samba-dsdb-modules-4.15.13+git.663.9c654e06cdb-150400.3.28.1 >  A dVp9|I5@Ka& |h+6CuG7wo+?_%s^?XvAnYϏzu빵Lx>dw/*poI*(AϷ_Rԁ6#`2XepUe\neܲ4LqeO-m]}9N#eP;*wA7ivR |IiSS=qPimb6(EγÑIր81a57614b593c8c40c056932d2a8cf7137510657591b0740eb815bb73403cc45e4050d6f03baca1e2da7ad3e45d188169d52871fdVp9|m`ީJXJ@tD&~.:̥8h~ h *PQN(r`9ϴ.CtC-PU2*V>x:Gգ+;@)viBk7jSg$Kp d{gKwo%6wY/!uMD)KlJB]@hNm>*h YfԂ_Ϙjf314b E.^p[9[&#8bZ7IZCTN`f2x>pA?d1 ? Q  !?V\d-- - 4- - U- -8--4-xx)x(*~8* 9. :@ >W@WFWGX-HX-IYx-XYYY\Z-]Z-^]yb]c^8d^e^f^l^u^-v_-wy8-xy-yzzTdhnCsamba-dsdb-modules4.15.13+git.663.9c654e06cdb150400.3.28.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.dSibs-centriq-32eSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigx Hp HdS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS6dS7dS7dS7b115dd5a6cb454ce546aa2b5ead675ed248854f4e192014057961e0314317a19e92d336459ab12525a591b6b9bdc1533aabcaadeb54edcfefd1fb677545318f0a50720ba18f9e3bcaf78a2e6882dbfd52135a76e370ca96d2f3f3db844ccbc467a70936a1fc81b1dcba7cd237122fa2a314430ca019ee2ffcef1dbc94ede880b991ab2d89b9543be36fd82f404361429e07835b0b1be592fe487f746fda4988c0d22db4c46b1d2c334a6120b041feb4cec8c0697b3559de5f15241797fbf53c17a547d83989c0e8f85425006fc8d5277becdd2053ebb8172a5005f404dfd538cbd1f361ea9bd7e5e7772b69e5466cddc78e748a4dd55368b54eff566c82824b1b8fb8b08aa493557e8fd835246d73c0d7e4b3bdbf165e874d531820416da50833ee7f6efd3b0797e3c21a204696fc3f27afbfa2475542f927e066d843dc3c263b2fe483a4393c131d6b8fee817b31706a98d3944b0b0b3a854dd0fd923895ee31a4da49208729495a0834812c0339e424813898c0e88aa7fb047c339ca3ceed69f796a9b148bfc938e4dbefef0a0c9b0d6f2897827789e9e0bc2527c0d3612fbfcc0db0ce07502799afeb95cf83478409825d084fec54b9a99b2ada06a5ae3ac7ed2b7dfced9ba11c1b9bb31f33f
50fa7a5361277c0173783608197eb018073eb02582ff000fdcb1bc840ae3c10943f9dd6b12e9c7ed34bd226282aaf4657be42472e25cee5ff5bdf44c17b481af8d2fdf6872ae3bb98bac93952882debb0b8a5f06ff9bb60e90d15c636b18d817df0497da3c9e629e0b6019c6ba03eae53f0990a090e4859ad571ca96ace51944029de2937e05bdc421a72ca19bc7194d0171469c8b5d17a70cade9069c6ac55501ddc0285e09f4b5265a54149a96019e44e6a93da5e31f198ce588908817985f992b3f9edf01a8244ee46db826b72c92aa67f347da76479c6dfb510c47807f0b1d8ed7171f323c54c235108ac782d853b975fadc6e3129946188ff6325b16204ba2284500e70bc73dc3fab431a163803ec6d669a32ed7cf1f671f1ff6c3d4751630bb3f8eaa0e2365dc44a6b47b75959c598cad34e0bd21bbecfe760e7e15e0e39f83fb4d9f4d7f72db579d35049bc95ffb21754efe20c020f747234c4072169524d87bd1056181c447603a9a66611462aac7c653a9c299dae592441640d65dbee12fafc6484f1fa60c728d27517253a1a9a9b2f0bfda5a734b9cdc7f7a33f94bd6097b9ebe7033ebca310d8067bf55b50453a5a6148a58320a86b65c051c586e3ff5c2dfc4a43d0cc788142fd1d539f90ef0d1816f0e3d63c0cb5011970255f457aa3ea4d6fdcc7bc85b69f4525b62886660eeaf16b9cc8dc68b264d2ad73bbea66755773e03a065fddd5b64e45f222cc19d7de6ee904f0da2a7b3dd3dec0a9f2d2d47b79bbe938d60dda64bbed4c6fb7fc22b65c0d3767bceaf58ac42afdeebe7bc3506bb227ca87625ada2b4464ce2cd36cc61a3bd94d22b0fa0792ccc3c71a7539ed3feff5a724a88c7892db9eb4c8467a6d0c1391cff9405494714a2b05e3e1914d2509773f7292a3e40888a5b9fa78e93e40306f621517a0c8c09cb433c37df4ceba549b7987ff547498b5d8b56888398dfb7bd4ce55d12d75bc7c6b11908001068083fe7331d46e7aa759a6e4e009beb744c2661a08b2fc42a2edbe5cba122f8e65122d001893d1f45405174e7daef3893774137a82280a61a154429bac7de2b5ba3d3d547f2035aa249d052d236d822d128eb9baf6773303860d4ad370c92117a7f2d2ce76d140b3f19c1233331f81cd606e4af7476fd54a910d9c1b485d4d94bbd4167506d55a02aa2ca1b4c0f93377f41cb8b46323c5eab178d3992acd632f0daea37202aa0efe65005d9873c7345032d0472cdfd3b7c53d4c822ed8f9f1ae6c981e6f80e23a68ec29b2e4fefb49bcbaed996a1c1d7307ac9a9fa6a013afb001e34d8fdef35c41ae8ae8c73b8b7bfa37fce11415ff22a17af6e5aee4fdd58e8fcf4b0a7e3570d2f49e43e1a246rootrootrootrootrootrootrootrootrootrootroot
rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.663.9c654e06cdb-150400.3.28.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH
64)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.0)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb.so.2(LDB_2.4.5)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CRED
ENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.663.9C654E06CDB150400.3.28.1_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.43.0.4-14.6.0-14.0-15.2-14.15.13+git.663.9c654e06cdb4.14.3d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@banopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.c
omscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.coms
cabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@sus
e.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are 
additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). 
* CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). 
- CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't 
reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * 
pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. 
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; 
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() 
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles; (bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore share paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as Windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 DFS redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands; (bso#12836). + Use-after-free can crash libsmbclient code; (bso#12927). + Server exit with active AIO can crash; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify response; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigibs-centriq-3 1689670569  !"#$%&'()*+,-4.15.13+git.663.9c654e06cdb-150400.3.28.14.15.13+git.663.9c654e06cdb-150400.3.28.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:29824/SUSE_SLE-15-SP4_Update/a9db2263b02f371b06d10263f4402190-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bca670744cf5816ee5c49f787620c36f9fd2053f, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c4966914f8a4c3c51d575a01cc9f5c1e3e00d998, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7e9b676c051119b96613cc2acce7e84a512e8a2c, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3528511230db9ed9a259d635b6f3ec100e646f4b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e1926d9d04f3715eec11053a21985e9bb9217012, strippedELF 64-bit LSB shared object, ARM 
aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5ab0e6fa9670b1684847b0421230496e40e2a3d4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=cf340858b6db2fe7af14803ba97de7e81fa7be5d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=57cae1363f16cf95c08ddd2c4c48e68f92d4797d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=691f8336c0b2f08a65b1caa63df25b7dbf3c6925, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=643faab611b632c3a8a09b5d0deb538fcb3ad64d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bf31bde1371486d0b48d124aeb55fdf44a660473, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ad3cd66a8b69a93acd4f7649ab291cc1661a1f3d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6ce6d2f6676bd6e01af5161ea59fe5ff4472142a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6c6e98c2eccdd52a0b40a50a922f6b01de4b482d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c865293889a3c1adda754cbfc51f03cd80149c4e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6679b16c0e3a76ea158fdee21b4428b6614ff633, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5075d0b10606eb6070c332b475f6c64dac6bb5a7, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ad64c2e621867443f988fd3d44b71311909bdbe, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a7d6012a2b6e9ff67210befb0f56314873fe09ef, strippedELF 
64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=457bd3af21eef90fdc965be1d1ac33d9380564b0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bac563f45aff91a505f9a620725093d344fc68c9, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9af5cf0a4c4f6ccde2130a617786b1b1e5ea5920, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c09f86258e4235cdc4868eee073ea7a50308d0fa, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d2870b226869819af23a8fe9cbf407cc3edfd480, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=33b87863a4fa0ef0d4c4f83405c1bc8c12b7cf77, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d7f07ee279696a1fcc3202dc2c0f2deff10f5950, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0b7c6d3a9f87136c52387c57e813280762df3a47, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3103f7b2413f78f4c74fdfe278804f55399670c3, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2a27fb4db0f8eeccd0e7dde87c06b22f1579029e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=db6271e7e75165f47f5fa9840754a69151a0f73f, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ab51ad6c891762ab2f848c3654d9ce1ea2eb55cc, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b1c4ee47711fc7ba6ad5e9a812ae1b6209f47f3e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, 
BuildID[sha1]=1142dadf4ea961b39c92e7aa6b082f32554f1e2c, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c19fc2cf8ff8611506e5072c1aee5e100f434947, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ffc1e231602d33ed22856ae568a3735158001132, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c928b70e3d1e55b579b3cbc350125f678909f2fd, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c67532dceb219559fd6c9dcfada33f545e4e7501, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5d4bb555499674da6fc3c31005cc640f7cac0ce5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=531d527e47b6f15d447bb73660c341dff1784781, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=77cf44797ca65b05f03fce8b5ea330f341133d15, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=982e38324beb762276a867da45a54caae6c33646, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1e658e545dab7f796a5926c906371ae186a66e71, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2b7e54bda127db22b66b42e2200dad5970a64026, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0c87590599d9a53649517ff3bdce773c6b019191, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=181aa3a708fcb9a05e76f6ecfa2b8df2ff802acf, stripped:Hfw,GR[t1;dq):GR]p   9 ) . 
#  R]RWR RSR_RR R+RgRFR@R)R/R-RRR\R*RER^RRRR?RVR(RfR,R RR"R@R_RFRWR]RSRRYR RRgR0R/R=R-RRXRER^R?RVR\RRR!RfR,R RRgR@RR]R R6R-R/R\R?RfR,R RR[RR]RWRYRRFRGR RSRURRgRR/R-RRZRRR\RERXRRTRVRRfR,R RRiRWRRgRkRSR/R-R RVRRRhRjRfR,R RR@R]RRSRgR RGRFRR_RYR.R4R̼utf-89c8cd6142abd383cde236d85600f20d1758e60663ad17bbcd5271f34463c9626?7zXZ !t/D#] crv9w+#fjF:i_L?AX0e9@bM N t #J,,_K`@g_w%L[5Sb{CKE.mƭ( K~a?t4_i|P8GA}۹LB3/wB_r?j mZgdذh,[TB5nIz̨6Tr?O쀴nb 2b|e$^5^*%zxq{hw ~/g,^.jOg;}t. rCpQ+x3/؁O~M_@>v. "blIhLTD":Actwܴ^)Qė"{r#'|1PjViR4L>78m2|AX8tN_p.e^^n Jݙh_.+`m=~NW(\J c|S'ߥ$^Yq+ᕙY4ؓ ) /gϑQmD®}! ǭAN_o@z搦T6޺(_2|Fȴ[oE/pgE73LqN /zZ"kJ\Fu5{cتV<;q.W%>R|lʱ~En|K|w Y6jrc&ut]ZC|B2n 0a=3#"rwnc|gU15Z'_Qy = KX kEzk2 ~Pj?L rF/;wyP _ C K1Zµ+p|^6mc&xÚqjTh+ԬP#MS6'W>cCL><ۋ("K!72!Cl=I.zfӜgTy^D,94ԆfrZ h>4SZ/P--X?0Iˎlr+q Jk_K$ӒeAI6|C=-hو/ˆ3o _Y)+<.Y3jv\.)!ukO8d^2OdB죥CYAsxOj[Eɨ].6.@36q-@$9D^if&.¢'gubwP,-UK-^GeM)O<P PhJY T7Qvjʑz[q&iÜ hML kvGVd vo<gX>V)hըg$U,dޏr%0x뢬39J"8èXS}7t 7_kj*rQ(PBHv+c4 ?(^Wa6lgah6jj%<(;e*f/$49DvWLYbseNKn5 s2z?[ zȸk3Z`zBoVԪiBm?YLE('cA@g3qȗv{MscL&3VOLRE ֟O7Nw#ۏLd٘97+gl%Hшxs?O'"Rݮ?|ap%F|=ڑ.;|Z"뮺֥M+QߧjQj7>w^GdN^ vk DS;QF2ĬZ2v{nVE4[n1Zj2+>`5˾WဿH:їBlp/B'0G@RtFKԊx oe/kiwWLg&K!IJذ0Mx,jq۵Ru|Xʖ,qhtȻkYG TQ_,[MT(g1gnXcOJ!A(7.=$heUrרZ?9cqK8iAJy" y39 ~뛀7@3F02*␌U=gWG 0)@K$ۻWjol9;7g` 5_س+F@mˏpwV WeXATnAT`˄`slm5\S~E^leDs$i4/Icvi/gnG׿z5v=T:v"3m 1{dbі08 of VuNwrN(꺩 1 3O|q ;_z'>9GRW $g{ 95Vi"( -rxɜSD|Z o`!IW%JmA'nT=i+ )) cJOxF򖹋:W.GpK 1 ^+wItڲr+`'y:_lNu&}JwGURwdbhy?sXw-&DjpizRPFrnE~G#Bmfe^nx@sWBO˝odxuL+âC{X RUXFAqwa/)j08p+9bu[7Mc!'g2H% Wx }40b!FTbr 4swX$;fm1x4/++~:MtmL[/*;2!Gj"},5dmyO&,}p@DE-:hW8T|(N||c-kVܒ4ƭᩐ8zM 8esRI?($z> 7d2\t8BhR/4vd U6G z>ӂ5j7xZ>ALagʍVxIߩ5WvMo&pH{nŘ{\$Y4ըJ ~l܀v\_RǛ^E 6ʿP 6_Р ӽZ̘ΐ@gd)-!;4 ߰Oj&"uzjYUٿt,punCԕ5ll9NoSiL.MKmb$|hP@2gjw/`/P`Z;Ɯɫf!!h #9po=5L tLƈRBVHCR_PlD ~$8xӮkW@>&5\ {e\M#Ƭ[˦h7Qn.3Ḱ/%,Oq)J:[__ϞP?'֠ħ f_'`m&V$s^4-B!DJf_A89^h.LG43ArvӡH0Kr͚hXr%o{VB/L *@ s]v6X e _a1a? 
