI[{: `zj?KpH m0BQ/Ԑt=?l׶K~3yAj3*N4mB(o,cwR 2zB"|QꥦMd#ʷNƳ94Owt]ƭD,|mjR.jAgQOuD[4`#ņbA^,gW Y1A)Ǥ().-i.5jF>#GkNKNM2;G{؈7ըx@n5%:&!?s]y:`~K>z:!ڝT[7H&3ORe+U/ DZ+jP[2ir{Rє?Nw~*@um%+L=!wThwp ̱!{*MYn!;b=O3ofREk$/B,j>$p |л?@hx̒?= Xd3zZ ~3B)O$ܽxF,u\QHV?qʖ_wDcM\(P(,/#t ]n+P HlZ@67P/?,b2K2;DGQqWom!Pn{p >*ASczeELuI-Dq[-魅iC*;k|=-óCޝD#!˗8OdbQjTdLK1[)i K3|aI63#n[W|Ɯ_@d <%~3i̘k7zYR=G-u*+x-b9s"ȿ^Ǣ),wH}ioNiXD.>T< 'V<(z}8o6[ԕHpNǬOsI|]xюgdrz2ur"}_Ęg!Jj,0-; r^Ș d uN(vmG>87$5<5"X9^({SfI}!Etb5ͧ?[P>+dzmn~u}AE@e,런;rŬe@ m 5KhgF`s$8hu켄s$˾P gu+S4BL W wTn \s&r1C.~8iHgZF"|hOCū}F&0rï(9Sɯs`OF.#u ';=,.A|LAYtu:(aL5/Iwϡk{%KmFݺ:"qEwBHɃI-O2rn:"PturL!A.3f{b`g<{ ҃W6y%9sӮ_t+$g ={y}2;cT:[ud" 0ոP!C%'5]2exr_&o̼~xu~?O` PM/R_pe iƶ B %~!J Ĭa/[v<^X92;S2?hpGKoh";bzu0A (p1dO@h=dmf*q'q嵠ƥC\<8b=~19 U:>7w ? f=RnOv7Pl.o 8La'Pgle4`İ >.i 88Oԩl=S3{kE~jB:s@q{ 1D۔uzxZ̪cN+R𽚫F^ 'UpFq^Zyb>]uu:?3AX)g;Kk%=Zj^k;(\f:~PBPcP%QA-ڢY,#ptcKԶ6[t .Z5B]}&*Ee sJe5T|A'CiKH]7Z>mF.)>FR* OrcqkUk < j~K,jާ,1b%҂goi YiƜ\~m>A徟ht17~o2>KOZ>#dx\ҨbB@/{Թ"}R݅Bm^(xJTY:RƭH64Tڠ@&-El6y-"a|mW\d|VkpGpڑЗqH;KRVm%.k,m/U [~zGη`^TSq|,M6[s>F̓i_r y; S!gL[3=[pq0 0 YO0WeC$՗'C6BY'+@ J)8brs!EԈ–sͪ+(K$\8{9ϡb_(R!'ESYD_a;CC5Q^7,JL/ Ō`µmk_ń/edCx=*U4Ad-NԆ!^HKyJb\RP/!pW@av ?}#ļARQA@0YV;!?- HX&8:$` ^®*\1. WYKI3oʥ ".Rlyc!f[&wICR&sC9KwٓpO\>2U ,sl3ư<Ä#p>d"u SH+u9Fog? 
Bt #z|?4'qf)MGXiy]BÞ՟s.Rs/*3&9 VZdgǽv:Q]@̊@$|oְr]RH^~vFy]g"EvI$vΞ$H|nB(0 EL?R:"QCϝx)VU^,s>jwx3utYg,CH 4|EF*J WlԜ+0֬"f cGf-nӯ\f̷?{8-ONx3?3nO)pCO)d2БwrL0yMJ)&Y (qûƽˁڒ, uC>0G#7VQ@" N|3כ#7|.Mوx l ZdjorŚ/Iq+J1%0K/?4 Xu@3rۗltBX:"!.YEwH Ǚ : )IXl;4xl=T 2xK_b#evv,Ƞ4._8 -U^C*6\K+9&U)٭ڗo[gf&Gc kYy ؅ 鐂K!w]un#Gh2(rZQ2(i-͸Rh^ hiACFYī8[PPxoH}4bg PE7?2ZϷ>o,JP Ч52@gbur{Z׷`LN$xk@cƬא.:RXIJåjȎI{>&AT}?["-3k7 C @ /JRX:Ľ&|gf'+\ vJ3xk]nksDIr,xx뗹D1bg۽5Pr ['ş[ro7T 勪\$kn9j]7yI=~PT V 4HEO f`BH "4+' ch-V|Eq&zK%!!+yAg0h̼]ANhʫJ\zuψoЬ$jhߏ}yލu2*JC`mva'ĹcrZ,ބk{U+ N Ĵ({5*: F ,X -tQoc Nj]B$و@o*"-I}h]_og8K‚n~)L y-W<,X@g՛ՠCSDj!;,2p vGSbL0aOqOcg,^2^boD[iT6ݠ2ؽLq4zRVl$*^y oÅ# NW*f]^g*(9m;E_*_~qTyEem|5^.Yw/g wVuAw 1 ١1sEXXe'}z-)LGd,+u+QqCwA 4d"ׄ`.ie{~AbD^%j+adm<1l4 !TR %־K-4C [F{e)`@+pxl[;\3]Џ)E4xbx =[Rj_`߱6H`('d;`ܯF)Z\+M!;VW I \LDMUz+s_ßBXI.˽Ȅ *f2lbk7I[KzK.55_b^╨!CN֕heŚk ٪\ѷS'(%S/ z=;+T r㟟yϏnjzd,#shEC/QVnG^tuv!,R QurCge@.b;&4',~Q뛞ZE]SV؏xrQ&el _O(d-R!ND']&"|[=6t uåb}]`a,OQ+إyoDh##;mX!c|T-R̫:srC~Ѭ4rc9:|Vٖ>Dq@gOQ6V!,k)0{'R BԻ,[I U&X9j$Hp@}- `m N2opw57:O׮LsW]J/H_ P(\ 1{z39HÇwh4q@!#<e_Tr6:xaS7לj/`漗[u:>. kXv5RfBڶ=RAstwxLK1gIN_G5],Tȉ'+Ry|YF5̟ I5-J )̋I?"w$ȃ*^JS& a@0'ʅiXu2Ͳ [Z}Wk@P1Ucl{D[>׵ZjԻ0t@UXS<#2ȩ?gᲇ0(7vⵝ\eԪVNPIZ(&?-̪M`T$uRM8T24@9E5w`j|X}s!lN `]UҐA>U.[VB74F% ica^GSYFڿs`A[dKEkRҜb㎗A}JAMDy6{T}I7"Na+KaT{VpA3q:x|~}`hKNF+@*MhA;yI/V s"icG rg+A<^xfF6Кek@<1 n_ԑk\ ]s]m;wѧ)"9̞`'o+ +O(ڏ%A[Kl4ᔐְlj? ]let:s `#Q>(X>^Ft0lmDKg~nDY9q3~[hDSP竱7zة~WuAzmIPsc*Ngڂ0ѬXIDz z6Dyh°@\ /HZh˾CAr*yum5A %gp,'ꅥM҇I;lҿHXB  .чbB|5zlW $4C1pbkָ8Ay+ 4h4Y~Z dnLP1'GCp=:nnr`LG2uFD:/TP2$OK0P%} 1WzINs~}#-K9 F>Z6Y&x?dLeՕo^4MRN`j)N-V߻IF{SSy1"s)+\f|GyKSCYpT"bJn5{vPx|p݇4Ų[3CbI!ao 2h_F`EP~j*l m9Mߏ.ݯNㄒvoAb;2sbb(rle+02nj5:q@VǘU\nwXʷ Z.;8]!&m)"\Wct(}mkOpw Sջ .fh G^"c,RvS$%ސ,Bٜ_|Er-\*ܞň(^wOÀޱ;ytԙPs+sPڊ9=`C B+3>+|T.s[ƕa\I@+;$-m>9-ho%VmEQO(}u2ڑPB/~oS g(s5֭^8htlДWղR~EW ;nONob .x>? 
