samba-dsdb-modules-4.15.13+git.591.ab36624310c-150400.3.19.1 >  A cpp9|dֺ!`.-5ed,4Ys|Rp9.p腖59-rnxvI)f9lYʨɕgMSM=ԣe;DE 1lz.gaz {O.T( ^KIMo!{o_h+d F ԇCY-r7jB.unb@1v(>T:^[aw19ƦCn 'vRm8+>)14337be502f869955c833d976280d64ca7653a4a3e5cac9bcfb405c5990554163a1532a2c27efbcd140794ab7aab7554228c327b23̉cpp9|_9 *܈Ogk= < vRBTwO*-ٿx̌]8j…g8 m\e5 +8#.XkJ2$U;/>1:*uHG-/WpAX?Hd1 ? Q ;RX`-|- - 0- - Q- -4--0-ww)w(*W8*`9.:@>Sy@SFSGS-HT\-IU-XU@YUH\U-]VP-^YbY'cYdZPeZUfZXlZZuZp-v[$-wt-xu-yv8zDCsamba-dsdb-modules4.15.13+git.591.ab36624310c150400.3.19.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.cm|ibs-arm-32eSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigx Hp Hcm!cm!cm!cm!cm!cm!cm!cm!cm!cm!cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"cm"55d99bfe95b057e86e8a3937a523cdf19f1d9689406c1a412615501b6958fb270389cd7c5e82986d37ed8e69352a7185744c3de8240d0b7f60cf60c5d3792f12e61225510d29c23f15a1b4662dc4edfebdbd96c626507a4735c111a9d59fa730231c569e7870764cfceb12041eb8980db73e27e42098dde25e5f6cece5ee7dcf1816ed6557a2483cba28492d13dab0486404040b8e66f588554b617d8fc42b138a8a9b66e3f2de45efeacb7ef00ed0efea0aa4bce56129188cf080708e5634d838e129b951065101fcc0992eec353a8b2fcad715d7834bfaea661e404830934c6a9fc9ab27e7d911d34c87929a63b20006fed89d616f4aac736bfa67e645e7a27a634a78307687a2ab8618f7a1e355c25b18533dc168af9a9a033a081cc13ae921506a764b2d436b4c5f4a32cc275b72ec62c38f06c1e93fcd582b138e0da47db935c7b7a3323b843b2e399d22ec7a0ed28e71515c1b1cb4dbe10c1fae00dcf5d008834d83a214eaa7a412ee7d7af7f6e480dd9cd62ef11da9b39a108cc2832b1d71e4857ca505e98ab807a8584f1acdc37b671aa9712f66db2168b121d465ed6e8a16d15b0993d4bb248b7a0ac93365869f26789a39859a58026aa17a92932a7f8c67fcc8a40ac9b05b405421e4b2dcbcfa5c55fd6615adbe6b01b3e5fa61657a2b4c596c78bfd8055ea98cea3f64f60d9589f00748a46da885a9b131b8432e6cb981491112a740502981246dde73085eddde98187ce5fcf760d08eec158283652f98a3d73ff9f9473659bd2243ddfdf474aa4632d6b47af3f3ccbe92e059540e78d86f883992635967ff1f03c3712042322427853accbfa6fe4f20018a3e7474e5ed665e1d9ca11ace1e7c1bf274968c2d8bb0ac093c3e5270fce72e096e2e750c612a86cba9f93f1fdcc4bd643c3b0db1aa6be473f9fc6a69ff8cca9054739b441b90832c569310ffc5986fbd957aca844622938191673e78f11768d30e4caee59e6cbd5bed6014b3ff89cafc9d3ee32868411a4eea28f9b5ca517a962e0754c87ec8e5815a4c81b29ebf70a71014d540a5d5d81da17051e835bf94e21a3ecb937a66d7694df9e5b80ddae734dac1ae99f884975ac39d33d99c0b16860d3c225927a678bbdfbe857a8da61bb93bb5e8d48495617afcee24a244be4c3b2dde0db2bed044e1121995eb3c57e92d075452693f1b60c094a248f15c94c5626ec9eedfeb91fe4d7b64853a23dce140817a076234ba08d79f66666738c75b999dc5bf590c118120070f6db660d9c0d1ee28e3a1a28c7d207bed0cbe6d7a2dc0dd5d93e6e125058a58dc80a4cff347115678c0b2e26e042e26bffc1646dfeebe64ee09006b7af4d40dcb80eceac9908d4aa02b5fac0fc53e319169ecca4b527f3b0c484439de8cfa75e69d2c734f0b940bb75f8dab3bf6bc0c0fbdb4db175e9bc7bce0c7cd20731157e194f60cef790fedf08bcfd29f21b78e64b72f6e593b8aaee271161f5d5b68b35b7cfe1c74882533e129812992c429379e8c6279f18771220eeb273a9fc553a7f7e1484bd1bbe006d7ea510a9c86fc7a2b48a7ccc4ce19f54305ba215362f9912f69e922f73de7aacbbac476dc48bb6db873a813c0dc8e5712500840dd9836529d5e62209f4485d7027638bcc87c48432963fb37303f6cc68d63ded67ba8abaaf64a2a12e46a54dcab8977a0100bff19dfb3610528d1b82564da58c5ccba0f3d1651d61a0b5ee600284443d79425af36299db3c6b80f60765eee19376db43ca4cccde7824c873bcae79fa6043132aa95f234557db5c9b7b71d475caf8e2eb5b76e47e856cc451f98cd2eaabd98101fc2ad01794e8fb59b8cb4d6b0760fe8b05e2dd02223cc399386fee24a82247641a20942225c246497bf3d5813e49bc659f00aa94ad1fc4ea25585b01580a67148a8c1f0e4d233fe774d929da97f871af923bb90e942de1a0d9f625c93228f78700dd7a51ad8ea23695b12e7b2f4bb4babc10dfd2de9e5fafe418cc940b198e2be2427632fe4492442ac66rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.591.ab36624310c-150400.3.19.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.0)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.33.0.4-14.6.0-14.0-15.2-14.15.13+git.591.ab36624310c4.14.3cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigibs-arm-3 1673948540  !"#$%&'()*+,-4.15.13+git.591.ab36624310c-150400.3.19.14.15.13+git.591.ab36624310c-150400.3.19.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27433/SUSE_SLE-15-SP4_Update/d131a1ece5f5f825caaa77fdc3bce37d-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3e4d6587299733d05d54a8e4557f1accebcd835b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f6eea8b698e0a03de09ae42e0cb3f2eee454400d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9ba15105bde4c7c81da5e599f05c510393fb46cf, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9bdec4f5e2d37f725d63c5dd9ee18f95e01b3e21, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=90c34fc5285443c172b663ea958985915377a3e1, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=21134a1534423b36cd59397b420c60244d4aa880, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=81c369cb613e9f8ea4d9ffb5379f6a017ede829f, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b5cc12310f6cafc383226f66d98874175247aa99, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=917fd9b719306106c50cfd39d01cfc5a027dc8aa, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=69e230d126d817115034b77c5f022a766950786a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7d3ef9b1980d46528e314b71372a81efec97df98, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=99e617a5b114e8ae5ba556fad79e2e8eb715b989, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=50a9805b0c76c4714f24b88aaad254502a5a28ae, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ed39d222e8d827a79bfe232dad30ce9e11036e32, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=cb73825222ab1b3dc7409fb4ec067418d846b6ad, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fbed7949a9e7808adb647c18914d6649d910df21, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=958686ed2afee0e4340843ad9705f2b8c16ca8e7, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=77537eba50f81cb2bdbdfc0dd2ab994811eb9411, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ef13ae9b2c3844be336aaef0c31826859b2560cb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=947a913177cbfc378ce9cce1c4a693396d00fd82, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7b900f30d9dd93880e80eb2ff603a5bda14ceaa8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=eeb70c840159ddf0bdd425a50cbdda1041630d81, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b847d457b23815e355606212f0012a75f52c4fe5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c87cc5b2a3c7d75eed9ebbd8ee301dbc07d68944, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=63f4cc696ff21d9c9a7968952a8af42b61816feb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6b47914ee5b18b593a0bcf22461597c0e682acf8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3982fd99976106e6535567817041e0f7166d2b8b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4408e44fd5ce51ab0d68224e61bf1c5383499b02, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5b2e806c8f0715181793ff166d6796e11223cf68, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8624742a6abacbbf3a7b1458fa5460ccae3d71ff, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a413ccc6c804b54a028db62ccaef8f0f7aca1fb4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9cfa13d0deec45bc07733465e701608824f6f19a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3acaafa6bee1bc66e0f47baffaa274ddc173cd8a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=91609d36d9466700ba95cf42952e18b6df4d6fe8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c0ef1d8146b6fde4ad03f73f5b01718a33f556cb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8eaddedfa3ceedeb6e2d36256410931fc604e0ad, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6d3ad7c0e745a9a2ef8f23fc41687ce43700b575, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=00e12e44b378f1d97ac7792bb36299ebbc5f0aab, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=150c22299f172bad9be2f7721d74ec96a6b79ad2, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bfef18337f5b9809ce6d73cbc69502f20e80cd01, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2709586860ce8b7679b103c1f0d3ed614436ce8d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=35475391950e3029022504995d30342adc1683db, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=68d38f622413f83f56d29a6605b6d60633300ce8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ea860158a4aebda55ed0facbffbcc5791f09757c, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=76fc9a5cf07109654df70b2c9205c7989afedaa6, stripped9Gev+FQZs~0:cp(9FQ\o   9 ) . #  R\RVR R?R+RRR RfRER)R^RRR/R-RR[R*RDR]RQRR>RUR(ReR,R RRERVR\R?R RXRRRfR^RRR0R5R6R/R-RRWRDR]R>RUR[RQReR,R RR?RfRR\R R6R-R/R[R>ReR,R RRRZRR\RVRERFR RTRRfRXRRR/R-RRRYRQR[RDRWRRSRURReR,R RRhRVRRfRjR/R-RRR RURQRgRiReR,R RR?R\RRfR RRFRER^RRRXR.R4RRQReR,R RR"R\RARRR^RfR RERRR5R/R-R?RRDR]R>R@R[RQR!ReR,R RRVRHRmR?R RRoRTRCRRRfR/R-RRRRRRBRDRRlRURSR>RQRnReR,R RR^R\RRRfR R/R-RR]R[ReR,R RRNRERLRR RR$RfRAR\R/R-RR[RMRDR@RKReR,R#R RR^RRR?RfR6R3R/R0R-R RR]R>ReR,R RR\RERRRfR?R R^R6R/R-RDRR[R]R>ReR,R RR\RfRR?RXR RR^R3R/R0R-RR[RWR]R>ReR,R RRR\RZRVRRXR RR^RfRRR/R-RRRYRQR]R[RWRRURReR,R RRRR R/R-R^RR]R,R RRRR R/R-RR,R RR\RER"RRfR?R RRRR:R2R/R-R^RRDR]R>R[RQR!ReR,R RR^RfR RRR/R-R]RQReR,R RRRfR^R\R?R/R0R-R RR[R]R>ReR,R RRRfRR\R?R/R0R-R RR[R>ReR,R RRERfRRR RRSReR,R RRRFRERfR/R2R-R RDReR,R RRhRLRVRR RfRR?RkRjR\RRR;R2R1R9RRUR[RgRQRKReRiR,R RRqRRLRNRRXRTR`RRVR RRR)R^RRERAR+RRR$R R"RfR/R-R'R&R\RRR_R@RMRRDRRSR*RURWRR]R[RQR!RpR#R(RRKR%RReR,R RRR RfR/R-ReRKR,R RR"RNRXRVRARRTR RfR\RR^R2RRURQR!ReR,R RR\RR RfR?R-R/R[R>ReR,R RRZRR RRmR?RXR\RoRCRRTRfR RHRER^RRVRRRR0R7R/R-RRRBRWRDR[R]RRYRlRURRSR R>RQRnReR,R RRdRRXRfRER\R2R-R RDRWRcR[ReR,R RR^RfRR RVR-R/RRR]RUReR,R RRfR?RR RR\R9R-R/R1RR[R>ReR,R RRfRR R/R-R1ReR,RKR RRR"RLRERVR R RRfR\RR0R/RRUR[RRRQR!RKReR,R RRR^RTR R?RfRRR/R-R]R>RSRQReR,R RRhRVR"R\RRR/R9R-R RfRRRjR?RR>RUR[RgRQR!ReRiR,R RRRR^RfRbR R-R/RRRaRR]ReR,R RRfR\RRR R/R-RR[ReR,R RRRfRR R/R-RReR,R RRRfRR R/R-RReR,R RR?RfR RR RR^R.RReR,R RR\RfRRR^R RXR/R-RR]RWR[ReR,R RRRfR RR R\R-R/RPRRR[RORReR,R RRFRRfR^R/R2R-R R]RDReR,R RRVRRfRJR-R RIRUReR,R Rg\H1utf-8b5b2ec0cc60a88bef9f1e659f17bd088d64662eb3b39f2458cd00a0f8e3c9308?7zXZ !t/_] crv9w2$(Ї%R , VN8$|]P64 1pީg z}+g i푥g!5:گlD$T;gu~,u|dTipNxR%c`-(Rel.7l.dMr"DG+2(D7Nx$#YX1EٙzRM 1gȊↈ͸pj47xIĥ%ˆ$cN?FuB3 `je"pU*擲ـ5#%`}Xly0Vj1_MI8EvVt5 *fux.T_%X0P%͵ Xp@Jqc]BHخhq,40X_.(gogUljrb*ٜp\ {_$7)4ԭqj^^x?t'a<1h]yX,%VgV'W.c.W‘yD&(Ef3z ;ɳڈŞCS1cUfV0lP{n Oc)yAgc`  2fw"ѱ/u_vL[rZ92e/LG)3hAӐ,nӄ o.=""ze._ TC.˧)v.>cmԥuXNv0%Y,x!U:\#q CW然(UL|e$}gJ8^oqWL`2hጵX FO_pt 41צt"|,x[m B\#o2Aߕz*fB2C~S:qwGPKޑ\Cpa%Za·t=pb&ǔCnp l˅< nr$*X.$!í&x׀BKq ?5}lFHtؼeZ|]Ar@&C,9ܐ*[7 $.aE]p[64V%Ĵ{U@ʍ!#5vإN2;~%],*^jš')zmKCyE?tMԿO\@VFxHEx"&Zc6..w?`!m=sDg8y21Y_&_8KW܁T{/a#KƳݴDhkH75~p\As>Acv{aU7@c>oxаt~!ز?r"O0zN6>bvSBVʘuь}HLNGR{vFUdoV7=`.`i/ _Ah mjH{~rof ,^2(r]ڭmXnۋri:iKvmBqcֹԎ)BVp/ >k`XZh.\Bo` e{.0Aߛ#?F`R}E3(7tJ0hm0Y q\*~\Ƚpy/ -1č6hCS"9Ax/pxmʈCSo# 5pn,dp,azh!p[:6*H^^nyTeq]/q(Qљ51+ܛT")jdi\s[i=&G BuDѰkb_8?4jT/%j+,PkP|eqc 1:G|ht DrtWʉe"2°m3J܍0_ƭ( ?/_!Qp-jh_BP|{nqI!d#dU*{X۽i~ ),`gÒ VJ  Nj9oNe1fkGЧ(\k;}{8Er2J`?xu-mI FL ycj==r" 3HĬjUٙ<"zm@eW,ܕ0 sM^+Wt|M\Q]ǔ[uwti.m釂~(w˶p"# (/upYCI%?żp`Gk  nij'o{ 3鼧%\gwq bΩxKU}ݿsꞪFTizB)ZGD1p{< i IbyC[Zٕ*r*|WN] w׳WmšUSz {\:^Ol,C )z3(_$R2:t G^L2ev+CC.V}Zd`qUE>wVMpoJNH8UYdJ;fM=?T! "y1$l GX#e,ff%>|zcdkW ǰmY 4ؾI䋜5lR>Fxɏ&<(smu=n`msW797A~qpw QBDKe'O 2.7I;οԽ[LD͈j\iCC Q _e՛BP]Zr@4/ ܈Pb$91^&dÅ4!#保d҂INkQ"$ ts5|1m(ץ==JJ X2b 9X5{pgLsX&@I[\w*}mktiJ4ʍSQ 8]3Čo`$1=Eڔ)>ZKH S= «BE9J0W]Rn,QMquBQytE=O5W/jTj j*nX6]3^Oc6Œ޳hoo6B\LEeAetf,u t/oƑԹ5)r;!