w^\=SUF?g VE-|7,~#Tt22>XPcuFQuNxna#pҩ^;>2Ef{^XZWSNNj&{ U&]৹u(Wt19bys<&"Q[8@HXo(o@X8IcO?znLB`{=~28da'u C͈^[.[ehVha- 쟌K;ZL`1z[ݕ$B.N1,7S6n#xtYL!9wNZAӼ-xjg"SMue`c HcNƩ)ױri%Ѐ<'O_kBrC{fX=^" 'z`ք/"m hMBIJ$9ἈK =C _VHii,bn%0:/s tURNnlĵ:"qbf]5쾌n6SFBm[WYOLݺwДҞ$oL`gl8ò-bCBS!:@O\I1B]Ϋ|C4YVڸ}#6fQ(!{ ?J6 nV,(C:lp_gc a}Q 쬖UTmƺ,\X8f>7z*5 ׮ 1Noᆎ.G_6jxAqC!oCQl'̆!NZ(YĀMK襶E?8`s7y0Lf EvE"- };Ll>~T.t EA( O ^W2R̘">m>AMfg".sze+14y)8Q@é)\_?ڔ|ŸЈ)tx K'n!T7wB^]ud(xDV! ~G_6u.g*-^ ozwr>M;I>TDo6kK{c~{ތf)FkE~TD$nm+‘2[ꢠΚ&嶁;H ias n/y_AxQ _ (g٩/K|!-e@\n#u N-fd+NJE麹{wn8Pיf #zһ",B]sDc)3-~iS/~s`*f dGHY ݅"pFph >D%yK~w (u6(o .T&JPG& ?%,(Mvُ>লJgf+שu3+-D6$7Č r1U]q2W@Ac)f|y$:nmNɣ)0ufHeR䞯Jy`ԓC >]TmPrwXѱGPrF%6/Rq%[LQ,?5v^&~i`AZzt"87UN{7 {4 V*"Ehm6UaGxFrJh#MזTEPHW? ":phi]_+gjg>К+1WyOxE-ٙj׵R}jZtҎӧ*8pvf $qU]7:֎bR ҡ:\rn'URVy6NtfRk_0b5^Y,3`$j-] ctyzH QkV4:nT@"҈|wFȎA!Mtׇ7j0^1* t_j&(bFXJ6X |e+0ʵL>s"Ļ:(@X㊎ǴMu(9O eA tDlw%o>Y|VeQ{H8BsXj* : J6 ѫz8odnXfm%jQw_^R\:ssv/!a@ PPl}6,+b#B{U 3 7IͲ*573̰A, pG:'mv{ 5r%7GvI"ӹÑY|'3YL9Dg ڼAO}QІPS|B|{j5].= #BtbcTKX}9ʡg|Qm葱46AL*56ADb0-n74yQ)_`Ő$g0+qE;_xo~+BF)b1yL8޳~f5Ƌ@3n٭p+ynRK o7i1CU0`eAĚɻZB:3}f"ķ0рLbpF:d¬.#Ϻon.'S\^Ad1I,S#!D ~ Xܥ`ass1?az RS8`iZF&OL^鈅UK3Ǭ>ϺIh{HM? 
SPMtr t J]^Qufɽ.Rr&/L2񂭰#Vv|~>BuNWV"Kr=ԾAYIwbo̡l&D4H}\6M^'פ&\.zkL:"zyKcAMgH]UFLHC$O%G&GtɬlOc(?2EHn faigZjѡ"grY(slnQylhu \ye b B)#7\G*}@/,M %C?WzƄ%JmCwsI\C( ܡ tP37Q2iY&/Ѧ5hY8½'>*6Xb(يf>]f0cRԅCm׈˻OˑJC`:} ܈aؽ2AzuӞѾ;!r t} _n%7 :S;;ΧƉyj~!GcWrN5kuʤ[ }Ax㒆!q,=#տ95]=uN@{R9zr CM k~2@ @IXw;T)JJAXe?-\]'Qq'Z+zB n6cn1DY#79b&;jD#)R(7X/0$kb5*߂-ꄜ7!A_R*#HXf|hVwVOW8j]Z*H>W~ 3T<1D§jo1Fֶ.}$%xƢ߉0Q7Ok (i[0||  9ĵ )L&5bcL5ݾ3IvoXVC{'*zN[ʖ)8@.QOeֲSsm'@qqG:U‚Q/Y?R},EP&Zr$'zh0tq0nw"M3bń;F+yI~E>4/ŨE(Z {S"t@JM&P_e]il޻C:HSoz;f3Um݆鿜_ՃP/7Bv/k6{^Ts7섛@bU|:G}S_ *8תz,IJ'9} ;f6ոXj7A?ғ0BnƴuT27Rf 2)W\SiRs\dJjC`a{VF]tm:[cT]3!5 yBL^1R[avV8cDi ,ߎ1 erGn0gvD2 9'cXTNerӡ`G=`(Wfϱ{5|k׮&?o4zBI{41SEپŐ@x4NZif@dz5nT @p09* QRa'/i/z+$ru'5‘w[qgUG8&$QdQKyMCdheVUAxE+wa3 ŏ{Yk}!x`J_PZ]{CÛ^׌y$ƢE PGjL]DvxΛL#Y384NX$wAUAS|.52Xަ&L >KbMЃk-D+﷠u^I8%-80?wj,N FX?76IJ T/BG[I+\_a]asLfW0GGDl%n5"n0gUen1nPWvU2dMu:qɦ-kGH)~wEj,q7}DSc7FamH QոjR!c@&a ܨ]#=Sa{Ep,$54NQ2Jynjr:SXD0=L7,7[zYX~/F&+\WWyey]2Ц/~p@0yO9[?Ʉ ?mLf>}LUTXh,biJXZ9SjŤ2Q(d$%HJ.wz6&:])a,I wzii3׮-j[(kN_._bau~-@l?EqW0?D!!ܳDǟ5 m1UKcAQXaF>6i:݀<>~H{NM/zmpS~ NŅNj-% MkSxy'@=#4P;=2hf͟[po;RYvWÖ,Q D*0Q^=e^ؒړl6bX˯#5\˖[CEùg?ǫ&z BVZetZΜh;-"ɽTtxr<SF$x$X9QfEs=rO%xdQKDFdFܴdZNN4$_f^8z_G/#N\ޛdzJ$cJ"lpE<-V! ##_Zڴ([F-_QTKNz8=ĊuvM&dE|*t-;IJР+OU)=I'@sD3m/$`q_!ob\ ^KHY/8OY*+F{Bq#/W! 
X~`KZ:PBҵ'yg\D^J!rRqqzN ewuyejVN UZwOpLU_(m1ZMǍOk=54ym,XX6Q}o/g_G5Ƅ4lXm]~Q,G`hWK69y\ XRg@;9Mw@ƍk+۴ցrvtI ^2*uv#':4: c<_RgpZ>5u`1T’Y7Y]~|6"8)J.I\ߓ,R) y޲>PS0&y b/}[.NaLHw:Z`EI$A4QAZ 5y[-ۯyIdV(8Xk NjM ?ki:'-C$TI q _׽z1U{GpSxX̬\r|^;&_q8'4b:KƱETk2֞헝;n)\ƤR5_˞\ce*Gd1A%j;C+³Њr?A^ ,!z$Lݕ`Rt&ÆƓQ0KXOvG=H900sP⎩BR}=}ݘB"}pY̛l>ԏd05ec͸;x'{5os9Eu8/M.2ny ?PM*Bi Ppx7jMw=88)aǛM6{Bcmgk%2V}7╲ !W WcZVV.٦ uKGʱ}1c2("1 uQk*O3VdW6S"Ldπ(< n#%r>r0M)aXFQm#EcLcȗ* Fho0q`\֭Y>ô?Xl9<G'Q< 0ܙ֔ ]aง<.!+v]iMr1iCd r țӻ{b֜2Ze, 0&+Qk 1M(9}3`Ĉ2v@w4`!T+#'IyKe#.|V:`y԰mޛct)rwjRWp'a\Űq: T.%,7m#)]KFH3)K(&FʽQ|L*ͪ#WͰ@ےL>%+]KYLVc8|e N) ϜѦslpnIV 8ƤQ68頢aEІ Mc;_Bf?i;?Sl%D[} &<ݖul`?4-ɵ}iR#TȓG80dM{5}/ۦ$~B '0t[['@7!=b l@K C3ܫMgnE WV<-_;rg: <āJe:sp<.[m7̕VQ5 $A"b^^DY$$K|uTL0 9jkxPk.Hq03%g|$<{ь .2ghο?L4451+WKM @qDeNlVcg, r {%=9^Ԏl,[~M^QLCM*py *kwQ_5 tw7!놢ed<AQ? 0 d HAXK,b5-?[Q`\B7i!>Pƃ D#pխ@DR*EWe#06Uzm1pLGj>U_ڟ*t㪣A$+>#q5Ք{thOtG%fM3JLڜEޟY.s[ r0gCOo'ϔ3sA"q RmLBэ`.vi e.][UUC2-#5Qߌ[y}扙湓"-T4[C&A2|&7Bvc4-΂+9P pB8yUzrŪ Η.+Jnmˬ#ܘxYfBQRQhD' `3c@C-ȲC*saR5W6 [J{jy 2/Lj h9,r*Ȭ ޗIvA&;< H!R&?3z Y6Cq*s@ Sa\ART}ShEz~do6N͉)cY랸ɀ]}.r#ozꛙ{j̝kj+Ͻ_G$Z':$(3,oS-azKjB J?amJ:ՅVlxC u }3c<2Q ? .n9\ 6oA]C'Ϩ]vV$%.~& 4/vNI0߃.I Ja{\ nXWtO, ^}*,? Ѻ?deKグ|gD Zbӱ(z_HZ1<ڵâLP|!3 &{JY9>fqt2P=𘿫:\vݕpc5Ui}dՅI_No @5!@.:{9@͔ZfE?j4%]%qŇHoeu&k\ yl#%Z0t !]>R.< c '.:Ȅ.jhXӟ ǐOF%;e)g=æ1-gp/ta*?7 Ch:.akk9ӂW^s~Ӎ79pfR6o܍p&~qV'9YAFEmVIp**fEk)z@ٌqj|b3PeUBcj ?F@zq5.\"qHFx3 ٛBgZc+A'~vsA||02bwt |6fհ~RzG; ^;)ƀQp3`im~̉ڇ hP(AZ&vsV Ȟ`p]Ԗ_e@[mbÕYbC B%jϜK8ޓ!nz^y+~RP$>3A|uLZy^]PB\"y@wt!|O6%uOe $״Zj.ՙVΊBOQq1.:ԋ$>-9 -x0W+nhqOk3G nZ,5̍r%v{~Nazm%"}Y4 ؟- 8͘ <;Mr?:&F"g RL?Y1I.~ZiVLK!˔]8(/1jEra%PV+<<9<)8}H@1hHzĸ [,8ˀ{qTt|OB}'D^v[kG@A6?ruQpE#W⾝OY80#3ŠF U>t[s00P . 
>(ϱ8ғT ZN[VL!> rLƗ>UvP!ov ]> 5حѐ.Zzl4BCͷ'# cWVݸNH*%00dxQFt`ɗ\x"Ns:ȆJ`g"{Cy4~Ɲ{dTUL@SUp S`y"?o+6V{L+rlLV)Uу$㐊&(0 u#_ ]%),wNu=c ⪣.iH .A"ϫ0r>o'o($% ЧSKTHzu*oD|ѵX7.zla%!Oyq#-W<7GAJzyuO0NݙQt."B-Joh0/[AʢsNۭ5496'N r!QN^$@qR;3{Z4ֺZ* 1^znfcY;&!jb(g3/ruK-q:3Ƀ?PTrMI.; RbdFv!a%^@ۯmT/Bu:vGp!O·\չq*%ns3W.A]SBxxP-R@%1^{ b?m$G}vG.q<5?%77pm*r9nحDє?W!` &CbRcl~jdʆ / iBp8 ~vBْw=خ }sպ훺h jGt5G ;jj WL[(JV璪\ѽ2ǐN7  [fJZY.,JU'.z/ ׶GB ~ 'NZD&"<%= 癉7sr2|qԄΘ$ܨ0E@3TgsXFk(Qn8P|kO-z* 2^ ~"`ϊ/R@Fͼg3XpرANX1([:~>B6gsp+ fNV9蹵Em'7ZN1.H8U1_ՐcN1tӹʇ h.T| D&{ׯ ~*ryhp޶$9L\p%- o`o Eu>kb J!P;;?԰(!sN7넕'_޷QO!~&gsjH%uW^< - W쩿dZRZN ~ck;(# ݫ=PΜcLbz9aPiG A+ U5Y&SYIÃaIk"RtEU9q3pH##Nz/,0=WY2\ij MSkl}KDwGVDPv"٬t3Zv0*1̙#b52<), ILE.mLot*4#+yzλ'RM{fZC KE,h>ZnR龚aYڙ*^<ul UoO~lc4m'DZlT^DOԽ\5z@XihWUBi֎8$ۭYR^h;ܕxA 4=@6|||󙊴YF0~|"L D^EB|$ky!B7 t߶o6W>7ulg>Xf<hʪ{c/r >6u8pHGN")`G;(!SqDcH8x >\S[aXe6kɝeQ~\,o9ru ޳[ftsQr>Kl~$߲x>rBw t}[ֳ@m衂#f(7ғ}Yݢ _[,`<X6s Ro#_P"<`GC7,%YQ$q0;mg G~ՆFy~1":".S5$xR,Lĕ+ &Og B̍vRhl?-6qG8Pc'p57x#eju}N_LUcj}dec\IŎHm"Yl7+[Ǫ1M؛8z#dp\g'-KxKp!|㻈`}Y287sܻs0WζiDK 9x (h3ܘ 3dӬ(8z7qI&Jϛy"͋vE sp'"A͡U#P,w#L' HƊ~fIn[(1p}m5jyݞRta1}'b,٭=A`:j aŏ2 ,+Yq,/'K`*γi5˦.?9qщsWf94=H?F5 ̈́K1fRmX(ڡ 0+_=lQe؀1E&D:L5ݖ(o\X"7<Ǣzk㩰w7_rp!PnQ7vӺ8x7S"QT97}* S 4ӭPL(.R@Bw*٧-bW>>C )W.S໹YuoVBZE*5Lq7$?}8kӔř-3o뎮=rbu%j][MR~ӀgRV" b/ CIx[f:۲,U'hp4:P9SnZ7|<.rWI#bgdX]~MZ4wt45tW`+ޒH,jiq6[nKfҥO i!*Shy{otB}FC[w. 