UsJ\ "~I7ܥl̝Ai)m$ tH\A²UdNcTܨNFzrG yd aq< ԑ  !=B~2x: FaQd2txJwz;!Q oU{%N>9u .y;.O#&e*p{<36(rt~nxqk^7p2pߏ,+EQ{G;Bڒn+\ioԃgSIben'|5$"$`0MK\*> WOT9Ut9+*mSUX;p7Q*xCĺuLI;ˤ`sE:"ٽ<߇Pnb,"yJ/HE 8Ա>~JMjۓZ\ilf߮d['*sqy 9]'uLu}idǼ zVT${3̶yN {#2+0fXvrs>欘˘7DXʰK0DscwX2%+S~íD`lCT*؏.V hS4vμ} dʩRy講]@pհ`$oT#(;{y R\b (-(H[ԋl"DnJyZ_WvEB ׳ŜQlQ ,*gcsQPў-3R*mpo[}rôǾ-IKf;Cx Iqc.t/(4{dNyQ2S䈙5F:leËwY܎;tC4 KvB߆%Y;W1 z+44jϪxd$6?S}ϴ7ۦ|R@}y~g`sL_#o8AnNR~ALY5E6R@Bmp|Dg:!YZ{k㇮4mq^魎KleoHrGezC[ē&<$Ip.'C&WV}$v̤CI!b7htbq|0E"ZqeCG̈Jkk5}fS:6 BAz}Ak[ќ%֢b}[>3ljۘ_1 ;:Trgvt2pZ3I[ Q=a*W`D5bWR7-RmQ;Jt4(BebGx{GY];0pD\$Vh9rOy}GL$CqR`t<.w;HSan&Z:>R]V}yrK7J9:j3Na {؃&>;週(6&[LɱaR!Vz{=3 9{mL5w ը@"&pt PQ- |Pvש(ǕrrHxUe\wiPnxY&S;@xb螉 .J$H|9ytRTqJw wIpz?:cDd{ICɴזƮP@ѥ=q]6<۶onSyDyn8@v*OK,/5jRO| /L;=k4F8g?~XQPo9E9,߅Dih2I_/+ R:;eA— Qr@)o}uynnc0=T>`deMOE!W<&8Dta cv3~4WӪsjj X9({pK2'.q.VN6>?&s-$G4Zh?K_͙-uFÁ e4B-E;H*83 )\dڑD`*Zbc|˟wej% f=687!) dMTΟ&y5EI6Nb"Ha23*ʋϛݑa^f3_TkH+=ŞK^,Ljf&b*b~YQm)X'5W=R7{Yކ%q#)DЧ_pWASXAӀuGH>r Wql-Xs刨i]C E%1JY pPapWuʮ-zcL-o!$t!<[|׷te]Q^%1H0pLtx%ˆ+Bjqf8::]BEZ͞;7ܮ0DP40 Hg$E ws}N6EߥM rW߫ʿdn>F2h5kFg*MzZpNCQD xu2ܳ%a>wʞzzb3}R):m 8ut;>oĞɊP W%ȡIxF˒sp;I&eL%,42'vS¶NYrn~l<[jvW4L^W'|0_"3="4.;ûll[P,>*rޯhfsAZrgV`gSsX^|%(]6Faf4oL*=~Y-CF1!K\0f~̻Ž^oy)Uw\nZ-< CRh ZTx&F뗳jnJ&?LP? I ]<(Z,Exb[u\L5c_4g2@~K%J'|wbH3DR͝=qVӨ4j-K˻+Uԕ ~k݄JtY8TaN(֛ہ(z!ƚKOLz]8\t_Ŕ0q]F9Q>roߺ >p,zoJOPmqt ӕ}{<.O6FG|UP"Z÷""uC't X'MoPd[ضjF#u7fdԸY5T@WQ7€ YSM,=|!)#Ah~b Q;!׎~eP-8{._T19,]uDX_s88~jat9dd * n,O~h y7rqy  k BՄThSƩJZϛXqZa Q \ӣ"[X?ZOIr=Ջ̑O}HUsብy=ah pl&"|'v )Ix2*rsqCViOS\\)M!6(tx|1WcD  M;DVOq/eꣾ Jv G{n ٞ3p.0t~pQȠC'Ϩ6!ڑ!NhS!XتO>VYxx)+}_Hx,bbzD5LPo7NZ~f%:1<B= ]^]\|/ ĥay+6#'%SlxCKq6rf4SWdzgL7c7Q!߃qg5,T14 ~FzÒ XO:8:Y7w%kn(k7`bA$Ozvmb{3~fޣL]4X;n$̵/w˳Ȼwϒ cBvFO QΌ90_b[^܆n:WIRneejw1P5{Q4G[Ao? 