^L}SRJԈK$A8 5֟;T-pā\}MrZn47N xُ/7Ǝ_}wTF9nK,D7'H1@CYq~$0Dr8Q^LYtBd]"& }ؒ/'_<Ҏ+"fVoM/רf(vG"'TZgY2 $n٥J>J/E0f fG };"ٳ\9 4G A-Xu#l*բHPh9OQ:Ʌ q|o'XvP&i"ѮE"WeCy|$⹴,0'$_&glgLJ7} '[2o4=I_08;{]8ҿnQ}OC;.d ӓ1eZ`~=%BOv2A-qrާ|;Vj&#Ek>bbzLZ It j;ߤ:af0WƗ] C@멯Y 0oHZ0JaȺ&T;,HYǍg? )(^DwC4Mgh U韄^9;qQ?+Rt4f Xcd;9=. 0+H)HrmA ]i,zb). dA@)VmDll!hgL3 U zZqÜ \$Y2SVE8e Q Ky||(\J; MLW4,0 Q |0E3|릮CHӔi:UvjgВw|6TGrDXn)cqlRbpYƀ,)u0t~N;uSZ(2IkDEEF)Pl'Mص_[24rVp1pݾ)cjQemBHIm"J֦j˚JM+F=w*:V&3n3w_?ټ87B>20P[wh~c@ LE:-QA_AtVk+/H&//(PKOh-$rAFL.J:|HX@D2U|yFM >cy%\ )~r2Z1D Z#|N 8Vo[Skt ?(O1w@kqTGUG4Mpz3PXd/txԷl?e6-uX.1;QG%k[[|4x@qܦ;p /@8LS0*.,u&n%Nm]*ژw_+z K\v4Y2bq?VnIKE:]WS3ގpy홸&+BY8X%1Hqo-pE&dt?\B:*Sy ЙG|(1C15l UH,7.&&ǩuWZAp:ِ̘=XK d" &?xw Er= A-}GźFPaGcd*D`$k<597y5G'k: wxx=) 1K޾P F a"ZUE'NRFb]ܙĒŮM;h֙q?TkyPTH1"0B8?^F߈6 lff \o__k`}yIG@j.pXA|%3:Q Ӂ"^~·)Cyѳ[@ޗ'E*:J@ıRђ(!c+ݶj9X,ParY{ݑlj֦!G R;L=ai}Qb1#nmu-Em.lFB7ښjL|4Є{A`sWe΀W]wCdMFnsK~>XK7w { q!}\=ֿv=!O kB=1~8rR79 hDZDnݕAm.2NIfO4B*=˿L,o,蕗 fd/qF:PB<|]l:r߾nKT*kw Dd(0rwgRhab0dLFWNr]35*rZIW4Q(+!Kl2MT۞NBo Y7<ͺAYVݐfucîی0܃7.'=2ChZw$ iBrU`<@W$ݳ ,#f/vɮ`m5G bCۄ;cgh1 F*Kܙ*ybkH*ѫnHTx Kb57 ]z":.9$?V'WcvܭY"L=))+)\y52˥]Ȁ`D֎]~~ۧ7+Fw41Ÿ"`xB^t6c5TOUqQq.tngƾHeq9' NJϤT6*Ke-]E<73@#5fN*V"b] Dof䒓܀Eoʆ'p ҁr}vw* T^Bx*Zޔ V<ey %j,u va!F|_H_odL2>X};t*Gpm+U21{WnY):gT|6U? yk$ZT}.4ͱ}t{}j){/fCcfĜt&0MK6HIPBij A ފڛ3{A}ӄDSzoQ0lV*.r.A1pHiHCe_P?Om߼'\Bh/g ^D5X}EsLm&L{#(('j|h]Y ~Ыfix #뿶ۺU<םǒ-289jZW<]C20.?ke_oկ"KIY%K!}a k-kIv͈G{,_r^$|&7#"HvG =%o"CfYF`Fd,yeh ^E֧FOo1%2o ]^_laE+O70ih&TccGη a\o%!]nξz}Dh%1q&_. o^[;`Ջq-_A5*]|rto}gHc 굀S#ju3` 5K#GgjۓKoL`!Ggcv3 o\]PAU7KvadGxEbc7ς6pJ~WY$.m:6GA͜n%M}R7'),Q֟2U'Wwlz?ʠ2ဪW+ϜY1Fv$E92];_nm'.d@.oee8akyrQ/bxE@E|#dѵKZDFrZu[#=&sKU;Q$(ya engmΧ[D ߨ,FLdvrIe`.>uԱ|*pL"B\bh0¶JJ!<<7@ } u"dd `^=lx{;U_t?Qq[\1vZ}> I)|߄x?|@Uf gĊ}4'TG̻9wU͠fE}İ;S>CZѣӈeh5W{iK_/ݞD]@;.+H3 V7ClV^Ïb3~fЇvp-eˏG5n#5]"e Du΄P `AݽuyfxvEOa]c ߌ0]U5m.6$]BD?~MwRahwc⃮K7gD+~u~WTAV|:hKp>7uUHTeNs~<„Cex;)я 9DS>$ÎUnnlAL!_XWևŇ*}He-*)t2#gz87>(t&'8\oo W$1*շRZny=/mU0|"!$~e쨰)~0vT~ŬLC¸gÅ]Ϗ!~oߔ2ic!u!(ǍI :ӓBWP&сAEN36FL/E mXY~ wˇ_"kprt PAKNݨNH0/4=w0sl2cp7 3zlw/Q0r{[]`sY[nˍլ㉜v|Ԫ1*w%,|N84ӓoO$ې uSYN{ MA@tRЅbg@b"`s :QLi8Np-gP;z9\^[EM (@84K|YC(̽?`r\GINV̝8T_^T@5'\,81,'k{YӯO_'͊u[#4lqjW4p 38C5ˢO]cC4 ؾN6+ Pm&nS.&`tCv]مp/lxסXm_H" {A2HŽG'HJ_ʰ;ȶȶ!U 5W*W_2XQ[QR*c.?;2oZ2TeGrOy a^>Z1â+uB ˜pƅ⤝Ol^| ɀ 'U'kLdse4ЬdE:uߧR2J.6k]2HCA7A'zvc$M=@}1aT :L v˕[&&mF7HzoKzDXf眍'ۀT/7 &,ȴ 䆭/4:cVU$LsNp׻kcWٔ >)nhN_3*7:%@^v9$p7 7[at IbXΫbd?KۊҀS{| h] pdN:x a ^$1]LهY %c T*yjKB F lyB#e݋v< cLXVX+)H<>^tA-(iMǹ*(ǁ&N'޸mnOj&W^tmmL&ŨY,r,TuR pۚfr%t=|/28DqCYUA6oׯuthI^2}`Gxi*~l;#nbe3^;):({~^Qj3juPOz|k{-+`e#-!ȵ@7~K5IPrHj6U/NҨ줱|8]^<-jYV z 6-BB :#Cu*YpP <1El^=!dptEQi xxzW>H>riqX0IU|,~xϤɣcH!WSW @7A'Z௹m|G[}Q7[0nX"fՖ` g)a+YjX]Y3A`wʦß BBN":roޡ>u_ "t T#Ue=>MHkh_5yjY6 ݷJzYNog(\J~5-h>C^9Z-('7sps>^[YB[ԵN˵zM3\mFFDm kg:GrpD~l5ȼoǥ[TYQ=>VɿC3t8>X=+̣,y]zO4X+R@9M+Zgd,eFj{5 t'U@&[,lgF0/wTNfsl1y%hGjDQS齌 xW(L-)ƦKS g;;R{8YԵ.X0c1Ԧj=C9Nc8 PY\ŷ|5z~e7Lpb3kPy3.`,cgU/3H^7! }´ʧ*YYCctq).FCȒwG]zX}_jrq!T{VL .pu[!io{Rkِȶ>o =US;; 'А5Az|D MS$Hu"о9nyGk;ۙ.9r*⧙yPd[BR c]Α]~)2%aCi9n^5U;^4muo%T6d'S$uNJI0 9ʫGscCUMb=DXԵ%ctK&U95u,"Sqex5u ScLO$l8=j\FwIq`9!55}8k(H@ݳtdRNJ2-XZ ҇5w=: 2*;glL OVͥ,1킒[O @u:8:L1~ #fe!H Đ#㸹FK#/$mЬ@ 4_6`N1(;4:h@CLnS?OV` fWct/3ҨJzOQssg_;ʦ%7eЉW0\-ZQ@5_(OIMjdCWC֥>qG0d]rKs dRiFC%lPAQUhHbi ֣ŢكYnm'O)dʸKTꕋf/;9$%ǿGdPS`yb6]麖VS2.e\>?&Wl Kthq{i3`F\y\ly c[zS$zkbFhY$)- 1a Pb皚w4dS`pECsc=Xi^ )9ܒovjmKvM!5Y, wPUߒ׳mFkAs__y4o/{9W2`ȮD{.TN:m)pf_͖8)s<Edc=lJyq:ǵ{F!P%@GAazuQ/).އGTy}[c-xFO:n*7 m7w߷K|)^}MdҞdfD,@y(ߴ|!qS4NUnn %%VZ%7a3<蚞5fU@:E,pD_1L\pI \Sʔ{-͢RyFq*}  G7bϔDCC?%K~z:߷Sp_L2 (7^56? n?G$VF1 [=Unor5:Hs,"l5jo3fXW\2۶HmԄD ?030:!ԝdvm(串/")BH9nWZݤ12VGJcZϑ,߭]n>u] :FH*Iz+L  $- It*\Kԉکdb9ub18+\GtN*;I&3 C,,˵[SnXŷWk5O[(zG4QiEϒ:-oسl'S2jI݊OqA4r z7|WH~Vu-y{e /LMG [w )ӗ?Cqʑf1~BSfb=Lrgh#8"J&\P;Sk{'D^ىwKucׅϦ-С1?mXcq+<+U";k+hw]`e2inb;R㌿8k`IajwDZE{vvk=T:gx٩J0Pb D œ+sc g{S@X([ n !y蠑Or GbD㸝q NZ\7w\ 38IIg>,{Z8L*p EF=.*\^r73hܣ"iMAp]{7%! ]{?Չ}.#YA;52@\Dpa&bq<)?Ǯ X>N_ )Y3h > Ur:^P]d˰_㽽{OGN/a@0*ťsړȅ <@tJ[A/sw'XX}sWq Jӌp{4UlY. ,"QrxHOU.5Hh?mnJff,8Uf^g{}-Я\U 뎕!.n|tW_:+㼐-_ ԋ9o)@ڋk}"&#"Si&qX1w>ar)>0(g+]0of혃삑c1+s}`(Sv]!?CXR |HSl g%Վ5ZFsW #(:| 3~* R{UBUV_7LzTjَah~{bvGӐֿ !ӁXL>d䅋O1o 4dt^ë\ ?"}U9OH@V92L=v svhN)aZg?3p(Qx6]V8 LHɃ}0pcX& ^t{_ԸۜM J}d?FP$xmm}&rNk-}:?0ER1l\H|X"sT]P<{)-D-Vm*{cGmb8{=O'l])^*^ѕdh1N]^ yQҟiR7 /L U^&pl6s?>I:l:@tOte3{G r%X4zPCy9ŨLVIc/&DtNo q5:b@^IZڢ}&t F,都_ge36C8G?r@`\l]{mLs>3/}Y4ZK 7+r$wGtnvеZ`_vhSg UX%{O4lPf4I2WҶ8"IꔐY3-EòxzՏ}:2.d$fM6S= W$gܾ_[P"y`y6o5wz hU 1.8e>G:[u59=I>OњupښLb_BoosDI IMǦ5ӊXӫ t 8*ʀj%f+1IOwwsq +WCH~B Kgտq(iLћv(/-湇fX~ qMR]kt &G"EV,(˯{}Cɬ؃BYJ-X{|jʻ0'0nyd^R*3~'p`ǹxMq!'P*16LߺʽYEyG}uG[/Nߓaߨ1|g[Uw޲kn8+17vG3ԙ&*$y.9Lh4j*7f9D[>rz!pA?Ghx NP[J~u!G3F`\,gD(gJ1HE):J,n%?ƪQ/OcKjƽwo|DX,#1%*5-u'8tpuH|Nf2Y!|ŲRImy%붙 ǍxzCa_9'RXItjn^5e5C>ڬ!TF ik||o?hN-e(«+ca(#of8g;hN4V{h` 8fx32e!|d =?@BDSv+}f`k5}Oة QS,Z `rJ8j=Bi %wyC2U"h\Ҵh `1]_̸:"E!"F0.HAituG/4M/$zPqL|s\u0nȑlY<joZeji`)Fdc5H-FJw'2ɏH/L}?@=e!V0o0[[!0qqJfO^'Abw{/\yX3 OsR"9מ1rSd^,T%qMY)XrXlEG?+sB)Ӫr{< iG#VV<̌O𧅎Խdo~3W9*3˱s' {Egpէ:kHR_|_p7kQf(h$²LTߕ|a޲{SNvȗH U;[a",} 뽯:%LG?$(fR &b%ۏ)a0,lz<߻Ăj(~.8AQ_o9F4voPK,o>ׂK-ܙf =NƜK $y9hݗot,Z8q{ky .㨥<7:tg$m X$= {V,uh<"$}71uWL-3 խzto"S#UqFBGQ/ dqV DǁLK"=eLiI@ 74&:'̣,Q71;TX∬imUp`{j[E5O&e[{y4ZlR7UC#k5!n>I`{5^l쬐ОLsWo^nzeYvDe꺐^KUt2rL<@F6TA6&:)cbD`i[)z XB/l8]{"BᜢO^h rQVT &:}3a^2 iuř];#,L0WvKіDҖ ``,mP"֣j҉?aߐre? "KP{ZsVny=5W\՞e|V0E%da7|IX8nʁw.qNSjk(|PycP a׵C&}gU[^e̿jy/$QGB`tyJ;0O%m&D5+%9L\ W-SFSc?]n S d 3Hiv_yA4BiitY\܂hLZ|U0eg7cۺRͯ|%}hBj 'еj0Xne4#Br:!,}e.[h+J/ܙ yR_$6 .B+lXy7T!A/?9<9 η8Hs^j zŁcg eom2MU2SQ䈳EqCXډ^bS@Ag4ƃ^Ϲ>̀:P\Ca~Uˬaͺa+ ׆\|\f#!>IܬA`|: rN7r40CMXx'wVǗ @pڷ"d@Cq1#k61u @Rc9jkn *D +SHΉ:arZʛS}=*{]j =;VCoy-v>gaSqY/n=Ȏ^@τiM53y;G@ju];a܊7{Ê)"_bu98e*NPS-CKt $DŽLL1~J`ֳtm}.VC*1̧y?郳2` PR &\[Yy[yZЊ'a" nlP=tEvUi%Z^` PGTkW:}GvG<R"_B^߱%=0!d*{rMl9Am:to~rqԠvх!G pa+Ljg IġOql\Ml;fX\CCSD*p>& 9t.Wv7q{"S599y8:T[ UDFaA.YֽՐz=-3fOTN,<2z5;p#By+9@LwNU焇_A)\M,$7w?'k4lL#B*%qrq;fE<5A-$~i"124>4ȁ;{ʘK*fDKmA". A͌w&2kizyλ{pD>a1xl\ nR382Ϊ72YZ 혷yTiq5yT'n|`TRd Dv$F)}8׳ }Uxل۟ ۊ24~opjқ jb4x4%ł_\DA:!ijĚ4t[e[F5-9p%1 kHƛ~!( ֐q;@^k a,jEt@*ɤ[FYS73MpE<7+opf`wA"ֵj[*LfyX}]ߧmxjVx5lXcx_t:Vd/>l?Z8 ֘c}ȝI).A<{&»)BbrTًd"X^eWiҩm~N.=gvnG-QKnA=g:UQê+kVu l "2En͉UL/+ r6^|Odu|YJDZzeUv>j7ϛ7))6 ]8NJitߗvq(OG}_;Aupk(62"W]X ٪W/0FSM垸gT:>{à4;z%#7@;@^LGb˷co8su'?qJ9sTl ,ps9xBm(&LI(gufdȗOo:Sm2&9ٰݤs)s֫u9?$;;-q]~?@(޳Dʆje[xH!%W_Bz;iVM_HIh9@&H_DGҖR>#`甑7\$`cg}ߖd7udtxRZJkUq )aWBN'NW1L1Rܛ"d>}8 ͱ k~AE#3U\%ԋz@a /=u!tw\]kZ{`'5n,_h 5N2wd# at5XdoD^uih}ڰ]TT+fȇ,ӃB_wHlF3&ܢ(X!̸NM5$9rb ';VLks]!<~ͣW'5p88 %$>].YP|tF8A2#r._~Kc *h5"iHubۙŇߞ)C|OohSY8ڬ{k:oa`u_X|[O 3 I` "zzm8l-XJϝl AI 3SorPڿ/Ji'0mmE3[QmcG*{Buk\]%HS:OmMA0.T 2g705y0w yvߌ(T@ŪÓ_AckH(0x̣hv尭q PJhAet8r20 ߆O.Þe5Ny1HHX%YOuP"ѸxWЄ3MKSڷ>4Ӿ2 ƞ |\JmM W:,/Xn}^fCTT_hӿa*1^q3P!o\dXxsS?*V9W}I9i"B- 8w^'Zv%PK&$mFh*u0ĮQFةsEG4XRfI{ѓ `{r]+񺶷zUҩׄ(֩PeH8{&W 1!y?L2&2Ww%U`s( "CR"3Gסksjm$AgX8{)nD@.x_07RZ+ ʣ^APa#[4 ?Hʌ: ^3&EGϰ"Ҟ* f䨊!7{Wl T1/bo43ACi B-4 JM'6q>=9 D6h˰#ꆙHa T+Gj,_;)q1{$ߛ1i{VrF*Xp.(RQf;3{xKrbfkr^H ]$1r8ey?RK֡S2jہ%u)sjWMQ1An:QXFdgDƓiN}T]Ln~[lDA rμl4ck-p"KLZv20M3T ZwrE,n`ihJ$x<ݕJ{8O&khcm@/|۾rb %(BhF= 2S8 zIrԿ43vy ~6|kP|DLʃy0%wft dc}RZ'zC~1SzZsq)s+ٰOtshXѼ.{fZTdҭb:zxO1qRǫZ"L;@qRzz~{ae~ڡe+9~큕rn6WI֫ўEi6E5*?<5.ru  ^,BD*XLF;/> 8V¹uYZxkgď6.q #Ӻ`'μ wGښP]123wdu1pX oT@4ZƸjͮ1+"ӭ-X[P˽h%>!"]PԄGmt"L]I?P|/3@E 1\‘Dm-;iふB!ғlB Oțċ?piG4x-13ӯ uk952K7K^O%zod⭃aܾcv*5AirҾMrur[X?nBrކlwOUai%+AotGǪ^kHDđV윏g G!؆A}d2aEDDXWr( aj/QtQmUEfZ^Z/j{n=R>W:i2\ve+o?:d xW,>9xT^Se3kq~˨e'*fK=ݠ=yzupFeUg(s/֛Jd{PUkOhuSlW?w6d^$s[uJ/fF]8DrE[+hr}RսJr1c¿3 &O%"bX!s$z*yS1Uᇏai0cەA:Ф/cD|~#OG;%7mEFI A.N=b2. C8_,e8hgj'enȝxm[?H5x\P/V$7LݼkQA'~VGb,~X;-b+6#dA:kjɖ{txMyB>TΉW$viaX-jqp`._bߒiB?0hq+Nh8&;2@kBF3z  b_W]c[cX:4fE9RHŭ{'`ON8VՂpIЩhE5T{Ei5cZQDs޴)l"xPn>vRٍ0E%C@yr.*ClBr>|fLM]vƻP1?U9=/4A>{o~8,A7Rd{ D{̟Wx/l6!_%kʈU=|?<=ʈ==8nEgyrϹ; XBjHtbnA04Ŏ ]LPȯkc26[|X)|Rwbju@bgp^JH1=o6K ;wJ9g7f߷/;T59p~8!KU 4$_È 1 @.46Gio1zp-oj'=|t &*d-gBI2sX%`u+s;|SMxFXXnQ^`/]A<ǘMMskW"eΡڭ{}e;~mwT6w_sHCpx3 簋bl 1 8x!3`!+BnQ$a wb4ٚoj9qCX՞DbY~ 弹47hKb{M T INK_哛V3=up;m:oA SS&]HFֺW7*w$5 I30ɠь=l;ہpΪEPMӂ L` ]ivnlЊ $Pqr29:;!8p!/$)x>&pFMcj =Gǻ:-τaƪa|(] pcz"Z?P_[HPۓZHhF dDeԀao͌wZsLM{8읉>E.Qcچ@̧B#,,]33z&pLC ObQa=xՀo|F]$,0,E8EZQw =`P!wTU4rB%GOB2T&xlVqI5WB%"S*FX20ˇ`ż'd)$anG"@ sJSIaWb[x\b-.t 5gK1,r}fʵr1$LȅAj9F˯}맮zBL|gDi%Zy(ۖܔ jW{Qx[<# x4l)[ _҉*Rj yz3_maV`Wt7ˋ]"aiɛ_^n5Se{>bBHjifmEc Ő/fd㵅θXdnw]UjbmCodcnd=TPer*MأTt>qb%Y*zkhCA |*#FRV!l15AW5_ @݉[%O;dY7< @3NV58[~NyvOԅ =hVi$'xfvJ!U 2pu~IxU>%6}$TzNJ*|$xo.7͠'URߥHa4-֍2;XrN 4|@&ЋO~ATrps@_8e}pz7ZsB]QXD%g6ti6B=TOM: ǩ5_eO/0SRbHKtg1%FD";( k (,~=CcB 'B.)e۽~CPXs[&F 7yH|77"{lv}ܙxӢo+ZVy7I>B%onam1l68"i$u`FWpJ7OTA]s7>t ?-L,P۴um!g5)t 4 ÿUwC;&RmcץƮEWFD5{bSk_9A<C86{݌Mг4E4p*4Z$t{ c8˛9T"O-bx0tTZ,JtUQЭ4)EsjP (_먝OxRf`S𦦡YzK=cj6w<:dpmݧjIix)t:w}M6?1V40L>54N ;:ƅIӥ Yѓ4K`_5 gV95 yI Ӝ$@kK!%CJhLwYѥLKɵuX3a` :Uuy@@d1}!ӉM5 ;hwSHZC;TTބ[c?ksP/nl"Fd>F C!ܚ`!3Y~CBHf2:%'|*J DS#\ܷ/aMsL ׻'}POMr4)kk _iq [9*}͉ǒF,&stt W9{o-B#پ ŋ%ʍ* |BMja~ېji~2".x8.rM$ S Sxƽm :r jB1G‰m/yйx_@o$' +n2 `߰^%Wk[o2%RKtFLL x^i{h2z+#0oy?[ Ouy4eF4oW@B_FU o#G&IU@H^ ;p GG0?O6/o)Td N*}(]'fts) %g9:X8w;Z\M&M**<>D,7/xI3ACQq 8|x ^iFfu$`p[_4&wN~Er9myO0;!X|,u콣)`vT9oQ+Ɖ=/ ^՜I]' SӘb9z-m HZJux&#,+ׅ F=qJu5XULGqz *o$]79/ Hf _~Zlwҳ0d/*;$ F3{g$6Ik#lܻ7|jd@GCd=hn~LQnj˚(:}daߞ^Y*+!SXpOrNҁet2sxIyuGX}Ѷ8 ]XA`wYEeu# 6,qvAeHG~κFZӋĺI [XϕyjFg,ݽ-I*gtܧ0O7{'Ib%嶮͑T|4Ubx TĮߟp&ּtTQHw{z^_^V{5ޝcBz%Y-*zQHS%ҎV@-d;D'tnV}Uf K<=7OY"&Qhe%Rް6Ix(eUSPxqC|9 |=tԩv26UzQF֦mlt\LE7D'0#aLR|YћM qTϰ!w&[UQ5hʝm2D+ Xd@#BK?taꌃV욳09|ZI{q!&0 8/ڜ ^=>_EPqK!gr;DIq;䬜TߵGz5s1 mp84@~)jhּ&% dPޏ,WJI^Y+f@ח ddU!z$$=l+1WmV xVsRdD/=],L pq7L- To[ V'%*BRnjKTvBwfҐo"UfRIhOpk mx[w&2dhwfE {z}A`38e)e%Vwqڲp9W/1s=L!T),{n0 :'$CG _)Ғ:͉3-wS|Ǯ 5cV"Mp<#GD*z X?s/Ԧ 1܈QcПmJ!.dRgW"\֡X]kQ= ;=79;cSB#x J\ק 6m/$v, |!C6H>3<YL?i!>,}`t 53GdPTkW1Br; "`+2 nd] CvOBqi.O #Zd)6 O?܃/.;Ǚ4\ҏZn{l'cq⨨ t0*o^_ #,w)u9a8z$ x%n@$:AsKr| Q?LwHLŇhm1w0pI-tm ҝNm&JL#QdV}*)X[7df_*P]/9u >E;jqj0|h3h c)ݟAMu0Tx84 J.S~ [^,?:w †~|mr~UsoEk-]].LZ0N)ޗAMF̦ “ܘQLmϫ pqO{%|-I\%͹:Ю[cI+0#[$g/"4TWD~XSHt.:6 t.H2CT)d^\)sv+h@<_G< .;b:#Ef E05 eJ5~EF|Ο8?;{= ܇Jg><@`Jes;:%l Z`rǟ& Ut eHf+(̫mLkqKFT(5:8@7ZNdlȆ(D_/3./b-NbR_b?|4}dD$|VhNapэn,NȌkRs}BU~a߫i>1L5PYB옲ʀbz:[wb(p]iiݻf±=fh{˝?ӴĽ{wI?V뵴ѣ B2R$r =eiᚍMZ.%YEsgp2:Ȥ+(4TYw?%FaD2=CI e/I;KGJf wGv<C'btzҤeZ` aكÎqz020o beP.a!fu2SmOa] (=X_qF|!r- LI~i׻j2 [`yY۔m)">N!us:?R4h1Mqwey p쩜l@VT"ϔ$+s;hF:.Rw+?gVM8kPyw(uw[i$Z]{{ÛgM.{ɜ l?! y`a5K_MM(Kc,)Va+^<򂮍b+OC$#9Vьƍv89&>|}@zv}Tv,a0{`ك%HGNfۜknfBuJ6⯐e-^ aw̝!Q!R[, Mbzw,QO0i)2{Ov\sw5֍_s7[~-Jӆ\SAr-^fWA ZBq>7,\Wb:gSb< (sf]`MU׹[? \)kC{O^Wa"GH O/_54Iz7dе)L[zjt2d9no భQgCC"xL:%G4F ϏY"0M#7 cia,d\rG1چŞSC4"lEzV_;6Eiaj000NcK%.\!|w?3=SBK#8zY@@BjJWxҧ3E&JedلJ-R`ӎ参H'jhDAZ' 0NU~뇺3) Qթ(:,"n;tPQyr)P0RB 7my4?"ݡ "$&F}oi}٨ fO[n32}ײ.#Yv5.IE%nhl+m'6$ER'Bˊ0/#83@$rE%7LY,Df 8lW!sBMT6kXX_xzV`9j9rl8C3gxu&N*HCp'V8(@Q{&KGk鋬tL)~k:#R$V5|laسu˲p2%C.)6 l;˗(s:H4 tJy*@ Y_@w~/{Ls3Sg\`W8/(jO (3wOTayE-q?q󇎎s|\ϼhtŀHA' a`zpwE1#ŀQ.jc/67I3sl;g˲")PcF ^zCP**})vO@FXz 9=*6On ?o>䯜𪇾fevCO=D;Sz 6"R%1,8K﹭+u:Bu;_m I s'A_#wlRFZN3(5_I/%R%]/Z cBr/^c?Ê8%@P:DnNjKD=`%Ė!RJ2إ_\!ށb^^EU'UPFq88jf|᥃fO[vc: y>}5G(o4hC9Th}]F%3=LFvEd=FXp!0jW=կꏿx_[x`E<atZ303N:L|eh 6aP7t0UlK5>-*4w_-bTy>!VLQtx1͂g+how(R2pADg} V6g@(S18)Rdx:Q6P|Цjc9I("#FYOE@V\c8b^Gi( P`7ŞWB!OkmC-_ſ V>n!7ʝ$tn1m?zvP^rÏcpwVW(=eGlmCFˆ𲄶Ak sN-Ur,7{ Ń%89;rB]㵸ZOGFKS6y qQzRޜKv!L;3{x >~Lc(\ZZV7OWSm;ԗ.,O5a opV(:.vC^(ԘNK)\R]c/s^8B: +Uzx4beD=֖Nq~7رImȻn& )MBּXAm̞1N}^R o{ r'1Xn`0 Ε@ZIJ73&CS5E"{CU6 dRMæ4d: ZnX(7-µ o],riZPQlA|} h|y xӹSۻPENE٠:2/*^ hl|8 p]A EI8%X^ygh2&8LB®zԍK ʩJ{+#\xKDUk+n_dȕ850;\DC~%>!4lզ*A 85:ۯ_}C㒚zs$S޵t`P+[ H'B%z!"j?X m%GTU$ȇ 5U^N̏keR*DS=F;|fmE FWjJ#&K0#?I ˨B؄2_73w-. eI~uO߶JQ,YA  fJ;puVʥCr&zl{y]_#\T96zzíVX :ZX;@쁹 I7}fu~~*sAi{T笙\G#\I5apA?]b[1IGjUw4dঐU/Vh݌ /&c ReE{4G!l<ZpLH$xj6MvjrrfH۟17Nn޲|XP),Ȼsz:eٖt-1S^rpiq YЛһڑ7%2/+ZѰ!9`@CNͽju!7~n,{үL3ѫ+j2$XDpx<)ҢZGψ /ю0T9Np-2%t^e{y9^ֲ3,pIUQL/ u؋TZy?dQhyAe@*gFu}̐S^F}LyRznn+wÌ&y9 k~u5h/桌QfyI}+X9o_l[#\N pDe+E]0ͥlC5p f$΁PPVs"j p>P/;dH#'c2ŞjX.wB";$Q%g|2^2a9_.Uzp 3?p*Θ+Z2OVDǭ:7IQWA'vdUc̻U.BYcZ&c DǷR/[ =k)Q kVÜ5GQ Ճ=Kf&tDjZߝv+1c0{/9sl`bcMq9{7*qfQN dՏ #']c1J O!