N~|!SBB}5-BSzy:|DߩI3]YV}ˆ$G5X<Վ2hhHGGݹ6ӟ}g ZȂKL1},iX;Us#H4 NaYu-}6lp 9p)5 _}Ly/^)|>9>.tk7Ab sOA:t/H}8^TX0z8Y7DnssF쀐VeeKžo؎;ƈe.Hj?o\;hO or;bovPcC^ɟGVgv]W̧0.\FBB}mm]$583an16ԑ~Ǒ AQnᓜΌ ^F^x6DIZڗY4l Fg)}ّr ?1ˍtN'rA KiiliaH6=<,Vh~K@.'t>x:4tBh0E #)'Hy8Nv 1Q dੋQjgO"w8MRMCfu &8cqN WN+ک+"r _;lRjxP IiРdyo=)Y5[9jR ſ֣WEk$d/_ wNR?"6Vʼn|5)B h!ϖ &YDmUr_2¦Wϟ2z-I'2Do*= i ƙk~tyMJBRS"ɔ 2 70v;p4HmzP8y(&:p"]6GYz䫌]2VSƧdYAkؔ>VUڭїFM4ZuuHnr& T (, ې0_#-'W|Y`~g^aq$yYlv3yQru-RT4VB̠iLoǯܰX0W9!E!\ꉷ|84d41T0i;* vp$]^d; 6lJ~Ih eEKx)~4er$jE,^NaeDclbEfZf($Nb9H\qi.,xb>Wpsk؁'9jWH˴Hƀ7TʪFKݱ}܀^#&>Y|vv K%Bǣ,NuDŽ(D:+RVL'Xr} R`ߝmm hO 49,}K$ѪH(*z ,<1|iCm7ۏ64M{Wo!)%`)(hMVgYODa8s7%-1Qq1Y"MNćԓsVW9Y|~*C( : ǫr NT tVM*y*%+Qv 7mMGF;l?3;?WKc'A1XAm/;1mT顑߫nٛq==8ͧq>sj=KdO}fܐ7cA54gE1 ZEׄ=<7FOl]'gu}cZ7S9G+~gyP(`ׅv51,"yZJ…u,E40Y~t!P{Q)d@kU]R#z7TSq<;Jq_t91ffv( fv۽+J).p-}~.pEwvٮÛ <}"wc!ƵN;4e:pVWp2/,m^RE!B2 @ QU"t߅rQz!wx\+"?3p +hC8@`Q@b-.HsPAĥc^7? "8gIK`ՏYY69F&[:>jσ8ӂQѥdva'\s}F>aWBFq f?f"2OĖ/(RLItص ~L(Vt,粁fs"pxyLqFT<9K~U.TB=vS*f\l.ށK \ZNfo7.,εgyeWhesMkC k7#n(FQq]]y$yT\(txz; ^wZ{J7j%$G{Zgǁ:.؟jԻBUō^ \rfǴ/0L4llZ~.F/Q:^7U՝#UpHÞ0x#} !/=tM{ӗ?FA~ (ۻfm%~JSX^!SA׭l""T^6vM ZOI7kI)m\̩Uojfe,܇N)CI{@|=d÷PhnK [BT~XClOk),xue80k*|)5 xV?IY`IL'Aq=a Pu ȹ;Lm LVpr`VϞEpg4(1%!ce~1hncEׁs[SUM_gk5Ib~c%m(5{E)xiA{ {ld`$c ToDvvWjҕ0GI{Ϊ\it0 A|HXewy߂il([jxvڝ"A=l*wb( =sJs#B=kN{UC#06v0Fssf(mmyźQl*mUKߡ xV)h5f8MBu@={NeUHcC.~ݹA!DV"8^_ W 'z0u0`+ZF%[뼞*Fڶ1T{]'TD36,0r1@a$˰#ɥhT0j9o>~mtPRTIj/^@j|<ѲZ34v, λfa&z( X_8e I"e`h7*C#>~rc7=A8+(0V#{Ip>a?ocUh1 V0pk>}7|83OUGDZ("a%bi2pf3Bҧ8L\jV+dX֏їNО&%bZ؂\ʍ0@E t,q%h{\;yI j 8nlQWcȕQ#'bg\q_hQ`Cm2T-r=umeA롶SE~ j~86!j~/|ó8MLE1^8$c$b@64nV2juLۍuI>Yj2EUܿJ=w/ieH&q;>B?_u}ف[@lR}(*3וj_#2$zF2?d*`=_JG& ăHj .j pCzثǀ*d # J[w'1Tk7B>^'c;XJ#ûq 2=iݷUZy ^p\xX27Bl)ŏ[_7^hy9BI^`JUAmln#/7 J.ʇU6aUd թKib ؤm @$}J3 !^-Dh@q HbĈ%5`3?S@@+ӧ&:CChP6JPH\|Aʗmd%b =#B7un1϶fM8N KiskuWҴ6# 5=#gUKaӚzlS9d&,\I̱6W4Il*.(upug/j߾P\ FZߣg K]Em}vwߤ\:xzyF1j7y7oD&0$%c(ꚇ ɏdc-4'D~DTi~TyX-e_u-YΏZ{%08wLk&U tv2iZZH`֟ԋp)!8.O x!2?2Aˇ(a_֕`hww{D%Hc`it(փҀ+mp%ծ ʏc>r #V٭[h@¼L 
:-`^"QQ>s</ڬzyp!RB; *VJ7&2R:z8'Xu|EIÆ+}D4(Wa.,Ӻ¯D^mE$L+ >^v^Fؿf[sɠ=y}X؄3B~?//a2@Ψ^OrXDJ4ׂl 1 X7 !]{坶b;teӖM"^뉟߫1㯺WO5r{^ٝ%@ Y$sƗ7L{Q  DkwP2lRIpo#u+"#.ikB0 9Xtö9 @]V!wHlcE<#2C[Myʼnl7A|4/(2ǕN;u]"Tߕ5n)!v&ËK_pL;5 zf!#fFs֊ cG-xyVdL KٯDfYlU\|RYjۺojGRnM `P=<9y[ncNt?<\[jDsG!06ۿXN)QDti1p1Kvl;yUM*hqM%9T]fj:۪SJ <,o{i(KNHNʂ"rU±0R@&(_`7,EGܞcf_jJdKJ O2Wpm&A1"޵>7ar")/P`,?.U$.7O %P:8P̶ꬂɸ[^4S#))jUQ. *q_1/XuYS4̤,{&Rcxt ؠN?/m)O/_ڧ_Qssoٵ[ pbpkU%qag؈EBt80|gjs /\r${ŏOڱuOL0> b??:*y=rx?Kf*$gOFW0ƎSs^<##acD5WDžQ|}J!eez7|Qn\cVK+|lSki@MBU{Zpr(ha{nÕ̇::˂4#x%07hUAV~vu.yk5.{0 KqNW0ٽ=fPx6r/jS'm&zTY^ښv#PWÆX^VcWƴuڥ1R5ht;J$$Ȥ@7ZB' fEh+`J4~z(;ۃN+ MDf.j@=3*yT0+2< /B(1rV M/ACSO`gl"׽DcL5pkxz+Fm)N6_hݱ*T? u8Af=g?eHFJx}sg"BĚ;1 i"( # ?/䄍`؈ե]diG::1]=!^DԈ;_ PXmpn2B߱| K'3-o (WEq_6rRMqPN5~J[JIj!jЛuD ~9 ?["Ȋŧi2NI6 aQIJdGv  uc(Q gGp( -AnY%2pj<U~pJ7^J3xg^8+"E.)Bm@4`؅sDf č;~ViLjn%$R\D ,umz4+M{ҁ9w% YoKdB3) !1-T8xCX>]Fҥ9+aO j J*hN7q^<} ?z|&7#Ip6ך"2q30vˮNbU?P\WER^W)ԓZ;rN?gdl{ q>u^|)4\EpMgIK`' 1 o%'tXo6]շ1y;~;O)85 #f7dvI)lVz^sOə5VQrgԒ3qU؍ml_ /Es(j_^drt *Cx֜>dg@Y®vv82`q`7rf`&[K_~r9)k"ipv!<l""jͼ|vG$q8>|फ़6gjxj5+4OO%Za-!K_R_3+ ;&Myƹ_]RYBgAHB@ۏRG7` iAhkٚVU Wqt_FUu,FQ`.n_Yߩ-B=d[o3xj"-t` + x5d.%\s aMFNeZ+=Nm`mŠlEwԅ.b7jTǐaEmZ*‘~|r4]'8yD')0Z6Ym{th-Ʌ)Xy=(N(5w~-RR[+œV.ag@u?Hf NJcSbl.F%=PԊ*毸h#2){e d4Dix+!Cau'͊3 +0ev8ṯCfC:WvƵEyx;o-JeNS{C^<-g"#x >/+YK$?yGϠzr+XɄx89e@)R=eVnҚ[t;X-xg }`O|B :G1[ @VDxr*\q1|&QZa, v^_RFJhJ8ztHBwK9/mJ&8 8CVJBlgϒfDouQeWEJ7--ڥ"t*Jvl׬fD/AyI`Z1uZӉ;F~]i)pH2(4VYԖwaUCK#3)^w1-3 Z&" O-CX8:9y'N=,;(;U3oHK̦}z?&6{񩠋x2 ؠx9TR5ƪԁڑ%bY5tq-l"xX`XUKXY}f`5fAZK~S0Nѱ6IVө11;5B+H%v؛P1}αe@"¬46.e45Y]ŊTh}jr{w %r_SFoKf oRsdkmVM̵s&)U"tmFuR F8>K NwmŘ C (ѿgfɒ`?'i$ӭy]y\zכTH$Œ~p:fw=!a+;D0C.Ƕ9(nOC# o\D>[!xk_|𨫓344 5|8As3-]A )"cܢT#ǿsWy`(WLPeh▒Jw i͘IB;5()҉zT@ϬӖZ*[K&+g"m Enp4Bz.X: 2D< IZP0>aϹY"厛DynGd2ɟoةN%H>k+>SB #gGfߙv*ݺ==Y.͢O.Cu.v3pl<.==a+Seatnkx~Lږ6VzVZ ͽgT5}݈G*<NNIW=r@ajӝx$5=.⢾,a&ohiV bJeD8' K}rp@iVkԸґ1UP$R@X h2fh -Ti¨fLs5![l[_o~l!n_>>p?ۘ\H!P3@@i%ZiBT~РpF r%.{%+Sr?CT#%̸#6E)b==ĥ9$ ki)0=mă#]ӹ\o8y3W" 8$"K[9# aM1c0fEf R<sFxFl5v:C<@W;4~eب2zvODϔǨ 
96,.[ڊʀQGˀ%O@ᨰugck \$>bslUn,vQzaÃ|/4:Ghk|;'ӝߨ!c̼ٮ̎=Zc[`Nhd=Ŷ3?)TcpCz 8bDU eȎGIk_5Ak88_gԢYQ,Q\ >KIpRz@{ YK FE$"&61= 0v;Id<', >fB  7qxo1ɭB#DטlD'$MoԜMHV[/VHX o@su$mGvk-ʾ@#|*y W*?uE'7U&{ 8tA?J``N5]\?[g!*Ǐ+zG,;{ +[Ygt)*:*%'X}A^&D\vX3ΜԴ$](mn=Q´v _1yj!-i-x߷Jm7W{β 6sV;ue(\8v9OH4g@9}>Fk%<ϴ:&&8 ^4u.tpߨlmdYyȝ64ԙmP 5}'DeEx3iCT,x`rm$)}M$=b~"m_M-CB]4/w whs SH˄|'avN.f/ަ<)zN\{i(zVz-߅Ne/4|.pty>f\B-vZT468{[l>3'O 0 N:808L39IS @,.}<$^}3Ռ%}HzZz iu=@ ۰_vafhShG#qWZ E9\wzפ)4{ܴx)^>4W'-#l^*JWQKnמLS!sSʣ-E!{5{M#sG(;*/Gg-)pGk4uGeft^7):ī/葍L|έR40 T׺(5ԀB+ڙ8MuxTV!7YϕPI];'mh9|U0b)(QNC^FǴ9e1)7DǪ+pɦ!אsToraIgc Rd~;BsJk qD!ng^WYOPt8 I Jǩ&`Uelm)j8O5 =tXiAPz|L1|]+rc٦ڭ ?{"Pllr[U#4lbaMH:7C2_%z~OE;8N ^fO9i!g`udaXN.0 iܗ\H iF5Ix$%ZrW㼬6{bNtI_jw` !.)̱ḙG`9A9 AJ> ;&/ C}0k+5('z^3oҫC}Bom$uK^d98zqz8G!Enz x[%R|WV<7I捫D\ܡaZul;LsLkWD;% b4Ȏj$jmAʩnDBLj*HSi+  s[aH00sFJ"^@5wd7*T{pa%&%9xK?+x]STLuP?dtĭ2>3Y5\ N}>{ȡ<|ϯfdޑ}V( жkka:VInB$?˖AGR}4kzM9ԟҵMW`&te'xH\ nO.ԋG߀$v7R֕)wUY^77jǧƙe& H'[4񝋑4PLS]}rMoaҢ>=7:JNʙsȩ30FHrzp'U4M$K{Q(>E ? /Bpz9е.K~2P A/;DWO+"p˩VH27DO#;6t?nP̌~*Ꮏ+٭㙔_5= n3$A/hȃ ӓND'ݺ|(u=C{Q܈7U =giy2ߚ!֟W¢v<:bEx ri5uGXZd7: a'S @8Bi =jK5&J+us)lT;nsc=)^.$Sܴh&8`yZdxlE4Ԯy~!յ^,۫x- ULCZ ~x,p8y/|—@=jH~ۻ VU<ΩP#Ntʇ/ځqi1qfZBҋ'"͉ i-|OzE{j{b݁LS ZvWv~{ODL'Nh1{%xe4!3p;PR__.$*NDUh]Y\#Ѡ=Hdd:=̻@+:HCR(rV=ְYgf0!n$d5i*8ޙϴwiNY7.7ۨˡ{wFZ`D8[."JHAЯ21^`:,kެ#_AWO#[BLc9Tuuh)~2bzݤ5 J ./ |{Z)L{y;s l=@X,@XIvȍ1%mIQcS,hopܨ35ƥ8 붹S6)j 5xO]fa8+$&k̕WmtOrjg@ΐop'PJ3?ޑ^!fLlƊˌ],%34 4WW`҈H4CT]RrDS5c'q L*葺Lr j`秌C=HGyl0oyWUZ LßlRaMٻ;,zP#dfƆ5<[k j5|wm?ㆊ[+ݕl3I9+1ƽ2N3?'Q]Ֆn٧?A ci4Uܓ͉.O-;cw-y'+)D֝?=Q)9HFL~Ш$@(/շڦ-]v6)+lu vM,o4}Ѡ/Ř /勛 fpFuu(&c0X6'–ǚD_IoҁW,&kx٪3&tX r!H25K:\}'*B!7#`?o-Eh[#T_ϴѕrni5dRS0JFu\:VbK?3uU*Ix;.+][ޢ-`9cAR고$H\ =xRc`²#+YhE [IpsCh*{yP*B\.Pq{UNߧ zn IxeڧIBJ f#W@aDks㖖MT\0A`18aCTͷ*:0ԤoH5!6f%'៵3VBMLmt@*D5e-({of8tܝ|!M,Hz?qe'dR.ЋWe'']MJDZlA z3.7bNl3cz|kߏ@9R=mopa@\ӒSG֠|Ƹ+).jRGw8וU":?&6ئY>G>qert[ӎ|Pf mDB3$ٌ?rr#< g2`D)6sy +zwc s+JYT3rM ў].>N;!.S)#u;%r,| Q#pVO_m.TuDAITZRi*FD/7 _PxO4т~ʉ?X9`CI#o[1w3(LI=Dٚ*D@/9a{{a8RWy't! 