o|(zJ:mL}5+-jKdI޷*W#GDÀV6s [B,nzry3t9Hi'-7 5@8= ϑYu;=nÿzUy;CpѺ2]"f)mSKyD/-1 K>&&ddvP9UURe-h1;b}W5s329'ZQ+:sm q5s\.1&(CEtڨۋv D3դs.@'e2r=G+@OE43ӱ&QiRǂhT;|73+\Ɯ>`c]w4IDbMf"k O8 ٣W fx)e \UYҋl8ލ!x5ž@Y` b=N$#Ivmiֻ`өUY&nDvP@ QE@Vkꖍ X $V^%]qIL+ n$mO2;ٹՑ*mX+L1V+-7W|=w=qŰi,˟.!DmiTvv@ */"ܛ1!ŋP(p $'QI{.൩WX0tYR17>ZXL!^ J!(P%?t8.ӦSp<__0K= PLm'/4J`o%>^;˲Yze!R|ը)6d"%57Ш bvw}j02v7.-[]*D+>r#(>ǙF9\#n) "CتZD1L,38w7 seهG!T"o-lVY ̨NkPG->KCm賄Gt*@i:^M?-֌,rz/3glVNh?6îG*-h-B|5p}+DI%gҗY@Xm$ gM~KCφq|l1vZMy`^A9qs3x; sOqBґ0&#aܵ"{ߗn|coxF/&;d{fj Lx7@ {-k/Qy3#jIƤ\ҁj![fu!4iڅ }Y*WBhԑ&2'IŲ0;>Z+UkXCDAo7gѽW'G>€ Jr/PZU~Rm{;(>w3݀w!Kh\;,4m%Y/-8 $xD{& C}*0uY8oYulDϱgX/ɼ4y4nm}Znls*r/>fīv״L6щlD%PD#%.fm6 d/W̤x5ƭ]A9d.bHP:+7`|'NuߨX!WDm~MpzoMfm 95J~4x2_GQM ԜcT0 *ᦥ8@C6gP6T$ ͺiR \qhp.*X[>\Ce 5gOiᯨA͈-pBg"]=9O%ZR?z~T)c`',Ƨ';/U2Zs:(ha.4TH.#;Ø[|T&6VxG{૔'s <7^ճ5K|G 4OYvCt-OE'C tyjwVw}C.3]8~Ar!PPY읗6\ J D3Εс[Qr@=>J6ݰ L{31Id,',._:@TcisS@+!A桱 VKHm\&}j +ߊx*A^A޶CNyY`l!ޫ+T} s6`ϰ/p?宻=9d;l uf&DI " *0Vs9UpB``Қv}<`[KDxjj4NNJ&_MiC1WwdޭVyg8̼c;{CJSX?'r鍳ԓzY_%Wj{.W43"O18rᑟ7w(Nu%qX\Bry "96l-X5 {I2 Kz[G oK.Coz4G埆PŷV8t룞|8Ffى9 .KZAĨbU^+5KRHeyJIDm:~ToKZϓ}c2?&Z0Q8&e@ 4c3 myRhQk/i)FR-XeU4:㫣sE ":Qn`z|* @)_aQVYgNe=[Mٲ`(0qQ[C˩W=O3V<^䉇Lȼs`̓'- @:AXǖQ/UhR@F)F+L)ZS _-%9(fz]pMjsL9p(*W3 =7tKԼ].h2C9ʛHO[zqゑ׀P^gxo["5a! 
>(,e}2~{ְnI͂u(:P byI9Al4ruvNDL_>&CMR;bRuiLqN8cwE!j#mOi "up,ױea8MWF6#Ī;\C+3)lj6+pTabb@HZN+ $|/Tg|('794E2'V۸J /JqG'ÅNsc_d/ZB4Wd+F1~r+胆D[H!wOz?.{:{]j"v.k19O㠀#r+eb% IhZPeڱ'/~ 2726-جBkݎ&Zދ7vfv<&g]*\oĹdb\9_Hmgš㑎\/vpL< yכp;zީRgU;Q% -p`{-@==&Еxc&2s˪Bkjc' jO22F0h4t]- ̽yp>G|4mQ$kLUj"yDK@*!+}<َHQcǚDMxY)83`m ]&IrunuyOQc ܮ4&@N?8o} Y +3+S -|`*g 0J2SN_ LGnY%샴6 \sGqszo#m>cAULgY秅4+za % 븿Rwc6d'{U_w5"̰è(JT[[ګpehV} m"㞗U_t_0XEױZ ;ӹ(c,: '9RSPi6&-U4 _tqW?VKqmg 5TkuFմ8>5<7\F߄8W1l MT@`Bhbhk>pZB$Rш)7{P)'~ T.< A&%UwP16tO֜Ұ;v9;O1}%yu>aTۂj\HSm*=g@?j-ױ_ E gr.wd#~y!5Zb]!gj̋WBZ Nrk$89%djgbPpm+,TO-17 v]O%2j)^UU+/?"Lo]im(lAww՚Dz)Pb83?YꪗYCU5T=([|Q -X0~ȓU}iڞhz1 s/ukۇ4ՌsK1խqP8|EU@A[AvJ {o6O%]ȹ5^bx,>čjTx\-!H4/THiTmUSJG07l^wìsn?m!A9mzCꭢ)} AZ2N*2sK=jo͵NJNA"@&!p[#MsWЀZo37k|<]x>7.Գt:vγ?KȰlE&.^(7U> <zgbvKGJғMٝd?6q`s@I)4Ys7dB>|~vYd>h MaiӢjaO;a5ʃzTc6l_={i*oa1bq:`J_ʧO)6 (=w\}wioNx ;Gṳ&^B=4&Z?7w;yY(ЇTbg{KrRFHq43/ߗNy:vpxyg;_r 9?  |I0S"K#^ f  DvAI`|FWM u6#c!{" )Yp!5' q> +.K P]QP" {iuC."J"5rK'4#tλ% Nޡ8km'N%0VReBtcVa9i Dp~mabC (*V'[k`3cq)G:L;Қ-MX}!ANFc /2st cA8pLT*8%L)͉SKbwlwR7O(gx{6:ݮrZ&qqԜBE5e5]۽2vr#7EkE=-Le$% V Xό U#ӁƢ 33TإCB>.TqZ`&`kJiQ)kcxpE_#Za/V(b3YߊBnu7mfhI'y k.Sk.2ÚIK?;2ضShQsbey('p538{=idu9uEP }K N$MZ`P?h<1jtr|=A]0WäQ:}Xнh/PZ:Q>2a:tՑOx*d>bf Ceʣksh}:VݣŘ_ so ."Z kҚ K$v@ ԉ)'Jy1:ƘKG6 y@dž 4X9 Z]zS.b(CIg+л+QXK#IjvAH8kiJʄ]<]} B$Ĺ'_'зX-cleVl)Bxߚao[zQ~f/'>iRطhEm8ϸ?