%g . Y gfv]1(DzpPf c$ FUٕ6o?65?/HGk: 4GYpB ^ۏC⭈MsĉY`J ͙u&+~i?mY;mǕY6 1ՅRL–dk:W3 ]FIaEr$ |ʷm`7]pwvqvD) }|'EglkU@5Z`o*gbal c2-]:jPg[O5 ?׸bT~͖K;zpLs Fal< 9KZgv\&Kyq'[mKsH5ʑnd+8pd_4387ɋL rYB]i_RonSQ:EE ]f3k7tDNj4\y17!Opp~b QEEt)+/s/S[NCpSc}ɐ5<30)!YV9"+JLCqRa|W]S#蚮X*ю Pjt;&gąIf(ej,M &:(k_\*t9ߺF(F˘#{uC+~xR`tODkHNk4fҲh>Jlwt·&J[+`'Jͱ f充.`u*˴ezCS L}VŊ_Vkf y?U['X r%zL?C}7`3ŝu~.wJX 2 2N3_?[݋)L|մt;ɑ |r{I#ibd\ۣ1B5z]B׮@pmqdWFϱNhxLX*: l½2ZtqQPz0Yc%nK.ǧ~,[!R> qۃ:G6VyFк>k)KHxr4dg(S/}0ŋXT_SPH }@Ma##w0o(7RO uzorqh ~j87QSJ;]͡oF2P0H6{ql%_5 ~07fkSq*p Վ;o{@~I;ߓ^W,$hwn:I'a2¾3N5 M>r'a'7=!ٮm7mF>/]\~!񼅮tPdV|}ǸBfk}7 C7,0Bn҆⢄*}Yi/VJc#FEΙXqdf`kc<⃀h52Nn}Hy뇉}{0qpEuݯ_s ƖTsD:eV`gֵ(1[[hk"܌}-T1J0h[Tj'(OZvesd3nV% _fO|,&E@߈}m5& ӳ(ٚX*<a)C3垌n`XS[ٸYڒtЗ < Ns(9u_ ߪx1huei0c >_>qmJX?}K[1eߕltaC^&l(#ќјFD!@<-f5d&>ʛA|/7d`1 QJf7[k0AƪOxnun lLʗ;ie/7d>0@!,'L\Vͷܖ yH'{,jp!}4bĘwpI]YV:m1с[m볛I*wC,Ya͵bR|`ќi᭟lQ yxZT0B`Ij+ gKBE"S,aU BxҘAd~I؛s2&4r][lC&b FV%@dj%]ה]6MS״F,=<( ${F[\rCvP\Ʉ<" {L}Y/ Mx{I/c-Gre՘6V߱iBVTx(Jk N4Z]X#on՚ ŕk!G/lnze\V7de;b _{`|!L["bjKYi C_"19mcX C> roqrpb^n˶ʨQcwC sl& ˀT<9j8نZݲv9be][m禒zY(Y> uI rʾ٩^li)c sd4dtH(_-;{p~kآ*-2}8@5l(oIX oG,ԚR[l>  h|ԑ(9>W#Zmӓ; jy̌U}d-Q/`AUo)JVJk`W:NBOw [X9:.OZzvݻp[醾A>uډӥJ$ ;?  k(qG;rEPt,^N1INX8,o|]F4?Ǟov;5ߧF,QJ.-3y]/a -l4zN&ZIZjap'k Z +yAK#͎[Қ97ÇJVDu4 (8`ܾX*_˥LCdr 3:mizUhF,bbR˩Ӻ;+?ʹb%`噐}8Y hl40mOvQ=̣ʉ!cPd%|Rdt1d5tS$ W9Gh8#]o53^hB(6^=3kfhaORGGˁn}Js:r/7ѥK0R:iN>I6AҀ[J:eY*rLwYZL2ϭt&jI'cOOpˆROsBX"|%iĴE2&'x0,ar5=h/FSMù;i8q׵[ԍA(PZIðIJ?{-&z~#[]De/rMy8b"hth(lsWFˢ6NPOf|b)l#Qj`xWB="]-,VTep: ~G7z% :W/M4-B-ZCOOo4Dc#~0LNFةLK.Lz?Hц"Wr-1լ"WLQU֌Ka/4S8,"tudr ,~lKXc"X f_N|U4`18Qbm ]rY_\䴾rd>P~ S'@odaFvy0'?eYʖ9ΔFϡL [p`MSCvUؐ48tpHQ۟f-󚕴s; /qk% :a"o'2`ǡ\<64o r\#*v~kz|a`T* Dw1"l%!k ~Vc+詔w+8"JPxUP4Pr&7'* vI` 2s>'WrB%˼#7ˡD YF¦gr:5Dh.]TC6-_]lyQQ S>XUucʯxY <)e>G8zw'\a'&E.,2zu3@tr;\ٿ#Ni|"V?3]nT L~9?gPnRB HtC/H67 7FUό9a~-,[M'k90Q @"Y)U4DyJ0&_ vvރXvT |^FB W_q3 q@P A2N?V05ReKvIw_R=a,Z\5_8kyO=^~] SВ 0]=>\CqEيz~'D"o 8S%3qW{_`QJrVG#A^*0SoWi~fe +o0e%=ו\{I ~gf=Zy!¸q#QX(Bؿ6=fQ`M 1 еy6E%m,tTL\C!f}Z_8#eXT: pd,yE=  1>t#;nMQ{w#j/tYSlM.ȭnHg>{cEłV 2Wi~n?h5nt# ScWT2LGguO5&8{$#0m{7fO;dRw1~=_Ptۀ'A'Hah]\/Dm+a?է6Yƾ/,-vM‘CkGߕRE1`=]1 Ҏ3iͤ)om6&?0sE˭H{r*,ӍȚ-Uu Ӵ*X5;o&N6B)TiޔٽV7wjVB)%ή&NA]+_ӵYbr m+R J\"UԀ1H{lO0ȑ1: [޳,74,:ԇmyd$6lb,x;JV@ 繻mv; `ZRW PBn]) -?C$}MH&^ȏl }GG (so6m\!ci<&lj-tç9{c:YxWƹ\T:ɓO> `í[үjƮ26n5:~{G~qdA pvȑ&YEdFi.7Q&v;5r3ȱKUU~ƇnO#;p2GCGi D7//Y}fnI*[FM h ,7r_@`$1_(c) +-<&,{ B+ )Z,x;퍲b%pK6:Zl&c8hbS~*D2')x @-R !QǠ<'KoK]Ax`z饤2~_" ( ܵj=3}HyY;@*7;x"]I;QKkŞh_O%33>՘|U; oZ |R4rʷSY6DZ}I^/q"UaW+0WfmiF 1m3}%!ϟ|0%)YcN_i%kzD!?F>̌ Ҽu[lkOKf T TkYo݀z Os O$7F^:}US*댻eΔNo-φDVC"e\$:u}Qs B7m4Fpjs?EwzJ캥7&?&\Za_IId410T;lāzmF >(ƈ$}bQe s6o)G.֮#)ȋa |6C7֞Yj; CZN,f9q$#ki42_H3ʋkKJgyn^35vFSKjCv/WID;cPR%/ Y AJMs|? 3{r'3գWIѭGB]%O{_1w8t7NFTaӈ(nMvk|NJ9_jYq[I`U~tJhMO{䨟 .<뛙44 g'$"2?77jn-?G7mdp!d^-:*WbJf/[c(~)gnV2lW65ޫɲGo ^QGR@>iTOz Fcd.]i*c=z1*?!fa_D7wo 1ߜ pБׄ')V eG2!PPdol=L$xz ,pk>8YC~ӧwVBOĽDLŒL AdS_+:B 8k  aދig6ۗs"-NRX&^){=FD!WDEّp[b/ &#m˩;Pvh,y #3;cI2l.} c"\ %nƟ_/PL8Lzxw OZ=Kljq=EO/6Y}VCpE:3K)sQKa7/Xɺ Ǯ ]@#UMm'Cīs!Ws y䌆=& S{zE~7@y Ѿe#rJz,]jSK,!.2\F0+ l\uMK]q4ƗNE<.$ȴ^b/fڬ?ƑLxqЪv*XKfx(rC+TF,JO%_G-Y@\b{ ga 0T,/ɎKm3:JUKX+~h4 !Ε*_ 8Hƒ)hW[5;jieuFu/khA5W_gE%3epYɌOP>$Ot}pEvAH 30D^OAҟj SxAUd`Dc`[3 ) 7ɮگ`57 gD}J^PZlȹ.ITGRWEޛeiCokj?Rl"_m`l nZC_l 3x!ZݽZ7^_aSvO7 6Uw4[[q7i.aZ w &Mw7GxE9$H5!^kYFT& *H*'2@ȹw'C[.'=FKml|MC ׾5iF%7֘W4AIUSJ pm%n`Z01 #y~ ?NfKujڹ)'Wk9CX1dDB3r\0`1٭s ~PЖljX6G*q>_tI,u=>՛% ;5V8z/ #ݬ[ eDý:g!Qb~X_jfNEb^=ޠթmqJ* tR# @KT蘝T&Irgh3sZeK$5l[8Zl񯎽NfS6&;ZvA oE`. higNuG!+}s6XKm9rR%u8P *| { x筰߱!wO}k0:CujFeI,nLE "l^$cx{/ѯ1-sgbĹ~5iLSd䁡A2"sYwD9[nG}ʔ?QZ}"92M#U!wV^śˤ1ΞB%t:-V +o؆EUiNGGC*8oW8yekeLG- <U+珉,[ OJV9-w;{PBsm\ IBꤵAo~kHA֏?^t:O_,̨|ϭ2P %%bTbB} )LsB6}2ֆ is_$:j\?='q~Ud74͎RU{5 /ìD{#oR^8Q @﷊#~=#n77H;#C@wFP>PkjڠoVoxUE}Ep+%9@Hk=s5ݠ$<-h?5E 1D\HMwSaseqU"\J8]X%`V ^ N\i?ia[)X#ۋ;*IZkx6Mѭ O`R1F+7_EJ6gw5%{d:on0mcۦ+thNb؝ EW"ⶌgp; rӆ`U}Ӝtg<\^hf}" 5dA'KlgF;ӿ.$ÚtO\v: @:d҆ =&t(΍)TGK?# _׏[mTGaP~jx=UۥUTK6\|Շ`F H5fLkml= dZdIy"00GV,+XziIXL ('xBk:R:IѪgDsl'`ȏ.DPg;Fs1HM0Sp4 n~|cY\h9@bR8 }n8f"ʷ.MWL+ҬL:ȍO_wA؛e;T+B@꿉 q{WJO|`y>ǻbx̙xbg16x~UD?qb( M`A5X'[s@B[~#jڥQOqf(3(×%>M!`s7&dn9@uЪnUw)Gy_+d84 b s"p?cm @$ƖG9 A6E }q5LB :OId('Y'!i*,7d ^f)횃v5MN; N/ҵh~O硷DQ~1Lx(ah`|F85ўc"t- wqSo5(ٞB2ǁPM!yqh'$M^w(GdYӱ:,3:h(Aa]u%~( aT^5hvSgN9 i{QpdcrWД $dm/{OtᆉRMToe M2 eԜP.<;U 4E%Gs@koaaRW:=;Zk!Or(  *B8fD]{ c؟^5r wiIH(spB F\}͉[J*vXՊHWQ6k8F_\/s̶-pdENy#,2Jy"od D(7>=`eW07O$A\SnMJB@=A̮qUoySB BxncNVоx؈L*@H=?%zE?.iONrs1/ ?Z|4xݢmV{]_;ZV@\1s9T:OȿYEyה͌ȡiZwak/K!7D1<Ô"i}%oP@3V.?woa$#$!u4QޭuwcLzI.v}bkZčئyLԬσ)aՁC,d8oemqMI|tA3Ps)!H{ qWF6~Ȗg;=]0`. R ޅUj֒Χ!EH7?KnO[Ǽ_@>j_IG5 Jf$$6ψl?}IؗjOČBuXQ22PF_b5'*}:3j+G[^,|:d6ش`w~b)X;3+r'l0≔2͎0 uZ.H;Z/ ྩj,29\>:A_ #H/7KIGً5AwQ+ET2w[a3;[h Xt6$3&\ڌݏ-sJ{Β+z9X(0)+xc%}@!!]m"R3D[dUOHفKݼygI@+#qyXKJdoCu.X__0^+ Ü$7> Q5d97o) г*%Ь40j*E1ک ;(ť\ވZ@wij޿-h5zw[}K̟ zEř?6;8 HQ=57aQŀ)v`n "B'xMܟf\f-Xɔk#x!<7H;m6^@*4p{ph.JW㡎I$^cB5[+)\kv!T97QHGswدU8d /Um݇w 5FMʖq'}ϔCȎyq~sGl|{=LIStbGVYh3Ѳ>fuEsKWQβ'9~%-c D ;åvj7HowOȁk }gLHذo'[ I\\J\hݑ3, ۷J ,߀uΙP{OeF.OƓWٔݎdhKV+;hcXh1?[-Yٷʙ6ԕ@x=epi;'lrH"bo…f"o@هgĤ)mW}YxqoYԪoc769BmQc;:ٻ!BL?X)ܺQ39J$nЇ;IRhZ,7_0^z Sym! MZJIQR2p6$C*[[ZhpuQe"EV+&` ._:<-@h+Q_RBĀj3hKamAZ+ {xJ9g,Co@Bx|,q7x#_] 2jk^-+Ȳ0&iwlFV/.Sݽ3U K`&ۢ!: @u Iˬe³HM<0O qr݉|/nȴDz+tZBX~NR߈N'ne},:>PS[+5EsP\+GC}x1.>dk c \Q~7ǩ-s0W}ltto睂qd` kb̯9Pkz!OP=0%mrVmںOĢ?49O,liDTѫh>+NZ[=MʭzcW$_7㓞)ZVߌl4V+dK6~^ Un}K"^30y`ջ;2  L*m]SXkАtR S"[zT9÷stFN;DQ&֘6}榰#]0+~Pˢ 9^|p yq4cUxh]0c'o*-W;탈3PhP&!{NWT06y{z۷:9/$ٻ*vК}`h?&|9UVlN+5С&f8䪥ΙIyϑ\Y^ULT*p?1kZָ,ypXk1cwbL!yT5ObCthŹ\,‡^)Uu/&}G| 浗 B~TyUnƺ#wuׁKLB@NN5[I @PGݿ)^)KxL" ݾd; k<۰C)ǯb;ɚWJK͠{#7wzJkn3wgrg)shL>NݟSRMWT\U)?w HR%~msP]=ݍWμBZˊ2!j`[ǘiŖY== :L 7Vv[|z /bF-Gtf+`>x…ͭ[+稶r Dq+EAsagL6۹oXCs!P d"R!$nV±rle",5QX:AW?8獒P]FM(#b06&C/yNb(ITޭ-Q12#$edY:nYuFɗ;4+ <x?XRqs"ުumWpfZ5:JF=\Y.}pڸ.崘 < C,&jGd(7S)z1hKmK_=-zs>Scp:}5Bgىc3ѫbg!"%!c[Vt׋Tlӎ39pb?VSv}]#ͣ"g0[G̙̏Mi]؟.i U#JR K: lYp 1N1a=Cp5\o(˪y[e*Qx$ưt?xӏN`N>Z[ DxG|]]%̅ q~1vjdpFVzp/jɿ݅>=O^Q<|c59u+Atj -ǸFz(2/TuZ#Ijo_ߏ?32d,Op7\rSC~h3PK _GF} yX -#?#R=ب,qz'ֳhRbc2~ ^rlvpvTȥ9q$ xAȩ\7-4bʹ_D%UTw*XcȣE))ҿiR`hMFJ~jMrwۈt.= qp||`>5ަ{?$+0GDMHyS>Fj 'N^ ~Ls:y3Z I k}_Ub!3@GN'LNl# afz"O8$HU>,Xn#bf&G,I0 )pڡtx ୐ǟ̜NSFJ1CkBWQh݇v<^Td`gwמ%sW[w/ ^V 2( 5)ҚFk̕$5Vdˇ1YTU۠ϹkEt*۸xp_[B19W n@`b瓌TWl$V ++EQep-zhb4as oNQYݚH*٫V,`=΁2ʇ0̨@$p /օInH3S/PE6-H _^%I N?tYSh9`*WK&PU42Dy`f'5#+4n;h%8(#,(j9vHxߠT E*u`Z;c!Q 4'\` ? h+ .g=뼣 (èQ~ (,tdWE.iQЀ +u6Eͽ8ֈ)|PjM:%]FݚeEg7$DDzFB;daHա!.avŪGRk"?8bw8y4u_|"I^ޯ:m,`Xk.HMvZ(;H>ݍUqù !6Hr`$W,y]@`NS4!]!q:H-0ElP/8FmQ{}-[7&_2Mr?"OX4C_X)*z{?L(0mcZ>˾'Uas$gTReyص)E4eVFsv6FQS؉7% \qcT'YvNOHDKzeT%b,XCޖ)Sݢt=(gؔ70),f @R#\dڿG6PRE:n!t}mPui,՟6' ` -nV"ªp+/ C.Mh ͖Ruݳj!FhD:y PrI OFd(HêGT 2#57tgntgE,vnebsLAԻ4ʷ~'e%X:Xc ̜'&뻱wp?6'po'y?r`Dn?\teW~!zc #x'i^_un<#o\4yjJ>pY7,>9< 5#lCPCB[VgLN:nK҈J̊#Z<O\hک }Ų{($ *96wB0 O&K3@#v7Un6t׿2 Gq&l'8dm69g"5W<>$,J`W?VgA`l:lB_L5N1._Ŷ(ю1)gdbGnR?8qW{6(0֜;)_urt`Is0(łj%kvGBTqΎ8R̔Fk^P0UvmS%G5 Z fѓA'FU4J{>bi"}Bt%.ҒuhjC]IRڏ ?1e FΟ&R]\A̘) W]G]iH_ϑN!VFJ|Ýg˯<"QIM8O.œ(,]M(fЕq$41RS RiYQ7J'y貑U$'FhL-e3>Rjs[IXMC+PsفgU yeyM))?QwyNJr^Vz ANV|<Px{@K-̺2?kt(Ҏ|17pz6Stro=AW-D|+<,@h8e`ܰ87Ύ.ʢ|-uiߖh_@ Cn$|b3`sW!|TZ[ efh|c!:a7aU_R~JÀ@K858J$?y vL$ΒG=%Ҭ}Rg]MMst_COj!.n.u Ds%}uUHrD }{i8Rt> Jw~ι`Y󶙫R?}i ,\53B[]̩V6g2X.s? YG9X3w2:t|`م }7a( ~ȭÈuxb~IlM9$ο >Z9Qc^3#т_U:J{t3R >( ljvK eR+\ׄUy= *xֳNyjyB\BYS1~xy1ɈgCbM4TI 5^72?_T tĜ9"'&,.YAc‡舵-&_)X#,&sx~zهQ՟cOv}腽8762946_k>\,CyCq7Ⱥ-ءcv"Q)xJNVRW9#{.9 3':<݃fAP$ 5P_v`#}K < Pk'18DOL2y|@D:<#&o#Tѯ89eƈȽ<#o\t$?s$΍(/>nUӚ;cv%ep|GVߒ NW{uC:eoJa5Yx™Q1uEC˞D`~GYECAx=|m"NA5ȾCеefߥ+NgnIڎ:-myN>Brd+ݧ `wTpdssw~yyQ݋6Hat)@\ިowN_:9eԖ=p d e-`>2^ҟtl`$G+lj+G9Vh 2<]Ec@;N\;` Խ/U+ՠMIߣwHøXR%io:)G`Nx76򇮫+vpg Y'M;l'g䶼7ޡbk?1x{aheUe=C0{FYjK gNƍ9}M8a)9d^4 W{F U?u!_jvm. Ѕf5iSNa޶25 vU\mх.򩚀H$-QD>2F́L2w,90*LYnVWrq΢Id׀v-y_ :7,0*0Am?槚FP'O ì16RZꇢ~HQAxrAۑ D?7^c JT c>ؾГq$T`|BUZ7A2ji" 5o?2Ris[V nUBK4քqn|=wVR82YqZХ$<1nrz#wyp0W4 sENn)_V0wCw;Q8= iQPfKBpd\@S̴Yc]")ڎ~$WF [`݉i:xЏU Aآ^R՚xvvL '3rb.l: h8daA} )JN:*Ä"?4eb\Cq,xl18[M]Q'{e rv`*&JtIZ+`>Ոۄ | ̐z]]$F<}B"`v.H _7զT'.фmlیQ݋53z-Y;8KUAL34Gk~ۤj)#!VIE/.R-nXy}v%xf .yf7uZݯh,ߣ[8,E=`* P\1\NU2P<.6|4xck{ 7+/آ814B1BfR -5msqC;45ΧJVJ6i}ZlXDW?ԌԑdAiS/_):_7E:cثضa&"1m e|1zL f<&{zVMDÔ;LHY\\* d[W؊u`k|+k-NS `t -veB3/.0\*\Uˏ芵5l ʿT=0^?7΂YYŔަ(D..2Ad;? %Ym=q7PܺW"F2g n{^K8e}۬q|qd0ʊWWYcD0ޚN?#hVMa 'nU0r2@<`k_V/[- Ҡ #;9;,M \{?Bm!K[+<#lBHڼ,.^5}lΫ>7E.LVD5-vs1 Klm*(q ^`"?9ځf$-x7P~?UO!T[,vnsAi3ǁ?lJXDn^PTqS2;6m4 }ޥ c]2J甋]+~r&ƒٞ]t^ @tM耒 ~ Q xӓl焔 oG7}Fb׎81pewػFX%L$`2.D9U:̰Y᛾ u(<_JqoPWMCd@Q9C  ܉3h$P| 6m;.M4޹bW>qRB ElZ@Dt*X"* 6KjY ȱNZ@c2ܯ KɲksWP Nhq:L~BH}"_!Yl/W GR0Y\M.UL*Zh5` 1=۳DQ5}fHWԃcZZbԶj ];䚲li6MbbR34 fS [OH6K$ՎYb$I<H];<8 Soecتκ}'/^ROe(Ûny14@ n7HgZ<~ꢕP3K$WIk`<84i@~A&~FwVLrA GSmRMj9hy95YOsA!CY[|~7)||*́:yhe%XafrZnẽgґ3}.@](:6+[f3o3s]3_41 i~1~X?lBkcZ&`xl .=4bpG%sj"rH}V>bıc(ux.s2@c%))ʼn: O[MTcn%eZk, {H <P5J F` t9sx|+jjj7\/;au3$ Uǂ&p4"kjb4N,PHH9b,Wl6BnRגcY"}ʽЈ4|s&VTYӴ'NjWm  .9הulu-zC4Ę"+ F{kUƂT*Է=٘[N '-w(l+7c>敼'~!CtF {9flDo|rU[<Pv/g [}78+:]U&)(wWr=-ov5%[DwaDHdy% #ŋ*NC@ezUJ֝us 9N{lY8tZ)xn`Q^pEP+Re%v.,:fԈ\=.q;ڕXi'T;ΐR[ЯO%P2c2A"tqJ?ЫxUpJ )7J`T76TK3IHn%Hk\1Nݪ;ˬf >@%U+;`r`q:BsxH[ymnηm@Atp-, t 5iynIbh v8])*wQIPh敁(EqeL403UJ)ed>{L E:.V`_\Hs9y|G  ˵3oυ[ *-tg64SәM5HZQO=~#l hz5}XEx "e^&gHQ> <KluNDF[THwy?Ka#* i[S{[ufzFښFX; 8w6 ]kq!/ӭA俲P k |bRmlݚ2O&~Y]w#Kd{ѯo 7Y[U5ȯ9mLuXpuvQ^? f;+T,uK+/'ft0 `n~=i%$w§הBV-э,4_fCqR??8esBChǶɔ#;:^][AlA-WL 6Q@!VW@5Y?mA8\+uaFwV=P;L:}prxOlv=!uUDŽ6x^#C1>W u_G;NDCzѥX "@+41R[W\Yu+C]Ys>իx!ã%zR@Lf!PlnsjxD-ID3(PtxlI?Ӏ!;S#kRW+'O1 sA[itKaVɼKbW?aNof@vEE7vuwOԕȿ~rGw a I3a/q.Lq45[len EE y6_lB{frVWB_bUtrE6ސmhlfN:2>(fx" i4ؔCֿQ~] }9;\,{vNȩoߘfj>1-$8 }fM`A *&p{Cio9 5H2`6a@Sb~rV!Tu(v' w5b5i+t]hh\4m}9dnM0i=F'Ɗݧq͹GVY3TzH4 D^fX.u-XMjd S,(r`'t`!=m뎹um%I5;-JSf`qa汵1U.ӓr= 1ujʴ*/R Ifh@,$_/­ اȒ+ABR0dd_('~EnAx~kgڶɍv&Qnn|_]Id|4ݨ MZq|)SLWj`[НZ='o7YxPtnG 3nz)^ V^N|ļ4qiW0׏ U-Rk t쯘S ~MFߘ:[ h<)-Z񱄧nyi=m*~ 6)dx"=(ʊ.@pM"W9~ .YD~^;A8 -Eŗ->OO֒9Gђ׳*emL Su߆"܅ vT 9>U=/9:7Gͤ\+t 9Migkz/&)([~M\۔6M@r-̉ymA%\[FX&L=0W ((,ʝ5VH;/-$"Jܢۊݥ3{.5sCf3*p?Q]ςsjE0Z.|Vhe,4 72Ra1 +e>h\ێL"[m}¾%JI,t >7=fk0Hk\4C2OlJ.oOtk<%WwpM= g]J`EEaiE֨"-m4gr=_f DmU})y?s&Obuq貣/NZ4iٜsCa#te5#5A95J]GS2t2> HvC{̾Lh.(UFuhDL!Cϕ2tRTۧ ' Y QQ;a`tit s&SᧄHA/l:>)%mOXcz[8qx2a}۫:'V7N;5Ta]|:jUXVs]P K_]4q"0– |Xo"[Б? 9J`_ك2N9/^2I0LlEl#w8l߽pHɍo' #mݞE囂FhOt)K/ކ~i nWȔ3ܝVse avm#-Lk U,4H:TH; ,K;%m5'l@jJ_,23>[3<UϾO y */&QHTxDN7gm>J_*SFz[,*І ~˫>-e2#`bn!:]~`(|4+w K## ]~)P'%1)T'GJŝY,X.{gCB ҧ(^ACry;Oذ>v9GE&֮Tc)Hz~h>?*<4[^yOqkT;aag4ۮl$5Qӝ2%O9WQcX+{^mԧ JzC@sv@D7 A0R}̟="ZSc4@J{i_jf۶mzcmJְ4pcE"ÒI7YEvw12f/ۈ/9H׆&nl;< \ǜ:{!NiwXV ycpv`ƺP7F{2ybZAs߽q O[yc'amV={C;f;99Lr ^VZz(/+Pɟ*oIC|LqP.8hm{_IpX=dl!֙μ0\\tZRnp9~5P^dU2hua7mHGƎǡVyK^V\H m JFMq ^O.ybTArGQB^eO@igi9^nVO/ Qgai?&I>sgp@_HC0E)ۖq}t?#Qwv"*;&}vBZJZ* 6Nm/%V]wfg+(-Q [0Ty>DƱ׉?'8I;2ҝw2}oPզiY9t8"qB.PW҅K9sPcY>{wˈi~ Hrjz38 :&<n]o8~u1C9E5HE Y:'3i}`sQvkp-G]fTDNP^\\ȃ\犀 ?ݻsg!~rL M,LrFnXxtrG56RIn:Vܭ靮"pJԒ,2&AlN8qo8ߜ5xm\nzlŝx_;BN:pĮY/<r61XO"8qY]B?edh#&4Brl=R;ˆ41ֵXmp7d"' Vh@ִ8hR|0;Qut}W+*OaV`YKAQWa㘾4Uv$#"v#QF2:.3Hy`V In V@ kMD82'H //#'pʿJ|6OpbKU,oSz'ȏ^~UGH5XR sʋ Qz/eƺS q!$u 7*?tWâ~c2f9E\q!k%-,(%VIm?VUGDkGAZ==ͥ8?xrޅr@O IRF ali3e:9Zζvڦ޿"I6|@=[YI.pHF&8~?7$8TԚ|/6ETK% j*D49z D˲VD (aUM(B Ýإ0^9ê@T(*LV (ŒFZ^䮈m*\S$ QF=vRȚþА5I#W,͛=)R3|ET$|vmEpVo5bD^LT"-yl)jNe1꣰)Mx|x)o6??{! GP:H=Á,gZ..(!d]5&%ɬm\> {'FY`$g\'g/D(A.8&\hMdL' O85o2Q&v4G8|Tjwl6i3i1=Wt8lQg閚\2;mL| ⒍c;K x>660@{؈1>OE+|P4569<b6^_ݳGAFsL>c^Hl7XNE[#Ik{pW~o,&iSe]nHS=J[]btBTO`^wp>3}sԳVv:\P#'0 g>saGUZpcb:ڦ ;\̥~5PYl{)d oNP>9UI߹ lVe օn-4RcY>$π uVHڇJe6<_w0*T j(T4DWlNYuַ5!Q5:8]7iu](UEN+L! hI}|>aTYS߬)NfAGAW0*.`DO};}Ye#κReևB|Ta6ވC 域"T&]_໮Û4!J]bıׯoA~ XIE3oFulzdz#,F1vԹq2۞{|m3n=%k (nU덁&+k*q/䘻[!