#dKws5w[eǜ$i2Y ?7rR,r'GmMz"0c~ɶI $'G:F y@ZI:nn 21[ 1p*}P#>D E;YauP,gzna'"ԆX=OkuP+Q_3AS @sTi]|Ty,.l z:'n! W*6%f;.?la7 aϋJʀ>+FAY< KR@"4ө13~ ,m'd\Q!1"oEIhJ\3zhHEMeia>Iޞ9l;Lqa3>Uoj綵Ž ZFAV1uEJR׫ɯ9#t%W{DE vt1⽾Cykҫ a^m6E*P WyC-N',ŏؼ&z}$[yejEկ;Uśf'uK2|yrmUAM .$P3$6u`8jcy'5 럚vUX0~[lKCn;1~8;E$)ߦD]#LwTizynf=+ kh#C+MC&,P3nF! dil~mղʠ"0}S9 |/5P> i6tqˤ 1]g^2t[gD)lgJC᧙c3$f0Wh.XB|x\[|Cr.= 0T v'•O )Dq#7^R;7YOYB,<@b~vQg>k|IQ2(,DZ/˕`'] ^@y ҡBG~{^Ђ~mHB9?[)j>o%Jrp0b]EſGdޡE,xE=e+aԅfCYX[XaX#MdZ sTlQMnH\޴O1qZNV-RGyy K'DHEUI 6R8ɯ[##w>" >څonur n+B [JaVj"< A ~ΟFΆ/J,F02"3{;VpKYm8$ Zm/Ow dѡ򶵖CR B<*o@|Fm̓t+:oj@ 03d^&V.tPoQGfI~ 348x~|iX M=鸒{3OllF71v 'đKAXò*?1:{|\k1U| &邕VwX]$7l^J !|NZvn)ȏ%s #%-2SfFM .哋 +l`5+P) :.c}8bXrBoȍy\Z@Ȇ~rL4yHݴE\ KJ=2(0z l(Ռ4q퓫EDw<_rp<Z#=z𵺑dG98&D=p?3!#L %&tŲ.4s-uूNchW>/h5ثGf TNdY4<>s @'o@1  "|7[-ھ\/ uƉ"\#gRK(CFue[2"ڠa٤I Omylg}B*XX/rqz} L?MbKB?EDUI;yEܡks[Q Q02-^M: |MM+8O'oDc!F=5]2vƙ@%&>;. -kʂ%zmfg)CW(Ƚ UҢ5k;^i@+HqyCnb]Yk|ӂ9֋a7nS&/(K<:i%n j D=/ys]:jCaP [ wt8+4Rv)D'Nbk%vig:NS>8ѤQEev&V ä"an!U0&=x V`NH]9o@aRךw&^)zZhbx,T>]yZuG?ro3^+SBvC ?+>IjApc„ 5Pde27¢GQ`Ȓi?L糂1DS:mk,5V ,ESJwF3R?;@y%n"P/Y1ZT To7zVBIN|ΟL1y63$K82vAzQs&KmW-c'$=Z#*"9rn4dm炽%>Vhꀆ<1SZ8/a>C(Wzѷ =K3-=Z+G,Y,1Ax||X#cPA8mtl3WZ6>g472.G`Pxp!P^w/~%ԎbD`'Xd&"ƾt߅‡K16g+DW8.Q1߱=WF?@BG$Eۖg9MD+ǣ0^B\cA^9^P)#0sel34dyWf7Mz!xzoBL s4ub̧mm%0-:oa^aI.2}e8$cAeNcEh] խcW Hi,2?8J<-b#p/>L v{}*&FBSDJmD8WoIlECE8(_Q1L ~ MxZ z1g׎efU%7Ngr::d6\SĒZ57h_J<Zb`x3ѧѩ)@Tb3T¥S7. 
l[%3 Bڑ^<,N-aXa#i!^}ipېeCwyA%r c8og)嵈>qmhsZNA "@ddZTAra|=՜e2)>\'ѲG\^zedUkJUئHFa: UK wE]&mJg_p-Q~+nVCE$<_Ž6A\USY 7-eZwhdpdU"AI'?xޖ䒗*i'{T vq3sϸDYss>ӶpDьJa󪚼j*&|cDC@ݪ5>M: goiKʠY+^=h MZ1=<*吥Av8u Xn:]npY?NJADb~9arS*O^q9 |hĦcѥuOJV*"_^BDgޞa!u.AoH't6O>h2k#sd}[j1Z$@h!U*`&KY.s/]P-sLD{j4p+!8#[ΛZMzJS"z$X` Y 0X'*e>ٝ=NH 35u&bJ @5"8`E:t|EuT%4_иffͱ?~StũLA&seѐsc>)ND3Z$(V{ϤB}W惫<:e 1>?8VMpc\L^\E((;4}~ gy p)Ͼ<it@0Hl؅B3:lV JmaB,UAM޽j$6]b8<&xt .k#[b{uYVYOG- 3JlfZ0]YFM \dUX`l)¯?[dʭzu4`sbg5ҷ=yQ47dݻG$,͖s4C+ >̌s 6"k}V}ʂnO|QF0W@M ;U*ɨMIcrj 3݌ăm툨'Qcg\v':,G@+-9sk O B_ 3xԣ|j"p6߸-^r[cY@{7BWkAcLh<NyO)9dldž#P |AmB{37n̓K8L*|d&j4fތ̾ .v``>)sM~wuG"W#m8w^ aKOf ?VH9>qp_oM+PYb;끻aG־r]lhe'>>&\$Qh,9>9g-b«5M Tz@ T:#+T}qw"w꽭ZKeBV69\A\d\%W'KjCQeI@6/ sUbps'T[K^4 b?A Jmo솞hqxeH!>t# 'OnNJ*~P0#gA&dT1qfyK#TVG3Gss!(=FPm oE F:Pj"\9o*8> yTnwI6IB<+o@'SCma* +12n隯P(0΀r[f^UCP)lP|Y"b~a`f=1'Blr T ߢnIJ|4>^3`6D,V^J/ ٸV>N?\F;b:KvzUXb&IJޥ_n_ASC}Ce)Օ kKta<搖]xeO:DҸgR$^hyVq;B@ɑXDv+Loژ{* ]/~[=6_L~.y4Az>_E^C2RTi|;*[\A X~ h ͙6*.p3Jghd ]hb\&l ؠoGb\ۏ𓭁Uְi2kPٝh='Yye|[k]8|60IF̡x*ۤymBK8Ș+q(!;տQ*á2VuQjZgCVvwx9%QPy8/`I"74[.vG5yr`q7pفuSLgѣ>9sl V!iAWBadjQ4؆]ZY?O#gaBI(5ʢ @Nkl$MN2pn̪I "Φq8+Pzx+/NBX9uyhcgPEZwy6Y`/:CRT8sCTe ܝMF3+y?#Y6}!'.IqS! ?w׿| pGM>޳\ FEݮ|8FjV#8A+ﮊ\Z bؠt9U`҉lNgUeק.U ʐnS+-lN!pBOLEn .5Bn2"(-,Fg x"3IT xyx=Cx)Dh ލIg7 5}-h*܏Uz޴,i"xU){fo[bu"?>mɍ>ggu:屜d#  ZǦ8 tzGks~S5GW`z\Y,⍇1Dt!R4:n?)CA`=F}Ť?l,ya͖ўt#-0)s5㦯[ e}0*8KOϏ$UFPqܤ[dzMxtx,_l$-.+`86 ,|8<6EV۱;NǸ p(R:tBri'˶Y\դH1Z/~=3Yk;y/9}ݨ'dcuaKF31&'*6;bUGKIJ U ) őO(1,ְm!V{T> phU&7]8п7cX 6?HN]? 
d٪2g]icE|dP_5I[01I]DIl]} s.bh ?9vTC> iɶ4Y:|tn{FnƛV5o}keeCCbU r\%ԍk{t aWe4uH5jh_Lvڔ"(|ht{آh{LI!^l ԓn1[CԑtM6nkKC3Fd?-8#S;N-yX7m)P%wWB] m FQJQc!5P-1&M(9b7ZW>V2EvO% ɠpNlg|̭Qr#,ƚ8foѕ]WzU]@/Y@ n,Pǁ8zQ^Jku"]ߎ@<(DtW\|-,} nCځOWOHQu7st"m_vQ;N`~>t݇8)iKsۺ"ұe12B|4)Dڭ<>L=-`WL幍H++6>Yu%A%7 Zc}5_/QK]3@Āe=ڵXޡ<%K~j:ʥ({>"y'{,x3p+_}wk.7!y7ݼ?)?E?ins[%,Sx`,[& "eS[-qHHu [f*jQ1VdgщASp;7~c@puط2 GiZpðʭbɟ ,hG<Uaq;R2)Ďa*lpySZ?q:)ԞfsU ۶.؄Ѱ(8*8uAy/M5` ᷨd-0b{%LtltjPbHq,- =XgC,)NFl݀ a3xC%2*O#':>Yw6I_XCL(q p~׌Z̀#{>}dOFO.\V,ϬwuZir R&dXfZ3i&G+a`\4d*޳)fBk'7-țI}wu34&) 4JJrɌ;W+R`-7u~}mgydhw%-I-zPa6TGZf0_D@ܦ%F-CW.m>'Č]s4hX̕,2%i+=3G-2} oCQ.MN*߽ yUC rBי7wrL Ƹy}'*o 2#z6)Ynbq .3 ][j9k} 떌]XJ"qS^5}d(lO h>V|P^@v}67AP=/TYϿ[VAI)/'r[:%[̱vsC>ʳy}}[xծANK3 9pW*U!ż0tG<٣2^!9Zy[&Nr$xejvEA}V,;7(ӥ<:3kQ5HG|erAd3;t?R/.HotUu~oKHOH+m(Dž)Y)*;gR: cq)ˬ#^-JȌK E-d?NX9`Xslq2>w?RGZuĴ_-2ܐ SQKƻHz`Ag(ȍ~7Xxہ⋌@G^t|0VςֵҠ[|q)!/-KBrs`-Ev)(q*`H5iER{_wח`8߱OCWJ U;6$>O* T݃~@ PX<~KhAḃ7OY aS )Z$6jBu9q%GHY'K{yJV)@v6Qv2 za4 Z' PEy#ԴUJA?WC "^[Pd{p2_~LԆ(>߼rYX_n#ߣ5JBF]nlVC2% "WēIOkPPsbL5Qjo1vT,"W ba׸BIՂ7a}}/yj_B;:GG˼"9 F,5nЯ4({0 Wvr5FiY٤ݯ5K]7,"wp(Z I-zQMoE)2u;eS߁kq_݉QCS)p7pVmZP+ZȨQEXU/  KƐqĦ}wj 0A:>\|͖7 @4`ό_E[d8ᅠ )h=(Z0f<M ڀNW6}܌[K`M@%ÒZP??0oD˓hfn/iQfrrP"Q}Щ1ShA-˜y 4$X0]qe_`jh.v=c 1J9ѯ^_..Sk䏯oD7/f/b18@|vHn;>֋r97-^5hPsl(#$eٔn\G6aByXI&V\P;z Qщ'I=X}=w B 3uC=X4s| uW(KH:C@A9;9/4a/:ߤs39(S}*M3yXPm1 _U zv" JS@Vo\8(o6JJ^:G NW/sjcd\\$yb|/lji7#Wr苾tT*ˏ_4?m{r*fP<ǓymsOd6R)Vac}فE]-bY~:MVbya _A Gex̢?ؑLvs+5|CB~3zjfYÎ5ӻ̠~B|a ʋD%љ - ^bғCXE66`E\R %ȂmʗoIi_ 7h+c}:jYut%.O5ny2dTv[6E69D\;#U!@8 ? \W֔tPl8hG']Q'C)|eEIf}Ի'/p0`%\T5Oƃp>!F| €  }ۼ8` -=6rkP+ zH/]afZ=]i=Z:AZʀ .2?@akf-; D&<}l,RTE($2p- {TP '5$rRu=)QaЕurSĞ4eߙ$l*!r(#׽Nٮ*;5oڿ~w} ϧ*etGo`X1C͜A2a5KA1X?=ٲ7I߸aВeGLhVvM}՛4 i MwB?7=9@;x!瞈}Yl^,2c,ޗqX^~z57b< "m3(4|@⑓ivHs!f Fhn'-DF~}w1I!7%"Uծֶ$WPaO@ ګ94sOB[!XEWa_'k|QS  K!GM1MSL"4 sg2/k nnle^7E ->jd΄7ҮA1v? .H> C$uBSmQΥYӲỶrף˃<# ՟@5b4p_մpn N X+ާq_%Ix-n^?‰Y\i|Cbc> уe bS;}wEs6ҵaS1nJ! 
^x u=۽3hW?uWֺt䌭/;Hk_ -cц/mmCXV;10c f}c2 >/ʟ3"rG^3_8MPY;|"pxE dX aB#47SGW}}f]:ߨ =;Y\uaNC)|}·mj`Q&zp',CqM^Xh{L 9@a֬\!LN.˵R%&򓸋im.Vʿi*L !gy C/jGN( h?w}J. v\ ¡`l;ToSm fֺi{!`>Z(M[o⢉9blmqeF{x#yXS "lZ y_%Fi (Of[4QtC$ޜhH8՜Vs-$U6`Mo!V.x]I2 ?ʆ$|Zkj B' dk{ڟr~6#Iwr<]#֎x-k4*ZF\Th+UJ6h6`?\oIb1T+~=Nv`ĺkC^gZJa۩ԏR4%uFr?|su?b>Cf%Ւ $& xm4& |44g Q0 ̧FPr/!#dϦp#\4'61Iw}CXFm]| a ?e%׶X2g,/YgݍJ)ɳA<ļNLMҩ<Ц0V6vUƗ—[+~M3K#v_*F%`EǮ/zQHX7=Am> 3NSGK,܏hHGCea8o GRvkMpiU\.-*,K eai$uQXnqUe΅oDX^$~ f} "w /۾E_Lj5(!vx#uPt8m Q+jv 0\sҎ0*%zвr%3;&!6y"@=BR+gѫt=`Z IйʢpPcJ:bLog|t.jCuL _ƥ@M=DqZ+gQW[b(W' W 0M LRxh5q_hTQgU_C׎Gi |U, Fd3 C>VOdj45#9?{ye$ YOYVx+?  5EO@ZD |.*dڸfoťޠخlN^鷎ؙX{Yk}rVl-ZyO$YQ7e>Iސ0pUI<|v2㎏.S"fsgDZWq'(vF>$`ħȢ+ :`AZ=K͠}J ׎U6cV*_4]Yre 6E7o'+j9cq0qusT H{䥓 gv,JZ4Ɋ CMǦjgQ|-Eh]K9Β*e}lݺՃG,+G$Cl\ϑ q?AѤ?"cT!Tl`5*& /1A+i35I;<ߧS a.zFOqPvZ8hmLأ=^C^/JvKc^YM-1`_V0iY&3KɻO5 bkʑ'DQ T ##)Ϛ@C ީxM?mLz|mz$ez'9!jID] CQS7]g>lFL>x,Wl ?cx0`Xx\e7+ݱ{赽SYʎpM.\(e9`Z40V_3hRHzp8`@BG̶hΐ6ARĊ@ Żr5e֯ڪ? n 6fǁ!Ԩ'#?5a<oy.ySE3ۢoU.KƤ7YPMo`EE쾝=Ky:7Tw5%@v{>Q;Id]Y %ǙY(bb> Z 7&OEpjKS7c(Uou귃h)cR ׽ZrˇgX0lF Yq`.Up,vp-p7&ޗ>:jʼnRw"E*@Ngwۧݴؿϥ8Z3v;aAotlCm; +Fg$bnbłƳi~|a3AޒEqkLa!as3c4^ ؘC<.hgKc @;ײ®J:2dt ]~U (uA%l0eQ:_(9ͯb PnL yw` a |JrxWJyPTL"/拄 ל!t!F/3>2ER,P>%:P@4"ҵk ZA15j([qCKe-Q{-k!O:Xh;* LQ{0cx/G#|c8XډRedILyLQ"D^uiA*l04RX7|,؂ើ \@Jw,ĹG`K;KV2 z.LR 6!H .{1OaFs3D){Y i! m F{71IƩ#g̃J8|B*B59b5>>o §P,?^"-aI?mm Dt֐XJ\d0Ck38 Ѻ ̚6,>CDGo)RqJ9&|f+r+I <'rrq9ݴWi+H@MV`inWtxS8!_-N,q\LObf8U&vJF#޾^tGrY^:\YL hЛ劋YVy҉/RPO KLR7qe!_ u4m G؅}-EjH=Hp_ldQD)6}UTnmV.R^_+Dyuyi$!&=5t:sOhҏ{Cq0W,#Y2`|V &|j*@>@ Hl|g69zjbc#eOkøH]GyE}.9ƹ k=I?GWшėI qm'UV؎ްO Ą6IJq2g(4Iu(hO#|'1gm` ڕújur\pn%MMU) <"2d7>YJJTZl?!}o ưݴ; ºkIh+q#=9[!'tSGYd$V)]^g==@@Tm9$2+`!qt@rviz^@H4sa>ɭ+ꡏ ˗*' 'ߥ>bnqxNj#L _8g!2@. 