ǔ_ bpRO k{}go>ݏ)IxS|8AF;dAk[ꌭ*wHNtV1|#cr6.Pzۿ X,; ϠU^`4ϸQq )d$a+/&-4BĢHV'c4jHRmgsJaKfmC=}yߠ2pO28z5_+2w d:_1Pk^9o/Wt骖vq6;>-/T%niti dz7aY"71:y@˂:-`zʜ s2џX쀭1Jʩ {XbR0ֶĄzgc[%$n ?r2ȖO&(|c2sBI !#AU4{1X y%#6V b>5DA%ߤ|:`:4ͺEJP 64H Zzl Jxt\.Χ5]6}k,}U꧎{pcDsJF#,; sXR ],@!#Ex Ԓ,104`=ZbD8LьD*S,NNhM@D~Z`8 Zd@Wz Q{k8/M_U#BfQoB+S9b:sjEFfgA}n@f؇69 !@u+\^VUA VyײpכM$rM-8p" T24hq-HL~%na"' !~}CDE Ss4`s 3|mvtq"9hj-w:幨=w˼'S;sZs&.mZ w Rua$I)0-D c3ؔd,a9qU9/jN{Z:@npn 8/+]!H pSh :a9N&uuNiϨǘA~P@sɖ8r<-WG(\x_?W5_,C[C}i(ZO5/VW&:*RqpG53U629,/D>J(cb,_>KOx*PZ Y$.\i=jN Oge1c8l#w0BNl'pК.[P=Olduxs*NaĄS>Y]{ln6But~u`(Gotō'V0w GdA jO/w)'Oix6H٪۳ rʷ;m$ad| 
Ke#?>>IK$m1K1}@^ޣhh/c+VB&%ttt>73`fb/6)vr.ÃB _Hxgwas;y@Y b}"=eB{}Դ3eSCMػ,-f ѱ X}i:$I)XcT&ԴJⰁ޷O?ۨ$`@!V9MbG빬Cz#?-59ҝL5i-=B"+D#G[hٛt~݅rWN33Ѧ] O- Q߃_o' #_bLȰ0jCjuS>[n$Wa\&KD#($Y~˟p^ %\Vqd0Ӑ<Ǻl]ˍZ2"g':!ZLYTj a JKO'O%Bs4^n~7xL.}uGA|};pP3vUbv'Yp.VP&d&y7o E0nj՚vMV [uj- ÝA")l8;cxL~+#;{iʧ>;N }Rq*xwVӊՙqm+Q)RɊQ=/UG"\ Mti,?@|25"tW^_@FƪR(? w.2#]zX75R09SVGUYP 0OK62<]M^=LtӁm5KgIo%&Ь*Y~W` qXXt_e]-$ s7r<:])49wI|*>T-IcKo L1DxCphG`m}_\.,>K~l򢤕/Sv*CQ_]9'%l=TfCMŮ{0G҈{LCWbM<}:-gU i\ȪPkG ]C`ޫ'J2U+o*q&$ 5^}]!N6!9V(C˂?©Og37Izcs~ѸPn3#.b8dnkdd×&R.KlEЍK#6DW7|94? V#&>G [ImI ,Gz2J`r `7=TVфy_:ݧyj4R 0%vq|øz׈́BV5 {:r#RcRٸM1:MV?|*y p௫2p+.Zpsk ՠ:ҵh.>o23i!axJމិnY(U 5U ^4t2 fkFKu ob'&2*VG$y5=4`qCnrͷTo8t>%\nb^<{ PP|GJMA9fXh>*hhg]ޢ7]34z]̪HhV,`^lba۰3;eV=,.&!q#ĬZ$>mr$ީj"w\zRE+pkkXUAdH(6yޒ"MNPZ_ #h%2]_-p)T_Y0]9i7msx|/Ӊ3KCw:1q0_mNdrQ:#[u:œسQb{Mr^H]dӪ:^'z@y !E' NAʳ|6Ia.~{~c8Ɓ-aK[ -b.g߱s6鮷Cݥ\| :fhpM0 c-{M/܇.p )E@xt.:l: O' 5gUx؊kub^v/ Iݖ7]eڊ~gH3-G |gܜdrJCxu2!"pRqYc 9gUs Zrlkl3 u]AeYP2_1eZb9 @eiu8؀.kwk;$>Ҏ?z詝*őS)a&ᄖB} fk>nYI\vIcoGVೈԱzoTOIOk$J'k |ӵs@SGљ]WTFoФ 4@ Y,I:rFTp4^̷Čfa l8Ls!˅Oͺt0:"T>F;xs ۑDQnrjv}N ~R?K ;(Z,n=|R/ mq^4D1#;78J%^@f&/Vǖ6`t!T axFsr(Ǘ}S #ym3`*}=e>Ʌ8phOۀ拮!b'f$uF-{zJ?yv~LK5")rSnỎ]5< ,\=ͷjUpyhܤR޿ބǑ8PӶƊD0%wrn}s dռ9 f4]& ik|X?< hʪMWO8BPhOXu@Zh( J*c'‘̕4s9W _Iu107d0CIN4D%YvoF<نg&: `\ҎOUٲR:|C~e{T ї[|!o uzw{@5jy+/-aYp; HbI"I{qY)-5`'e.|9[@zۏlȇJ{4JOBF8(M0jڳj'&v ݟΨ9fou[uC oĹs/ xhA;SfC2NO Yv7Znj$yL ƹ\8f=2a JwV9!* iyDV-۬dTӭFsK)j 2C@I&`UyQԸpP{<Z͡CȲ-Mġ ?U6")I' LA{匓[U{ə$@}tU|ZOqLJ1Qcîhȵat˾u-͐p*%| 2 xsul4F [3ol<1ŖjZ9/Y8Efsh( ~+ꎃN& *oSn8n qW h^ BYaW0:#ܛCM(gN+z~NUt:Z67v"5,e[m_Bg}E]nYЋWSP(jᗔ]7Abo?:U h.S:y|K Qi8X;ߚUΤ:A껬UÂc@+rRZhW0 qO=FPiXq&*vY*b$on;(mxqlnd æWouZ"50'0Ruy0.ϚL΢N|?@Z1Bo(Ofm xjҫ{*kb8`FkWu YچZ;U( Žf;z&%)+T9' ~տy`4xKml:k'q8(nGK\kH%Nh4 Q\j@o\4,\kjX{$*/ЎX 0 o%e1#N:ShRγ~vr8UwU)s;fS{[O_xNx423|Uo@"<לJy4X0}#/빧5h7J5xl{Uzҽ}OU9" &'j-2; hWJs0s"Xɾ,u۟A`_1|%eyugTU%7⎾NMXxs<ܜVܪ@[uYCSpahV;y?/\vܨ6ni?w,0t ; 7cwY8"7-,W,Ng/IaqZ{^ Uu]¦dקO|5P]"켭|7eS6qh! 