}:V,]8)%5@.:o胪i OXvXS"7f%~zɿ*ò`Yw뾟v7XX QcOė82y #+,=(&Vvt1/~ &<-Ҵf{- Rɥ/0| \V"{Y1op|b|!T \V8Nyp(xKBdF/0fE@ 6Vؿ&|d<i*`^qI Z[ւFIsI+^6nBP*<P҃F,qbsrjP3mC6vY2]c2o$[UU8 k`c΅& Z>&LlfT~G(M)*XzleIoFh>!pg<Vi~U|boESkruO3}@t, VT`oQfWd/BgHmMD %kW˦%rQ~ g#kLDT4kztL/ҪsU>MzȢG.r楪| ]JsgB13!"a|HF(|7xZol} xUH'0 <:!QfyVŠ08ի A2ϊE>*Eg>uh읶DGb.* fTnj-u"|5DqӼ^|[O0<?3X[޷ jMt۽BZF [_QDJ⣁N2 OC\>]OSj#۵m]z';5ݵysEx.ślCPHQ˥՝x0D4s:ܩUgL@VƵD)v(t]{.;٦I>^_OU8Гqf,L$52F%}O>|X( z-g8D\J̜p&ef~߲0z:VG&?{(%xK;-]h4-G {5K.CkbUS "Oc6o-{KMUR.qX=m@X)S zܺen-P>$?D93u*6 >sJtDfmߘ\66ht&/`$sFqY^HC#ɛߵl[ #ը3~e ɜ S {a.$l`99k2(-/!zB&9eOH#ʳ'?cex3[aW'nBLzSj2"s4NfRвs$>܅ Fzϓ4-Ktl ȆDqC_ܻfigu _): pgS& yЕg1B~N+ɨ,QCY-Fh+byP Qj18K/; =}>Iu/͖efRJ銠(?ئ- ݈X ǣ 2%'Uᔦ8JRTGݷa{`nɖMAi@QzHbv +iw)%MgY'\ Ia 7G:*"&rh@}:QP;hPt-R饉}Fnޱ#QfyPf]"XUoHn[{iy˾ڥ+e |bFC~G M>ְڰ$ 3O8ds7^_sZ_F k {UDj:v8{.=Zu|qԷI?{f`/iyY(s0CZuqsL1z\Zq3gГ'Yqc.1:bG(>kCEDcYF6/EBa 5$7ƭO+Ȓphe\YF[S6ޭ0_htP/ڗK2N7t 䵇/;Ӑ+,Y9PJ6ĈV9e#x.PF7w%/Y^Zd]ͧ& \ޮ@}FAQ>H`S5Cq}%Jц`bĖ\J"Se%[Kz|:*ssE׫b7Λ@S]('=27_ePY_ű]%Qg"#HЖ"DZ\nܟnELb'6T)H8n |҄;6$ ٕg;Xk9I&?n_LjuVvB4d@&]CdG7'9K+_n>f:dVr7兠pudB_ )VIm=o".,uҳ/AfOF˄SK6,Z%YU"c=FITt]{˚VAz;}g)oaA|.gA=Ȁ t_Dx^7% dؑEV)xdj bb9 I=L}cjT:UUHX4nh g2^JAߧG-|.t:/ձ޻&j8 ڦpjD*CKVD iί1W"{(qȤJ.@ewC\-ՁP"OB]T n))cSm)!@qe'-4|JŮ"?HY>U䂼_3S,lP? 7NEЮM(NFJ8'_~כ>Wb䀪e*NerNp$ o;pĝL3ۚYmJ))b'!CssO`>D>In9YlLirP_2q] FW?A 2vv[Ƽ!:tز(yqw8P$ 5ti>.IƋaD&Qsb1S^kpm>Ea:PK2^^Hge5NVtCڇ F(=x[Jn1* XjN US+T-~.z/pQO@7,2*5=Ci]ְ0z0rN&|}$ i#&5X:}={$NDܙm LS1,I>}Ծd+t 8HyWx1[\u$胖dWC;WR ~vijul|*+5^c{,H妆UW- `k$ykXU$lgĎUvuәP" p;h3Ḷ 5_ X9t&UU2B%49?ޭ폤1!;dS*7q4t(pJ:M023!G?j;PaLc,٧-03N ȓZMChLT5x Z:Kv1p i'Pw3w QC6dޯ_oYn]rYJ8} C]EK=%GX+8yRQe1A;UK_9GB C,rvlcYSN [w_ऑ<{C[Wz#at1aޏIx4-H=:jW摴QB߇pJ)Dխ)t=ggm] NɃrt2M}^Q=YmQn9ϯV (.3 Cs^CeX&t}[%˗2Du~^.3^]Mk/ ۨuv7*{%]DkAJ*VS0[qtfxC&" Lӻ!DK*: oxG;Ҵ}DŽOUf,:٘RI:O^ciz;K!^߲,6qIRDdא:(\J Eli"#zu1,%d)dh7{3C/Z&$ j`a XS~C|l{X[WbO~W?tuԡ+]Z-d'N&DTG ǏP.. I6'R#xdBdMls.hɖrIj$gA(r(4ҋ:bQG͕ӯb\sSarlK D{O `JvsT)/$obtǾr %ܤՖ߃ȣr\VioSݬ)K|Nl֟ty6tڅ(b'ؘFȘ"uLfP~K6ϻ6Fg,,Pj/(kq; nl+Emf*ؼ:wq&}ݣS*#Ag&&D1(X'4o3Hl;Ux sS~SSTsHZ3u ;(^`ی|7_>=UWȜ-`p6c1Kp;Q#g?V-}&)1tƦ%,K,oA GةVqS'aBm.I3ϟ:'F2$7ԡ-^5nڠK+߯coea*{QB>ޒ>ʩPN}H⠥<"6%~; "WF`HJpBrXQt%H~,By8VQh=!:/o(_kan($pkx ޿‚RCJm6YhcdX 8`euj$HyW W)ZjexV&c;<Uμ?4m%pRuҡԅ4{Z BZ_u|yL!V-k6"g$c&ȔB!+9*\4LiY~@L@ɮlb#U/D |Kخ61Cjr+}LsPU )`x ^}_t1Pnryl{X(dk퓰y.[F;g/qPSgDpѢ*)3 t^eԕa+h0}6#M&Q¤i%I`(@Nsl}gىć',7N{]> i흃Ԑ%x8 o'udʹP3s(JDw2CclpsH~"ѝ(jW bWlFO~XkEVHG?^^82^`i%0߳7M@ a8q(zxyWLmYcFZ 2E _ Ǜ>o#'רAk{:+i{14(0R{cPWO.J (;搽h i}[ZǭoXGRkqacίWP"ܻpmppwrP 3(xS+:C@!j3dIuU{\-W}Y6u/)gK\ r.M+A{e~V…?|詅#sp dP|iqJA!toXTh?Jv^Ǔ;$ث:ժJI_I=f,UqQL6%lx5r3yAD k12iJ"0yRW^)%dG9XS劫8ML%'~)ȊU ω4B~D?uWq}I/7g {4 ^c{Nnj}DɝQ3U%WRM΄dio5x!B^xڮtFU>-Eix*\Ꮩ]l L VYSŋ -~)_FiV3~ Phxr#mUmޜd CЙ x4qu w92ss~s;1 jd!JK?Թ<^ԄߤlK` D~/踙=֔K;uh _+>, Q A$GU >fDY7 sZ[8 VN#BeW݂YB!D8]Zt)S͎@i,NYUoU0@]iD)L"EM,[ WXa۵H-(&4^xVH,>'ۂ56@;ۑ'[ܪX Urg|KY5eJM vFpSnN>E9XډqJ UVNwDxY<팯.mxpPq4ߺۉzC\k7aW 9]i^T~p.t./'F6iKy'~/08,("03pWHSj؅/9dW&B$; oko/(Zoݎ-J!| D-8Rwu9eAH4_ ś? mp $|`B_X+)Rۨrr9EA6m4+XN.VGYغi5뺪Žt kXOeM=KE^[W"S̟ sKiT:[Q'4Z:CT*mPhd52qgtf;4KMxّ2{jм]zd90SubI1WX]mFѳ&G+~ՎH/K`J צtTy OSwޕcK q_Âwg'$Q=Mg0JZ/Hdk'՟S+ۊ>'fxH÷bo\q3}w1${io.5sCj^(DS=38[ ȸؔ5q/]l'h7u~jrR KQģX*.4h09?ݒ@)!%nЗ(V[⬚AaƉt͛<_ӔNR[bBL{#K~_v7`Jn[ 6v6;Pos#6TF[)g:drҶd-iDP,tDzv DC&RI !>:]glSnѢ>bW$Dq=Ǯ["u8 8i#P/e@(\QPumXDoNn|uJaP/O?ɮ~]Ũw;Q[(^P ;x9ŎS)`kʉM ,cf-Wf%Zl5Z(ܛxbVZ=ԣ-7Y=uj H[3a{ TÖeVx*`olb Jxtc,cuUkZ Vyruު0=%5H_fK;U+< R>d Az]ZIh. $_2e㤟U(W`PVkm|Y{Xi(0Ul|(In7ڕa:3c@4%oΒ<4ϣEz`ocY:2{v=xDPɼSX=Wf]q&k|y<xs2&3-%飚u[%eZHϬ?#H^q+$Y)_jn٬Rڔ9tԉlnv%zrm:ڄ=g<7Z4Frk?aա$N4+dѾ#b>+Y-_K ƤkCNMּ:Ϗg/2|oEBymמ t9,ҎKSA ?BvxSWyRT=V~sh4&-_(Vs1*(Y߫D َb7D(|E>07(ޮM mFP  ʄ҃o4ݖi)@K~l6Wa H!dw.n|kXtv(^)n-T9EFa>/IȇE^Zj#<匶Gv9~8N"U x@gƘ* 3eV;]x?͝D ,`C(JA+龀!|u^\Tz!J3w" ^5é@lj$BӨ} Kkly`F @R&㒃wB|[ȼE ۷llJc~JQ<C$_RbN ϝ(Qm /Fh7t"l4O*G6ԕz*# 'E¬=;ҢLP<7 pg#{|Y*%٧#~<sj,v/X)wȩn9RS |J%ZT6~!r>1d|7~,H*Ho<O(z\n|Xe $\{fk~p~ς35`+@$8Y՘-~a+'׊g$:KJ-RVƤm1zҗr4Q._dE ҷZU j -bh|ӷmF%a"+]n5;qkqpwmLRx7E5zX[=J g#FkoN#qZ%c^Yh>6d*giuiB}p-֯ޑʓq!qb|")I;2]y*LP9R4H61˳Ox+l C,1/ةڐJsn0>ew&`9w5E섎IoGƺ^2q[XIb ˅ǰas=v-GE.-]~<(Xuy?58xZ~gn~£up]a#2.RGj6 U4jCM)ΔAp1B(gQavsx.HVR.9"80`5xםMԇ=4qGȻ*dm X4CcK9:/Aa q4JUL}0\" Ḛ]qWtgCB DpyhOtOw+Wsg*HrF 5$#ZpcsaK,5Brt%^lS#EVD?n``>?8mSo{Bb^FTn:Xi{ r=#i) }-#cVIF~S)R sܥwq)'ԍ׷)ۭQSݶW. 7QD^- ,֩fIJ:.hE kSGNܽ+Cì:*&S0'wfrVʛ`EtaRw2^VF?2WkFl,h;ųe-(h+87!=b6(S$`pW;*4t" WxO%tRNj5D7j<hb͖pVزzp͝-+lOϒ.gn':DJV ۊ۶&,F&ypJJ甠rul[jƎi{¹ _Jh'kۭ{b׶]r;]'u@a&]2"& *+35P?W/|p6]av_Y0RĪFᯢ01P'0Ս:es*9l0cHWiI\Q4wԴDp(AP%0+Akֳv]b|n}Zm2`L :OhU-JxհcI]n#+8/ItT6 e3k1 wvXpºDzK`X; yQ;@]S#7K& =ew(EzTpZWO{쐫~b=8$?: ,rN|^} {\Hl5Ǘa?LjWi<!;WXM+<}gW 0mN#xNaR $7n>Zzms&Yr,aEUds-С/tqp{ád@d=":s;y⾣jgd\EZG ,X@#~/1gڒkb'O!M|aQ6|Se8}Ov)m&Ut3x74 n/Ρ:4qx (2ceUS W 0ix~1)#UM< 7=WMai5? NLw|hy`:cGw *b˓}w\AƯM)jg>BM=RPVvꁀBE\e >B~ '?܅gG ^n ڷs[~:?)FPfwpRG9% _k7{v ezx+<:o,d(4uMˆ\p*8CG#iŪ8eox`8V6bם#u۟/Zx| lͳ[*rE{Zǝ$]L?wz^oڶU&&9>ID.֬s"==;r^߭N'̲fEd(͕8 y-!NR=,ׂw0:$C4ʜ5NeA+Q?)UyFj] N{}#χY@q(_Awە~N/Fnoɠ92e6vUM*p:傖Il &ĕUyUDa>~:Q85sHo5-*Cú$/E{B61nԢTI̎g6J'}#VGFGA̬AFXf='+V}Zaz{R6WyAC;UDoP55fϕT%YrP=i7%j{FdQJ06T0PXO6U'[jgR sG!"-] O_hX8$S b6)kN U>֋ LFL6]u;<郊ÁV-gM̝N|Behuz&GG)[;?AO1/P&htXwW K&0P_@k*xKnɮ.CMxx]n3`lkos?Oô84-4<ͱ;mMGk(; W` ʣ#{ЋkIY뒈Ӻ)EÑN02pIumb}=&Eđ_Iu[Ud㈉AvIk׵&:7@NVQ5).<n*ۃsïC!(d_i7b2jSKM:|$vs@6=s 7x3mj"TS_`)0'd3 /l~J"}2B0wIKM"7Eh㠎TYXGD K̑Evlkfj?E'SIqeqi :>'z) ,?u46J$tIɔ(KC oRKEe'[r!xu_|YOst)Z Z C s'?ճ Z4ɊP1#`R}\=H۹p5s) j}ԷA?U%^x(|ZoWN694)CU-xU5l\ڿ7. Eߋi&y,οQ%G e5Sg }o*a8_˓o]jT 8扥cjMߣ4*'^XDPCQ!hir< \ahXR>W;M9=a$XhhwcBn" ]OD7ПI21u"acox#G|y: j h%|BQ%ƞ@Z}2 (KلDko&rzuf\ԬVbh繍E?CY{ixօkTG*K'{qCnt)E aO(fMg7@63N,+w:kd|&֤ﷸ{M(Xx;˂b_HxNzz7}|_,3{,qx=ESl0y_eTcp;:ogԺL$نSjd,☂Ia!.K:sWHZ7 ") aqa5s çMލK E6pcchA=r"{~> IWdllkw_:oxL+#^c"ob{@j/uE^m? y>RSvͰWK&FxTLNb2~Z}W>c_>mBw':'p~Ԧ]Sj.)%pi!m92q:N{K-h5("9tiEݤ`G]O?bd+"ֻl!lUUVƘU?NE1QBX'.le{;+]X2UQ $;\ GFazރ=+|ΖL-@$QBk*2r8Mʍ6T7!=Pdݺ2o]tFrl%y~F/m}6Ą씷mT4; 5<0 @Õ|MI@$YJ<ޜ¥ õ}"mH4#y|iV}̉`<ȺFuLT!goNvJ@Vuʸ(vdN#WHŵM.$B8 kH۴-qUR ~HnZ[d mIL wCWt4KlpD T5Lm|bU˛)bfTd\ǘs$C\ txhr^+H4N)SDѾ0ه0r2 r~)u jb"V.mP=PSt#v=/%ڵCkig)"9 Tq_˶#7 Ld}*ժxۭn5g=eKl+ĉ~aCG962p}f":'RF򨦮#"k-TjBQ @Ωr)6|H~>`~B F!Q<>I疤WwE$Au{H(a%j& |$2נ|5dS@uަK%WRhN0{^U-gaI0!솁HBDq3r'1t'14_ݮb; 1?"+js@|n|S}^-B rΧҢ5N=HPA,Ϡe?T{N:K:m)wc0+z̓ b˃d!W %*T*Vsf$q!c% jyrQFA)_ݖ0h$6Uc%Zr @Ƒ(עjM~MIPDžs֠U!fu蓆?Z@ڞ}^4yrkv|9$ VK.sE2y#ͤaRY|2;OPG;B1A4qBgW;SD5.Q)]xU7ÔJJhJ(Zit-DZRD*7rN.GLךH#:~[|+tX\x$i!(bo2;vAE^-髮!a+W WPyDS/MǀDq U*yKޖ.wwp%.NԘT4(Tnu(hnW^:dDAbr.ϗA 9pSjͯ)qIdU9)*U殫%HTwl%tCrokdKqgdb;\ZtPr1)_r-R7 HO/^:-t˝& a y@fv*PFfTu*=]I-  K 4(-s#E졢[\J3VUNBۼ_$]+1> EA,t<a"2>iZqRx[x X(̚PHCvH޹($4A%~bz8)@ݹPh`ҽ{ͱ+*2G%D+=ZrsxC8(~zŠ{7ѬC:k`\<+$չaCU htqFM_++. ]»Qa1ӂS(D&=Fs r +3h V?4{3?U\Z.xۑ Tz)LSj 5ൠ,MvӗvI4V||[:8"㌀u =Qtb#3#e_[j7#N (tRHNגq#/.my(-s'`ԫSh}&)X $ҶD0UoT4cd\GA9>2L:uϹch $ 2/k9^wLA9"%˜}q*:;9+Vz7r~KC I yz96@#98aPo-u2'x:. įGL)P ցQ>}`XUw wF`Fcy7d#V{~ܕAcu&U*I]NLЁʏP!D9D=fA d~įL$WHىԳc695 j<1bW&E0y.$ð\Ԇ7=mYzC qk\8uvZnD'yRܕΘuZ&yU9Qꨪ8<8Cg'-%a-eC`S^8˔bQ'-OY)eꂿlQ9QԡHbhGg~}sa7~quJi;| $ U }/cgB*R m6 EobXieUYiPI|`+0R Qt\G;HmՏj 52dg;ji&vj'L.M-sg*~ _c\oiS$h Mzh2$§RҧA2@+ (wO\3 U59YjDΆװ0*Ƌ'h̸ԮWRa{1U @3h@dŹ;Slg36p4Q򨩈t:✷CKGS^ )c+m}"O֢`E [_dD k{t4H|7f&l78~I6S;mҨHY!ksz;; ;JH< ?6~BsV**/ᄋhڳn;˕nhdXKm>VEo#qy4w#L%<@b.~չc|~O~h7'۵:ԻmϿ(5S!W$,uД7F3%R՝)5B*>b^˛aݶB5.R0#QwEcҬцƗr+ig5էcdU|$LwOG79cyv@p#zmΫSOW i_ଞS$'>r4/~˰ttk)nQ{pj:Y$A)QMq퉮g<̈[o%$'t^C?:v&~;cM}.dۛrea.28m$,i>dqgI1X##H˲(E:`ǧ874dᡞHκ K u ӧODZiP V7&J ߄@1˛s6ߓ&:[+<6lJ}a:* _Y$6y>'XWphaU7Dq`,%A٦|9D ; " -[e[F72qVBX<\hLy7Pv:?'55@&<_ 9:g"Z0ݗ=y`NCPȬ&fORY ۱i0_Vtж?F' wE7:1`;`fAr!y v~Zp܁6e:M4Q.5iL,`sn݌:3 uv~-R㹸V ́ 1bM]{Z; 6 y~O7^e<ǯ Ԇf>n /CmT4[qiRz@ .<_=d(/O@(ۤ($\96)doվ-NԜ7FݵwZa@aT&XF+O|Aa6drCSS4*a&"JCF]\ MoHQ6+HLYO#?^`U0vGء$$L&)eq ^} Ei+*_rlDoW˶J7k$ɁF0ȿ)(mXdaGO;2?HXK}1T]g",y>|^O߁~Imbvsa1v?Aȸ'M?t%h]|HvmgDOmEg`Rzda 3Wpg' kD5Od)1V5 ,_wry^|׻]U]yW>ć? uL6V tfcE3[skeU&]5%j掠i[sd 5#^Z3p[\|?k^A=|׌-~ί;JaYSqfܶO*^Yݭht׋:k/+ܺ$,KVvMP唦߹ |DctY Ƙ."n&ʸizj_RF V\"/Y$XC8sZ1 ]o}v`"+*k .iV9}R8~oZEՠ؆< OmFTv#(07'OLp-k]yh>6A¼gu:Hw>\%taJʆISc%u#suU.=^v!ˣH5Xl;SaJ#͹IF1XEم .:ik;wuNr۲i7ㆽIG$:{gxJvĀZp$x]->Hh5hAcɅLt5 ׼?ܯh4y , @ \: f5z8uW^pF@,20MT6^v 7>ͩ,st-AwvsZzp EZŽGK{rfCR|Xu*rt%C7OKZS!谩x5ի1bG|25< w8:uRB #Tm}%8k!M,epXh`IiŦ]&B4 6֍6&KUE~Kce$\?EsM^`@o?B~Lak(r)s$ꦀ I.JVڍJ+GԾѯsmPjf Y&EDѻw &7Rm+ 1E_ޙ E: G?z*Î+ejQ5ITz3jŨȇ5Y\d:.'x~NƏxyx)Fz&X,"{2kkب<ðCU0Z*u{*Rˆ@#p$t._~c3GB?)6-^^ٖT;oh⪢SuB6Se;hg [fV̓UϞi\h:9q.7F"fk1q Z{/]wHt*+[LǾㅡm<\q+Ⱥ(գ^?H \3*X]S[-.qōN} \QJ6c%1qս2wnj1cb4}/da"_ncF$M~]pu3QReO߂;TUE*vUڍ-+DѰ<3}t.$)VFK 0oN]qӤwXqv)> 58?ݙ%n_c9sV? ʢ-)"a/70ܣ0P?n_ T2 Mչ8|v.cz,49YHT +Q\( u (='Vү4l%I  NV^o#@/Ft8Y$," dNU*5១U%ٯn/MZPe-بӓuBA 󴽭Vd5\i:p%[S_"f8YKuU` JUvz\*"# 3:AIϝ^N`~kȆ1/Ag#c8Cw̐M = |5 6NCX^3@4Cb,3p{ZDJi}PlfnnmzS!C~/[`!eDc2b ݙHC"J=xBЙ)yԒe1I} V)HǛ.@Afm /N"(ġC^T'7Vك&Ӽr'%ecNgRxnHP=|녜[jˆJTI%ip/rN?; <S\[aJ~dHғvKɲY;_(>-=!p( =W9"WXQ8tO~P$ ?Vo7kO_TDz>9'"qԟ~38FãkTE 40CguE=LTaқ;qg(ߦ,jDa]آ5YN{XV≪|Ғ Xk},އheK2]wDO[¤P&^FO,&-S|)QzHy[a">NȋM:m<5Nc=.ܝ!n<|v Ig6c^g~$TJxzXۢօ˟۱uNS瞪t˒ᵬٖ,V y%m.!I(Y$Kuoqł Tע[j\y|1I~ g(Ր}%ދciKC06fTc@}y,v%&i hi4ZBRዐN:!Lک;mV_Ffd!#y< 8>I 5&GS݊9v p>6+A^};ʮIe;~gﴤdx- H ߈ "K¦ qڃF5]| q''jϯV䀇`>H=ɆoRտqA4 #o˴Ʌ;(d.qO/NcDݲT)2r|oIЎ6YhÃ- ҃T[ v̨ 2Eb^ΧVT{.kQ_&$K˷5:Pʚ,]s ̉ݠiCWX:,Ne*jԾhVnKPHWaXqY*QAJgU~-wDL %Υ8; e0Zm/ukk*>8om1~2?=:1Z_*9遼A⸣`֔X,+$ \KRլ|lIߡce@؆it6".{cRv8=2Ŋ3joZqr(OJb(G[HԴ׈wNc&E&1AB;4dj g@`iۚp:PZ7|#f*c1}BAf F ؾ)iA2yj}Kj_ j508bacw/^$4_TՂ*%//yU7wm~JJh/{;Tu6D5 *uDƶ>ËB nc$k0~LF ׏t?g .}n 0x+gI;M|Z-=CnɺQ9[ѼdBWKo1hKEOqhHn6pƌu߰[2U%?kؾ!PrcJCt܏ÈI-M,,U7x>mPTH-aւ}R%"uze"J*W.6s#Jet}g%Û~=EGD 8kLI}<C9h3mrhnx-@IK( r!JV99u\fj!; _š{C fM&+u $Mq\ KNʈ-=,8^U*:%/n/-K/y~($ &҄8;h=;NW]Z!d/P#g~eߋp%OR?P6ρq}Ws$rY0tWҒd Ȃv*[F/e0n[g74Ӝ,1|N&Lw!?uțPZr`h "@kfL%RĠeC9Q-yptst"Zܹzn?r+ca؀-{kSW3< h!W&,𔝍Zn15ecv)gAwXUnw0Y mpچ@Ѯ'A1(ÌGOO*|懇fOq\[SXoډ`.5]]y+ ݙo}o 5%*)_ h6o%!*~xe)Kڴ6N:۠c'B;YxFbnˣ1 v5PYދʉ.?|l?u P}_- ()yRu_wqۢ8 X2Z|bQlq\N>*:zDý,] |Ej!G{d3y-U6zrxe2zMI܎|l"Evĕm$(@cӘy}Rò!N7 6 ޭVH5þJ -8|sA~ȝmKfXJh{u] xuELm|Od` P=Iw`ba.l`~fLP6]!@ Pqmr>`b }> XK[dZt6%m1|w]%hnC-C c #+a^-=EJSjOɋy=tZoG]M7(1oPelNՒ? PJReBz-9'-M]vd|4dmk4 3f7aZ=p@Px+m?554ZԚ°SA"lȏ=gu["jBfwM5v?[e0T`$g~WN4Fl2TIЙsI,ѭ / g9ǎ!E~UnX$>dU_X@7r0iG¶^8+Ώ9:a\䣽T q߷~y|  w*ny¤~ $|d9: ,mQCuc_'42V?x1YgjgjI|[VM31hs_ܛ In)mp:C(!*0jn%;5NV,jd]|b|Iq:l fj?ǐh &H*cQS,2yWj> rYʳ­{lV͂p$)xU>wc16 {벜pN<{BIhS|> }'@\MQ""ʄB:0u9Fd(lIHdM*a{pmL'fF^l#b$[qc&Kh XFK Kj?H>1KL*1\G~_hChhͧCdO_pe=FC.}™܎4K@ӕID=Cksd=}96hvAL:R@lOEAz .}Ucɐ;[iE]( 1cxENS{!{ϸV`;*k)7dJ` N#~**})J>3!8`F 踭bS|uJ(vLwDu#LL;u$;/-qPN@Dqve"iy TbEj立>"p3?t"Iԩ ^kt/Mhe!tZ8=Vr_e am\SO`֭#Tȁ $9{V(Nn*ߠzWJt^xۧ󓚑1Rgb& kt-L-Ga2M#CPp˷\' 1+]0Svi/G_2JUS,Z\-a rt" #F 3K[j60yKgkWH94;E1fiS-DV@ˊgb~N=5jjDk؏AX[< {R`j憧jI&SL8\Lp{4U ё o{9,1A̤IbM 8VaǗjӪ_WP?{ʞ}[n]n9zd$MU60Q:%_sQxBLI csv*b>QB8YVGAC.={̠w+Ce؃ HViTͩ?A9QSTx90eFczsn U(!P^+/Exu rT;n@c}WsΕ@P+ǼmB g |{ʌR= >&̈*J<O~-\jmoSokq0/^2+x@ r>&FyN&gTRę Ťɶ DEf7)2m^ QќV\6yа"{e 6fffmat o<'&tJ)\uy4X;vgN Qe88޽Z$$QG#]R-u77&)Grk&XүwrUOZ/Vd-}`*\$ꕬqPKRO!QgŇ]_FEkyx^?Hy$Z-4A/Hٛ!dhσ< +* KkƂu,I\u,BڈlwG=U--irÍ9F9\ױF/8P`: PM!"9ҮeQC72 PVݨ W/.qZTKfuk0!ھ)^O֑z{09s<+v3̨øۤaHTqE-m>LsDX_8K.)3U`^BC 4-ntJdiU t\op1tB}v,̺$wyEuImas@ ŠshCs[SS@}A;ry=5eMޛ'?dHeiyEpBF l{69AO7hpo5|! ptL^Dl @ 4*wiF&[[)A:9e* RR7j؎BhO6i4MZ/Nk${_ 5/~ L@H^W2԰kr%lS]jp rX@b;ܐhjbQ\2xKX{`a1FIoRUv JvcQGNվQp iYev^(ONu$';ˊP}T?Ӑ[!ٞBMC*Gks*CWJ?vQJvݢN_H^PvT|F)[Қڶm>n X)Ķv\_ i/ɞS4fVH`v$doDE?|mb4dyR'|Li&pezg4_(*nZf=(:d;,kj`k4 tH+dMUW9A/OV1X + 6RqnfX[k\~I˨hC4ltgNܺJ_{$v!lSs_̱%)Ty%^8xWJsӳ~[Ϯ8)ɭ܈Ok*{d'[v\+}VU5r,͆1<]Qf_ff)t+oR' Yj65n:{9:~O-d!$`-?gCDZiF>`;3Cd9`;3+O{q$Q#bGHDcFt噷sKdERRsm1o=|~օ%F#?^JZebP*4|a{m;zt'>ͻÂO#wR|K~n6Td;Gǵ;2ri,i屉g C~Q 0ճPe줴z`qnoOZI1"AĞ,7H&yK-PZф|r ^qtV=AeI]^8 Vz]#V-"/pM5F [/E"m}+̶.EFZ2iHbI_*9 rp )'9l) IP' EQ8܇WX8h~j5r;<$m'Lh3n~5Σm mC jsEJ}Lj碐O1^2)[圤f"G :'^ȭ --/r^6yw}f&"[T23Q@5W6gu`qH$Z@S?qW-t~ߧo=u>[!{M؇|z5.O Jy$yhLvSt5z"Ĥm X@䝀Ox5T-l^-*F+ 2 K4_a:U;u2!A/W %WOk`qIfݙpM&B K\vrA?