X=Kk<}r!c:\5k_eJk %s@ۚI|Rzj1xSs/@q1'݅?QDebZ]IINwTn~hiOOGQyǕY3u"eQkH709X&pϕyz$"`c:Jo=y1g˧ CH]GS|K6Cb>}FDcRau<5wu5O!?A "6ggzG'0.=[ +$^A>*iDv00mI!?tO c@1[N:5a~'Sr1b<᪁IsiPQDж' xS"5h۶4Ȍ7t%g_Wφao[ϲ?AX͹RX*#= A~/Pƻ2:HA?LƢs=νʜf) (?w@B$1caGV+nЁ|]w^MYÜWZjVZ,Dzۡ-˹7tжQX'dhK OhxE6˪e| ʿpiYit[FQ{9djZɶd@r["2rvkBw­ucxåWh: OQ#a f>jn%|NR εUߦ+t l+O zWZk?VC.E3?|WeOKh\}V w';H6XB9.˺W/;9jsDpiؿ7yWn*Txhww"{A gÇw,^_seEj7i]NifzѿKoi(S mb>z~:BöM=-2=MA6:NɢveA2Z4+$4Tڵ߆Rdd39}\4IwZ+ (r[]=׎NŪ|wx|zoMrZ6U<,#z~''Ax An>®v='7ݞPl- bg (,ex9ڿ_2e!O6$y?R&)&l0^E3#* 0iBu>vc3hVK?^-i9Sy?z_qe$Rz d! HG .xhD`$֚CMv MY$I fK1ԢV!Gm !X,W.f?*8%>B;=Z2Z̞($SdRWx$ LGPHAs<12˼GE # RV,7v& svTb("+*pN;LEv>z>Yj}T]ۂHC H2Tַ#!j\fqswG-"~=S4lG( jHgA5lDtqw΁v|2D\j-ѝ-Ptr6v1ʓIV-%1>wYUkd''QGZ2[+ Ԑ:߯U8xǴj<2*ZX1\YX0IyՑ%$ ƾ]dzH`ɮӖ h2<ۆM]R% ND4L_t:zG-w,k$?gPtd!+L]\qM]Qc,^_߱v>ͳV!`Fc5绐tg658Ў#Orz$H`p\[瓢Mk j`4iq tl;Nr1/AK1 M2Ĕ-C0Y)/A*oϷh;pUK4EG /W% 3,N;pFF+Id}+gEW!ix} O_6T7NACc)PVܛ$3k)I)i`͏7Z Ktdr2zn>-O9T/ŽU5U$Qcxqo%zsNnb%YSIT1}mV0oyEZC_R Ҩ!#?n7y ]G4_UR#C40I^1IAKDKC=pyQHd3,9/" {noS@ifʉVJE;Qo~.'lzȍud]@n6"+K'{qȔ!'eMzJ_Ak.|@'"!!̟YsV, {1چPPB/N#ë32[0sT;r:k}gbuq|[7+pb`=V &6W*tStV, Tj2FI&[ɽu "} Bx?WeFKƗiu@BU4]7uP ڠ{lk!Ǖ)qNӺ y)}[{ќFkfUilcZh7=M{ZJ~~>kYU t# 񃻨]%U=NU\FFH: fpJy{!ﳇS #Tx'l?Yu1kcwEhZ@ (?uhCGS0.w;9T˗85̳),;>wťl o(sWX.>WwLI[јX2 ӥ{u._*+[B5 ;3+gB@ KNZ 03~N9َ.!0BBrw[xZ{y_49CFhwmAb7@+E2>3F $}vd6@byZ F)OL+ǔfbʧ3B,+/A8bJ͜&Ii$KW44cIE hEoQD]t|qB~l썕bV鉂"@ _<U׆u4]v YF ,Td:).w7;!R- Oj}G*Ղ4,NCt&3%JbgFm9We:x bJfwML+JDSdΪBq҃U{ fÐNb!_#y4FGi൥UrD 'K5cF26Bex$1mv*t1q>PfR >;8ӻ sN=C4wіm3D5fS:n*伒YnXl JdV+ɊPwU uT!: GP7( L¯ )7TOlb!;45`DVo<30uU-Ué î;=6hng9I ,3J7l,Gl^ .䃩MtFxpV&uXwZсhjD3rCh/MLpQ2sJIoH^;fBҸ;! EdBMԑa!K<B0Poe' AEL2|nFa "Q!4*Lf>j,4gYI}n ߴ:Mvu{ Gy }a~ T8I@c o|hXY+jxO<ǁLaT Kʠ50c15]/~g+_\`[_r!#Uk(v͓\% -Ц &SsuS.uwKpaW2ƚ .h" К X S{褱'2,alV-75JYqFb?I. x@6H) ȐQ"a{^њ Ul? 
idnNʌ->>+milw-%%Kf9Rg.z\F,ĴVVA?W' LjH}JD==M{{j5z5Pcl%byZGv}hF>13 @\SW܀i6ԧn;mlӫɍ8y(`KJzP?-kޕɜ_7/n\Z.XTX`_Z?Dx& !̄AT7sBh\=F|Jfq54W J0뜐@֦.lf=CC\s_uei+Gx]L`;q3~|A92l^aNuS$ gT-m=pMfS@$Ec C ٨:A6n_O+w+aM>861-y Bݞ46\CKCf|\ܦ}efKnk8| px|҈oB#ډlU"$j|ԃ'1mX` X< XqZ,ﳎDd@M>/=.~O.?t㩇ڋ@_>&D2MGX]0{}+)Cۏa NĬ"6`Τ%=u u& j$?"u4=.2CMT?eFv4Ŋǰ-JihH?B"ZnSX!I(J}|*PEYc"X#dv^ r@lӊ1 <+M;~{w#U$eZ phkN+q}PZJ{9.=KdLpDr[/wٿ]ߗ(7Y<Չ/_w[,$?؂ֵDs qXQvm:6L\[hDN6?KU8T4Z_L`A c$mth:Mp@3mP 5"E%qGM&r YW.2ؚ(2+T{̍a6LD5D}bJB-~* >pJ,!<-7k"Ygd!J:rym찃a`ٿX;Hv>mwi(}2*HR >YG79%ŭC S v4'n"CDfQ1>D:K`҄jgwHe4%2~DhK-J3!"gz{P%)M)J~~Lۃ= DEn:bAGsI ۳ũU ,z=CN5沄ka3l҅`( i$2Ta7nrh/g V;~sǀ]i#]=yg >G0*zzBdXҮ1>vkyT 303+\9BIІ7 0cH3|ע,ǧͣ `:ӱqypXly\W&Jt'aGS%lNL ^3R7Fr}gO }b%Ƭg H3FqBMYvOqHXTWsWhh pQYyx)ܸBDB&>@ c:n Q#,_` yo<.SdFxh F&뒃gNr?r(O.mxQp;!)iou|Sqj2[E.;3cH"uW9/bnr>9t!RyÑK!&<` }EgS 2a`LήyАx- O)^؁G=-Wݪrѽ>խ֡poOɯ>:h79^W#s@@!tt!?/5@ON^JY <kjLATO/9"Ml~'iCQ$ۗg N$00,GU0[uU NaRl3e5O|Y?nȺL\澵Ll-9*ߡ[rTSb6}l/VR`T4oOI^#4e#]{ecm.@՞B"N5t͗/|aߞ=J2@K9/MRv6{io;mV6moT)T|z"A_ rHذ[,H|L%LaQ8zqy(StYO)1̄kq(q|24uB_@\ɏZv hgw2`hY PM\?me:GҘ>}/5f5Rsx]%ihiA:?Tj hU̦-'V-bk})ls |$1E/ dyH D/c D/q,g-q~@gKʥ'dER.b{{tiMx7urX'wa`Kgw^vuu[3“/K&lnx2{x]!"AJȅ^r'-k;-dŁpD?5=`Nd"4yXD`u} QQnX3m [k`ZzʡKÒ(Ɨ9yHDhG=O5iۉ&K{#XSP! 
;˪VlnёXhzcQ\VOYtʨ=wg~KFLֳ98sqelWF %8XQ> ) -vjU{ tgt;S'O:x.L)`/D&tn [$q}gWGc Y$/^6Sl1O*WȲN?9ɚKFP1@V6*c{,>Hzަ ?G9]Vq)4=Up;Ғ/; `8oZ78 Ex \B8J?L(T޲Mව-`b}bыM9, Kf`G(!lQ@NƠ4P]X{؁vMXn7 s7^(1?zgl% QH(Ttg+xʨO)O!_A9rq7m]t 7EL ^JPoMғ .u|nȇ5SN= &M%Kx{17sGuP'> J#EzooqxsP})̠,ؕ3RJń'(YF7K f iFae,@pIGTC28]Yj_$x9Hqa1C5{ݟ{BW130Pe&w=ڒ8&ms֪!ٍ917#sI)kG鎔?oQ#>f2uybi)N'1Q;TYf^6vCX/}XZ!IjYr;`;X?<\) } HD7ɥ.h mNn첲t9-tp\?5k0/5T7a|*u`\B`sJٔ6MvWU30+\8$y,rإǃ$p M̶`"xV& ybd ˸JU?zrH4=6[ YD!VJ;NJrj{"Xёjxڋ@S CE Up3VWrӬl#k N]\ׂK5R0!AGߤ-,6 N]k[,K j[Kaʻm+&~1=/ԧ* Jb)~10 JUHt/Z$5gϵTM h(}w A-PXjj?C$3.jqISL=A ~&r\^ btQlm|(˪cn3p|.F`g&'B@c^sP( X0>ZRaLqn4h ?HŜ:ZB`my2r'ۢ<73+/&nzu{5=Y9r_M;'7ʋ4ϩ6A~(kzv9l\8I d \uN l2迻bqAg>gJ]F9BCS8C@H<]]3I9%62yP2?JDJڴJ$H]cJ4Wt)4lG弰]Z:n݈)KUdet VpJ5C@ $ODW DOH+ފ# ^-7:$V;#GZ%lti%}W銜؍DN]r?|fDb( w\4C̯P:vGZ%,P-!WIѾ?cKEdz}gml"ͧϩo}uz@i~]vLjQϧG*[`7Ftgt `^Ef2?FN(wY]sz4 PS Y rAz,U3hWٚ;|C٠58=4! lxxGS4md>S7l.j%-NI,\E0I4)3# 쐴U?h*`2: bș VGƱrWFOIctǢ8|Yrk?O2L8#psxg;FOKz~\q:_aZMTx˻皼_ݏȅL}e0*SPy g G-Ar JİWUj\*'QDYǔɲUilź1Bo[{u<Y `J1C@ :`ou-kaaSZ쾁CsqMw?k ~՘jŭA j+j{'Z'lxQyTWϩg[,Q$L.C|A=FEsᓏo6Ҫyz@J代|fQ|,NL&: 2~lj9` Oa-:>,jOwԪGƾb.4hdYbZS'Nתl7-ǚIbmV6++U֋s P\ARs^$\!9ґlޝc6"50$;xNj~ezgy|GI褤&DQa:$$vd:8;Ca":i{v8+%zzRc)|\bR:'qWӰ/DqJV`xEA.ֿ%L6*FM4aǗuP(Jt3O$H"[ ejzaO1_0oUp'Y^LC-t&AjQT߲k4%*cNN/n*0PZO UmY=U0CGq1XzB#F$?˞^2uc*aE EҚ|@HJ%b-~tdy=\9B14y˘C)!Zn]d43%yՓI@wi,I FwF/H$2B& Tj,jWz`:q>J ̤VLz6P5H{ ℥nIe^Jk:A&`:lpx-J%g@RB8)L"0@/>3qzl89@Eo4PG CJnTCWc.?>|D[ zcs+:}*oen Ђv .eDP"?1k(jLG*OpL̺ad r,~enʇ CJšAUwЦD-z/ 1@pvYB>6N|^!F>= qJNZ\T(BȔM雗Kq&Rivq8a6\πvIpsjӏYIU^Ek2V>Jo\s= 'U(v QY ϸrJ;@w5 =tL>2c {y]]r^/goT]{G!dr\~RRA4Da+&1M*wWq2n}DA,YDaXQ߷RgLQ>$+ȪMEpv/zYD63WCΝ_us{_o8Vj>g?z(R4_TԾ݀U#j`CrC-~1&:vnV|z{]S4%Z5埵?q,!?H^euV70̮\gqT 9|1U4J^}YfV&5g,T\ J‹FFZn\zM~؅Ȥ|!+`xl`, n_KmZudP_t- G6c56iIȓ7e e?5}V؟g22/FߵJ,Fs9JyN}_R[ 2fFTZ[O*̜*ypGc̰gLq/j* Y+xDqN :rZD@LEY1L,15s`|X<IN+"E4,g.l0fr1D-:gQbhGwO ĚӶDi1ONkY?^$0cGfnԯ+pR? 