#ݣ pլ-IVQcgT9 96xL"o.(=N~ps UJ#&|,wz\Dm|l$<@/C8;z D(;mFtM}௷ QF ObYKE(ƎmnaԹ GnMehXz vڶ#5(I7KՖ>suu3T(K,(%*ǝp2Aq|i DA8 Gs2M5$-脒k=fI<3u: < E؀%sYDd+ɉw(,om}z'8}i #3Y gJ`=W"@ߟpJ RIzKK PIaUK>+5ya0?9BܡqfeL]CDBQ'eKyᡥ=ʳ/XqKƃUՇ Wq+ װnj90Ze H"-KCL_EF}a̭' %FV~o=_3$ŵv5(јBM&OTS[et{c">ypN֙ _c_ޕ4GZ 3'qJ:]|iH0@^plPQUuwx R*MHRsF"}D66\zlsKỳʷqqν9 ۛ;Uo?]Hj4:Y\+scK4cߙβ h$qAɶt5o&ȇx/y} m2ӵ,)^^[Fjy7Bq]"$U(޹Ld疾")Z?ļ 49CH&WG4cV#ޛ|-AF>I2AQO@7C΄fٖD{vZ*Μ.~qmmiYxBM~xTvA߄=͔W#*X(bPrbg'p2m>Eng*|o2ʣT'ݛc:Y}^l'`M 鄄;u/T)YnRຌ78D Im=Og8ɨ쭃ZSU1;kւ vؾ*Y{E#1fM笁yHD>\gBpЫv90{)Duc쪼4CaCiݎtv<A$EKDKٍh9h) uMŊ 6D2}i֎oz=EGb7n-Ӟ2K6im\ -%[з-bW G\k_7]09{1# "q8#WQ֊e[o*_-q^olZx{Y-'Fqbm|y2\V : _}kwHDeI,5(K4;e9hF(f5STmGkGPxTZYF$((Y"b՘F8ɬ-_}@4')$g&(z@<Šl x! PjLL ΃|E ݶhmݎ7nk^Jʮm.N"Fٜ[bc刀|{q~(5- hO<Cp 65w&-M y{fṆfSĺAJ|7-oL wZk_XljJhC8aA9½C.+1J0ޱ$4ip8EW#K+ y*$%k1#?Ri'qfl[VzU!qC=z!/.>:)}/i (QDW 7tbE{I_L 4 s}DWs_X~ q="9iK?&9lr" UrFj3UʠV&LkAQtx@,=y5t~tpgHe~mmFǯU@ $Emܦ:'[O2$4#pgdYW8v8f)),O{lĢ4S> `;Shlrgf0u80mApADc8b~x{Uuzp*<*@!zC/ d}WgD|;E_a ;&tU"tEN\@ƨa# )*7Œzge%&^m* ;43Xǁ^LSS{ z !;E33Ԙ.q9m,Ϫ0Gg'Ja+P[rr/hk9Ӊ@+Q]PTKؾ: fϵVO(_L9 p,OiW+䕩zmh˽C~g 'B!I,OVpZ`j:Zsx,>) ?q[']¨#T?(y&D4vo1n _ Ryzm]rW~H {vnrxmjk43,OTYܸ5gCSݴo ,4jϷ1"6rԁnMb4 ٢ <vm-嘊.Nꓠ!) Me>gSVMLUInh_&R+b$ԶDth0ݑ 93rأx먌9}&͈2&#  *Fť@ ckt*iJ02Eo|rm! c[G3{؋S eb]kp& Ԭ>IQOk5YY(QegBֱVDM<жp-sIʱ c߿OA{ǡiY_}ʻsQ"5T[{Z\A:P^ď.o(.8C]gc =-8g ug ̟b&}3/]`Z`{9gq(vΥZRn%])&Vܷc&ArZ!p'c(ҏZ˚* 3uea-t]$B'-i珆%WgOTt4*7auxyXBc? ڐje qG$#<;`M.#eg,X˄8Y*۟RJ/6 Y S"0 {ragMnaaB HDFn4Cq\6ր\v{J{ȄQ= `~Ü4E`Ri 6|=;x2 ZlXFc =&@91)p {f "@涻C*'Hֿ>oUs~>:5X;ȰYO|aI{DVnmn3W+0MfNj S_+Ә9چC;4}%67p$ v*V `F5xեVS5Oۈv i~c $B4Bwsh܍֌% @7T\g=$u*l)1e w($}ժV 4dBFma8ʘ  Q!.>C]@T@H׻A%nW jlټmd%^.;GwRk1 a:|09X Fb @\0OEݓ ig,,ilהG"4wbX 4i/~ߕ3M#0Siv4LwDS񭘛06k OSUQK}9){{$w zha "lJFQy{$G[ |qCZGO(x!-[ۡ-D=-iON3eާM+jT;+:|izq0 A_u ҿq9 (QEK~lLSLM%ӡ{nt۶!3-4TSstlHq[7X@)âEns[sh Z2+j tE!7r?cꖲ߽`i 3 m۵``J+rJV]| q .,$?p,QTwAQE<;F5B ceNZ/cmY.3B.ה%~u P&T1|₃ /]E{~9uYϷ&.ƌek/ADZ`!]Ag 5!L̀Y=ti]PEV!Z\˓ʡ<2z}ooup]Q ŚKe `=֜97GS{I R 1R[4TkNuTo+oNGJVx4Öq=T?G . 