|f?Q] #6Jق= 6qQU)^lIn;8{N@RKYM^SXD̸]E\UVy'4q=<{hg-3p$w7킞k+/I/Jt{8zG5vAiolkA 8 fér؞cm"]i:ל13jy);@ܝ7xYFn 9{? q 멗p=lk W U: X|ڢpȉ}SDv ##t鏬`jBFY<]Úcu*wq ͙kc2X ?nKtAPҙ4M?8ցH%l&]o*g36Wl-W~dN,@}6c>Bрy[-fkVBW{ t$Hh'UINVߎCi Zj+:gGAC#x5U!?LL>GaBuzo꡻N]Ruhk,v(WkiD}')p dc=s,OH\B ." ?˜qa|:gs|D|Wê%(B퉅3Lo,A.ݍu- N=͖).]"O $eW0r kF 7KH=k*%^Dcq࿛t212[}BuT{h娼qig==[`j5%\Wݾ ^U]\𩌈|ԭr2)Y.luHXAڬ@a}{WwC>Rwͨt[ہ)D6J *s1m A %sd3wV|{r޷kXހ Il`#isD#[c> +pmz6AQSgr$DÃe]OćןpG0: rB۔'C0~k2mW-8WTVV*r&Ξ1K&"PvVˑ" [q0nc^1 ϵǤfkuق|V r\"ju=~Pɫxn<\\{طu+J ̿W+TRɞŨ&04hn4i"wH>lC/DsuA p~e9GjfElHxW\-bcKKh֓jL< Jݧ㸍E\zztt#X+'R8i;uNI{p;vkrKo}X86'NGJ NCsuN 6, -:Χ#/Q|7?nq$ Tr3*|AKvޞBbn觷mWhዧ>ꄃP(RhhBQ^5=21zluO?9pZ*B&Gw1+bu܍!N*+;OPwFu(y#K)m̥U"n&Ŝ)%dD ivÞОl{s [cީڎYqmyU sxUIgV:Sլ6Lg$LJԵb?Mo,99brBtoN_V? (:- qrk v59Aғ(a|%w sˤ*.xWKrZG*f{4-7i ^Jo(oqqZ$mLΪ(˓sxB)\,VfSϞH9Eg0.cm2zt?gW?Zq&M2L!}N2]ТÓA[ ԓXGk`^;i-%-&\26'C5b ~O|^I#'RBDݫ l~ VGu#ؗ%lG|&5}l%rr`EM ,gQJM?Ijiz AJsL4֮ke⼨]:[f9+[b%{>(s^?-#'4g`Ly6?N+g99 &=a;g:v@q8ejU~Ju3\'ۙYFI~C[}ͧ> U~agÎdS0ÚENX KwH[3*BhtIf~ONrZG_ B5K?4T I&88R`+muڮPgMV #.bPq[>Wz7cvY H_ov5ћks%q5,S2V*g>AօMW7鷋`'>e"VFGVQ Œ-t+mޥ,آpWűQw0ϛ;:_0/9HZw 2@LN a),2$X< ͨz%ri]>lYןR#".֖+W0̹Qc 6bqӦCwep eJ0N>ˤlUId? e@DR+n281CvҳJzI6R Bs '0x\'J{X@:oS`z!TrBv j_T&>>]ϘݸI`6FZ*bj+I  R>a@Or+<:k_q w#i4@]I,KE´q`<t0Dp軈k1N߾e@27' n۠:|6L*ct2NySuLag9_ LQL*SQ@6F/H@{'72Lw%^Ht@RP>7Q-XHaKj= A`˻:U$XQsAѝDOtD2=RIi mx>(RDsQq⸬Z LeMۻ$zHLY*xLЪ{y=ݐDnQGi {X:?Z -w|eƒiP janU# $|\^n>)a]Dž|Wz,ظ<d2#$O@o*B K;*v UbO)dH g.c9-h't+dT0FG/V"R2'-GPFwE|8Ilûz`HGp99*, ڽMxgia7rW3b+9woB/%8QNћv޷-NuЫ棁/ݍi=Yz$òm7FoVn}zqYhSwK8C񉹷+Uk_ famkC__n 7@Tݨ b< }5e\?ZH\)\Iomzք=sK͇I&T%Ve60AqO0 8z\@zE-U@09 OO>t?>flEǛja]-e*jm9N1'c[=RTI*t \J}Sa ŕ5ҞY$Az}n.| Q\Kϟ"=}i,)q/ e0 &8D.7mh8ȱYmIӣvm `R '՗N٪eEcs/&S4*?\sptتJ gրMK.ЗXd*W545ߚ\%r7m#J2<ʇL?'maSgf/pNh2E]:KfT\WiSg* 72BF%a|J#_=;ҚxL $$C4i../ TA֞M[Qg3`WmV&wo542Oč_Шc2t(ߒȥF"WJÆV [@o+CA"cB =I{pmfKkdUsb@/{02=$$ҎUQ:Tq s>eҴoC\e؉P(%d Ԅ`bE(Cp ׹S0 OkQaefAJ&Fӽ&eGB .!ڐ9w2}}dOgo3@ZI}yXLM9v <K`z ohܔ; I->ʆ`EDk`"2A):UDו|wpIֳT{>!I#%@Cx,N59XN4K+ǯI =Sv&gDXV|0-5*lC>&kg,za e[Y|5Mj_fpP\KE3me+f 1EplU浀:. `U_GG^ߣR N񾗷lNcu7  YOQĜk43TآIK&\7@rZρꘚD|4Oh|xSl a8F"%;MGzImdX|-E:]r{LWj7vwBWl9'óoHYux.orNQh&e AWKU˯M&RMmy*WI6Ta)-kS,ѺOai2>>񟎗ᾟVLh [gي&\tԕ *=C;"xaCc>tB<¿ a5>&Vo3^KclXV~@2RyEΆ{!1MOid/&n0x@V~8P()b5W Qpgl܄JȏB?P'M%4eCtV˺g)|O 3b촎zŷjHy=B\q)%F!qstzNNzЖtiֆ'W\BϩobA i}sJ&YJ/W{Pm $qK:*@]-snl;(/Mk(d~kxˢW8~&cFq[;+#ӱe҈`)HAuS8z9s9~v ڈa¡HHG'_ <&p駬^1'HY$]#S6}ЀaACDy=懋GyQ5fޭv $ lMAOLdŷЫ W6.Ÿ> 0! u -GނJ$\GpCByu7ORWIS0;o&5_4;tWi)zPZvYtC?OvUϊXO?"qnHξ~- l{EuX6R pT92?ttOp}TZ(aJ%_qQ`(keўҍ$yEuIW"8"pHD&_}aFZ$%f;v! (J:3f% Y[; |ħVU n`'<$c+Sua$I!+ﱅ *:OֺD27~q4nCdkbLKe?N0aYR>.DR^$2ZļFMQJ?_F##ӹ95)Mz$c(Vۆ4 GM5UQivVْR$O(Diߗa_tN ´e!w3٬q$#!٠%ᘥ6-¨EFup|+ (5c@G0]0 $>}GJY I@z$ C8;/|Oaß.Inm`&cuɻ&钟ɑM@ s{w`"֖D~Dؾ5pCH<\n#=62?= 9vZdX]\r#R]5(H} D"[bYR.37sԠ-Hm@圪?Z?ڋ C~X':7Ya8-K𶻁֦Z=dS{nLYjvtyzҗ۵vXfcloaUcsE!CAܫ5zc` eLƯm;VY'xX?l!kds\6GLHtj:$w?*zR 1&&'̦WCaC5Z-^~/ rtbǯV]2OR}u.iTP::9&쾭Nhp,-lF9sJ-(} XxUwgsl|,= =gETnG`u 5:Qby/#<&FXexJYD2"(wPOBtRM&g$Ϊ]q@Ue!=Ot s,Fpۭ4XEnw|.b?鉋$0pzIH,}x Ֆ#eiv$>g!>jˮ]L uvޡ~81Ek< 3@bp侘Z rˋs"sGwoB֍p1Wǎȕ f+uKNU>S>.S1pEiƭw)QlY=60  ;~[0 ,wN!QOԈ~9rZj3 8:U|IYMb¬ȨMō\"p-R44MeQ+ߌ \, ʞUUⷁѽe}?lR;b')|䖛EBYUꈒڷWb/P[. olUqixIQc2AFg ?Eqp.Q|~ƺ-qȰ9:sʅ% FHa$7GuhR2")=гHZ"KeV5{]|ˡZbBA#6Ӧu!. Y4w$ -GջEJ:ƀ DE?Jǎ#ODY<+oސHIyjMB #$ 0E0hqO>WiXC;c#a]bvdzV`82Q)1?Gʟ6NZ3?wf4qY6@h1 -K3㿥^ZE$9 _H(s|[TC|D9řIX9J{H | \bOh؅ݡfc[T~aeIXQb *,9eVA5C c(I :Z%?n1y #LzNE!}mv¬XMߍ*K\/HoyN{FCjp|y4="vtXDVwS,z];ȽYM?`s#f_ntLH 8V+"07x?51BɅњ Td 3ޝA*L^ܤڐs+i[aL؋X7H4ϩ;p#9π,RRS'#"bjjhfl:Ф<_iOUpd@8^ͺA_jqX@ ^ylқ;s9Ĉ~`7-L| vbHTlOk &QR!ogl,·0$Jx ~/[4hRF0*"5Ä[;=RFcm}lY[Qt?FVd8 wEcړ}@䵙ۭfKt[>iHhFOT?j*\GJprCm6#!Esjj(YPoC}yP=Pm# >Q&#ZdZȯ$4_+ٲ~U4yH!`<jfjP 'Rf_qU軽-,f$Dz3Sn-U}eݔs%aÉj5e>m,1؛+CE<N;% o?z譶 u贪>`pĠ^Sцz,@!A֦|  &+Q]D0QFCEx6z җܤ;!J#}\7%7ax11q^R-1UJ ::8Y25 q_Ia}%v{8bF v_p#Xe9WQ[GN 1!s6R~jvfwXi i4GڝW7)LgIQ 1+])RyxRg%Xl~NvVT߉ZWcUwYi> YX2bFozOWD(Xo}g;&ͷ97v$ ړYbDVW"E&F_㚟^cAAzV8,zwJ3i9E⌝KESgB6Z~^DXjYDhyn-1v3IV9q_%^* yװhXww%D=G$$uƻ;BE@͆l6 61)`q%Ze[EYOފ4 =Vc<%'iA<\+j. LMOSmmZl|(mF?Ee+y~aP,cF/v$RzᆱH89\5.0v?Ayx8Յvҹc|:R.LK-`~w {ô1]B Fbl4 *I#!\_03Ǻuq*|M--)քAծ] ՙ?b@ FQ|I3IN|lmiM篩TY 9%?^dqZ'/ 8 G| G]pIQQxHQ`pb.%? fKּt8H~"gP r88PS}9(y faW߅??S3[(cKz6FI~/4֍?Cgm-\pzodkM$6xF nmMUR y`1|FO ^j!&A_NKKhNDs9W$uDO9bĭ\@sHHnd^ɓ%qfpׅh b"#/_.ϽG]RFl+f]t8@tE$@2 [-}:mH;(G W 4ԚFxì$dݹ*?&ZRפuT8Fyk7s:Zf񪽈G5ay)xY2R>O OߟD U{S]S[˾NmL rsT4썿\b։j~q ,NbQPH 1-\W@BYE^o>41oX_e6"],#l;3lANLs4бC0;4m ~]VZ @?]"RIk?`[RǓ!ؐMVqH<)޷fj̵9r(&p3+zpntW+=]+Jx92_AE4Dҙ Vi|9nD/NSy|gwƒicugY̓Vr^*~1a Yզw,cgUQ/xZl ]ĚF^<ԉZt;ZjA0壸) vAk؀_z"()L-z}+6.7" J o#)0Ocנ·'ɛh_ùT?Ǜ2fEgX&+,~Xmh/ lmiQnI 8|Y=HfK @x8o [[`6 uԟIٰR=ԝ`ԭoF6YkHx=DK{_1a^=F8n(]wygYW $uL|VPRHpb2X=p/%폚_S{O9 iz2go '(zQR+S11 ocYh͓%֑mowFۯ/W7 -Z}dg4W`w!E R `KjS6ۼCbD:Am#] ,^~BWhԌ].47uќ&ARw2q@4g*2Ax˛סZ}ر® -u(չG[ٔ!s{v HGNEȚqbFa}uoS)*B!j C: Ӓ|cB,5Y j(%_<A)cXdGRW3kMO(`bۚ/9J{N\h_ybBV[Z {߉c쏕-O Z`ԦҹW k\%VE wD o`W2 /U~ AbWkcNm+*89ot>a06Yȝe%s[,sܦ~jw`:FIwո[HT2iN]L2wzw4`(m-cMNޓއ]f(^;/Sġn x*6*F%"_Eh=^ן .a4r&دf=a d/ʽx6HO fzjpI I7 H =tĜ2|gcwG L/ #, &zW8!$ILwb:ݍ5q;!z왆+a6SRھMVH+:89>wԧCp2xq3rQg|vf 5NBɔ4h~c}z6[\D=$)*,Y98EV}=+N(&U 8ہ֬QC y~ 82xud&rYO <0S@琀k][sn)KtTO-'>#%*1y>9C+q:!gp˷zNYEYIɽS1NmXvu I3GJy۬=SW?ެ\c+w.5h ½n&/ UA M P篺J\|;e` p#u&̜0Zn9f; ؠq9>9B`r/Cg.֢Q'oѿwv38'jWJr9C#\Dر&NDPЊ/E5a-܎LuW 5nH ~NuCطQ@ \si!`wx&$s96fN{Qm*jHƴs3': `{T*@j":x,Κ%n|7c2@/ÑYyBLΛ">t$D[e^! ~zLq/5!~;'G5qcɵC~z|.q\[j ɵ@"0DžέvKAOQX#㧪<Ϟ@-kF)H<Ճ<C^?YCћ~8Buy2tUuB^D%Wn8[y(R吰:h>U㴔qbdZ" iVȡA3 '(_NK~NijTowT\ rqWvfsȊiVi F˛+Z%\``: J,( c2{d?WU=d ٨^ Ӳg^ݒ:jjGҋ`y,ik^xTc jP"4oEB޾Kj፬Z;X Ι*4>a. DDkhDاs;HPb_0:3c!o?Hٙ3/'fm&et)i}OE ڋ8;0quuXr~Jǜ4RnØv1%hВqRC ;kޙxS"ekeB$nj "Am+IeNIUM(3t6iq-sw8[h#o;Yj=pIjJRwp(1@p:Os $xX: `ǎox[ʴ_b#vrĬY(7B%CUgLXqɧ{uH R%~OFR42 V*PG0#k[1`qЏI?%~Y*tҳ'u@\8U4n7nYOyާeڰiVq$㭸b\Q# x _0B@z<<+{+*(k ؾ=V8L~{߉Vtet/Z&QN0bEFT_E: ɍ"Z}O%gJǟ,L^zfrB,vxIlx\˴9OGǞ1:juy)@&b0FNy[uFgǃٶ'ȼeY9m˾EɷųSgCDfጰt 5P]Wta8|Ht5HM`Z{Qm(@@Tcqv ͥ-b%+3Qu~b܍u,Lx3 kwt 5xl=G 7 &88~v@ SW4Ax͜#bDas>y5{ 3Z^֪o+4sv%EbH.y/NXMC`d^ҟ dQe AƁgYiKxـ\.}gۈ>-`߿ZCt WpM5 UCg\Dd4]-ߋrb, TI:.?㲪,?~KO amfƱ)$ͪTSްe3 ,+.@Q{̺?o4"Ej#3a{k x\\[ŒHM1I0XpGJqNZ_vy˂"/W YѮ^$^ۄN] FhΒ.aO[ ; enE|D EU+^Cb^c9X=Q8]Jsxb :Ox5N+oe6FΈ0Erz!M^zL(3 Uu1ם6YXCjU3ʄ4MK u: @s<lOX}^\r~dJK7vPZdخߟ}0_zܴD?Ѽ73~פAA MM_3e•õ Wź儭f7aH ƙx2wTƆRy2ex{ hHdP!rG{TQH&{.ꁡ?tA4Dp{&J 8~@,[Z #GQA3ޑꈼ V$Pq2_U_p5]&6hXԲ;3UˆqKCx o47 k|Z!W[4gQn5(␱<'Rqn`l?3ŵrG7Sk_ VM F ak/]*[J__zQKq|rC^x+0 YXwc0p(frJн';ԛ^C\zo. ܙH|op'MnKLIRS3So6ҺuV>bQyh`1.9kd š9,p娞FX.`ԝް#(U4_tlαr.b/ys˕MVI  :<Ť>eo~n}DdkS?A^mC' $a3XEhEbJf u/F];_>F2g<~9Q&MI#WD7 f^Ɏ=G/{ZCJlWNe՟.A5R7.͆ ;BVzatuZIg/?56M&)ԕ9 fN`HIWDqFßb[9R {ޫ 8,&@+<;t6If7!aYw )|Z S>b9H#U|ZIY,7X.DE z #(`;).f4G${$ĉ/0,A:,i(EJ4iFV EyΞZD|7ȶtBEuTh>ƯyGۀ- |#>+۳WePz)L:⶛5r(7ϭlЮc'ToyDGcȁcX[x^&̢,6C2[=l2m^n:־6=H7_+HeT`Cw&//'ٿ\ lGwʚ )𑝶 80Řq=a3#.F* 5Dӡd?6FmlŞqvޚb8@{!(uhH#cs˱tey';!kRX֦[RmɁq|mLye(fh8>ѳ^sl&lz[pTL}˚"J7a _T`,3eiFjtW$tF\ wg|#|2J[6G)o E,*Qxhyryko D 8_qZ9_nc)sh$Kt4!1zgÿl"@ 5ϼ+9T $dt$֟>}qDBZ`W،3!Q_aKQnW[!X8;tz/ 2W^ N_ {MpIn٩bż{`U!p;0f_w#MVUʡ59-9K}_|5lzs!~s`Lw޾?07gYDN)3&/Jv-e2NjwR'~F=GTFja7|i.x O oź;=!z)#?|HiRPf E;tmg;O7n/Ԓ\V# 'T<(˩Ak Tjj<وp%tƇ'yS WM'BR;k\ Ynϕ|@ͩDm Յ+SVH䆿ۊyuV8&Tj9LʾzysIyU:!9b>49xaDLOzA{b3L{]2w!YH]+kw5A?~ѨKڬ5E~^DaQL_*x(ܰWw]:L]/16i~Իg+S5M 6*(Bvq~آtƵ$:UP\WKp SLmRfѫ{e_1inWhzp=sȨ[f^@_كHcad.b&Se[!;ò>6 rP4u|~Xa+譥*\톔͜Yp>lc]1%| h)ϦI4d);7YLOAĆf2[LY%Ӛ^M_(߀w_F?5s@j'b:i(LlҲR@J8=%%xE:g 8!̺>#nxTw&dVhU758?ҨcUuF?w~ζ_ӡ4;vRb1x@j1P1Jgc/Dޅ\H%₏Zϫ'H}N3HHexxf~THpE|SN17~]ZI*XG5md0*`9gN .HߴSrƒ*:#zEN8Z?Fqaӌg'xwKZ=k%a\ݺ00@G`hEA11Zˈ"++v#IJaŰR__vk{{1-nUE?C0䂷=buX aw HF٤j;~ݺh\ .9X[¦0 b{"%QӥQ3(\ J!RK <r˒@;!V Knp`/E3,Լ̖ "ATe7Y+Bs^3jrY5J3Ë 6vf6?.Ye1`go-ޒx53jof@W_@$@d3~Riɓ=F^a _΂1Zu4K- e {M']X@9긓bMwvWZ$whbJrŢA1fegPe/]8v6C(}!i|?jcU .IQn<3o/$_F_5dʒt*li.#/0lC U"~Imn B5f*ҷ~+6G~%p hbP;{hg'XD&r wrP*c 00Ef6f}e1*4}E A=#,D}%C*Q֜yLPņ\}ktThDZxi}̻.ڑP x t ; )[ۇچPAKëCW|)_~3p$Kl^jdBNn.z <~MP>L3_N.5< ļ5ay̬:"t#Xݒt1f_^ rK—zE8P}Ir ?WVzlSl)6#͉5U0RuX{{!pV ~|Ӥv31)P_ >gx' u&_c9-UTUlr1G{Ĺ>^!#*\_Ċ:Gr xSY;q67n9UOio@w;GkmР&?S= bwEܶ=!n5=bPYf@k\h6SJ3eT);@~i>Zw ə)ɔ+S(ǤgnJĂO|RnRo/f2S~Ҥ2i:SVPGs> dvRF#c+M] &9$ IXnEf[ZJajxg.0{5prΎ='8z"#dHۼypQPќqU\EXV교?+ Mk]w?h܎I"d#@7h&˶}q kg%;.TrEBȖ{HFHUNﶤTzJ.o{،wU0T FKv3FdY-I8,炍H;݅#4'x%HY!!tyd%׾:MHqܷћ +6ܵfGh5L!<STei4ͶŔ 'KOS8ιE==@ACȊ]UFMo&Im儋\TKr)S#>ʴNF D?cw"]~ERv/x_#aFA|J+-^>Ƽ @+xvhab>9J bM=zs2'xCM_֒Dz и#Nj4~2ug%(($496MvUYqej+M۲Q04)Җˢ FrPژ-HYd~=A<=?HvWv2Dqx/Cd};|%n||E"ә8+&>#p"Al/uE B gl<EPa.f {ԗl`VЧSЅBy^E6GD4\7a  U8p7#]UȖ}];Q`-{j&A.S~4R+huދX֣C[1D#ERk06|ڤuc 9;]q"ԍĄegr7E;m J\_ /$y60bB~s79 ’Cvۋam)kho,aA^2ih.?}̀Uf<%I{3*)lN0.ඏpA|[uB*ym5)`ףZ!PVA(¹z*2@RO0CTe袩 As6$8JL/(.9AWJ X_2;mauճZX@HaS )k0]FkB~BGh̜9[aJp [$W&LM,70mfyIuz# } ՚R"H |M("|uM⿶ZJi4<׶ՊsM^opLZ =?W~g0B]V%MK0^B˵U$2X:e|O(~Ѕt6ǪC| 3'YT<T6$fsJ9RD24H[Q7N2\FTGnbvS?ה^ZT|7#JOhs3fq8VƕTNn͌WDrt-O-}ryMu[GvR(ohx[P$51=X]#u#?޶s;#Ж~we'}IOۜi')C!vKC{{Z0hU"qՒ1=S >?bok'@shO0 n?N$G&'X~?늰UVHg]Im+#Mt_|هu!*f$>~߆z5ܳF^QGVSf8G${SDVM^pӛɆm$pŵmWvu_.l_k[[m;扺)(ԣ4fAEwDI8t8'èi/J~w3GXA,+gQV#22n(sV>Rk@:{rނa}-~hyȪf#CqJO押u=dgzyG/Isc5%}5Қ(;u :eR N G'*_TY3Od-0("P:;BlTifhNffHp'R\OK֣ 7whRhJ,f+ 7uI(rwZ_H;brƏ1\VgOg9x8wB|9Xx!@;0Ĩ]4pc˜-r!ZTqLW1uv)u>e7F(%mwuca4Z!}t w7KʞLQJtB/" ]pMqnukIwY>5'oQiG.ʪ jԓL׎zy 'SL;ui219i^ct qzn dZ] zp\!:jd@?b'Od_,- ē ~>y-əsAxz{a^[ZOCk# `gv@ sNQ+\S0j)uA(!"EgO򖶨Rq>}QE HbtK/oE,♃Uo&YPcRV548 T5xs˲Zʐox9 dQ{?pۜE|1l2Od,o05gkJRʷYH湾٢:$9Wuf8uZPJWg|XsXMt30J%2~RReOŲ2(PO9a,tgC&m5il@5/.]Ӏ0b8}%]#"S ;lB B?gsmմul=4f /'fÍRV1]jCydtF zͣ$ `i)۱O][MެȀYo,)βlK\\҄) x԰)fR@rjl$d8uqu/.lZFvu?wRmpkAhQ~ci& ꀲ#b!>m!BM0a3, J^ 8V4Nx">5؈V0huYDPx,m~NT#U!vˮ8?ʁOAᅮs(@56>lTsĆ\; aG0pq :?dH{/ +a( ARPG*@R猖~+坼4K?puGY:H +q1G RFe TT:z`9Wm肐 qaWwHgNg‡,zG!Rd?2^&Ju؊C;~?A+5jvM_%f|uى[Rn"]RNu#sRyEI)!kK"Oď[Гc6Z ߷D!]UUy)Q/YmT5IbZshWmF aJZ}2Ix4A*#; e :aC)ϑ6m;~ݼ"Vx&x%'R#q>} ,V(*N5ݬh]X|lVwP{[OGVxV\pϰ3WF c2u,{PJY ӥ]dRA4AWYI8hIl|%0;ZT'5[=5rݟz+$;ȥR41 R+O+,٣[zwnP^IOSmNh0&dʆxl͌uavU 3ot%5%r-Xpq=ejAs:VG-N8el!W\R4VA\dmkp'M3eO¿ʧ'ׇo5;-+3zҲ5fb^_"׹sĩ/!@q6!y75׽Airg&yC ѮO8y[=/}ba~ݤNp%yzTRa'7\Z=RkQ:εu ED!cH A*3?iq8[+n(U8wĠ芭%ipW?8r4bpN'7I\;whIFӞ?7T{ {u}Ve\׵^YXw5(zXJ@ qfΫ50 d^ږqv"1=oPYx>1ʅ?%eS( mLxuê3I%e>JyƅFw0P?u!bF JUTmz2_eI1_Kl.߃t&2b~VϓThBl^~}sCZ L3j}pEvd!(zv3-lӨH4]Mo ez8dKjت@_8K0}2[U~&:^aXHg5>f6\E߬T\ۀ󏧥:%PV`cZpϧأ0:S)re$͛ cvΥ!K0Cg*w ]`VԀE\rpPxaY5dTeRK^wxFC'O\ [x:>ݎ|E H7µ | 3ڀ +>7|F0lyvN  _2lw <%q }'䅜!ݚ^ b7+˓sCo5ugҽHד|͍۠e]*/6|D&~ vxA,\S%%O2q\nШMnc{.4A-a}E>.;XwA<ݻJ~րhyTu0M7ߕM\sGC[ #}h- +lN"wΔê@! 3/Y7v$E>(8)jq~ٓ:H23ߵ&pr1IRi8%Cp'ڰ*ٗa!9A/@2GBGigzi†}M8{ԤSFX7/M-VVVޡ.ϋBÀ謹gHڃA-!N!mT<{zF8T^B!xP΂$(eŹy6"k"T> RCmnV`84bjbZ#e3rSSnbnFmmXZ\ģ҇zar͋JwkNF{EPPN Qm% (V'AKDEnLR Qi@FƖNMbDbC&(H4&Ǐ'HF ȑE,zG:*pؖ{Չ:wɌܯ}#!ߒoṟ&q괹7?~->07~b:60axI{w"@"ǮyٻJ(4aS֚?mR ia˸Jj8pwua^WASH_($Ϧ`/>2Ocfst̓4lڸ̇S/8]Sцw5Ů .٨(j}䊯~L 4n+pfcȪDFOz1&wQ CpeȓVz^{n;M( hJ4 ;Ơd9]y@:_)z]}}g6tZ+cfȹӌ.Wfm R4f!KxpH&d)}E'] 61<)ڝsåeVJo_=c {n-c;͞ sN70F[od'LD~q F[p.OF O gy8~KzccOU6DEgI3r|i}PhJKBu&  Iyod[t +Xjw,~!FhmM{XIߍMC/<^֮G.JV-Ժfu2NxeݗTsBEӵ xA^pn,RUWLB;su`'O\+1$+'93/N𶓅&?B֖\gt0Zk7.Qq+|[}4ѭ麎f '*VVFwYƑ1^6niJ" c$+  Q_fu'L}G${@cބ1&y!k͜0w9],+թ7\2tee9?uE%V2-XuҶt/)X41>#:B'YF'3T੎F)`ȧpJ>gХtg%Ok5e:%(ݻ@x>p wB?ynGEn\VvDOaO$|Oq:QH TzkA +7T{w7_"UZR ʛW%8.en6ەͰx ODz3}Qñ |Cޭ"Ar&OӢOMW)%`$-v>[l1@ }$_2~b;Nxg6moH 5*iyh+\H2% ;S,AK3f-qj>moT{alJϑ1pW_Y &Iˢz7t4b牌l#zΛ?E#=y0tY>cUE_/:hSMyߘ:(!E'O&i[ U|+l?)C.\vyF#^~.0lhmGx{J1,'<|[+!fY\iisA[kܱ&Z,﷏p)}&ϰ@_ccf @dEׄ6g_]Q`y P@QlbFQ82Ȗ& dsv%tv\m!ӆZG|dc=  (;F~q0D;u(\q![8u쳆 XU' 92i\+RInQb=OE'^M-^c ;ho?fUO8ehs.R$;]=ln^44C(?GB PM f 1JH M*h>0@\uP/ൣSU`M"7.0 BE.d e# D 1?#ȺUВuZC{iI~ H_5)k8}(#-G{q # 0]&t$]K*B]J? sMɶ 9YR@Bͺ8 qj MXm΃$*ZSDՀ(4TR锯߷[*kieEU"g'-XM4a9E׀rF.=6J ,N@ג| b~#UYY=xDG2S$c z%fk|у6oH𷗸@CU-tNZG̭Hq|&!v%,'~X2·nS\u1<%KY6vux6_ ~QlRtWCaeͭj@S젻א3>W'$ 7=W۾S]rD.6NTuyXU,y O_[m)]/N 6-.?*?y~0&Bbjȉ+׮- F$K4»1 V cgfvWZfU_-!V4[b윓\'&~f[&ڿ:!#¢J1u,KNg)j\YQhV ;TkTOz1OGD|d({57dsst@\,Pw]LoY+%~KNBŃOқ:Ra4RϦIbaa.Mݿ txvìlY4O>]+ iFm_bR*po)i6H;/%'NW1V⑚6jṬ^T{AC&ThsKBȌP̯LևyL^3М1 oT6 2J{&"秄V|󡃈h\Iy>n9mRG^VU(`UScҼp 7DT8U@T3/C~%c+畔bEUn-`N[ZRcp;Ftz6=\OهP^զw r~kn hpgHF ^HNK(1 ؔ6 !kqVzޣ_&SQ2eR/U(Nrƾ( 4A+e'{Ni F_6 FUڈ JpFs|a~P?eDDM'0qX`1c'Qw5!