wݞ\c~ePu϶b0Vd97'r2c'\-rNV1WIfqAtQSO]E-@Ӎ4dN/W&4'w+A1.p@N{CdM$ pܐM_6AFbn2DVjΰ*ńӐ>I ~Zs{L舳9[BeڝDz*s0$vuVL[Θ" hYg("pz0‰'  4Ĝ"|ѸQg<5{YP?fd~`V1ԫVxI?W&5G,׹h$˳le *ҟJdfʘ6#kuR9ؖg550q>ʹOM#NoLwBN>ŋdMPKmxZ^cgqݺm(ezW85,; ^u!6o)OShnH o挹ki8ʜʈ_׼bsAw;ӍV ?5?lWz[&n͆t@hGo oA`[~UPE 򙱾ȗ6H?}LJ04x0rV7Go*J0Djo|/:&,[]ۋtHm?,TOL7 I]l‘!^vW™Qt%7/:KfrJlJhϔF߽s<O0.JL h-$D õM#.t{ MOsjJ;;჋Wٗ$=`gIw -@zQ4F+pfo _娯)eԪ+H!Z ̢9 'ԔCWD@DtGyI x2e d%S,Y/Mlkt͢Yn4[{p #A^x?V!8*,d:EWU#ワYkl|&Y+`!B3: ʨ,7\$!0=]w=kE]KuPm+tI/("_Jc^a€㛥6+]2 Z\фf7oi 8HX?#HX;A}' {=Qک ~́KGbfH+oh<0 9 WcO;J%}p7pIwM,Ms^yYԼxIbXWH֙ydxfhFVPpNU'3eeHUr2qT+ Y*z}0# @Ivj_ i!Ix30c * &ns7dox|t́(1 <ƈqH/}y6Ve)&a^ε`avABh4@Ub>qm@ӋO cSRA!ZYHcc,nN}Iкѓf*GoJԣ@f4İ6o5آG30ƄVM3_ з u~iޘuُn%\\>vnar!v#̴W(d@ݚ?,U3ΒU( FKfG.\KR,y <ˊy^NqnF}!r)IXznyvɵs CQ6]ܗW<3!]vs$WM 1zMk|l 3/X#A+1l<jQ{0 8P\>-F5ծzQq>\EGյn#(٥Лע`q^l-/8p0I&k58.d)~Bu#B-a 685+W 긖bÝ0vsy¥ivlfV фb9گ4w[`z!.+禃Vn#O5ÙÒsl\fb_ •?Y,&⢯#=ut;JG;6G3DD=A \mE ȼasRK *9 h8imʩg6e$HTN\58F)Ɓ94ML=qE /[4? e F;GWqBR@ܞWfi %ל?[[Pp*{(pDaF+TM mswM^J>-,q4)V&$zQ00%r;6$Ԏvd%M[^*:V#\y4 EPp1J!97nòBJw1ڊxY܍]^L!+ARSmFfa&4x^zʡYwICMJsz8mPgn* sS.MZ(ZѱftD }zi+Nu=&LWsbp*LjjǙ*ƐW|3< ;(&ͶAТ'SwҶ%˪;K QM墻iO#ɦWpk&v%\;lzBG[FUE8ȦCԭ9}=ăυ W1X;sԉ~K@UK!Q|Jtԯ*Z˸'GyG6 Vv~t#ar \lqvu!۳ Z;M`t53d%[mvSL>Ko\&EDBeݠH#o*NÜ(<${O;T)F(H!Glќ{}4SfSfPmeVG4wIOMƗ6ů6ύ͈V#8W/X+i2d(BdE׶qZ1+77IJ{ p(L |~l9ML4H/A ϳl)P%` +(.Nڮғl6|?y^فI0*a^[xQn?0[Uh4 .f v],)!F2~qUA n?!.T(VnXzfxt8xت,1Eڞz .D5N& –iD{E #o,Ԏ{So]M c{!LtHWC;# ge وAhn|SdlvK]8.8K W7kY8D,ԏCϊ]wdE#2vJp>@7ZDw N.9I[M?>elG7FK$#NZ+mCfGJZ̗F"I,}lrMvř> P󕼼P8NR3lȜkpr ?} h $^fTè^)jb&[KM[kO 65aSvwb;N1eR4P[ikBo >r(ӚpB6JWfv T/z, չq,%>t2ꅹK#uWp&靵 FmSOjYwwz7ד 4ʤf5sa?brr'Nl c}oJv"w2 Qa=&4bLgiKS߬{' 5;i\Ԛyb,ǛɴyuGK::)>sKjF.!K O¥4 ˇv!V_S|šj^紧4R_Ι۴?$F#a @%>dE|n]d#oFEιs j"c$ơ.i7G3pDY}e]Ʉz=T>#y 0,iЛAo4n$2rlќLyynGou?hQ+:'Hn^V 'qe#᥵06XbE!n1S+xZpmH#Y*%֏wf$k8d@Jk4;aG`c|9S/ N$TU]aM:5A"Pkf5nuoo>$dII8>7]p$8j&Wri\5f1Nr`E<ΒXc<7l"5NY򆎙z߆k*\zro K柰'jĆ,U/|# \wQ:~[֠vj00BK; e` r({製0i,{G6z=X?KʄŨv<.ݭ4m)R  19Fщ 
uXqR*Bn*%BάET^h"^#Us-ͼUIG>;<]no^c`]Z+˽f=*d2__nI%)u`)JTsEpA^5ԣ&^J7)hcapkS#u1/ F!& ?/D{XMh[sNQ2D1RACRrﯷX/B4yڨd '#0b}ANO^xu:!(cYxo+XϢC﩮a~HnId@h}&2sf*3"a{ %^iѳ>Ix_m 6Ggo ,ԇ!]` ČQ0 m)SQғ :+!b,z,&çAr/ԐkI@&p!n)iwm=/ ig/EY=[$ ѫ0utD'yB.|X腡E2 A 3#sScTa]?l Vjc u2-tQ)%Wc /|s;,^MC>ͰPZ2djJ|&KFzB+p`ޟ)TID>q1Fum@b|t*B7h@/2$PMEVbuW),m 8Qu D~z"$U0Nnlm.\_]6/@ЊXDFBWSM}#m$q%,V;٦OSOc^K6B&337#m?h̠S|KJfټ4qQC1+Rv>%!KoZ F?ۃa0<dW?scoiR!~_7.Zfd>PPrjA]#Qsʷ/c6`+3Oݡ:ㆂ д[^S9J1}#©$-:-Wqӣ]}Bh꾟j-t:59_wOuSAa ۧ+zD*kxQ!V4,'SvĬ53P,NWp~^D9CD%/MuzW?jMu؟RO!Y>UavN FRYS\ej!Jlbb ϑQh睲w\~!ӂOLHvKV²H{O~{3;ȳCV^>,]"6D`hz i]mqVZF8=%}D$J$~t.OtZ(2CYۇ1\ g fyP<=SkЛR /,j7㟎JbNBaq6=d=eo,d.R`hyMD2d&% >+uo֡a0H!YֲEIMjATshgގUo`"E/h 0EXzO@)E]B} VbfϲC~G0z }G ٸi=-k'x'b[0/4X4cMPG<[uNwd9PRuLgX؜=|%ܰ)$(`jTvB*$.Py[0.*%q~1#}ʦx"Vv-n0Ϲٜ.icp /ZLv4bsTX|u䉫] nQ S1S7A9Q :~Y f>_^]mx]fI副#+iys4֌^Fu5x%fd)H_Hxмk41`P (}E[$G0Ɩ;$8Jy-Œ.t Xپjѹ?\Z)g=w.RUi*i=qKn$N@c"J*:)QjMz!8+97Ĉ(ؖ![}0Y{/)ˌal/Aq/b+Yhk_*^P̸$sr D&@s,6o-Ц_#zN6K-5`/MxrLf]ԱE{EOK\l Vgݑr٠#5ɘ$ޫVKDVT?͉A sC߅?hQIH:Ʒ@gf,^{ 70 b3S9l,[j(dkn9v6LkKX\@V[]$,vK̤1nMb:heDHv2q[AVzlPyKZ@7 @LP{9ܼOzG? 
$(foM\yȩUɗ JCrES+NmPAU+[<Q_6V3L|DFɑܙO luYv5ΔWy :Fh~pvnvڐ HcL[c_L'YKU0pb(?w?Ă'Ǥ[o*s$9|oqȘ,#[p#qDZąfwns%6fZd)Qtp޽$<3V*܁F=~W.,*ntbwWAm]5m΄}.(l=m#wWSUJ"ٚ2NۜTe6'DfZ.c/okT7}'"}|r^6=lb7Rs2V7B)YT/vSdQ sh*+ǚ^?R]яO݂A5򵜏@f.qqB2wcH^PE1 ύ׍X'7)ݨ~p骔0F8\6[vMaj.5 A"cS;p؟-oCmVS莆%|H~cN/%#$ .{=O}~YR~ _Xa 򩩶$l*.YGT'sRAjhJ (J^[6-R(HKoQC\{%f 2ς[EJ~ 2N 8d`|"4YaΔ6 -7c7τ6N!hN<dz4}ު#Әu&G_pr䆈1ʠT`cr4ei1(5<,?Bb ex0 ֕{X"qIAߑPV:,uqf݆sҠ*='cTĄ # G03E8KD²LE-jLb\C^TK*ʌ'`C̞>YU3L v5%^IeM/c M඾7{`ܐ }@Ux~D;9gɮ 0pnx *ܖς:`H(d86O\иe?QKb Ee >"3#l Hu5C://^C+3ՈQy+)LiH\Eԥ=g[wS^(xmW's,*fdOesʰky|hVIm[Hi_s^\f<͌u \ :`~B.N=0#ū{ pL=~ldgDhW ~[JyOA)˫*?lnOpAVdMʟe %v.<#r!O+;n`^` 䆌߲CoBKo%,XΫ[)II`_|n)ߪgp\;7Zq%[>6 blWT5{q^D'8D=V.CG<Ĩ2%Hޞ oi2(9eNI`iK.{znmgd}!ݕ I~҅TñRu3 (MM yn[^Ra}'q]>q33oyWտTK;XlENX:Gp(ltB$hkz{G}nY9퍠[=JƦK?˫leM $:-/|d=ٸW0T~3K{\Y?>TEShԉ\؊F;x0<\)rpMfW<\ s3rJ~\1t,<0?~B 3"!j,U: eN]Jd.pjN97Bhc]iQĬp3v*MS (Գ`Yd2[M⬙B25"DWD R /u73-O@e }>ϻ>-X$x$׀pſ1:n ^*1zJm9lpwڹ2Z+ʹiW|m}z7]Cz[hq $ڎG 82Ɲ8&Δ>R6Ȧw.1'P.0>9>A'e}-# (j_H:Zts@^lK{2/8wiqJKUv#Nkm M IP\Vv%dx?5=?J |=zyIP(Ogt)+_ J(BdtSh{XjvKд]ŜQ?RY[58SuH>Ep01a͏eƭ߹9+Ooѓ}3b@Y8)E_?03w<;+`}8g7N-%؜waXf`c7ozE&qrRw=yA0t'mަ-q俏 W!P} E`]Z/(-a2 PX.~x9SM'>e/qdK8G@':MtП t@+&uVe=_QŢq(`²ଇ@^5L{9$8L,vC~ə, ziPTM.6>]µP B> A}x|%嘲)@2FHY|N%z9싽~Gyb=*^S ڬ| 'RR>p-NZY]<ʼ9YVU xz|s^{п 3|pR+]IѬ1iQ6,\ `xeIaDC ` A7pܜ?" _CM62 TLݪ] W.bU̯X'p7E"LTߊ2qXDD#PH?nu}3ejK[u140 s?YL9G̥Òz ߲rOCdy}id4& =\_|lD 'TN6JDZhc*J}YO$lD" <AR RU* gސmEohfsU cz $?dуm}j5?~УZK讜l tPZTеDu;'"ѻtѸm[WXQy 0UlE*3T8*rj__LAB-$|+v/fu_ŏČW`Q8 ,Fߨv`t "T)o2&.|nv3D^mzmsxKrZ;=/G-fK>lG)#OXN}#(v| \m(?1oż[e)*x`sԢH+<FX-51ņ; bпe,mȯn h󙨿=5 v:o9QS3|꭯~t+u,'458V+ whaRoPĴ9l?Lso53L 7[ڍ~&6/,֯`qL%tPVE-T0S6{1@UO ^`9SI. 
EȞ.1F_MՠGcc9\냇 À`@A5W5~IyƙlK- O6`9{:O8fT$ra/Z~\4ȔlQQ zϗ#*\r @E9Ǘ>ܡ;\# tPBG1>%܊$u8}"w"Krj0zIt)l0)ƧcfQj2eѹ?]o~mPt48[rƔ,>օof_zoyoέRRea{-4ג!Ֆpq^G@Tt!dQ8҉CswJ 襛Zr{5l̨fM 9ytF ǩ٤.xe8j9(IiCK>d9[ve)6 NRFгƣB'#^ `7J 4pz-՞&1 LC#?NjFc[yC4}FP{ZmDCuyFo7v:0ძI ʧ~h)F:^k.A1U6r>7V_P|X jK:@B_UܣP3mHPlKfE' nk|n|61-P4˛Wԟ̧OW?k{+[(.#{;^8RO p6J.>ٗHSW ½Y%ϊXeQrQ9 ?d':GFa| U&|юxj @os3l1P F> yHq'½r4}>ZN{`}-UF` 6oRH%$r^ˮ'=̈/]&/y YAtH/@N*]fD,mw~[v6[37 .H1sZq{cC|/:Nn׽y&R z#S"bH~ >IzREu("hNӚ]yG0 (k/DsZBU,\zy^]cj^4Ѩ&f2/ߡ)ܣ0z Js (exNXIO4K޴= |#\VCgn'6FipzK!wgTA,_v{Y"wD y{ȕ+ҡ6'5z`.Eo67]o>E1Y*N^ҭJ<w?!1&U.W"!@5Zt|0xN7 uC/E/m$MZR8۶*O}Yw=d !oET cnf~-Lfi1l7T 3-(Ml*9W wކ>#I9p7!)Nڄ jH48گekyH58aYx)]~0n)adVK0"ϢysZ,覀 `GN[!n Cke ;{qPlK rT Ng^LVJf;؝N +x!Z&ƿz\'?beKRFm[SkWRk0WK瑝gK@= ! Tbo܂\p{GBLs*Ѱa&HꛎDqV'w[G!`xqaR݂-xD՛*>{r!џ6X#!ߩXlArtZyBG.o(2rdŁpYsw$ﵫT6`BGׯ?U@բ[>#/^*D,< OnSmtF,5`ɨ|@[OhMrv+, &ҽ7o FaEt^wAq8{jn"*ir {A Ѕ)Ƅe&#,a2㩤%*ָyeÞZ%l-v1tX{[gY㓓өTf{*%-O*%rV.p20E.@7 &,-ϕ UՔrfqZ\ۛћ&&μr4lZV[f|#uoSlI @^:\HVqV '`̴fDzc{XglNFԄ҈_-`<(=ŸN<fc5͖}$qJ\~7{y9zx %% A ?!Ԫ(7uЇ><̈k #7WrhXi}^F砺9[e^~>]sV.A?̚U/vDP]"[q-ɦJt_y]?GY{Kϻk.9ɆȋO"ؗæ+%Gfj:+b+1ؽla>~C4'A;ȗYZ/ V\_5Z" gXh^`6MUEXP@cY̍bY\f%R5WQ_9-UL>1s! 6΂ M_lUI_k;9.s>)XtdBa' {`mȅU&8qpdt?Aӌg P^xt )bpIbJ:(h硍YBX˜ Ch߶u7{]p_v"VmŕZ-!2ANy & ZKLwa(T^zu1eqfa5Ic?GLGΞ4znUj[@nQ$Í F W-rxNtbXHyiC:FqR!8iN{ba Jc!M:KUG\}|n~e1K(Qi c6$T]e>qciw^)SƭThmO$*bH@ިR@a{f+#ˍr߫QU :/$yS e8+ .K5COi? 