C.ng(b2WRkm08}8lL[̢)@*W>Ԇr a[1t{MyLΧLFtSY$,##@36\L33£~T!@YiCB"3F)fn6C8P5-%1snԦ 0NfOPCQ[G[ d o=o.sؽ"h4N;-ؾA65:*{.n0hE2e-cU5N~iQԢ1Q¥صkWU-y[![ `M9u}r'MŸߡ`fߏ*f2ׇ` xȲ^oaDJq a" n. %l6@z+kc6{vΧv_XВ|`9^-rmio]s"ʲ[+61U)r/Duv;*Rl"K;mْl6:Zs/8?zܪIH*/(Bu+ksU'Uw{&2F oa: `%:,-]P3 * 4{zl1 Z\=j4iR ,{ɿ:=‡o u%o"@"^8~1*$5ksD*@HXc4jAI#! iasF×n^Ȝ$LE\~~FJ@{tb}[vtLIAiK:?ւ+US eœĬ%n΃c;ш7iʭqiϲ2Obef_XhmMf2YG,AcS*40+8vCnHƏjdtȖTZzyQX |WOĬ) !lt:Ҋ݌y>XxY?jh ` ~N# dwl9ueYUh eW:f58w# "mD}NF!{y@y`T#/yx;)6@K:]jn_XLBPݪF甜Lբ[M'LTg\\p?,b Z,t7X~$P4*9#qEM["H%~['"71?!CU&KyXŔETY%)nT-FLwثBh;ZY{@>ĕԎH}C8BvWН>M_{Ȉ#:!KLT|MѦE$sD>φX߭ڨ<%:p- _:WNY#7ǧnأexqJbYW;,QA.ߍ7)UK⥢MyQz 'ug`."|ɱvnKQOܗ}2\ rΐ(=ì`^ U'': ^j=;֚yE>%Ѭ /F=hCYP%`S)7y@R|HKc.\icJ`L2c1u]Юd(㟅$9TVZvJ !Xˉ /T[ ڶd=*@ ͐`6iuAZ2h=8c>]L}enl&ˌQ?M%H=K/gOZBqХz4E\пlDKi yF$׫AHzADkx~ؚ4vjASf!Iw})a;@e6 / 4Dc GOuk+ 6m?&:+]\MJaR Č4Yt@lQX5@׹v$\ }ZGΗ†Wc?-^ ǽV$&%F*b@w2K*c[wGs@dY%.u.F>MiJw=~bdPC]j` tHx|6-5r!P7XΑ3`aUBt⇉e4t18 G8K9 `5aN+X5ćH<HհN:h9b˨1W#:߷~ UU,}oSȪr|(tLj.I7AwX 1vX@g(=6-4-:g(}x<꫆PC`t6Chlb]_Y˥ƄVY8n~M5LjܐSqW6Lبmf/C6ZY䖚!ў5E)jLgN2) ( ͷ]>Eg7B /TSݢ~g U䢐9_ʽ*_B>哵z_=K9@&Kfq>pˣ( `N:  Et*Awzi,kk?Ր70A3o71 &bx1r6̸m$[I1O-ϔ2#C'd`r"^nRHvy#q&!aWCh 6 -E;Gkt<0sŜX|Je_r$ܑv0ѥ̷7 @KHOzK-49Ki-#9yE,3c :Ӟ57gξi ,z̎g=745A¡|hR\,?+DQgEV5ɹ5b9[C~)m1Ck'g z'yjkl"NΕzHun^*1L9i2MxW.AӸuA9aJw]xܖjMLVQ:sux<ԯ3Sk64oq?K}'W6M\s".1e@=t1xv;Խ[EӋ٩y0#]}Qjml;J(bu~e3**m,ub)o~2 1&\ZnO rN =/#,44p/#IDt0近]kL7q/Kov1$6(ه:KLW4; s(>XJι["IpZI=/a($ m{94Jj=;cdE#X}h`HƆpq,%q`3ciǚ/kf_-'a '4) }^}V4EȆ^`A]1ɜWf5(!߼J:ad؈5|t1.#ǔo|E%+JRCW)LI93DA|kOD^ YPSt`ĜP+(hKO;+TPw 3(1kL Ff,l&3}+|aƁו%#( @c~Ħb]WxaN'xLrp%97I M Tɳݦuqq-)nEpϕtK\BiN"L2 ,a}Õ]*;PDmYJ3$ ;Z<րM2PIXo r 7IC$߇-Dy3mMQZu5ɐփFylz۾3fN"{Xzp*y9?^Yaqc>8,Pinpkq]aJk5>/V{uF'u ^lENIp]#%ao?}˪<pDbpwb*hj6#~~obv_eT\V0I|uJo?RdϷEfbmYW-Pd a;nBmDS2ie VƊ B99%? 8S،(JKqb1C QwB*-W<)jLs8?C#. 
N*+Q" !ط%ȍ:8hZ%PgG-Rp/]La+/Mso1 %TF' _"='8.OKSY7ZR(M-˺ +ѹ&}4?TĖKg\E6R0>~Dd6){L !߰?6do1 1<}YAecsِD@Q:9|\1 _~3QX&P@^ ,o]E^ ټnR!52`kkfN;'(zOh>x-Zi)^1k;0#B=$ϹCsL0/qW 'U@u5ч`~'pڪȔ/iEmX}IFv7][P z82х&,J8v75@a`d 旀w2F.(Vy&_V0CjÆ/U9tWWH bJAA@p9Ic@|$]Ѧ>^wq>KL` LXwCP?AG򨣶k O Zftx^"Ч +F0HvlgӍ#PBI/K<}꘮ɆrN9?a+nx/S?&O!!;v sF~j i?#F!U8cHP}:h{|_DmHEʮ|72sLHQ&|.urC$=]3*R6b"N<#FR4o1 a ؃eT HQd\B=gdH qMb3<ǗvyfTQ{nO,쁫N@f# 6jʼſE:XY>Q }OI^P)Fdq?JaWVs heZҹT2K?ad/^r`6s؈QxZr57t&:x<!W8fS (㊑RLJP@ fLTܵGxK>r\ngn;Yo>m%9?Np>m~K1-M>nc"Kĕؾ< JQ]0y5W pSB7f50ٟaGI5DŽTcE@Y>#osݛqۗ|R\T;4)N΋G ]m$@T ;E #Ɏ97珙xԏ ۼV%Ͽ1yI>O·Ə'> 0(a-vM&_&BM`( dll}2=yarA;PִbJv X$:в߉ \GRK '[bb<^.! 젘kLC[Af;_mk)>jR <ȃFS$A?iٗ&MecV@*=Qǵi* FSiGh5,$QWŅ9ʢh"wzސ]eW@Mi\}_/Gq5cv.1&ORߜ폭!J*l4'c*AGO텶 }*S!ɼeCiU+ժ0׷of9uYiRXF}d֧]L Vy?^cMC@Iw36E# ;Dh,9NMVxIϾ9b2Q|yxu 3稈?ȮRd=͌rE޼.fQ;6 a3rkhĴ~;p׹.xS@.xV^窫^oКVWRk&9|˱'mV4<%ľˢ'jbH^Ւo ({ܔPEDu&) O&L3xM<XvEZN,'[L4&D,Oy;@dcdN,=9o7IdŸ/ꍊrϬhX$*-l>*Qkv<xkr ^ x&Ɵ}2$ .N]z|Y\FUAz%bFDM6(=Hy\u#Alt#lߤ> WݿjXŒ6_n,"G~IGT 5rCFQTirO{\<4Х-Y4[zѹ i}A(?d$h(h~ѦnyMY(W$E V"|ěF! V .I|)bi0|8I2P#X4!cf\;W7 Ok#Z6ga"#W7V5|:kfتT|{f?;30!BŔh^X}PU}G0@u#浕=QM8]<ߧ^o, 蘠:?ÎIJ!Qݾͼ0_uKh| XJ/G^i~K\MʝEx³’+7\OvAT#]nO%Y7VPi'B%yv QuKk&I`nJ%={=addRXKʧ| !7SUBX*92ꥭ@? E$drB#tpeUEP1yvAĵFtKRfZyOȒf811bp n{#,_,>(]EZեAdD"ǭXY!Ϯwqp4im.ni,<ܗHs[¶Ԑ{e(j 5A+bm&ޯA(/49dDx~M;Ak.k6]֬Xz_Nƭ%`+.zE xNfWoNel}rJq]7+$ِ2b6>#,RD) ߗizib͢| jjNx(0%c -g>.! 