&GA xK Q rU-&) GMvԩvC (,jfn^fa4=` yP>FLU<65 ;ڄs?ɝPJ7${w15rDFfe{Ҋ:WfP86a`]eR=z٦RDC2 4.f\MNBD#=|,?4 BR v`>4iF$jëm" %C3DHL}w<5.@|)M4[l>&:7D E8.a8CbOǤ,wن(jWj|t^W!qx245^ՁykH0c;1>!~P!0Ƴ) Q=SU\Rm@y{gZ)/l_2]עY9 qJޮ6!̨K`|@d6ӥ_" Ŀ/]r/a#m<ؚ+z29[@y-laQ_䔓-rrbŶz5"@燳=:s5~ tw|v`&-k< }A]VBz|p]N.c|‡\#?XaGN e(DKUUw&6.?gH;_! ~G¼ &*Fj<J"S l?-ߖ5ycjjQV U!cgq(:M,gw?5уד*`;ai[U`Xz.]8<6ztUqv[ġTGXgt+Z^ʅdк+df P뽼mƓdƓڇ84W>< >5NgߔYbbN5 jYRѧ{qkڱ8)5 |t&V}a971&`TDžTV\Bކ&'J@ "ט6qK+\gw mhm42BBi\3 5e:?jRKC-1gu)U y5rQI8;͜[u)xz. Ynj 'Dž)vw"CeFQ3Ui3:ӣ ZkANYi̽I!LKDJpN:˯n.+(EWny)|u^XiC%ChA4H) OI[y{aMÙҾ)1M}Y,:QkPLFv/ghQJ8c;Br -Gaԑnpq\e܏OVb.U&`@ECBzZ]|VK>/|O4(Moe*TXDWV%cd3?nXr. q ; m #^jE\Ɨ0fEa ׫&K`踏pIVVp\6;G7ۑ_ ˭ 6Ke)_˄:]˒}hڊ\rw5[,y]l{~Uf%O߫ТJ=hfLR8փQ@{X'( 1khR= -Ȯ$[ڠ# fu֛q,I{'VoPg5[C6OhiAP!5sF͖|3688ݫkmd;|~Kc|:$e_n oRʬ#7*'qt]ui{C7ZD NHdxGխG4a|ZaثKn nW GyS O[_5r-rqT洦Kt&Lk:>]$_ }*oD NJ3Wܷy!vUw@w,",*t@ƴl<瘟VS7|y.! WE U{BƖ˱a<5G˦&Y/q9 +=%n'GM;{;%`01p5Ms` eA^2]F8G!I 3~%}ߗIRE8R;[ lA `Bud> )+7 zŚ:+T@XMD#dդLcEڷZZZ~mRE<#rۅ$@Q5ϝc-UvI  I{O#BacA#>ytJYUX~s.,Wv0{E9һ*%VuAW/!ǴNԁ^OL5t 7`>}nGPB$ӑ:lTEϜ %:VROq(xpt+yqjZmY)#ڐʷ C.d,dhugT%<]!HytkTZ`1E0I IO0 QPByiM(?sUb"ˊ|97> K>qr\Tkxֳ|@5ǭ㙈|p;>Ps .MGԈY}Vh1ח@[YnD.^?$Qx~(4MٕjQWDX'XlC5jQR4<_=R6Mk2o$ _$sMnf-Rq@![R:s3ͫj,K]]4 ͆ "PXꅨ#B ;`;7;0}xC,[ntN{Բܘ{xއMe]D<6vYP(Pi|Υp F"89 b . Z5llJ8lBGբvi'!%$(T LrE;ηЍ~5/(fRw7<$e&DD4wpXP5/F$xIe=1q(=Og`y@BsFzLqzK(7xNڶZ/E;]qT J. )Yrə1^qi\Osoߟqg")PlmC=@͗ɭvZC UNQ*rGxVr|n45=ȊG}FC1].:ԝaҤsʢ 'u&tOLzuϵ4&55 9O(,r$ ח˗̦F;'v$N^M- 3j (ub-zoުr)Z8+aMK(Qϱ2\yϽ(QZ]GVu<ѠScqߪe'Kk UG"dP#1Zky!'kABk͹.kJfXvEWi R `0ebb2QQti_R_L} OV9zqz?]Iϩʐݐ#1 TΠǸY,T?c.xY.ĿrG#] D`͸{\7P]hoVѸiDLx[ĽK9igVG wVixNn[>%eMTNQb{c/\] 1cL _hCV]e's 0dG OW%BI?Y+8JWsF`@tZǃ 7SN:q>By\B4.d+#yrn#ya{WXPwW7S_=ŖV:A|osL8bCb]h { ~Y%jR$_\WAÜ҈GB2i4_F[M\W/dn@gmtY]o=B%ɷwۗZ޹U*ґ-R{)}l+2ȫ;oK]-`E(xk_GkR&h7|_xʦK}PqvzfρHU^̇qn [UN6;o)IW:E-"UT-W4vWwDZbχrGTcm!2`$QXﲹ<\ 0]D:p9Q'K~+r{bupra+fxE '-n8(zwr9Hז;Ǹ}Ol|!U⽲Jݏk*ud'GvhVU&4??T7zi{8ra|HԲlEE m*Av_Ixppn{,Uwvъoƥ[<5BDx[ESKI7q:;zM٭X)~݅ 0JqMeR"L)`}ux<}䏑R"Cw\Y`rI>cYVeKpvJ99@ÖD8BKgoge%(kID}:]n EF5h RvUvۡEcb覸a7_dU:=.'ܛSes2H1)T7!C#eC0Iì6ȲYbnS5OV a\y+A,3n\QD$j\1}y)}fr]ޑ@u?7KG)5v:w⣍%R&Fdgj߿q63>SJȪVvb_IR4ekM'ō be+'x\(%ku|- =/Xz[@{YTHi }`VR?r~Wi k஼ t/:cf3V;]pz,"~3T~TIզW,e}J#3!h2i<'?h9rs]KY| *NMvyOJL# D1Q^$NWwW 9% &U.JѐH="E{(Oų܊dm;I씬̐CJ$ĩ3n|{BO;\osmV^v d1*;Jv7Sb\HbU; ȫ<8pнyQ`<dih+$:Ə &je*BzBk&Ԩ f0:;WA\U4Tq ? 46d(%.}7AbR a5{)urxl3@ʉS8fN@ ~bƱx\+%s(». o2.3ಘTv?z^пZ,Zݔ?_l/C(Y꟎+Nc g/Mٷli}A!7; goycnmHA'mF¢=#iV|VaúDS;ۨt eJ\^ _ T-7BE}mYfPG*яGQr<8>iz4 Ͳ"݌8\w&LTj=/c譛osO3$F $g2^~;#hWExMy^Kf?Ah$5`dd#1e@,Q  Q^[ e}%<˘- xvz$ ֈ,7}? ~E 2Ft36ݹ:wg{b(2T\r&j~n--Rt i›^UM费T;[ȁ ;E|PQf;f2ѝ2vL[WȜzuq]STB~L Cǻ_y #(#yԛ=X),CIwp~={:Js}7J=A}QC̤9QRcFn5;/q2@*]fT:Āۃ75lx9{)|`+LdS- {)7lFJQv883}kj&T~3=de!~go;"]^ |Le2x*u1fu pZJLi q_ft_h x)R<哾%A*}'i`5{ٷ@R@A&M42 ?3G=1%ͳaFEHx_ 2iA~N؎茺JQ@ydZ]v.HmNhFsB7I| G%IK-WPk0$#z_h%Y?Sj3-S`#յP$F47e89A ӻ[~,:l {?SΈn|uX]1Dyr(]•/=IdQ&94Z-NN.%TEi)='z`ǯ9oDE3d %4lV\S|4ػ:ԻRx 9&S2X*B1gW#eZxb.ْ"wp&DƱsCYm>2~J4o QC?CZoff g=Lӥ-%K^.`yZ4wr?Jjxh\`ZW|ciooz0E%%;T/]126alSEeG5ҮQ2nK!l&ZsFy4+ ؒZ.Iڝ455hH9NJbӵ=S,€u lӖMu^ fxq.f}5ݠC"uٲ*pJ5 *AN甼tӵ# `_t%[A & szօZ9X@ bڛ4)tGLLkշJs9*J:;hc:" #:"f+ wz(65PX?z] IkQҰͮ*[~u3;DPWV8qQz,ޛrOǢr8̔qq=̹f+[8*k{x`䢱,%2ަ`@~ C[9g6SQtV(QK]}@2EF^éHA1=GZ#A/?:JU#at4Έ8s}5+jʁYMzB0!U4X-ixbZn5v|+Z3F}¶#%jlQ5y [hzMHnѺ,2f&hcoa 8r(N lѭg{q(6QX7OwtqE= w.Y `M/)) Տ.9yD_[3NDP\9s5'qC`t#\ٵzC+H}ÕApsOqKz&d}"IX'ØҀo;0ER]8ؓ A'蚬eq|w䆄󆊰 : RNlTdV>;?yWCG xxpF%U ǣy(,b4Ζ?\$!NIͭYMFAHp#tF)q"o1!\]#)+K({2O)f H٘.I(Usa9TrF7.Kݱde;ja ɩ{g_c1T`.M}6Ӗ/D+ėw#3gu^ۜ̀b$ 6c+ sm*8pXMR qpX;ڌs  e(ymarMoO =b\{a2".|pCYUIQ(3TJ Xo&2]:9QWwًΎ[B0U>)'LeP'r-J_"of5[ǎWgy yxc!{8INTeFCIyLM&rG'lc+h 2&kbޙx_3DPOMLn4(`n7 _z0jrkNoIbM|^ p6[kÀskfdGLbD>z49K`g\rKE T|GL!R< n#<kHr^`,]lp!%n7ZHDѾ m0"db$ 5HW2nߣ"Zʴq.DMP5c^*py72Xǟ@M,+B:Ņk YyȲ0$隼DqdPbUa" gc`1i(Bc24^@iQ 8ئ +_1hi]Oӆ2  ZZ=`j(J%PMr^R+͎4DUҍ zM~43? _B}aA# ,̳f' !B9%y}-tǓ[P9s,H"d'GQڔ3^U"GJhM}Ò@I.v&kW <<6U —s1*7P#ILLk~T5P?">YԣT@wz~Ѷ:wqU0E~Pvz} ]; JU#B5iU\7uU X#*զX$ LV@5'ye1`ԈWtý:Nq[lau?O r`ǎŪ!6|8ZD:VP+ 3bL7|g/ p #r!OOlF@VDQ;6Ѧ~9z9B0S蕃χ7cq3Bc,k9 C(w\DIhL .MӔWR`-Fٹf#F'q 4YU‰jUfB'>^ ſi l G3ʥsfYCM32/1aaDMNw ^%k'VL W k 6%d%ɺNkf0EhA `c1ywJ2[#"y(bj"ZG0MP Ť.ijZ`1i2@{T>7?l UͅJuB[?-^KmК-V1.D]YO>ޗ8>cR+Lswc7; 9a61QDn x2#h0yE' kb8’2Hnt)$cl+c vz裡 q_}{ؤUZ8:" D?QԂЇ3ƭ|-b*޶zV\QZg<x a;x`TP=_ k vQOqg;t_`VTVt[w[&Yhcje$:5KTtm9Q(0u6-i`HuWX/cngx*jEB,BY YU``ic @Q/3";x#k`aS ;*͒56ma<jpqINzm@:1C-iǃHNW^<]R~Tto:fO-82E*U%;:8>BCTr>Qh<ܷB&Fu-K[/u .2v6nZKfqt9e$2_it%>XC1-vDiyjư /S /vc?xS>pru.+ |aDK===ˇб̴-Q"f>qvyZݨ)t9w3l猠`VՏyO%SYj]H?I.bXH%h}*wa#C=IԨDW/^1 &Ph]<8eGAIf[ñ`1{oNN飒G *ނ [Oo6>7й@7*LW! 3cJ9]ii#oqAT k7T}Ϝh\{5VHVH0o"% FءQSLQExWܵv]q (wT:)04=P5 kZzz{U[gTAͺǧ&$㢋V0ucEMcV#T#P?[x~ӴJ2ŭPEyX̩r/[d `yJ`z u.ւvE9BJ_ӭY(zQs1ҖJez@Izf ɫKjk7hǸ51JD>C{⌲폤R^oJ*9kw.b."#WeF_ tCAek îȺkk{եm`1ex+ v&T喅`[_$ck9.2⣳JY-mj,'T}p-djFVަ9"ZSLL (a9$.W;˿.aY=*ˮکB1J#i+&/,o`mU%/!,hKmC:yuCoa<ӋB9]yr8"=r'A{AZK`ОX>M3-ȖSHybZG<[ph5^8F=LhÑȅS9aE ]T,tRVkv%w60Ka~1%-&q*`(Wk#o?[UšKe^o7w)#<v]zl1_i3!ٜ0Cg2giF'GsnA']j{O)C#9'9fXIVU-5Jr1S-"R 8KL/ _vlʾqfLX(>ɚBاE&Pgݦ9ؤKI\ (NlqKO|m$z~)\B\+Z1?b/OՓǚc|-^jtwjMq|%*7_zD.+kڛ\lHaK1̗~F [E)nre)FBϤ&f9On<ɕX.H{8Ü*i]cq'uDYGڌ4_Cc*Gh1̳(EG]&91ֈ-\'<)1@aE{vD +COKݥ]|=4(3~h|ڊd b9k7!8'^cSJʹ+~&,C~DWv9)/CJXZqqqNehTWCeW2:m}vG[_)Uoi%ދ+N@*)^k@+6U|q9!yOC5Y`>k$ߖL *UkK!%l--_KԒWK$,}SG&"2QTkn 9 ~-=]} BwB8먗Bm$"*s"j¦Pߞ ([2Myű<O݃2mttk[L2NPPem< f1Xݝ SE2^T\ o:ѹ*2`2?U=3b;CrO UΘ)ժ mncUiЎXx9}L?QoK8iͨpRp[}[ hg(W 2q6 ( =˻/PevC_?yRhAZ;pJ¹aH۠!jȱ+׉ԤuKv!AƲ׳eYWTc 5_\a>)Km +qZ wyr/j+!`DM0ԣߋq,~P*LydH,Tiؚt<&Ad!8ɪqBTdF]4N1 %2ҴnVܭ[J{%] {7j` 81r!X]fAQLuv&a(cԆb-Ӌ ,'BxB&V`~DY} D".k"pm  mmZʼn꽫)|\r%C֤ak7&$&Z2%! $HO^D&I~mQ=60;Fh~2 T?a,ęB,XK16ơpܚ'X22Z} u%Trz1S!5ǹ(IU{A$Cm9Xi3bTa\Tv-7&n-܍ە;[vௐN.8NwY5M: xUv=Cafcaa(akFmuw= 8-MOq>= `9Q{0*sn!?ri^(C!]*KxĥIM;-eY9R\s_Q7e2j}Y, W/IU崔j)5&k)HgZo.Q(/᰷DR!1ZoU ./M,e v1ͪEC*Q&O50gM ϙ 1NaGSo5f..8̅gɓ_-A1A=(q/$yLu5\:v)! +oN|}[r%i_G?kKhhe4:%zEs)$J(ٶ;r'93ڒG@m]/o2%ބ&ZC=?-5[Ǯƞ d>^]o+Up1l*d߅C*tVrl 29o(pP:d\i\u0\zdn9jغVz˽+i!\륊 cQ~D(Qzp$m Zs/+ 1ByPઊ}qI:@{&Uܯ5P}ם/Rݣ3. + UT^jqD7SP;ȏ }"!U@F|}'!ڣYb!KRʊ"^n/> PfB/2Ǘ#m6C略>J\[t[nkZ[~#R MyD w6EݤPRiE\&:M&mt4ioH8\sd:a)-1ꂞYm@1<РpZ#D RjrS0'ֵlb"Jt5ry/Y_QCHr!/ZlTsL*QxlS?>PS@T7dky#3̿g#]pDW ǧFClgҏ[ŷʚxT?֐ԥ|ŠxuUfNt_"ø1)t_GuETEQ:r2aղO-rT:__͔z˸jgSB`_(M,2 C D€:20i]`笤BCp$䬆E-b?_F=R7m0(ߒPM,'ki?"VG;G([2ej^6l2c?_QvEqfÓ|õwjTUUg( ؃+L JumV7(z`v4՘ z.pujP4Ɓu.6 7~CpO Ɩov]ÝK MJU?ӣ$)@.?] l%cŧNuUnCV'=NI{ͼ^ױ'/WtBX e<0et~ `+uJeۉ&c9e^u%'^K'a :.d2*R!`oM@d`s24X=A-܉剹8 J{W^v^Ȃ6Wbtkr@L&;DZt t;P&oT}~楧[@Tj褚̓93 r`d~nrH,Jo]90X_qTW n_[*[z8 3B M[?WqAW{)~u۷zq"CLt/$ L]yq<"^{h>! gQ9rh:\~Pg)Y09_=A*}B2eՐDtKCDPd%{ '%bĔd=eȤ6# 6{ANT~}Q-7~)1X)qmnȦEL%jc!?s 9\bg4l' "{}57.x]';ЙjMFl![m=&օBbjW_ufj\I_C 6R$!UFz "|н3d]29++ 4*1浊%$\L(̀r$S͋qmԅ{J*}~T@Ka"hASMQH({pʼH"1:sswWmo,l?@py?ODr|Yi[xy5hBToρO(|lae&ӵ w jdJҰvwPU:MY*Hri>T2 E ,u;䖋`~#n ʌy聬w1#=̱m32܋,FDZD'Cŵ0ٌZ06[1&{MӍ{ֶs&ޮa?̆b*_W ^"̉C旳`VftÖ<ņTQ" ڄ &oR`b~VBNH&-w6W \99rZRވL8פּjIq0X %Pl8ThbD|k1B0#W0Z͉Cmy~L|]b#*OgOU c&w%(Ц`#] |#qv݃Y"t,m'zFp;Z OOk'dIS{_, ,_fd>*ٮ~^ւ1D&9_»S<@i7d-PRئ#I,ğD:g5BHA?%G\Qwؕb^,ܴ[V.yr ɲJw?|2bv:SQ5[x+/GfJQ\ڸc%qoEh5E(4!:LF(kY 1=6(ޔ,'f?T} SF)tt % oy^OJfh̥Q0fum:jY5k/Du{2\ ^ؕ ͧA 5$ϻUL=AHE*)f%Ẽ7͈/c ΨncMGN?WCQ@^jj} 5&JB6Isܕz KK_rZVj k}.ETj"nAˆ%\FGwX$K(4}Jbٵ;5ሳ(F@9VzKFr_:šK`z[kς*RM@)wo+,v/ƯJUI5N '-U_1[cvn)MhYk-k CPfOzVS$ 9}}i݄6oGn@wCٖGx ^흝a=Bqe7'/%8lR9KƤtSj7O!P(`T^A!NA7daL$!^ba;AUGCžNu͵gI; c4A.;h8*g +oTѠ#GFUG:׃^4°$_"C]kJ_9y \Go(0J]a *L鍊$f?H"湐"B͹.["BTf([>6nb ]BaN! y\DI&1Qȝ3`iF&G\lZrC 0 \ѤQ@7))ށטXlyTwҫN9Ϟx9m-TCJUgor.592ss'@(y Uldձ\?J^9ؓo;-}DjTF딃&xͩ&Q/: z˸<$}USe'd8j3ʺ7>2k[78-%0 q5eǵ|dj߇J)Kg;D1SQ8 K)_anCK5A2ZrQ7H@^J cC'˷4I#5re<]D4gqҌ1+W9R+q tt"GGG>yL㰅W zwִ%}D %A(\1e;(>-I("Um|M|i(AO"b ??H) ` ݋\@IuH[epN G3w=۶DQ+YGDcŽ]\7A w8 0HwOԶb;闁oMjuc`ڣwDսEa%fE,Z7[ /0@yhT,@-|K%86uApGgт{ =eݞILnd+7n J>-?i"Xq FU־C=.u|<¤cHjm yUƉmټ9PI諻5ñnHWe Z'XO[}>,qd?yS 4sՇ(Oa7' q~NMڻ% |+  m3%.+'%X nޭTd DJD\TNfH$,E]ZG\ٖq!ue/7~a#6Y{$Gi3gnڷ̰5AP Y 5n0esթ{i_rI  @ o2zBXq/Al}w,!W%q?O~=.V@(O\ uTnf |=JO$NO|KVqoR' ߷RF,%\#C;yz^Oޣ|LYGbU3Ԉ8"/dbD؂.G׹iŰ@| F*>Hf\)E#W |%OjuW6P6i8+%~ޣp|X%Q V rE(Ӯ82Cp;m\ErI`E3T^4x5q m?_Y5xd1ͩQ.8:-6cèNZqxDr&[<5?#6:~5yEHn⛻0P=}f >MfMA\Zb!Z8haG{:u]oI1nGEabK|Ts Zݲ g 3'ig}@H1On~je ytЬzܶ[&kJ+ Mi=ʱ?JnT}~NavIdm^p=OP,k@kBq.eEUԤafUPBD+⭟!TŸL.xJmP!@=stmb8c@QS'IL@ږl~gt^[T §ᰊ釢!V9%=lw3cuQ*s}F\2E)/hwv\ P!rdY'~1jccÎxV/L9kF_$؝n"ő#˳PP(_P&Ϳ}1au[GI㡀IX/Q4DZrr%)=&n1d>-%Ӎ@k ݳ.Rca6PqoA~"9ceBdAq0i zq}wwq6NpTs1*i'=J:p,IJ\Ap1BDwPAxez Ou!f vג'C?4 cDi 8}5d-fƵS:n=;XV8)*; eD_' ݓ^O'FNq^v,yDt ̻9˖77OZA$:UuNS?DžJY)@Kf/ Z}A=!Y^Uu ?-$A!v>yn"]~" b>zhkwkath;U>Z0\[5xfsb53!Tus]RN:}YS^{6f){VgX~py +pkaV?\aSqw`7~$oLh #uC,f~qf<SE:= ,+'eʼtF&(N \ -Muy+_EAXVAUDU-/Z]RsqXA/uJEyu7EACS[N|Ćαi%jM }5{Uk9fITߡHtI^Uxc{POyʕeCp!mkQ+T$^׺:l˔f>XCv+Ћ5l>լ0ɯ`>LAVGmPSzgWE2GF<)G6+o`':AI*- G8cRLwiI<ϑPs2kY|1͈T͑ V l DUY :ɤߜMD ZJJsK~XpnUb~0L5{.LRnj]/e %,2?2e";IC.Xa%V&{Yo8 TJj?ҚUTb0v}*GpeszӚۯ{Lx1~_u^2Nl:xfT0-4V'lŊ7J҂4 V}UI~$¼ArG2DUѨIe8!L׃H@l=_zazel]7i3 =RCn!҄Pl=Ye薣%9I? Ǩr[q")`]Ep"^SWO>n\wĊ+SG M 6}Еْ#2h 6{b47=#i{~;"oBsm8(> |dCށ+NG"[UP*?{k/iSSѺe)*||I)esZ TiZz"Ȟ;gAKlCzr>QpF2, F-OFڠV1銀''}͇a8\DKȊswu5G΋ZK}'!ߑau%KktD+ܣL{S*FvYn?I? ~XYq㫉]t'Ȟ׏`q+K 7 dWa[)EeVqT ȺٜM9ۧ9s5ָ-X[)H@gw;Z ;5%5(D}쌭5Jqh2M''|y K jkѨD 3{f,Y>..J8| fU21q=*Pv%OP;N0)eiğ\GN|`IPP"eBvKcUգy_&4v.!Z^71$:.`^/+\uITnI.,NB/؏S|?ydp5Mm\㏚/D_VۛZCWTwρ};.LAvX﵆V1R@yyJp0o6 X:48-wXC#E>aH@N G>&>7~><;\O<2TLpWho Enp'?Bp-M5ʨ4Z8®=*\H q!1=h ]X0|*/@DЧG㲌&RRB0 c=w)10#쀅L[4}eہjMf]۠[?rl|2@$ĵʦzF;?͡nXu|ʭ1WpRRZP%GW^rc\nX!w'N\| i%[$@F_Ӵ TXqC{' g?\ 'a(u)*ԭv|nJȤC=ǒ7#dBme 0Hɋ=\(:njtxcFkYQk 9#,{cA}Ζ'G@2u]ĭvj'g>4_O " ( % 9#~Ks%g62^sĭ {G@2C=B#|NfCjs 0<akZ?k7d:<:j89c~mms+qX% W ۻ쐻\J ) A J3 /R4 vE?JwE(ZSzK!D^Cޢd~V퓔:EFoz;""?% :hVer&* ׷-viiΡ>8)kVf>d;Қسf[#7Wv,n;2J(^C !l2'2eaRaXRj5&eRqQx \CԘL'ԛq먻[u4rޗotV S\"ڮ֊Xk5"(HOb^CG@u"q24|Ii:Ulu! ;il\,ޮH ?>V?yjHw,NIMBϰOWF1^X1Gތ (<<(8ܦЌiW wFT=[cQa^/:8JJʁڔ6(:NA5ӑ] >[Oi(h CzqE] \ D:ZXua80kjW84ԆpLC? w5 CXLP]6 %c nQ AMrE>i/ We0?+M5T6(on b9wl`MF,.dՓKE ġ L}J$(9Jx1giԱ:I\h"nP%kx.PatOcNn(.͖;;t}=Ȋ/e^/o c[͆D_߬wgM >c\M"t5~ESWn[͞0-g@/Qh_1ƴ. Œv<ُnmҘk<q[{S}\B^ +Y[ `f5\2nGd FC8ü-ߊS2fWaI#T;F($J^ VueE`kM Q`)+2tO)DvKyFsSh-}oc|K,iJƉ ^=(3 #O0/\B|Dcn ~tG27Kcc*x%95\*w`^N6/+0R(~Rő/e\uN!Kh!L>P|(b':\emST Jp);P60jO2w҃zW \('(HM0= P5ؘsrfBo<\oo ʘ)dQ{аy*Qz5kWޚ%j!Z U=4qʴ[l]rm̢HP`9z&u:˛  vRRڔ\&koߏq1j xz MPt1z,H9N=>⹡VÅhy:u!k$5eE2aR9f{}i:xk54’;0ТZ"^[ F?lzٞHPxt\)\b%NI<@gJ|$bDm N۱=$&3ɐ{t/4䲘)&"У57L۸)}:%bdM"xgԃ # .GEiR80ۡQ}v:]}QJZKDHYI<XrٌD7-|k:= 7YӰj  ׽~o* -ډQ)U*V2uN5Iø,Ic'SmQifXKb)X,Zlݩ}N{tM}ݨ^Q7I=,pD/{$>?Wߺ%[,X.DIyf2Hy/ ]|zTHeE_E4 b!Zq 5N``bŎlP鋴ϵ7kC>00M}U-bU~*2ATׄl9wa]XQ%Wѿ{ K9ء%9,{B, 60ZѬ'} qB<0,>sr3H͂]yA’QTܢ6L=DF?:jFyjEq&Ǡ>m"7QtmdϰuX0"/aJH_޺Ņƒ\W ^'[tqcQ%{diVma2]Qި>¦?)&ِHpwp )2XprR3pmS:LHW7hf1=L<}Zf?/gF JwVGV{,HLˢ"/b}|ay[y J]4T r2B#v}5;b*R4 PނT!}Eտ?m[_oYj.80jx,B:**FEliIyX^WE<.-\ |L{m`8_AEiH;̻GS׵nkdfL!Z5.c#i *"ݖDHdD{ Mntc.UK:/ &3 GQŤrǶ*9EV_PljPu<{n(iX,#2uD-@y6:vK}tM% ]:.KbYSuJt5i4ibu)s,.24 L%s}ޘӋ8xGC:tN^C@_)P[:&!̀>+, YB"@>lSW޶>8=R#F" riM[ :)M,@Y:R0uij!4|Nfqn1ugDxb RTJAh\< /k+yS0 QdT/JN r:?Qv͇;P)0mkU俉XMu;: LEn݌Ieb;~{o %ِc!Df^A)ʼnQsiQEY< Ko" +~鸮AqZѭ uo 1t9D'gAcrEn%gīn]&Y"u5,$C!T"-vvWCeJRnqlT(OM\ p'>\P_\iۋ)\cny{낥tN #vz;$=d^ G^1 ;PKB_Q+@G-u$ؕӎ20B *59@.zoq9WT&5B`Gx 5TCG:gK>Ӿ*XrxŲ@Jdнƣ%hQgKPL@V;ָsLbGºl귖'I+m4w S DXf7ST!M+ܭWNc}ZtQϼ|w)גp~(/A\CB'z(kVjKAlz]p,m.G%iBc&MOa߇f@Iw3{gFVPpNߥӋ XML[$~&{3weGBh阃aECzp'IRʃ @Z7!BbU;qJ؀,y_>5 v n݀!.VZKB.>Ü~::qrze<~uG:(ً)LU< }&dq|ʟn9o0MEsC,fݨf^Tݸ*-ḭve0oyW cگ_}Ec ?6$uKxAJۘL/2ۡ 4m[NGPyoݗuQ3DUd_ֲl[1xŋLja_';Xxca]-mz4bPC%欄!QcۨLvIv,)| <0GbErt#.;micS XKzAֵGy{<@Ztt)vkShVަB#Zъލ/n+jQ\}6ȡw6IxK,҆UA& Ǯܦ>lƩy*['rnkԜJݥP!7wy4i2byn6zhIo,`_bHcyK5Dkx-Iu;S(Gr˛9îBHh/!AI(X8)p=">{<*!{0̞ a3r?$P:TT߄)rmzɵh 55Cٲ\gID\pʨ?ܒK\\{Q;{RrԻ9Cd3]M\-v(Y]*C 5AhjrnƢg(7B:bhK9-pXd^@91qu"{=}((Yg.TbrIIxqTSuR !