Yͣvl"7 & Kb'JPFfbk`.)utSXd#Q 4[~ TY4;v?"#B+Q&!v LvWg}* $6v;'lT!/"([Jł27u{?槒{OU9a_t[bАopⴗ`pBGSߊotNOt\sʪi=_Q U,&>9VўZX3BdVf.([ICQ󛜌0=H/5c.,Pa@ZMS0 æL@+PVp57 'N/Fb$'-{ ̝ uG}wŵ%ʐfK0#[ SQ`mҡn>*e+A&>XA<5-kUn`KZ@V C]/of" fPWҧTL*"M LOL;Okh$S)ȧk^|#!-JUW+ǻȧf(Ԏ64ɰR1h!߅ fpSNx]K/u׀Jv=@>Tr5S5&0 !aZM7v>{;!01zF=s,ehI!ty{`#evm4O>D9bݶt)ߣ+e8wcxp,FXˏGPw5swu;v\:4Žh>xJfPYj^@"[Mh#Ll' I h&U )s}އ9(=nWaU#7{/P~aE\ǺK҆Eru6KU&671VGQ݂I0+1 "f?m- by]|\om\MJM|Uaj$B0I hQ)4'H0񑜒EjS|enbPBUM0eWlO@tzFo`་ li?6:ѵu81c!]:R(j4G*.\ LтIBIJbt(tgpASkנ_JмL0Ȟ\tTh;|(k+LXG2>w e}Úq8 ؇+q';U7HQâ*=U/jNeϔ3f lE4:볡r:,Pm%qbxsb  )xK"R%/f0򵩡E4׺@Xѷ&qy=ޙMNBe9ȹwYߜy7@G^7\Sx'^:4.IVQAV͑IoR;nք4p/d[&%bOSy_ @xAvR1KݪW׮coWt:´Bgax,"Us"\O ⑒@ֱ' nqz  `omP);Zu;:`fA9:!(E  Vu]ۅ Sbg$K =-c΋Rǵ̀+S qB3>YG_IKR||1i|I1@W[! z|Sh}kwXS,M%|MC%?ZG+FJmξ jA1g_{+lؔVVc@7C4!s[泥J.xdA 9!dFMɷűZawc 5TՀ>\ DD5Q. #9߱^DZ8 ?1ADęSt[a_R35V}S6~Tk\l($˽яGF?,NLVLS͸]Xnȃ-aHy~~]3U1!ad |Em:T(맻i6ER^V=C.u6 :S"'$ghvgu:hJ%rvh wLE/\3tU"t(VQ4Ui0$5;2 Օ"mlw)!]B02@Op1zq͠*t4)jӞk4Zp6oQ Md~ s 3`aB3vL{ܟ>k#>7|OVb"Wo*-ghfI[ nl` &|$GlGg_z-N=Π;0QqjY;a> c3˿NGݘ^L\y &!5hHheF[գl]\z+`XwW2LcDcd4Z_7vAɪ~}a[1'z,W +;8pM,e\:OAm7mZCN1oQOigSnkWdhp1I?A-?~#>joɓ(WC'ڙ,@𹗖|I鼩XQ@j*i26{ы{r\UKS= j:?Qvc)>^B$.Bo鏱bz!v)if>C߁b?P$"ź 9_v1 rV"a`ig`A"`"?.*(SiB7.^Xke̐YVe{W<1# FW1Y&ˋGDu12+JZ[d]_bZ-/3zeHp\)ېBDr85KJMY(:N:㥝JR&%7e@vȪܝ-;˦qFxޫe}XDi xL`mϫ iOW\MYr*9`tE5:\.Wb2M%ѱtdg)6"ߝ1H%%6ߏT ti9$\0݃Kl'D YV,[ϣRu051$?”toOWNSqN5Œ hY̛D"eA}">x|T @WT;۽ք'*@$1@_LPVpXZ4~-,`VQoUEw0DE /uNU9뺓eg>j+! b~nf#WQmzW.MVD}DVqMi`)>{~f8̨͉k̟XW úCn O Ν NIi d8d 1Z>z=eGBp;]o!w#Q#LC3ZR|>%zMҳxO3X&SwPB,d +@jdy'KuX=o8GG;h[TogM |e3:KmGH' S*(߹]ߐh B|y_;D~ R5 +^=B,XuLH O_ݮ)fJXGq<컣 hm)d7DXhQłTi^ "R̐mI޶=mG]ڭ ,~Da9f&Uˎ>BU1Dr}Dc=pM:&Nƪg ' ETkǓK9Nb0kQTf&A8lWHOXhi;M@3{ k/W{ǹ AQ#6+39W|YQy[d۽(+W09MŻdG 21d5 2C-M9>!|䚼,&tHvEf#f1/e!~>h봽OZi[[ (8)@IF¿$&nEȥε?wb`f \i\-1tmIفVĴ;=S$E_Xt9>"ΗDĸyu.wM+QE0)Ti4% sMЊp=4 i|#N!G--BF7ԃQNr?<DBat8+_b\!CYcmqMLUF/IqRwjRi s~-0aqOpFB&@+80Ţbӯɓ9=,-|Nk;a_gJMA"jC.j (8%!? 
7 >'~HN=n\o.%m8 qhkE:,AKU}HF˫gB"Cs(@, AQAYq~l"'D=Oz?.x<ٷ6vuىCTʳʽ/܁5+OowVw(ay2c[mѾ];Qtq(udk;z&ٷ>8Qw: }~xmSfF%2_85!(zd a׉6F/$,fDI1xn^.ICɛ-è5.{~$\Q《Scmo($?Lz-OA_d"|O}BV\oeǝ'+|]2y(#UPW?bV2>tta ݯEgCn=lMBC.Q9CuFu>oXscT^a܊ݑ^umq_">j/8HA[>L{E/mvoޔ}{ |>Նaw.1cy_]R;2ƛ8QkU dn[D cփVp`fIՁ9ߝ!`!8lQ% و՟U[<*OL~&`Yx%$^K=|V ()N,M.^qt=S@gF]6 #zr^lxH*3U xV`+8d~{y ^^7ɋ,̘ήJTuqg@1g|4D,fݨwUYy+hd;iNnȨ=FW8Ar&i._{U$*cw+Ztyǔ,~x!d7gi8K!XS>`~B9{8ĵvgBqM_UJJ nrs.<֬l=>+N7 eK9(;RR;?j'aD[V~{:u*zhJ|^ O9;nV/>rO3H$q4 m5kwUlB]hxK#$7?(^\TByw6.{F߉`Zr..dֈ/28$3ɷԒv< !ڣ#Mb\{>VWeS|3*,e3Kf ׁ;b@Ka.,ttu--: LX41rucR]=ϐL0U$([P{iy_?SЁy Dx@J$Z7-'=!:?0﯌>\@)#ˍףC _J]S~csr]AcbT|YS(  :?;Az;^ːDMC.G H__A X atURrBִL̵A5qh]HVip-4`]`^bOG)'mގf'F+fpdoe\=D9ƭfwtt p5.mXؕV:ryC_Gua$0qPb(~I9,h,Gj5T5?妏h_(Q)D  &>Ds;OZǛ]N(- nWxzMW…ԧ6@Pl=J3q@p׊4114r )U΢D"IiX/BKB?))yQU݌il> `t!bwzF):.^CE**olvwyj jͩ QO47fQq5ӕ<)b:ZEE>ӎD;E [?iU : ,v[ww=|bqK>x URs b pK 8bgWHmbH=Z(qNwЗ . xL@2tASCOYH Ty:DAG(r嫙Qg Y17 ;oi~cI7D?_[C!8P,H \[{x}WnxSeҕ/4iOV@|쬻oRﲓy'k O<ecQ?zg!Trݺ2&ǚ4aK|[ |{wEN%/P6c^z#zҀ+#Uթʎe6G7π 1_Twg4=Ϳz8Zpn;k!#g|eB8FeXG'v^N0#D]5,8ߪ-#Tݭ&K~]cՇW ;ov$ `U>C]nc{%괷1r_C~UƁ&K!fHҤf| 0M"vM Ndr"bj)[ (' (7{Cԧr= #:% c: pÙ8 f!d;.MlJZD.VwMҍilT`iOw Ei_ֆhhJdGu&Uc :rPaV!s3;CA&ggr{SעEr{f_dUB aC3!!ބr׺#Xz`.)>ngP$bFK7R]h/Mit@kt s1Vسhe#4='9e_- vu<t";ɼ~Mye0AĦ3*3_3FF+=tg1M6җ(CQu9m倒Kե!z,SץfG*l }ňCt>3v|:!(2@aZwm7+ YbZe.ǥ,-wG+sRVHΖ\XqK? 
\q"+F~Eȧe:]hmo3u b߽b%赜+%_V7^V_~:_/q.HBMiI"sjV^%ke1 P|290gda|dbqӖs\ Nq; T ȱdcy#%"7]^O)=8SCx;Ri%sR>3uU 5*i>.taft]f kLZ5Z"sgyخȨ.$ 3 #`RbrW[!HOE'Օ}'CHp^ 7/ٷn<08qygp-~po @-Y]u}" j߀ic/ݜ-0Ӫp Kǁ BZ!Mb&bЇ豿yʣe:F2@#q@&ŋZ&۲y|,'U)᡿(FJ ߋd&hBá<Cy"]3Ps$ tiHTm'&R"mj1л&%K=Q9N5jߑ'[ mexy w6FOSu#VFhȝARXV36f_30P֘+T-6F2XᎸES^~pޒKziD{r;, *Pnh  P0;o?[tdTbEc &GS=9d"8KML4r#(A??wJmEY|#Q5gdSJuFHOL!n._)k D"&t@!ˁ1<}Otl湬UO/Du]S%⯒[}uYX)"YYR4*`b2o$=hu$&78s1~y^i=A/0RƇ&4oxjKwm?zgeƊmyNDnCݸ;s6E+ "@a.+r#֐Atp3^D~+vRidBa rh=JUP$U%r`-m*gF%}\aRrŮIl; :C6~ae-]Z3^f\⽐tr~]X 彺,Xg Ɩ)Aլ1a:Mזu~->τ]pc9c~(6h7=Y=V+零 |`D^[}-A;`\`,g;X4 5%jrmvb7`AZf&p9NA į].ǚFi N+ RC !+mE`Z8n-jYNQ9-NJXrF#T.k66a Ve,=Cѕqg n~N=`M V?6I?l$/(]l4,/T_+y( ԱE1o !+C$v6(bӦBHtF,LZ˘sM)[CD 8i}p<a2=oC;c2043+kc%T fqEU?e"Ცq|d3P{Q# K` kDcpXAʏDS9v1~CU/v:?jN_HZ=tjIoT;ۯ{R{}J; [BYN*XLC+ ZGɉFkG-Uh⡫8-b?/Y:t77-"wƜ;AEZ2Zj0IBM *ԯ0 _ IHY:ňqRYA<9 3]„ٴ(M Ÿ ]+$bjH d/XO}ę8B),YUw 3}X2b; nhʅdQ2(<݊ o{]lCs_9SqEexދG%cRƛwx=co=):E ;NZ@awsbCBOϞR?ڰP7,]ѵ@͒ؐ|HUʧi?~&_!QSAtBDa9l=; O,xbVhWjr68GfµP[0ܼ>!6Ž!szN} r'LDxځru_fLHT)HfF38 ==nHGKpRO_r[S@c1oR4eb2&DMxoG2TVKa.Y(n6JUj`T$y' @db+{P@QܑUO>ZXO/huȪV}=Of u @Wffh *:$ Mo`IͬsZʉ}.MZUT$jѷBJ>X%\tPZUbT?҅*5hP_&{2w_|6&/ݓʜ(kE[K22@? 
R2gƫE2N Ҥp l8itdt?EN"|yṞVηA4;\U xG{*?l`Y \8!C&w⺖!]{ F]g@2}o;AvvcʾcZܭ~w)PL Tq6"z6;`x C9?WxƗiCL͕[ѳLt=Jl5%Z&s  G).=aq8~~',?Y6}ʸȮ8ܨ܉Jc"X1/w/?4ыɱ(?b$2G'B*ze{/fz^nR Ʊň/ ~{۱9GWW5a:.!ؖ\+@?7'@ ^+B}:)ZD2>bdO ~M}Up>4[Itj 7&?Bm>CtrxFmd'~VlgmjՑz$8Ȑ y$?P2)b>Xun28`>=7wjd+kq2KΠك^ӭ5Mu  9RK+@=m`вs8Wª;2_M='kP3ONzCC,MmLp^SCjn?HeϒɭY'y5?gpnHųk1Sf SrcȮL\(x עmz9ךz}VVh忟\g'$:eaY4lތzLB,ZI m7J,4Ew$TVD5K3͊rry3.%.|s ,BX=vvx=Ge\A+ȳ*_)NÁ"ϙ"tINzt6^ԿF;ݜ]0!B5ˏLJL9KPcgxjv_=`KFHv}%{ߥh8{ ObJYAj+NQ%90!Lh45JԆzk{U U.}ސGZx2LC&dlQ;$βI:@(dN| \ƼA) ^pK(,dvjX3'HR%Ǟ ,mZg8XiR7JAx\.Ą9[ h'zF;sG\'$?eF*UxQn_EStDڔVХW!W_CF-=RNqV'a[yqz}@ 71a`da^aٟhtvEaג'1S},^<EQĶuIjp]JO$5O3^4B@%2I ЂhujL\U1i4NEҫl߂7Yэg"d[k K;r ]Dr}dU2pFWrUyUF~9'VKԿ/`I=u H+Fwvz5q YgC>$ drGFF#ܓ=6XiJ4N@jMNuv(;ZJ]MP\ 9Ftl+&tB]:I4CXT0bڳ%Ōx9dr$e[ ;)t66 UH03ab$I'6#w}0~:\|f8$Ά[o:lgK03:TM@p$–I^K XGCTNflIV׉-㴋/i΄p /^%.v}j "d%wBĤF<6roWe('7eK`%l:*{@@Id i,U+wDr]^TX0Y!0!ݥo!^Y6[y&{8_&^~OEOu_WFҰ]qRbkW \Lax4N E|Чʛ.푢MXD= qSJZYxJmB1RśxAV_'n1F)AnB`7Dp7STRݝf+.tmu&>IG *4?}5ۮjnWBݎCO:仫 ⡪j) gY%A\w>$k/H3 clLWaLrH(::Bo o\!l7}>Kw z3h8 "hHdsO]\w@q^|qH&rXRhA,H5pu~E_ ZQ*q\\(>ގN0o؜UcCBh/LJ5=Qd$鼲~ 0CM+cFʼ3kꚄ.g:&'*Wضu7j%nSƸ`Qʟ֪$A14=cu^%v #A%Մi2v<pԾ -Ks1Ju6{:i(GQp.B"vd+Lw{BdR8_OOqSiz{mV= hz,?5shIdFf!\%9|&1sqãBx*#bXF|SWDB9,FIxc-$/><؋֥;_U2 f>oC5*O|䏩&lrU$_Dbjم11-ŷwkpo:ۆB6` ( Z[yjU\utI'jٳB_xQ/Vu7{ѭ^q!= Ui'7=c? owy[{_ Q6&CW=e-SO&V-52SΞ/FmjmSzE GYřAF%w_ɉT+i7A]TxlLnDFY(0BTBƿ%.e}c޳Q^YbjKwv>'PW͛9ڤg' Bl1x'Dބ{yc '\V7-THdHR+FT8(MT+fw\ hgW~k3&;_MhwA >H:DᕊO]*vЌ+{)tA`+%(D ;| ?{yr1+h`/qR*sQ)9NaCɟI˸'EFŹCP)<<^4Bc҅ )fLI=BjJ[[T,~%(C) zJ"_Xq^ 9ck֝m\^or~@ڑ # rmoħz{v+9@S1FEIĺy `v*`Vge(ϠM?UvJ kfmISӎg&'Nw n?yʗJH+Ώ _1S&C.ZJWcF4CASic1:&+qdAhZd yMB. BcfBê0Sug5`)i0Hmb fG&5iL볜[Ӧc@p>2^^p^u̔ոޚ&iYWB 8!vIfW6F'S=Fr夀416\dVV8CVF8>LC{qᄼn^LeژpG ̪O8kv-`s=)`uS\EF=\ Wξ]̡:,]z=E(% c&Y"ti1j {oݚzmɌ%Z{M^鶀)=aG1k4id#,˸(Z}IgP$څUX78~}! 