{\pRٱd`)1qc )U#,Y`ڈs6ʂ5/λazRJd#7r@m<_!7B_c*y$Do_6Mt4H % Ax{#ib`貧ѩZ&}rI* ┿2q1AGe"&>kvyccn$ }>*n S<% 5^O\J8<&'h2I,eWl0qí J&<ȋ5{J*@5 k"z'9m| j:d .]BCQB p'!m%8# Dză&>aI8rM~2pg;WNe32rIppPbrE_Ge>EܫwtUzmp& ?nFC8ʪ0'eFzh䅅C"꜉yg6GWowB*b&k>;ϧ& Ϊc"߮Rd@./ Mj!&=n]]Ohv;iMُgV0ZP xa<ΖsMѥU^.rMpՏy[g.UfƄ |7hocC( ofw1p)J?{,f<)SPjфjL8?~l)Yd ݳ@>qyc "g-bL 5g9NI=Ѿf]tnHa.ߑT,i@'dP͖(A,ٶ8W|ԧ랟:cHu :nU pgyp1`[vDmi<ܧ?B=M+6j?/Fk֨!|B(=k5 JiˢRJkZ-=I$%ܯ7\d68Obϧ²=$tnЕOC6 έ3ē{fj\ ?_B03=!.چ4]|h\kujvq bMlr c7sΪnRNZ,8%u9 =483q '-"wHr3Sba-]`e o*r^=X59sf\x x]3/k #f[2'l[.RA OhK ebwNMǢmHl@oU[m}qGUFnZЭdkn⠖4Aݘ=kf"-e/ <Ǩ1nъpBFYd~FМ@_03#511VC#;llam.?l[lb;er_#r SynL6"TDul*6Xp' !s*&xĂRtTC'3h+oEڄ W`5ȼޚH[Q|W GaHȉ2 w<0u<zH7sI}<э7@5xe(^m<|( H cͼ*җ+Hg3Dd ?ajUÂ^%o j}K$ \QؿND9mq$5M2!k>UԐwa?uHgusHù0dwqL!6Rd?G4Gm^sRbd Iۼ5929['?P&h.)㐧K#K+=g)g!Nn}s b|Ƹ?m=>^('0@0aP1Bj9b+ WN!,t [dݒ@8=l^hH̪RCĦAcрhc!ZNq)(3l@;1Ӏh~̍βS\gTANT]B8d:2yv'FS<vz!OB NB͊(Fd3rw|Bn5sG]5!K1a7 /k)Bx 9zK$/E܄ؼÕ|Q0RIۇ౞?:#cZi1< vQcvpY TN>QN5ևP i͔P'6sgI:h4E0y%_윭FXQ~jK[o,$Jy: M Y t+eJ?&4[O@j)OeU&"ԀIl=pKP>rfQK猌_WUQ+ҕDA`5`Y3—=PˆrBdYf?̬xmU6;o|L5ڴCFȆ3y 0qՇeDQ YŤcBzux^G)rVcX!;? &9X۠v%$ߵm3m=*Kj*` +W#f3t"C݂((Pצ#۷ӥ!_1{#xQZzȶ @LHeQWMA0`K+_^4؜z3šЮOr# #bx:R(D᭽YydRN"Ɖ(H[`_w=}i:d Sژ<Xxy[,q%x(UxG,nkmfy/:d7"08aXn#sPBԭc{ 䴼c_+<^cbETա$\Tbp6kig$ȱ'S8K)n#IEf`?q˼ȊWqK}AI7r&<7K ]5?Z7.t KyE-o Ǟh]^VeRȧIs s^IXTN|G{P:@5DH(4iPV|Qt $" s|9KO6Ze/on-^dD<3PY`yV,ԃg-$(h /t xXp#Eۀ~fI{`f j7rX@έ\ tIIa-\ A.LI~ ڥ1Ji "H6g$Se?'$ݓLʞ#dj`Vk!MV]f8ir=>? Ķ~! ,nݲ !wՠACeKM8iDh䗻qb[CV2i4?@S4-Ube[D'^_/<5וmtkdĤ #o? Y⊴TS+DGwV{}8Uc-amieAOx N#\S`+5؁oK+fډ[4FRh@~ݖ~ę!é b6)HAגdC\`ߝN?.KFs(ֺobW &? QumpXᮇζ9Whe+bcau8bZdUB}2ag|8ڒWwH7̲@q.EDԦՠ}Szq>4k2U['u}3+r (: s tƃ* !id_ofDPw3Nxl^u*`;C1cHRY([hyn9j<[Ê t cb $B~@eP Y!.]}"Ljw /pUj}.+0p] }D7/._+xa4B2\U%hpv+2J=m ksɁ>vyoCC/:E3cYagFx_;FE`zbF]}F5hԧd2<]N0ܨ>ۏ[a"+zr=ɿwnК跼FE>G3Qg >8Ymqi^.k S&UUi rw-rt.|IJJK^AcUCFT<k~WZ2uf) -E$,{]7=gdz  F_ŇXF#&(('~w:΃ @FVf J|ҝPjK+ƕ"aR5||#*dA'n$Z s;pSk EDHt*¹uM+k7Y̴Ot߰hCi wSƣʕXyFi$dݐvs7PyOS7h+Qd0.>’1f _-ځ,t*Φ㙊ۏ 0(~H{,0*Gp*.g*_qI3,V"c)5[Qe * > <^`lcYhn9k! 