='ҨHs>Cj/+'deFSd֣&>}uz''ܞ9գkˣm7i<2L"5$.?Ys-+*pҴ <0TVc'.`N:tĔ2yAJ1?k#N ohfgdo~aSd2(PCX 7twn5|CADžzf'fNu7;F;HsJW'm &]*;Tt|VIAO5˒ i'lcC Pҿ.K&j`8'bD ].xƇ"RhGz$0x f(0cgV@5Lw1PԞ@Õ¡ !A`]47-nK琩Kww!/۸3 H {.@'TIC<4ȯ9*w)A~EPD>4uq&NR7)޴˫3(U`Tt]$|1q+b\0 ^yzx>^Yx) Y.K"͘&C'!kx{MAU}p5)~xoBǎ)Vr}50MibA v׭=N@).s=l"nea|&0'$rDRRb?Ŭ]oWmz( RHSw @='n߳+ \ }kLJSoxmr$< pB;l? 6v Em(]TEg -ō);8aB;7.ua흤@z&eڀN(QFȤa|y:q8^"2"D0q[uoZ~ ;Dļ.Z;˼V>d P7w-EЁ[c%>Ptd)n*AISBWk~Xm+f&hFJ'_0;\ \ұ&87W4Th)@:`ZP\7bn[duaSwaC}g1M fAΡ~+5h .GP%B# Մtk؊ή\ok{a) rfT)Im x,-'+,UbߣI?ɬ+;3{<w2޷r%ju ToH׵Roު@unTCtk,ʡgx@[$W:<lfҐ}xr'5U:2!h&ю{Beb=;SJB6e1޶+ vkOR<қD?mgӪցhXC'͝ENo\σ0>IEZi&ޛ"ׯ [/&plJ A@1$}H}ݣDPEBĬ/Y'^R^zm8XcoLzۄEh;~I4HYAI}2˴gʾc\VUhیcw})@~!8=9+5Oԑe%`;S LV2`lļz1aӄN}^~5-Ąd^HѰ{UX3 9Yc顨|=FJs' 1|DsbxYn™I=yhiri(g5l]t0ڊT2w!#Wݩ/H Lp*$4B S#&? OMrT_,w?C$0Əz=+cYus',O)< :O P'̙ p*擳Y99o޵^SVjb:OO1>=Zz'7ץ[DC#lm<F: "1EbԇWBkK H23UM]UF3#|I9˼I;ȏ EVV-Cq.f CP;VXlU;5y-p7!#/JInKgl0CȜW%[j,j |@ԣih,!v&_iiJI{R_[̟:)i0qa UP&&ߋ+#|߆R"chP\ܣƄh8WSt5ek~5йP+0 WK~0nP '),Įr z)H tf,tEY /qXm sbZv` i͔ڎ(d"52RMy|P.пt$d(c7$E!:0ۗ 5C}M"ʀ45A +-8vՎDO(SH[=a1\Q6@:Wx?,,^ Bw&Nbx]nx}z^~LZmwVd=dӶ7ӟ#ѿZ_7+e+³b2QגJC47&";"wQb  f]m&.ݨN\~F$jgVuά W>_F/,} 0{IdbecfpKZ =ҳ ,3ha J=B$[q<-"\aTD6ׯհX>kx>$e y@_`| jj|54R>N^<KnWM<}5c#h7eaf@~@Q) "xĜM6]g0jR\fM~*șz;-U`URm+Q' S])3uKI) *NMt׈ jX4{O 4 ޤW+k&  Z#( _̇"4/E]ɓ;{I!$M(HSuT"Jj#.&8M{9<36{LI# mq݌1V78\})[x >hu:nx7 ц~`J7faS)¬5\iYYl7-yc9+1G fMD`?f,/®\%-gK#0f r~$VfU3PǏUKwRo,/[bb_hr_{ *ewO~CBJ;R p9wb)lb3WhO.ҕ^q]7~NfYIw5ꏇu4ݏ" 뙐(iWjl@Kp6 }i-h p~&"(eXjyǭs36kUT/wJ ui0&kp} X[= m"D3 2 J{-_̥ c1r[K.Bi4ȓa9(L|kaA@9xaW8*zDBn> 1xs-ʨ{vM'6FIxQyuՎ ? iOW{7'~ivVEX.k=АX}RJ88yc@Gv(Z$'1$pe ,W=ad!3a`賕6ǩ;2U•Z6ml oůd/y;qB[a6\qs#58# t,P- j+cix=`,FDDAFzpC\ţqaEꎋf7g Mcd֭8iK,B5_aKӮo1VT?YGWi_ҭFU$Ub3F?Tamo~]dW qV睻QZ ō9qĢsBG}aP${ hxA ?^_Ifw?P DmD{ P۞#8g#[>ר4ٖ@o{~m]+'겗y{ԧEF *?~52P]V%'%وI4uE&ݤ:t44B,ƆufL Y.m V7M#ޤ$V?6I Kqȹ[('2SFx=}4?CiB#<]8 AQ;TJɵ9"$%TM_vCqh+(ǝQ`0]BTaG\Ek$"\nMۜJ_YxVAi>:dD5؆0p1"1"J{ ±n1V $O̲Ǩ(;$U!A58`W]9gXEW$=}|W&͇v =Ǣ8{Eb (";qE}$n$=%.X1lveZtjU忿Isa6\׬/yTДB!iT~$sΗkiܚ<(3[C0VPR` ~_>Fq8yfF"z/>;vZh>d;}/2D KPݪ3A*_>:pϱ8Z$+Z5K:mЧߺ~j$<n04sbe ~+.ho_'p6>Vj~,ͪc@NgRոs$a\ˇiGmNqgu(0tTJ [3L{aT7di05Rښ%H{ZD.1#k|<%osQ$,C#nb$elbkdO/foV +-11#dK99ҁ9vyS\:Qs>FYmy[A <;|ތ %.xvz~cDZ[a~Wb9 :R>PJ;j3 pjD#[0.)l*2Лc8^u֩:_ A6]#?bځl.R^lyYˠ zա.V&m'U}C;ī *:YciC'=Zn/)B6+.#!h%؅I89EW*.ρ|H3 2 5/auʠao:Nʭ#>GT6v E8JyHf(:݉!WLw@@ mKC:§32 !#9MGg$p)urq<傶DmNT/|;D08P.}pD^i6cAD?xE%D7{g`bl:bؿ>B/  2{>h y|u&VctC5:϶lw狠p wS3sk%K,Fc:)@lT{̊e S:7Hd?M^$4i7UW”Ʀ^_>q@ -KU庸!zaMRܥFM5f˶vWzFV58jDZٺhдDhBdB1<"yw\*$}Q{[An,YXx%.i R:Bҡ@w^^]&}qh5$H @@W\ZN(y^, [Wz"=EsM0W$2=Ō 1f5Nq R{Cֱ t9f&0ToNV?Y?7SN|@#'$/B>u(8_s).@aRnoCh\|c=gH4IB2't˿ms(rZH<06*o oe*axp2&˴"B秱XVm|a_Kz2 IY$gfgzEX~ZVO-t Wolc:-) $VLI?e N@b/Cvu.,Tv uns_IƏ#mW:_e4dfфucQ "b[PQuބT:w]ݫjNjtKNIΥ eo=t[a  1r3y+i5%JAzݢ!13 J)R -mѤe9#s4c1㆕۬7CtKSB9B\DZr;)ϖ,03\vJB]+U@')S>`1 s1|jڃ5_@??TtUMiqTRmvvjݚShϬ홿 y8HXT<=x6D9MB+`cI=V^.K4׮9挨 j ZU`5yMAOQsW:":CAbQqx,=P]*KQJ:# Ӧǹ! ÙrMX].My١,zRjF%W:q"^&h豝0Jaf| CsLŔwB΋K?l<;;}%M_$_*,KR6Y2ޟ1[~* ncy\B6Z#OOw#>+qNF _-c"Nfˈ٨2*Wu>+e0y}-FUi++[(Qέt̝IU$p }8ag C$~bUi+}+ 'knPLTu<}u'օx}ѣ& 8L1q4 oNv81D)P;ČAi} ǑkށqGE>ɜ-¡,)eKUAGڱN|0q"r'A8^Khb)Ҋey~i NAxiZʬҁ=u6H ]2Iw$@cK:Z=h@.ޑ ɢr<.Wv`ڦ&ZȴYcU г]ODA;S[LI]l…q 4k D(5`Ee:՛S%Bt4[w#;]aQˏz=IPjReR"2:9>6<7ME6m.,ž;aj#wǾi,;Bd"tG-f QTOoI}Bk5m NS]Z9}__r"jEZmN*I?Āt1%T߰WA2wZH> g]]=٣6hș.)=x;?֖>B}ǻB- ޟ|apA]^'l_5vVQosؼ%_DA(Kςf֛/HJu%Pݲf$ _, kvG;쫷nCoCs`$!Hɽ䥳 (Ebs/MH욼&}~'ٜ1@m㭟i8Z{@N.wfF rn/6JKÏfϜUj u[Ez>2R5Mbv)Ӵ͸__~yjoɞx`bFQ/eX w,P`xlLgl 789n\PG+$:0)+3_mrtK]nl9AIЂD߶9=9LUdژt1kBJ HtZ0T]9q3_ K8LxBWp~@e:A/nTՊrzX:Y.W*G~wDU7 U:y΃%bd; $BB 6p/+kI(*Pѳَ_@d7}n*l|()mNWFR,[ N_={R2lT?w h(5:\c˒]|`b!@P0ZBgI2sQ,YVECyR͡Jk]',pi&8ȴ+z ֍BĖMĄRpԯȪrU416Q8#3RLA ; ]E]R\`Z+}&{^u?vg[Gղ!Rpq@]&珚 TOlBMTImr)ln༌AkXg]n&Mg0/Aq{T舴L+~c D5*T}ѤQ]`s^`-UFhɊ;y2W_8杭ZTJ综ДPJuBoʌs2/ٖt-]Va'=G}RdPs}7{!iejרTղc sЁ+~|c8`z}_siZ0o2exJ K rT8@DîùX"$LG^FA C.6o}ۘP{Yv0ZْuSK1L=%ؘ:#T &uZusq)5&uĿק`~ E^՞;Klt|j}E8$X9F̸iImJ}g>-@M{& P|:?VMw[ i3 @%|21z\EG7aXMMUŨ0@L-[6<ְo$6<"Y%aw Tl(S͒rU \ +w_aOZ7-[.kpƪv9o/. v5X7%pчqg>nIYR~ȩ|' )J6[}|e>@t]x8[p8-.!ET5{| !A=ęx!vNQ܉C;`$kZCdRT&@}6R(xh88 A=w as@pzp:*R 6.7z:Zq YKbD.:nX(9`jo}">>dKzZ߳Y*16cH d=JRt:.=Q[ʕ&⢇υkY5}fo:(G?~̌DYsCXux|~`߄m#&COB` q3hx"F^Ɗ#jjh1ƳX'S&N"qpmhm߾DA <<} #$%9s'Iġc &TTG8d1\p۩:*@F@EwS|u@C).|ø/20 K]>@w`{~_wbY=bA1d[4_M5š)ݐ740jMNXKD֨+#rgרm…K mX W;>MH;+S?s%}:w!Jtt?Ik~/M!Y=s%}-Kj TE5Հw(:>[*1lWQ+%u e;OJ,)%zf1Ds貕&lŶZ]ωK FH#W!b)x,zUH&/8$uaߩqb2b_ys=f!MpTQ8eZ!zmGձ zX '8Dht/w&v դm㾿?tھEm8;eFa |1eB5(Bw1:ZYMT~1=wxE#`/< qbnG"D0 E+,|S]2Z/)Q)*hՠGD0R̊p: n& g0%ً *τo~Th- kH}`ư8돬Ͼh +x4$P#OhQu((B?=-U>Ք3B#XLuݙtt 8Guy ޿ RSYzS2.{.ElM"{*Ǵק\B8=-gihHBvjB5sz`f ÷I姼c=_bd"%ӃcbfLl {rDP2LE/J=ו=ȮoL52S]J7]˙M#bpG&359fGvbH斘f6(3sҦj.2A,Ŗ$5 λ &BefPGv<3V~;%9@)$oՏuI,(@$c$gOꠗ]?Yv3gf'P5YX3`-9@_}!!" ț{tUlktێъ%H\rbR3nϠH7p%wb)oR6WsN?-E4T`W V;y0ChကQ-ey (dy!xL sh, Rx#myh ܩE>6>b˩mS֐z'afhފ  g*2_3 bvd#zz7NGo%=zՐ3"M!e(> z,H:Yj`zSttVvφ~JLSÜ&!`k˱Xew_TFPfHCK~R2빨0s]A3C$a8 Xg ("`_+=xl^lB2Ĵ) '<ǧӎZ,OQw'N"`|{fHb4/"Ư84MrOHFmƘ$[,!q,y/Ôju#ٷH6mvx,/LU`HE.t+G%1Ve-gF6oBQ%n_<[WR"+~Nʬ|2f̕Bv "$֐S.lXyǃ{wv왯x|Q"11;/n' & /a\\B@S*~Y^,LhY WvmqhZxoӃ70So )WI610:v\B<:`󙒀JD쑽ÏN\;b]}1ٶccw^ uxP]p@J (o tO_'ltgtA#dގz}oonCisDS+~. {-lo')j2-'8{= *0NѭBd{u1*2t$V>iGJhgr J{}Q_p"skq41s"hjک u刨}RT˟AÅI&gwDmh" _𲳖2.i/ʼnurp&7\#gC>A {ww0]qFIJ%E0t#G>;ezywC%^Q״ѫf~guX);l-PI+((1,׸5SHxZUYtX5= ?羯&Hxiɱi"4`'Y=g[ˆ.Fb7 : o],Bȋ%50V"NEL9xB齯StЕU#/s_ZA<"oR d,uҩlY=+6Q*S^=T)ugnǼtt'T'͏;^Pe{33 vl0J4Mzm0i󷕖SEyؑQUͪdA9<.{'5𒞝]df[Z + dGO |G)'MR"ĭ{&)d]y5 D~e2Ya_(zٌ. =E69Fj+:3s)OW!%\_o^r,D c |])t(p{NCBaץ{ùqϨ`/6̟[uGpY0H5!a">3tP飆p.u D!=X WV!O*Sc|1d72gktZ8Jr'V 3$YtGn={[ȷ8->M ,lDT'n feMY cu,:~thC3I=!z)d k.!7{:/rsI&dT#Ͳ64ˮ {aF۠,uԊ2$TgwJLrpQcK!BcǨ9tGtL9;?~@S vfmJƴb=mǼ؜_ }"4J<"FfϱDׁqFBC5骣KI'PG9dQrMxTN)tߏbA!XU3{ bxEyCJ\[#6 P#iۈ%Ɠ,2̒TM%9(O}gL=sYLh睩@n+K?%8@>Kh'nN #iT r=8Fӑ̡>g)m^DUFM_t9fMM9!rxs;yfj]4g4=Ot,'u^JGC*u,ګw\oaz BǜZeQؾ=@z:H>KK-+(9Jͱ8}dɝ1՞ĢE-ClPiw=by˴l#y`y\JMpů4 ]䟺d\a[|lAh^vEdUeIxlzj\Y5eRn豩ԂH_ )&@Cs%Q.-ǒ~tuTs)@ rmZٔ9~ߑ+7wryN4Y9N!&VXFIDBxrb^qB=qnP_r+84 !_5ݓzQfXWbS;|8:@sYթ=~즞 X0Dq1.<iWn: ~Smvv`*&hk|X;WGI?PV%B$R.eQpրÎOQ)UZԊdž.=xhb]cYAc51(B`v% y,ܭl=X.w -P B(Iݶˋ(!meT,?G`]k$56q1Ed84F̯;t+A><";) jHUn2LMcyNmtd{Ou,GiI)dcKqk0*_yB߬}q J4o)?,<x7r\bǾS53$v̰ONjW_*ů퇌lb[Yi*4Œ:8;?0; ,d< >Dn*u^*Rnȼ agtsj*IǞL>w#t_ K`!O e\ɏ{Q? `awh8(s[ ="i\ /;YՋgV48mPb\?r} 3t~7V02* 5D"2LASAmºuOQlخsI~GG)W5j|ݟ|nrg\qg32,*]@zhO;{s|k𕸩ך;RnӒ_ _+%FVͬ3F3J9om3`z z$qNnr#_0deu -31/h R P%/m~]oCUƶʚ0 zKm49!.F0%S#U?'7!X}~Xxz@ TܸiI/ !?gm>h ^; ^,\iUF}mg@Qk_ j3a[wdgaзaL"6kH67V6F4 zGQN%&yOFː>au ~1 >H?u RnH^;c҈dIWٛ}y4 $-Ihϫ: ˌDLW|:%^`嗂p=>tsg@$prj*VdX_Je^ )UFl~e!QPɏ2l2CcI4ܖ;Xʬd^1y(s~ay\` *`;݁:h۽}%]z2:DuN~Du怶 sͮG_eN΍jgT4fG1+2"* kO8'o.8-MJǷZG)t^!3?; [s~,gxmyY5yn+eiRrc" CFYVXyqg8w7O4.,u8C?,S(FN4Ş]v? hw&/-i{6kyßG$BQb YpOLas??A/L'[0Im]ոB$[CB#Z=^qM]'CF,%p[5S?ڋMQ4d@0'3\ְZ5?*Zj+?^XoqFFlyn.X=O (F}ȟ0H}D U_ePk]<,?kS8o"[oAY]nY%h["vb(V#>;x*:̢[c44{K7 $o"T eWbW?-_)ĊǴksLZiΖդrژQd%BIp?3w,$q qj$c?ZxM<\E9"7?ڗ)7\xDJgUM|k._sfCJ5yQqme&m3Z飜94t)y:` vQ*޺mZV!'Z3(ޫ8)C|D1aPMPݝSw/)Pȼ"ABS! 0Iqsu4:cU,^MDScpՅ~2M/E^f'fAx [o |nPk(GIW<JTԣo]@J[{|>~2pJW;mz*X9Y3V@M|Ѡr<4֋"Tm J`?Ղ !NO(!Wgt?஺ ==sGH?a})Mj3νrۣ\j܌cPGޜ g{)Wp E-Q# Q:Z7{tFF9K?mCѝʘcAcN7u+,5JO?~ a#WǬ$F(\|ĬB4j}qsYaGvpG;&n3ă03pb >42Yͽ4)nH:$(1 "@[q*kw^1:,3 z-C܎=WH)Jb2'ecA _ҳ^i%|mS56K&6᪍^`EpgؙcVw\I~_Z3a1Lq[.Giz\WW -\!q%Xc|1"/ۧz<7v,}yJi8+Bn$9rOznISmרchI#B"ޓD6ԅpUw-߱$ e TJ>K+L%dKvpBdqA]֑!83flΒnTti'³Ӓb3IMȅ\'YGj8<[TO|G.әÝ:T֭2bR0_U MHK61!꒼%\>BAY$GڣOzҖ ~(ntOh]Z6LO;Z&^o(w \w-)"+J;@ u锻?ûմD|6:rp\5E*~h&.Sƚ )2ؐDOc[LBٍci=V4܆,,rH mn]>Ny}wG sq:Y6>fV Foyj(,ld50`PN^ejK 5n?\I%P!6,N:dUÈT{; \-bm.vI"P/-hNlFصQ-+A9j ZIAU“%s"< m2=%Ye;8)B99a ;y~[&lˎ+] D9X9T8q]*Fw:}f^~<@;C,2'4nm3%g9&؋ʎTi ߓר;t3J$\7.c^ı UD2>m$uyie3('S_78ض S,"$c]+Ctx}!mޡ pU% 17 7jxՀd:|)scf7}q0ˣ B[:\)"iOU'`:#=Idx%(HsvՔBEKB4V͡SU3䏠QQn!Wf/ #qYQ˽ɂTUe޽&)+ae 9[m0XewuZ5fpkaδ8e,em`I6#MJo樹 h'DA ]<:~ .;70b+aq~_ ?{ɿhڈ_Xӊ!=U̳]3-i+Av-^rJqʰa,dwG#_ ENZÊ'r(poqsJ?ˤ'u h^aPݜ,_o?Tn0a_ CBy.KL}@.A2D mbA6nd ET )'tAXN>?.;J IY ;PY 6+[<|,!M'w׸LDǭE~|)VlVA ptzPtrM@̜:7XD|O%5PrismrSv5H%|nBr=ZWPbA4DFT̰^A^Ypm?'& 6$RZ8 !;Bh?Qo|Z\Jς(y9(kM`+MU ._D4m?ۗvL ppnoG-E"̣UvH9 p v]2ʕrhW((a*t1?۹ˁUquԼx9fZ^|c6Con܉ W ,g}X7~ ZHgj*0_F ?MX'(iݗ`d*J6vՈ 8Q߅q N<Ք0Ҝ Y&SAJ=s#(.*V ܈3ԠwK{b.kߪ urNIs~xk%,g|.ufjRk=„RZKd Tx Zq_E},,gտbbRJg9DqN+k`p 0($M0aF<^Wc:n1Lzίo-)Yk,1@FNVg9ş/< 2k-$dep;/D66p$s'E*1*9+P'"Q@TeC̛߽w||bcY0E@hV?@fI)8ֶC)5lb/Jiק|Єμξe_!eDdn/tZoN5@Ň?E<w(a;]}3Nk1j{_X%ztOe<>X"ҽ5y7I-nr +?~lkW cID<6,]'H|ty/}nqɕ8xA'i0Q.>2 }N~cEΧz~UFܓBz4$S?Ʉl kK<א1׽BTDA$|kn(FVOa; qD- u6`#Xtscxk]IAs {ŊX &%;4Hi}$k!I0`+ǥ' J#skÒ~e\KXLUժ7<)= d*s1˾>'OoG(a"pӹ?҇Ae>v!׌avP^-+ ; L$*{A`ELH,L/U-}~%jdv@oN 1Lñ.Qm!+ & v3i1#դ6}Y5ΔHf5VǴoyb}͢Q)^"Uƣ7fBm)<@)^Ę_xR}ȨLLl VH<&l̗tS!h3JraW?ojզZX!9=MfI ([Wk$MtGkiS~ye" |:cht^CS|*h8lU xwm. %\=a7DY`5I0nY)^PZ7c~*#2 hV\$RhױC;dMP oE2(E;'~V# bG޴a6t@wt9| Ԋq2KsMrȗצĴHK7ш #(W(>Y@Z*3*|mHNd&| d| M'~y0*a%Fj yԙi՜΀j20"w)o*lYD!3]/!\\ǁRnZpGspp^˴LiKY1dͲk<wԐp?#7zy\P7 pMQrE@J)_/֯ ;-,RBL/1 j=*U׉[㔁GST < ^PCUtBO2_77AGq t$K'n9kS"I:>9[Go幐Ԅ6jEC eЭ|`Ok^k2A&m.:U&ҍ6,q[; َ`,_R\($q E2'؜"k5&sJ@-p /)Ųނ>š9@ z-T3DJhbΛy{?g gy`;*?5(~;T#¶kΕDȩ$W!F$q.q?.yM^sZ,bu֊L$vBaѐ2rzg݉(yOIdBCu,ihm* nA80z T9'p$ّIXU H0(2^UUP'ڟg{FU[R͊/F$Y%ɏ;em}d^^U< €X%JC6VL@Gʬo+P/n[%i s}<RDbaV3Nh687O^Cz$l,\:{lh5#g_9%Kѷ*:tGF{u;t( 3o0ފNK,G̎sDEltB:𵋬!C=-VP`Dtilz.`Wpny*G#C|_rFo70syٖf`8VBVFҞM' 9IP hّFyd {W}~X Z H;A#/L sQWbhe% ApW ZimITIYHq;\!xsq u%Dѵ1f08/v } m=ybqq_TN{;ycu]!9nü?!ۘE(py z>y% UQZ3USWK{y \Fr lA*~neu+ǺA܊DK#,-=rq . GZV}X"R cP"PfWFSYhhE9 F̐ -s\裐C|SZѪખ%5  Ô2$kaԱ]sO)("f&_|!3wC.>(ފ;(˥(IAMX$Hquтdl$fNq:`=V#a;( `zЈjVҾ |iji2'[0mQSjhE7(J9f[0ְEXaV'P urr]M< J{]lBDCUr]Pc#ơqTĔK=#䞋D#NK=Sqy>85r<.SF ;\x0H_?NlP0(P'[}t9\SX/.1St:S6EăSԡHJj>rt$_RN~Zg|oc YYZݻlV_C,PuSt`*& AFWMK,JJE ШnzgՁ胻 fWٺ\];ی}Uv}IP,gp_L&6]3xr'k/n m7ß,CV¯%DJ~A\Gu?#Lf{(FNniL8C (-L.<[ u[Uz+C5^p;?S A`#4o4l:q>: N= 5`L$@ToΣwQ@J&2Py?-P_H=Nn|[ Rip& Us?Ow%:"iS3^jv7Ux++B@rGp61:80|c,A6fxg9lu+1hP?Fo`Ѝnț"M(gs% t ll3=sPXfl+$V8gEvqvhe]a~_DĹ\j7mc%ۡofRrt⪏ʒ|ipo St.KUr3Q(VL ӔO)D;3cH%Es8yADĮ@ zj!8o&^l60K։Ēݮ2ڻ}a6jshʤ=I&UCcf0=9i/䦝%Iwi,MʙD, T*|\έ@ȗ<ݸ49׏v/[\mfQ>^邏FvҋO>`ѸhkꈡgnTk^9-LKmn 0U,%+U+!ݛM?;庅M8Tw3'_d0ƅm+Wlhh&pdS**?ϒ/CN%c,|!ud7ia*DO+oh߃y9lU 7 qxnHx3=-(w ,J'd(YQ'3q|w[e~qOO=mcKOW]sry`shi@trȓ[dS_NAP4XTK7a )phtՈKajj^]eF\W l)_tO7F ߝ^&AtM7c XU@8=nYIjGKؑi{eqtt4X]X"9W[>YCjsz)MU!$("3e(ji"M_*,p/ߵ[\Vu1E4BS- N' 3t:Jcy5g_׫ȂS[턌7&VE@ 0"- ASM ό_Gg4 >ۓְ㻥 .;sVlj',3A>B֎[\K0`ؿ$lp|~\c{=|rb/EI%RL1a4mh{viWPc&B#L㉬ru` ֪mdfU@55[:$XJ*+ uj eY/ ZkGP%һ9}FHɌ|4< Q["Eu@aRfwH{B! [*= F; 𬧀&! y|0Mϑ 1)C&VQc'R?7?Cf#C"P=_Fz]8}RTS0BJK- MfeBNI`L)&3$z1Q50Zjx*<8#9YU|US/r܄ofny,BCNDB9YxpE3lD8`uQZHeB?.Я܆ѤY&y<̨}<ɺp{n"2n':|,,w@` b@dqzy6 eP =JAo8YR<QDIt4?̽YY(:gvw:%Ad"&JDH2s4P&b'0h$j)[h@>ROAAюΉ{0ʖeōrv"?d}"ٸ:ꄒj?- }ӌV~q'"M'1&Xx!1rLx|mVOؙ|E5ǀ^\#LٱnyFWSJ_pe)琥n1Y՝`Thf|8Y`Ƅz 0{!D2?Jo;뙉bdZ}3|YeҟV9Ѩ݁-_rPZ+UI*c#d64NSQ䝅yfʱrκeith(v! ǿ'U=O;e77+_A6=O;[R073lM" ?n>Ո {D2}\ vlfe`x:ZZџ숱.G5 /? L/6ӏe# lh|7:fv=e0H\ \|bQ_L5G42~r,jL11k$u8 z1bTNkZ&ݸnDQQIޓ\XK0L'X 6fJt@ KUKs]}E+C$Pstj&0b)i6A ?Qqj;jj ,o>Ə[譁Ts1KmAWSGA䴜8m$ =~Z*9n,?,jxlViIJ2 ;>Ъ+;AjQeї٦(͖_r>,$O?'M2GU)Ug{J*g/g0e2 glSȕ\% hgG"/ 5Ȯ:d"A=?9CBLC:2MشLZ$h <3`H@{2-'{U=OwЦ2gi3K$tܠyw2a;=dPEwהO=c-f?k*>c#F2h.B!%[ D]s]|{nE>vV#E(4l\gDO[_YݧxM& 9cS} Ѡi߁I'psXŽpbP_r98 lqaX X|˶A x2gȤ]M1,8P+N+E'ob4XEb;+vDz`.49j.vn#7Am8'Z!ϖ'\J6](r$yHw.,xjEP"[Js w7.w>zۑ^a&IoS mq0ĆqIC.~0AŠAH9@KA-Y|=S0 >^X43t!"ºȕ.s]6Rq$ FGS9m`P!s$R/. S]qJ2$Gu?B\S||- 5l~^TE'ݎvq)%1G ym$8ݖ@m\ c CI`S rEeî:N˼Ta@cXZȉ`tb7Y/wߓm0a67kEҊEe-C7_8:#E\ۛs3U?u6frlE0)}oU1YXAlu\f7 +Ș%K8 CnzTqHz,*slhc&bj{-/1Χ#?O?Tk;$m>ET#q0ãܩ毧\w㊌@<(49&g\ZT 7CN-~)Q[gmZJBM2f 96ϟ.ܼz\}s1*Z4M$(ٺJ@Ay+{{-H#gPPGxiJ2 ]{z]uV0OM`sݏLZwU0Z yE3l گ%Z"93 跌z84;;n~}o;Vwsy&?6 ::XD"_KPxࡼBfAfxG!FWws 1;eJTz;F +]-^FBMEu`>2 PDz_) #}YE(0G#]Eυ~WYX v^Ф* 0['zl%V<]n<_ oHwe ''ܺ#Ǖ'x.X#0/g~^}Yx :m*5 g3[fY~,-);RjAR#i bmb1ԳiVvy)ju&pr[*- Ս_ULXue\gH$_KfX n"j;6k+ MzIl^@PEmXXGOULט~|h{Sl4B[Xj2<^-]?,yZ$4,ISepܘg@dzg]M)B $ R6cHoCֶCw ֟fw5}lKy|Vƌn<~;Ă>IRl o) _eH+X݅;+~g4[= P{EY z)kygL%~?[4kŎQEU :=J,|U&\5~HԋkˀA6)(Rp9)/!Ou'H:fuZ+Jj}c4BedZvx4l4(s"ӦIHj&Rs|̆$$̰z9cX 6X`:1392 5Mf@zܗ0_6S>ΗBnd~c*1/[kՀI-9l$q$0~#9P@I|Q\Uw߉RO>:B*i0(nk{KSr;rΜFO|?[N4ǻPPbc]KF͇y_sG,6w3^P\½:IDaRppG6Npy?^q'7Ou%zlT?bj iW?7hM4ήQmFg RR)K%vo}R Cܔ5yq ['nGk}"6%N L;$GCe)t&Oj򬜚!Rf 2 Ch`!#^5XgsXcv($I<^$ZM:5Pu6%Tk6pJqõ_'D/&qސFϛ f8(Fc yj*ЦS!Ϡ~JysG[3IѰ;ۡ&%qZLHQD=/L]6%3ԪbFwHapt<':X$8YWv)M%A:[RQ |_/ W޶&E)M'jWg$&n䋂+5}l\;bNI4 $҄Is3vX ģsUGu,N΍l[d$륛 'NQ P;gf;CS`_UD @!((=Ӕ(-pLm\T^BelS{'KiH슗:'c(4,a)UD&QEY$LXLsjlG .8w9 b|0Jzj dۂK%^? @{⊇bE.,[Mw?NUPB6d#2) ̉#Rvӟk/,imĆ{obҔJO|]:wsy'4TL/;ghٗ|lrt)1C-'2Qj Q>VV E^)v0X5,mpDl(iScFK l* =9_/g3ECzKG7:Ʉmk2t]CS$S 0C [k@Ǻn[uDً1cc P $Lhf 8A_hvz,&y-?T.=L J0FsG2LH|VPفGo#%^K܌{4$mZ?} *d4q.q[]DfE'#ח8P/LsJ;D'[E79Q5W9PkjkxP`"VL mƖDej1b4GC]siFs0#xXHc y̨/Pd 6jaB qOₔҕl)ԣ {N%odGrX#ͼIztQ>0d c1By`Swh2?f' ˳;WW_GKH\~k̹P = IbdPkÀTRm,Jf֩_ z@O>M_e.rNjpr׳!msK0*N%'?ozNY_7;A}6ޑcaP=T34SKbLqAČ":*úɓ2oWAGhmK]34uV엋9[2کrO9U/۝3w' p8€}:A4"(tE%P}_cq-i(4>,y_ ?ɡYv@-9>Pd$: r@]^Fb=Xڧ(T`&}E5v[%f\ aX\3x+r?#&z ]$ib`_Ҿ'唨R^jӄ?uC~9`x9nEv ĽG{o=gIlDmL2Mn<"0=!v7yrBu]WZ˭#HhIմ8v70y2a~%uӼ]@ ''لd)e8VbY:q#0(VWf-T"To|PA,=,o'jSuJG/ύmYDoo:7uu h)Sy[Ǿ q)8&Eh Dj(}@w;yXV3E`X G qQJGʔ\:(u'ZINxZl 8af;!(Ur'>7OPi&L RBmt="‡`UH QLzUi~jNJ$)u7VkoczlӥG, Dž$iφ1ֆyCTMs:,ߘDWV\N,r0ڤENFFi_!<حks!#*dd |?)Dϔ|Ox*y9. wm ȸS,}G< b5xӌ ICڿL+Ld#Ѐ 5,OG;:(GܚJ$j!`b[ڼN`VXxǪ.]^9 %Lv>ԫZ "*~Hwh9UD`$RLd"|0i囒cD\(tNW, |MnU@NIH3 Im^yg+Y-!ݓvvus~-A/26iDaRbD^-zP2D"lG(EÞUCY ܌LBx`T3yT3Lvyqnaļ A*D{o9Ҳ:C-qPfi2,f-S|OS.)dʌB *ye8K6t)'qw=B6=@IԱ {L'>#3+#rC/%]aD䈔#~ ~tQZEM F.;W@dhSIϰu8ѧ&S<Z$-Z96䫱g v}uaI8u90mc}Bu0;?H8A:Lo.ēgcHY2dРUCPAsHQtnAJk̐=YLC&D&Vc[3z0hT{կ4D>g}"cT91l% UaXi +_%S3~85zհV`׀'V8nu٤B`('ۅ$I/^m9<&\f^ac6h_AxL=*0&Y.ATԙ_K{5mi?*[ct#Pܥ0C֬InPz6(ˡAWY1LXs@;]qև4}@˙Vog\,B׀}5*Dv{LE:t ZtjB23(6TfZڪ6Gr8j=mh>_, t0^2?>qls~>l]yRʂorZ4)]CL#>.A&9:n` `Liy(ohJX}kSWxұ*gc*syv$V޴nA䈏4t|,?HFȧJөy6#9h5( u:\uazhM?(2Gׇ/~tR9.Q{kJcboF);K2N+tAGN0ͯ5yb,[?a-e=CG`">zϐRfՏ̮+څF0gFssq+;<24ь՚kt#z"| .IiІ2 *!G]Iَ ,_o[?xUNV؂D"9և-sF>3+ Yh=R9fwLXnUM/r;7ƚg JR'L>?A n9MRZύXIFbW) -Fչyyj!`DQb_"09d#я2*0l mV*ʟr+E0LW]GyjLZc]7t3(ƪ]P)u4ǥ8pNj2h\mNH7|OH̷J0^΃*:0MzTϤőhFD\p;lX5gw_AX.xk΄$x]dv?/.S^1^rYŭ3VpU}4F{<#CִJdrt5>rP6,PF1 3uǻaYb!ڽ#螝R#yѠ7pgsu:Y'O&+MdۃY|( JF?ڜX j))2n)Z`/B/F| #R7&K!&5Sj̷ ޴,[8 >\_ec]1hCT )M4d\<hH  #ϛe>\\ &v| E显_Cf6 C &9^'x boS\.b'pJ_^e5B/oUQ5j/SbBh d lSڸ^lS繏0xǶbM c[׋Nmom[;Rfٟލ foJ].oxM1|f}ނHy otFʧ“>B-z8H_/ R$2wch+0ZG}6:5TV$4 tz{1&C{4FXUA=)~_k T~`} AJzQq=`DYmp\vC$pUn-zNUoCx$űР= 3AAyf`gzlQq*L(%d]ί-L4@ߙCv'3X` XnGTlh81CE9qf ^QC i mH Ijv𗜵nVۿ ǢFEOɾՕ5è#[)ɩXhMzﳜKs*ܻm! ߣ q"LYm:Ӵ3Gn&y&V/_nayME$Lq=cp(dJ"qU346.N ].cgLѳĨ]۶ԑ~dE >/>QrSi~&2hlfTht x:齪V <ΤC.@GC1`A_oS _i^(BICeux&Naٹ;Ab6HM|.' R{`tPjǠź)נQ5g-[%3'd ['vɌ/VM2g?K3N=-pzSgq'k0J&ךk؀mmQS1&DC@ /p: !F3;JA#D%7ڇ"imq,~٤r+G d%lbpJS؍F'ꔍ/ πl iA*|ZYU}^[/B^P.>7:߉[JCɍEa|+`Bo5uL-0'd0T^b<Vrה'YW?{YE,x"pSaZZIWT$Gs @ȹBO{E{6/qj6=,Mv^hUg".0:Bib%4U."8:{CcA¯!TLZRVLsGVjQޜ VjQo9c2v^dT0cj)`r5/404!#kڠw}^4ǚ ygp3' z0eBa LqLT H y;/^bM)]W-^)leXc)Ē>|],ο5?!ů.M<S>:WYQbFX% dZJ \Ĵ3s\房{;Q aWb=CKb+ RXO'DG"%41GgV9ʾWTbW(=ŅXJ/m_{sA ! f}>(X:rOI|2qf%{C~!gYʜv1LN 7.JoM}1Vf;gvT7?0Z_l=Z%au&YNsGd홮~R- SM~ ٗ| Ld5DhrwA}c4rCON隼 1p@2(:bå}}fn2Rp5]M|5ߋ=9a LPIhYV$8Ig =iY?PrЬ ` q-hoa˳FG0Ik&떿U O~eH6qҁ)I>q@ \[jSRsuR\Y Ep pf?99eRʹA#:1½:.#jY:v5|Dh_2 /H]#I&gz(2=]Z tK>i3 Kx̷&+ ʪ*+703 {DB4;?oSd1R;].KU-ƈaV~KSL})U~oZ#!,u@BQU&U%|=BEUy}3UCCK14"+yQ9.QgI&!_`"zkO؊Ԫ.}bھًlHjO"Y}J{G]}m}瓂Rs48a5>H/>?-N}Mj{T*QB$Gؾ{,-?"eҗ֝Rr{8EAnwhplV4elnRD3 \[c3x: oծ۱$>qFɌxB.v ֓Zp[OOnjwZs!b%[0iq'31}CҋPmVyݽLh̃n6Y&DOVx$#jJWuNȔR±=&Q},7zZZ$6%.0xh!1|"JLBJ|zf W$d/~oa H˚XWˢw"“<QM2s-ǎpT .^֋Sp Tlv:R=>BElnD8c=?oL | O>Y+-Bf7:`N잆) $ G]K[9S;Gןx/Zc_vgL(ė2%J\wt;jA?HZtʿc [4R-;'X_-ƅ̊LC^ITc]TRk O9E2cs s.nu DI!(-T11 '?CЫ2` Crrr5MauNU|ZX6"3x@qLp39&w*yP ,<ko(a^hv%> 7/-'|M fYe™+/V"F\IhԦYΨUIkWŚӉ})bI\U4U?TS")W{fv9:IN@kL89'Ri$!h^TtM<ޒǥ]5~P.dTnr!QY ҩT=‰i=N'X% Y"urʆk7PH8F}iK}:wk/'XuCO 콞љ O2K/v3ïfnrQobKګo?Ý^.`|B9z.LHD~.F82@?S[LJSXB,d~yJ"֦H>.ML4(;Iχi\oDT}X;բ_m&}"1YOݴx`:" L{i>.o5bY p1m%/!?Iz)k!PO'%o0[Yb.1ߨ{<CCk# *756 /~xʍ^wZd}ڪ(%s#pOp ݞ_7)oUQ=^,:21d`H)&aJ&!"f+̱/+Cy7e4}/\tVT>Е(Rԣi/%S8}=jMW}ܡ.ws\n6zzUH,MQHh6N=D/ɐ;bsٮ_)Af|o@iJdttߨZ]4GĢcyU+UU0GZio &!%F=X($_L>{<5wU!Af?Ԃ/p'Akۋ 3˂:('ǶJ x\Ǻ#PЩN+s_ `;XqMp%hB곷~zRBAaUUa7u^g+h:\sig91gK2r@W7; qQ!ytFz X ^a!E_?;-P-G7e8~i@/G{W]*ʤS:c7K* r=!pE ^X×u~"aT vϝALGMusy0@j`yfo!8"# *)+ m!ML-DE1͏mZ[ҹ[&!3=N+}49E/, M^|g7FI7ȕl: &+3Pu3ϧKO뼫l4han?_ZUdy J7F.i(Jgu 16‰äJ!snZ~ A' qXZ ~M)E Zq L#v2A4{9QN~hʃGG9_k5-5DI$d8e,D&sQL}r(RNRzV5 g[M٤"9)Qy#:y Nw92S-Ipu`c57 -\嘕WyX~3~+.U?/hfѴΫ&|q3C|QӶN7Md=ȬdWQCJe0Q{#IAp`9Qy!V,>@]M ie1ŸyRȃ ÑfeTC7g!Q5)1~dXGU6?0.U{5KcĥY&D{Kmq ES>/\hrꔒDE6R: fwQ㜺7e zk<~wh4,ZIS UehYk=)NgESw9_EoeV6zn&.x ެ(C|lVTA? e)y 'e1q|ly5fQ]m-[k2ăb}' 8֋F ψfyO݈|(EI|0 ɫs8Cfݭk\^ȢIg[Hi0C;?o=56ӶڶP^(ﭑ*m3\2Ҵ/`>J$2Iia䖴ח\L.o$:8|<-fBdF56ʧz~Я$Sc~$1G6 ,׬oY/wR+|< 0QS;BKLxf_P!\xl Mo[MRz8܀gig? (I&i爵$ ׃vmXI$~D#iK3+(ou{T:4RC$o9}6dm 0Wٵn 1I7w˾ p( SR7dK]av$ҳPܥ9pSv&hJ;M'sP%d`zov=ߗfRG5iD9%j/'R a~XA,@:ΛӪH!0dR6AVʏ{N!/Q Q 9>221 [Ux_u'Zo7C%-Bsφ2q`쨴Uka=v? 3x{ l_Pͥ4Q(%}qNs1=Pp\m*6,ŭW_b:GI 8'"b(`dp? Xnp-4o*¿_82W![ 0X9Ӈ'&hl3jxo4T@) V~8` `j@Osc ްbQcZgGv̾kmvMMOB\ 'z kR*ւ@Eb+-5I+T4F[rpl.`1f.Tx-z\D|% py9>}0 H 5,\ŋ}vH,Qz6R#iƨy8 ~7TZ$F}w{YC9+bv4IUOUՁvM^6=(8t~W8 Kӧ^֊+J&ٓMpϬE/pr *)'&)gm'XY;o@% sz.MkeQW2tsy_Ha՚47x iCaз!vOAn@|RAm_bc V%Ԁ` %)?2 6㟠C'Zدn} }JA^AU\%e1P8Wq8'o0 7J=:2ms*XN4nWf$GV NI'ۺ) ;2*եLX[\B= q$I{+X@ՂvvC3V ')A@óI?oGo^YYdf〚qP3[* _p+̲#gsVzSwJW|A nöֿ{<S0e]}S.# a2r/3 f1baW,nJ$pY/<Nkvo+j<1*YvI4zvoaf('zlmu 6knQU'VPw[[2(Uv)f7.w!n!%8[OjE!mC;Q 6iH2!t1V\5[>PϮ:C$tX@)C-&?5=-*ܢ+Ck2 *h}5vA_5pRB?EZ{ژ'|Bb0Ù_7ګkF}3V2\ p h 0ds.i&W*:x\yMOWt<]7h&0`>,ÅL:2'a(T"/ypT9LDgCzts +CQIGaް]Ⱙ]r+nG8-Z[G,Te;bD~_6 e5%%%986cEBceCc:v{y"/LbG@5B'IE}7Gpocj5 gá吮{Oh!`$uhmkS]|?ʶe V!EEF {nZZVA,?G4@rdnDqm3첻28@*kiIc4D>Zp:jgne[+G(c9uIaMD.<7&%o铃}e9]tbRoQ dzT -||LcF_0& ܇: 4-hT6*HyQΛE ,`1\`d\6+0ދWx9@ 2 9 9bl@0Xe<4KaJc9V +AZD+B _J9_R `nMq v YEK}oڮ(Ĺ9r,L# ֥/,êaOB~:XL{k B+"]G${ǫ09JH0P<ݏj=6uf5Uqz/Q;#, `W fkSZo<'5NT"o5K71ִ?Owů_9%+he Җ}ŲL<>iO SFVGrO#{Оj oXvdh`@ qHO;£F=B}Fnt\GloZI,9$Sy$#xodK_p;/?єd.eY5  9·"Ǜ1#B[f[TDv-%cdPiǁtEsMP0o`zMnĀ&J!oAWF? )]HJIY,hX"iU4o=rz:,Z,i"} OP'+C5m wbRr{bK9YX&P ۚVo/XB>t_oq`,8۾ذMe=oEWRWGo [SIFJ[QNUp3,A1hrw ȷf'䚺2Gs*t־VW  J;4C+".L+O~<1uml+*Š 4tO8Q2pM kagJ\ Opm+~թZIsg[!ά1u4o/XWׯExF '3K:*9 _.ڱ "kG' }fjg:Q\M߾I:yA<^s\U\qsdBTX1AU ';r=Ҟ4ؕ{ 9 lW6ZNl;`.'4&OJ+Г BГjb(ՃB *d>jѢS-ũc終]"-0 "[p# k=MG}H2>jЌgX͕ZB MBv:K4u$NĤ bVn^cZ8+dmX/qXЌ`ǥvkJ%R9vV+j14EY[: K/0QqQsߎG^[H 0NRW |!dPrh>AFtW'{޲7 ZN/Q'$3K| =_$Re;[-Dy V#+@G[]]\Gn^r.tJ0 POrQ)Uz9;޴4[hND~ʟ3H(sBb)7^AZbTxv2!85'"1G;|hbh!(h+܏SI[qdzSܕnb@ԎxX۰ݚ.{QmG))J DM~ b`1 2 "OX#C.VԖYgK)PĂ N=o6,;GfY1r pv`U4da$JfGCK[pg| V>>:+-^OInuKpmBr-b|` "Wl/0+)xuAp~!#'C 9wZCsI>Va^mdea&{:;ǠCoBi'PE*[x:ҠnҦW\/4`wΖ(KsviV1*H:$*E lozޅIg8Ѧ>@PN1Pif\3 "oBXzMn wɡ'h"jؕ/"pBj£3xMG^\4H?{ AxfJӏ1UIV< ;CfB*Y:  3e?` qSTBP#R%PR V#tf>wy<&,B|DqC$^Ix l~;i;~"xRlKO!S?,+x2d3 NPӸ*8Tל_1G & X?SAK(rPBkFjE'6I H-a1P*y=M Ygbn+JwKAke]'MGep3ِ:o«ݼ-tK7Z"A}cvbT[hZ3I_F i&qW[sk{*c*XsޗtOTmI)AfS8^6 4LRW[X=*l;|2$A/ G{wwK J?xN%D,53|߁JA Ve0^#Flކ6i)wC ѫY|ezTy$ x1C$eZJTA渾( K؎®0ofJwn&!x-ٖB@>^ sc9h:rB gHH_t2_A>CIf?hG#o5ΧW/nJz\?"^!eoʻ\n3sȷMuGm.wM | zvP=h8YNǵWOevI'bd+,VK⥪Z%ʽnad~q'[fAj=FPƢ"xW!"]7w3n8Fal I/OT~ҿc(3'=F0l:8loF EW?" ,jʒ^A0Y%R?jQ'oN/w;&["MfbR^j=TggKjߓww%8GL4Q[ܝ)sUX3:Iag̼UqԵ4Cb8}$NbJǗ\*EeWXEιO,`|y&3LN`RcjkRSIJ5@co0c۶vN Wr&2V.D'ױ3fnbh=SNeߦh ₰G=|6RkldOCsgm&W3BU1>$Ɣyӣ<$Sx9Lt860iR~ExBy֛Bdc8o@A^ܙL =zpl;:3FO]'.SB3؄VӠNFU~<]Lram""jxԻrQY]|% z B w%[9[Mě/×U;?#V'Eg֨EQKF %!h=JRRJV$c%pG0]]l*J<ĹDU G}(W=DbmSnhြ L &qV'=[ӕm"⸢ieF?`v~;B?\-"ٗ~SFjyIBG;&iso> k 4ɴ,h -豦5o[9aSmkB֗* ١f].D Kv$%pe!=x+T `Ah[Wt+3RcKBGUXW{OС; 19*6~@Hҿ~qNo->2=NB8GjiJ B]2w5f$/(`gK6ʹ zWKg;y$CCsIRqELwyaƼȂ` 0LP,YvmCV[\=b4uIWfkF ;QI\^J~)W\* Hզ|~ iz`os_9:|>h(n!0:O.l'j3ZE4[{w K<"r=MkZ8wJ5*`dž9 a±!Nx)>|usp^0r}ҔHw ]fVr,vWb /$E Gl̩8v્_*u]_JN% N5pT0++ژ({mCQMNsk?uudMZ`F(lUp 7l]GTE* C@VA'ф/mXφӸ:HSyvp+3a Y $`~+Y8zN=tu\UQysL!0dMJP;S`'6ʂStS59AݏmZHbDm8JDv gsbwl+浄l+J}|_:$y>6Pw@Cqesv2V4t='sID*$oh>r7ԙKmZ#GS2ӄ_g䍍rl0F7M>3=}h!=*y~; QX$ N:RMw8C7F*x-˹9WhoI=ib7 Qe\]Uտ`sdCv? 3ICh}]_ES8KnHށx~Ȅ19g3ts'k ꄀt:QGl+?]߂.voxaIL%dދfduWc_bĵ݄X)yj)6\nd\5nq>Zd'JWSyw*qn?t1YhA->Od {qӀ-P62߅~ 1pUxgᵂ(_ZP{O U5ti6T#fde~@OqZ!lF̻߻ɫmfg#t4(nv4h8|~ up_E'~G?dS5gϠ&%$nə:leݼu7ݲ5E3LH8Wg4@Mn6bW w>g^}'D=~Hnniִ~bEou(k#{3 PkF=f$^nrb'I$LrBpno:l߅3DӤS5{n` 幗{ pG{J־~ׅ^먆OΠcMj2}p -AӈQԨѰtb $ZAi}DUu  ^Wu`טRI^DTطc]J\moԶu܍ nDB/ 9ԃܛ }t8bz)25]ICi}1=h?yY@~qe\2w&suQwQxRg_/(:c(9ε#g"Aԟw^Y=҄M-mPfKH-C1\J|o"J_8Kje:DoL9N7Pcո[l?Vg|8H͟CV6+Nh8¤=M5=@{ T1lAyn4{0=i+wj;j ;Y)DDM'C?U^b-vئlH>.}|p»֦ j{CzsXP_IEX_pci3{PՂZOaO𵤑CP(:jQX_$!%(3HW [otM Qa-ݛ<\ ˎjѾ$Yz#LTL4MK;,sDWy[m1F,Yr/PvLIqMf3l[ J-5+a .ؘCTHQ$N9+"d1,53Ǩ7onؼKO~, utJ1* "[R[{xښ4tKȟwQ{2Ih˱qfԦU\{v:SS/ }K/iG(#<&>̼:`dOݘ ğ@M` yzw$i&/8|oR\AzBk00VE79*S˻vx5y 5QhoEQUuHzyp|Z١:ȢfDZs4^>6v2K +7$; $ڔR:Hsţ^+c,fQ lJKf|  ؝8/DIs\ J~ʾZ( f3Af'ݯ&3wF-M8wWڸ>1b=}NRu;ڔZ"REc^ď, ”+YFYJxc,w4Ja WҦ $?=)av0:nacekxkmTvnjufm܏~ĭFf+D0!T9Pۗ ۲Gd3*Sf-2&ebI9 6SaWi!H]XTS..ՓM.uveip(mCVb*aL!9ɹ8K|i'Z,ᖅEL1بרjE|?e^d )hnDϩ}r*~-]H5h"m{#H)DѼ%h?Ox9CTF\\ߠX6y/'c;AӦ嗦xYl䨄] mj*xi=Nl$WRjv*S@bJӦ I|R)4|GnKHe:N h] yq$#tt4~2zswW}8#곍USkGl9Y@ r^u׆&ӨI1(֘p@CsXQ~|FD'2#̇2 xLQHLռ:P}[z*[3> 0/u<}D}@+n̬ 5h:`Wj;8V{.&k RRI>*U|zDZB[=;%~ώ=#,\5Wqb誑Ɓ(殷J,- v!DjOeLnKi2I=SըpV TiTFv Z\eP_S1FKq+ 9J[)»ڄLހXR.ǢMiZB5BlgSE.V$տ?hv|[nCZ=Nl,S#JA"]K} c;?=O`&@D N˧#H)MٕmTU_) 09A Wꅴ9"7z$$b8̡[~LN휻>9c|lD.7IO!Rp8tɃ.D\Vwz9%7O oxdCdXsg(}moT?@)FIL7Wʿ>.} Aђ$}x2 <0Qǔ+뛸w(Z ?z~F|0H7a97vp>_ O=[v=RG'y#?xGu. ƴ=C[ qϚb~k'ջ"ϡFb5">l]K# `Kpx(֪݊E$ :zެU-I}}s,-jwʌ(ft!~p(`КtB)N(?P񬥆(|lvdn@Yp@aoO<~7*& gk-(d>^Ò늮WSmӟtӛ<1'U_]afl% I$4Nxemp/}Cw'2)aV|:9qW?EԝɀIxjELi5gqHOj|e!n@ȁԞ{׍J-iu<_4=$7.7hޑ}Zg($ibB>_̖=9<啥O*lY"Ǩ"ҩ̔ E jGoL2U7~zNRM@a2IcUC~Bm7c﫨K*6jh9=h\=]flf` ^y=øo[vpI6/ fQ1K狫e^ eԒzJ䛢ZHU$yjf4P 2clL\wB(wX6k{I)ڟVp>SaX(ӓ)3҇a6:hkEN=yȔK,ZM47ylHy7 ۓrl'`h̎ c@UuGvk;;ĉ*.(T4 M9_Φ9(,I\ܐ)_Ia A\u0U@@opi?\Ox#KDLլD]~9{{ U+t:1zq$J?1pQJb8]P@v;8NP_0;#"Y3=ѵ^i=O^Pp)"g(>F}mAT:,2i), FJʓN{w0aC 2’ dVvn$e"w*z偭g #-nq?5$$#GYK&W\Ou)18ZYuٽjL|K F#~ +I^^V0kBڢ.a2@Y7.g(XsdwYX>%zUM/Rsc/@/Fhp%XGҍ=Up3ɺ*7x ?\y75nX۪烁$3] 9֐R;¼/K7>ě$l ,6MֆYzlG_P_7Lv *gVl +7Kߥck,Hs&.&<=v!&I܃~[O%FZmkA`$ʿ \7O0R1;N˓%bn7Oxb~'6OTIk]` nSg~Xk17okO][9uh3?7 55~gd4a$@xMڈ( ` t*M0XFx;-S0k6YXnv}kY׆(JWdy!Rdf̈i+ h;ؚ re̢{P[c\:3zyz@柫giI7> 5 Mȏ~C.V,#eD7tFۍ#7?TT?oF `a%|ĕ519[K(]hd75/Wl^NL2x:PS)ч`(+Q D<1 Ap95KEpa1c$5WFBFS3a8uKcճ];xKhr<,J 0 W=]nhѩSs\ nzGSň}I;`q`ƈ=ZF2P->RE&wΥA@^ M8[70k~y/%ṠP CԮF!I#*Nw)Kʵ4ch84] LFv   < |yeF3m!lg$9I6[+AV.lFf n CgiX+:iV }8D݈A< ]]_M$o\E 7M[\GdU^DyNOyBc f575}-IQ.>:CeW7~Vpy\ 9%@Z1*G51Ԕ䱐3I{v Cw Mg}oRUI<qO9[!5>MGEX(\jt(׿f8{c:}PX?D}_iXrv II֗ ,LO!A$@ew JQK=.Wwc.Pn[Lt|z)} ;=b-)F~ݫjWr wī(Oo'9_Ȋ+Py{]qF#vXBP';ʘZY I lۑgDiۿE]khw\wr2Zq1MA-x2[L5k]1bӁٴs1#U D4ʚ`n5F:u>9bTT>cAIO7g0>5qx㾥C,oyi%{Cep2aë?RCX)s{nʿgF[3I&AB?ۢPZhsC4/rB?P+8<"zcHYB rX|b*N [Qh̀pd 0R52g0pT97^o'b!O.NP-^v[ eP},GjW1Q>vRJvy@ 5ude`;4xlk$75Jqܘ"hU o B=ܨvٖjt y}LSCӯXF$^%&"WX*Sr(*( ) $pP~$;łXbi8s $ G)5jn@\X1̢Xo q}0sj?w-R|վ@fXnKwNk=>>A?,pԭ\^kIhq}]UC\s~{^̄}+\RXVEψoYş+Ľ6 Boȥ"4ʤiߊ4N&UH]=s}R,ٮȃ'iIP1L:N 9rp |UOlFUAՏkg"ȴs ӓ=@&&U}D"$‰P!On.bM4$մ}LV0YY+'u~F=xjᷟYxDž.)d`­QEo2G鴩"o|Tu C2.ag7*cH7Z. ҌzۘP[2.l`(DU wM7ˡ-݃0/dc8Z,=闀 C4qH90DBZD6` Nl9CEp/.ZdHzpRNm},d .c^r&qu7 Qϲ>fY2Ё["^`^%8X#-2Y_e0-l2YF5baJNWlm_5-W3WshTZ. lu(`yq5 y[_D(l&w3 z!**&cNFlAc + l/FnoWX@U٫FB9s;Z $9 rJ/<m}hvM踓 Dyhb"]L=Fg+cD iPNu/CmOj:Dp8__ ʫfNrt8F* n׈[V[! P}H8I$eԱ@vuD z`2c3zGVXjotoi) j=oR~edd-|D_zaﶴއ@l_gR弣@A+m&TmUoLṠHТjrf^7ZD"st|\8b(4چ͘l^~Sn9tt#r}6a~P\:ssPy,P)GR=YkU^}E$SY(݇YN')&#? e)2493$RׇE ̣gȥ`2X28Bk`8\1Q<̅PYu`Ry"0G$|mun<+, | P16mYpщ}[cC-ņsEGɗE\cFλ%80͐ +:yn)w$.9Ŷo\uIы6HnR$@bBqgm$g8CE8']S^'㐀=`&]z~TUf ܤ,kllg Ȳc9G ̀ tsOp8*t&0w-f5ؼfuA,0 v%m-,r1/6'y{͛S]zM $ *%ȹtnnb 摙eJx>@Y]g 0a7Vqέ8l[=X,F%^ɥTઆlb"¨䆻}U 7hC^#?AvDD͡Mޣk,zz@v_Ϳ|| ݾi1LW>\ WpZ;8AZy5λ<h&ցƣ'd*f|5){@hM@X}+n^?߂APtzR2e/B[WƢ_Xb*qutB\{޼0n{KX+z,K/