MȔ}='cY}5&, $K('ykvrtc5yZ+{$ͤa?Z*앿@ovhJrnZwZ Fױe!+Z=r-]Wй^{VdED]Qc=xǢ~uSi׈Wy>Dֳؑm7}OӍiVnSCkgau 00H3|@ZI ]0>9%F߆~N9{kVl@L~GZ>JXOIWx;-rKZ^W-4HGR깪@[bt!x[oO%ٱ@ScH\N1)ŲƉ/ 9sIA$3$C+i)Pn7^l49'^d_7a+4IԺl0J?= r*ZL{Aqk<{(#;"+P3Uk|#XxMm:])*"=hd]rdcնGrֳA.ݓw_l )eWH2p-'ߩb"w<-r5xC\ߕ][1 ש"cb}p 8a JrQ[ÙUPFK'~q7υ76t:VڷˆᅴWwlR!9OÏ[D s=@ x珫wnr0iY(kgeiqlsbg.X⒖z}uΈ saϛSU)~ 8v !}ktڭ`ֺwQGk(dH4kK-FR%^o2ׄ@Yޝ匆5!*CIV-ˆb/ӉڤjRYBj/8#1ﺢrk֬ǝe5uWϚۀuГAҀ >P˛Gut!"V0Evf>8B-ZG~>K+'0N $;&^$ m-Pb'E8+V`g ؅}\e`=7o{nYJhjgq= h$TaإyNdZZFrVg,MrIVhpHQrWk%Z,~ L{)=@EAH֚e; A‴$`XBcQ1ڳ ;CV$R^#a+N\|i^F?bUOtu(v>XhنuǤNNYFCɵ~O0|ojm cL:=N:~\֪s RVN,/ 2aOtNFuBn:Z׊ [3Ed]4 kmJ09s7B} }CwTzc2W'=̀4P+RA%rGa|8ư;~OLn{IR>ܤ]U%d~10U$'mPU R% \^tZ6EXeV*׽;K X- zE7w`rM@R^ó(e|Ew`Cx كW1뾳}:P'iD;.vNپ=L;7 Z\P0l a=eWKei,ywWc~d55X!BV3J_ivR|W*a<;q}C-a03DXT hU_IgM?@:X||I8g&tAl$_DΤ+6ԎsM(%A\YGU֓6DˏJՊl3Esoo9_>Nh%@@v&;:]#gR ,PKaS?-iZ%m#'nWV"lE453^\t=,G Es7]0ZC01] jrf *:lt+?/iW&+YJTz)?>VL6U24'3bn=M~ib0M|CǢVRXRxr,(^zM\<+Ҿ3o[3gUz=sDB)tt5r$.(_a/ڢGrPJ˸@ k"W)PvTzjhŻSnhaK L@ѭuu1 (@n9i| "( S^՟?c(pѴ&j]]kNe=rMS*_{L~bAbE,K:0H+h><,{pX?R&"yzesᵶRK_D~@\FLw:qtfmM)OW8) @A,RϢ4Q]sN7̞o;viVl뛷s [75 泂%$>b+j =JV{~iMwTpԽy3NÅ7!@4x5չ#EK})Sa`,9?T `<&#" 1Zp+Z!2?f >^m{ȔqꄢB1rBc`))A(&wg~@A r@9mp <"%-] ~xǯKPr9( %n[Ո{Vns !J؊dMc\3F;?lh^stS`|=$X עȃaܗo*74L>bs,"N_ب!BK%!-jfdG{1T&׿2:xd(_,`,) >9 |;(nlK0ϝU{ \~M@pIɀ 4}ְTz$'`ٺjcJCVDo4]jqrwּ{TF:˴ԗN"MMKz5F*{{΂T AKn9'K^JT;,X+[[a5=Qb ۺ@P5z3XC3Ο_6d)aCTp[h5Ew6_(5qJRR\YTL7Y!8P]tLs Ge쏊P!o$y) #٘tkv{iA954D4jQab(&ڥ̉dmlPDpș  )sLeD:HTLnԗ3OMoXn{7M}S* Vix04PVʾtS#9ĉnLrv8Su[a `bUOJ+ V8I¨̞.gP -cK[# D/aq2r3ST&knߝ,4!.{Iqn}-_RhRctP H:p/Rrzab 2_9[-fOq f%Q'l?%LʹѠ &'ks.SKm!, ~Is-w*k(%d Rδ50,KF (1^Kl9ވٲjG˃7 C6Ql<ݱ1E[/>:iCXVyw2=d*_e*-E;?$5!;EZ|bfEmlstٿٌW({ L%vBX(3݆4T"f6Gr%4/b ɋ 7͇i)3kF/)Wcظɀm܇oX -r!G.;h^OӃA]R!w갯% NZĶi  3R!r^ Yvif..b}/WރEO5 ^.G$H_oEH!XU \㟠yTEhj6Q\%f ԗUi߭)1+Gk2Dįʀ䞓U/ Һ\^HPFypl l4& QMwt ǿYSBqi}#ҵ,n9z:\&T LU%Hy&J#l\Myنt:WL0B}KRQ{V^䷂˶A$ƽl1c'a9P~S Z HƂy%vG_ >adKJ6o_lܾ.N ڰE+TA*%|܅a&VON2OM:nX毫U0["5ɀWR2 \i]cLXBliT+,@ßWV>EpW\C7ehSR7y41n 
i'9ʽbZSN'w6q6gľCoV^٦cnEaK2 YPb$K&R RIgUt!Ósq a4ʲcH] k;8 s48%|S )*KȮxsit:|T# \ЦFuE Fñ^\db: 1nX< APA~Oo C|e ck&c#<N#X#eO3 s763g$i.폤!eDXUh捫aG6wOӘAQu2~ TfaҒ``fJɾbīU^pxv!ט'd/"ra)zqn$tn-L$>9l-Cꣾ*悑$=sjŦu_ݰno |'"%юOiFl.[hЊ¥s^/3 :AjOm " J%ejsNkEn-w&6Xq>/{k b?n\هY.>nX;%bK')YY2. x0Q#(?eװK+V\of_C!v,-t Ҥߐz$u[/9_;zx$ ,90` y1!::PrJ2腅8a0d@'cW׺N뼎ٺMw) $yAŸeώF{,›y^.(ƴ_I"noTΤ9*djcW<[ԃtEk+jp gGPA}3&mj@\eRp2씜7勶љGq4L.P;:+|5dV͜OQsK hJb av@^%-eH'0LP[;yخCNPnF,KY3$S2Yg,  tJW\.H ͆sOQ5Nh4u"u_%X%4$ ӗʸ a82?ЫLvI2nBe %k]&v s֔dW8r!X0lc]`Bn8 ?oAbxV%Np WeE~gctDZ~$7Y\6+ν.&jWy/@}^;B$Fԝs-=Ru`Gga]]Α}@_Cg{sOXc-Yj髜L_b^Db/bn]>WQdn.,wA;F$ŝ3'? nwR&k&mwPђŹ[JaH+YhҋD_u*ZT\*j!7kbzaa6dLB輼 kG˶ YZ