y3Gv$8VwRCNIPMGЁS2-jHR}dHoJgyգY+Gp gCLxMcVq5E G+  uoPT[ޡU piu@ثPh/8ҟtML^ nvIa_=4Z \\V#$^7`7#>x1bﻇ]f cy!1\s{%)X/?P_q Nd_l>ke:88WZˆb|츏VN=3 qM-qxP=I rv9,1pВR )|DL̏ )+Kh|з,Yqm'YH#əoT}ƥ W5-4`*w1&MVa&aFγ:uAI.29l1y_<,) (}^/N.ښ+*`D#?~_xY>>`ilb(Q|[R ˘+ykq ̽0&#`:ou3ۦ|P‬.$ Ca\}.uuI_ƄKPbZ6A:UX֭TtH9ŝ9o:sG׀FPqgC榓&. ,}^}9f/qF 9 Hpyx m}\MI삶dz5..\A5hyTKV4ҋت(ɲr[ZhmSnruB x|j cMoׇқX]!ݍ_SsR$W: gs |S ͪsax"L̓VeV jW`{·<-;Au))/^l=~d m{>8Bq*CUa@K|uPk:`"X~.BfUJ&+~X&њ 䬛hf{DwT x gupcP?<(OS%\1m,ӛPˌ1ƹ-/\8EII MEV*MQ(p{gr3D-P0e( U 4TP1?AͥzEEYA _+senXqq,N)I'Ey3MO>a-3mj\lI.c4OGsΑ0tsb`ILSn_u%-;@ ǁ#}Ų݀Ab^sZ7=M8RZ9q&2Ss$KB7 cfuݝ,5 u #qe"Q}uj{۾% %9e{J<1@C]L=8( 7r GlO9y$ \CZi7# L Vg[3& ; DŝqiRj&֦(zԈQY\g-J2&VF1?i74l\.[]_gKV+",fRPmO_".$Y=?FBqQWX$baBzS_$fQ E=z`׉J(ɗPMԀ4gMy1mNDPa9ϔgm=٧ǹ[cc\ ;K-QTuI94nJRʠPQm=a V3t""WCϔ2 N(㨢m7>L ۤJӗasƌ '#:JqUc6[H"y1;Y$eaAZI6Fx67XZm.kUGƌF>L'3 65u./ՖNR"y6PYc=tqPsB@*غ- Bػ7dwn(Q>lm̞њ]!Og$e%b]H .Y)[;bqΤtD_9j7٫5>g§}ƾU7%o1 VN?)u5;LF576~n_4kK&r֛UJ/\vMCdthơ\"%=n(dudR<φ PPɰ)r"tZ}rSL;:!:/Td5{r6vG]$5v;˖t6 9e:$.9D` = 3rf0D4_UE@'q{|z[_tT<BU!ʷC 6,%+LVzZB rIUXR'c &ZS3]+8 4): H]58Em킍 (lqY@9|u޵3¦i#ta2%x`c= 6KW;im $e bgsl]EJư5jJvHu1Ne[ܙf֏!h׏BuO\vkh'M]+bFˤiHpn&x?nja:4ņ6X0~{.TNë!r79@ިǾBOcꉰ+5`9KSvII2(x=2MkbF+Fw*GVNE'Vg Q,ܐ|( to(Gg88ea򧲑OĘ^Ҧ!Q۳%PD Ga(8R=UjHI5n!|ɘb;`(˕ 0Xtz*OV:,}mD=-AI&3J]ArͶ%D'aGo@%gwᖙsMk]yوw#9q5ҺT7L e|Uys"^p/g9` k\"/d}o 8䤯Sj0F`(uH X6ff E)ZI4aӜΥ2͜YU% jAǕ;13wZⳇ^Ѫ>RUupݏ4U\LK96J&a>ei^&`~$^?4be\Ze `/'JXтWO} ݒ ǣ+>o>*!ۺX. D&Ơ*GZl^ϱ] `e=E}BF|AIƘ;7kNq1HKTG}\08C ጂ.Rٲ0DgY)- `%Av(=k(#%XuQV?&d.4cYm Y{s8."<_!+8\iՠ7MT]$uuM躦qz6\NW>'Z=]Le(\L=:NF|pIySW*LF `a0 og3\Tr*qYᡶz K:9A&p2M$ܮ6XYMբ{jWCxd9p(ȋEss,3cqD*7#í|dhjs thZ&M:zctϚ6Bb3k x:m,L%Bd&UI|#*dYTq.b˃Ѱ-ijM2š@qu"w aZZ74V}U?Q3uRlFe g=S!p}8yPS:a%¬Z'G,5V{FċN !/0RNɤ4iC֮v0.dc0r>Mf(AMŌN GG(Sp{ =or_IODbbs ]P^܃c8V"`G `Ƣʤz#)>f5@! b>xFq(~tIH\B`UGA*BO[L]`q I ]:2T d;bf[nUlN.WUO_G/g’Њ̃IUp>}G=mƜ#¤r144 lܘ cd~eYl3~VT_s2#}GE;DH/w1A ? 
?,) 뼹:bMMg`n|Lc";X X#^]Wm%%w'9JbLz-xU-+qqg?-=P.rkN Ȣ̞z k.ߚVG͙ȓb&3Be Ea& 7m %s#GZ-j-i$O'R& =y2ᑑKx=F?*rUɮ%5zC_j1X|<+=Ro=5=[w ,A\q;GEٝ2\jLZ625{KìrVEqk!w,(/ijEvkCk0xlm~oLj3+B9.W3Ps4-4 f<^ 溨@eGEuhzki 6)|"1)6GUܷw GlR")z[:eeorfjD> N_ݫjDCZ=6៏9է_3Jrf%  sB%pز %>X3ډZ؎azcaPSNy ph<\Sm&/8SVIb1FS3^ESAURɊ[C|N" !Ouޞ'Yt-{:X<0.18Q$ |o0 x2u[Ms#\wŋ%gS&!cC58si.2" 6@}L{u~6%Eͫ<$PUY/~R:]ٷE$V͎b9V6l/v}42#R| zEKysQ$l e2 0kcҿ\qODà<#t(״'$f{XyH|:4HAs璸ip&';Ȃ%vF jux{C°{m ..i0l0iĵlK]t#[:q<2&T9HO nYf\WLvi~il %&g,~b]}9ͮJl>nҙW7i?ryRDd&P:~9N']\a4;yL<(Y\Iaă@o"Zwu&e WfiFpMH/}'<K ' dY-(fI1 bȖRU3m9D;be$$LˣG}cMHq;lƪB r7`ZjpȄˀ$Saҭ=y"}ԋEL.M BnyN2D-I1ǰV| ufJgLzCTQi@S0xk/RVe s,͸:R,\FYy2 Ĕ(jg14/JGw~ \M%Mϭ%MpakZ^Q*gL&X?{'77DflOḃL:2!ײB&+[,KEcƫڔWhF%!m $}M0J/ FJ_,lGp"3D +$Y '4˜P =Q4o4ʂ1V70cĎ[fT1c4D kݿd*M6Eufi_N28aA2Zy,ͼ*2;Ҧ6sΟteYkо 3Ĥ,\}dQ-}4sK}1V\/v&} L<67Dl KD@Ń匷qQxu*$HWm3v}sT_=]u CiXҲ{ֳ0r6ZlC%;=RBDNVI /!PiCzMj?{(4_#%Ô|ŋ-𦻢f$ 礯9 fs{AYSފw0`H&b'FK|a,[C8).RAƭ_O? Wm<,,˥5c@3CFY"Ǡt Mym^Xv V;ECLsk1/!Y=+f&O ϔ/P8 p+b` 3bsL/?5| VQBn^؀z<3L[xV}Wk;z1575b&Jun\S8cn_7.K3u",~#uZ-G="Lst؜þo՘2€RfHbrJ eqP<)mCYYtZ֍h[U 2'0/ [yiD1 Î=wzW,$^8f_^4ʀbbxfӯBu ii0xV-.wB-* q O[xY49 f΂{@Q* >Z,y?yQԼ|%P],7|2g>p,{ˮؔ휢k9M nrX'Nm"hLtDhCA _bZcq`ˈ 3z(e]V'|TmAM?dK(e7 ֑0}88̒3>Vn#XlO0RT̹uﱁW4jCHp$N䇠|[&3"iT.ׂdKY3r!B߱']DATEЙh61t8c8^m^3~$gZwU!$'R] Xy{Q1%zJdF { n&|3;EU Sn1˛l- )/ 9)NIp8-6G$~RA@E4)\4Lylԍ*/so\ w-tld/\.PXT^0+dŕ~g_ml^11CI'P݇ 8-)WZ*3otDŸZ?\ ̅JʵWKD 1+"Wx@`N c^dmɋAP=;$:}c2L \zܐB"vtT;n(MFnUmaZխ]#kDﯻ9$?ʧq BC/LC{I4Iwc)"⦉vAƙr@UB&13+_C?M~s>5·1\zWiu 6Yvca P!S%JfÙ\!^%;n\t`  )i y§|\%lCLT~$s^K,9ŏPB"^ϫ@)ߎfs27h>N=g9؊]LA(Bvܔa6HJqp4(]GUUP,"9J3 4{ N mhgje~Du~|f7dDfMiT\1Hhsw_:BjZԇk(F}b"HYTuw?'ߨ#݃eon?2 ] U%p\S6hOkyqZ_f|It̬Fw+8 wr`n* q6yK'2@\B_ Qqm}5LY"`T׃qr^8FT0x<;zǣ=ѠuK%<55]eT5gH/ea\M>iYYU1- Μw (u=u$|被s=ŏs)׊ Lc|BVQ~@ 9AxC.0A[P*;8݌?ya(-RRs/Pԥ:T+PR6ruU aPLY+$_H#[ˋu3I|}~{9pCv偲fy\/,5YV|uc}AIB$椴OW.̕II 9 p꾎R;e/HE D>cwWҗ!e\~bP-ґ{[ePәayz|DGO_|{[`RS2a9-_W =ՅpXJIgƇ#Lk"R(2cy\k=FCb>[%0VTv&5f03=d`yPVea;3*Fxby0Y*DCQRZs I7fu`4騖Q 0br@y4oE`G8:^A]׻L>PBs W8nȇ,18,Qg>\z:"^5^ |t) 
C`@,+o7׵p[;6*rIIM<&V>>c`qMsK(کWfn*I{~S*#r ѧ`Ԥğ3>'^]ݓWq.01|lJ zWdTrxO6pM,b9U?[~L>3H_ΎvJ2֢J 34{wVvT߫2t771=NeC;` <5ϒ*vN (5:.g#LrP%،* = YC*echvL@}YJ"G:M]h]8B\e[y~@HFb1Õ3ᯄ!+V>2O$[`xGffk3|T-8rcODO)Rel,xVg[?g^V(`1T!U hڑLJb/br{a@\tXP~>Wj1ԼJkB>#HůɤibɆaztX?j VkhT*ID.lx!ឹpƜ6$ \g玤aczg1yd4R UksAc3,|&IoG? VR̼'a7(Z.&\;Z֮^ u^O=_ b1Tb+Rϭw뺰w.jfWDدux7::2̩/Gl L/ƜumUa'Kt}NʮvGxa" AO0q!V_h쥭i,z\ۀfoQͨx酡Nf&N-#>IlgM=uP"UjBHyxk^f1}8vZ"|%JKqbQʄ\$?!'[](U2N w(uJI} sZOiʞ{(s4Q$> XzDli[]5XŕM C| lR/d`惨S;9q=nwRpeלlQV ;wq;zHJvU-W.^=3ͱx œ5-0߯wrGG+yѝ/_TPqx>}, -)vcſ7[kώ5`XFVJ3tN;)j탰i TgRrx :+]hs-8qH7lpWxyבAMXkCY0 [UqvV>O*1DS(ݏmlXeu`#GtU©5:LKLf,gv=Tf[#߾pW4ּ!jJ02+%ǾB~}(J3g Wj˾En*Yp.2My#$_'%h=WAÆsyVGիΛglW:N#N{zM٬0?L a>H\ҸTYUɲ!3ZS%FilHiS ̄HDŽ+Zĝ;O^W2KwFȵGNanI3F(hs m,-)oF.{j hoE(r|iW _v\Pt#-7!MTzo=d~A?!;~D1e~a\SZΞO0}nvTHny^ HoWyZ}ܰR9~9Bki5?KXCKQ­[El-e8` mE[dR"' j?#Tk,L(mq ]TkECTiv՗g+s0bvfh:?1Uq6/ͤh?3|%Wy|t:9 !߇˓EU:zR OɌ{(/: i<^No6LIiֶp|k^2%ƽbd"@-ֵ- @X갸"AQ;{-.d{]&`cj^jUG.oo~Lq$diZ4Gyq8I<2/WLË,à{S#ftctnL'R# PƏ7T9rhOITͼLOFgw̓)'5B ͢-WI&1^uDE؝`κ6`|Nm gfb%#v}sA4Ań\dDY(zoz5$czL8 T!zL {1ܴ\?8nDC).zoq,LxFB>H#h"M1K)c+%(_4XLj,ʋkZ[NFmTd`H%DQl|f{ZF߾^k ƏLI7|o]npj=9`^Sl+*MXB4+kI!u~ 4}:<`3oe3v".B7e0x7m[a8L$S0x:!%#,)IwB$r+5Ԅ6\j b(a"Yla8%Y lZ,+ֺ 3i)P o4 %VB!h 'ޮ]pT.!RQ/tk-?oq؞wHe FrQ K_}CDn Z͖ .7QEaCCT~l&Kw/dKPJ1q9MKo{p vGiˉ07QouKw=! .Ab}9h4" Obmj6s+$oڙ ~ ̼2yY=fEWRbɞ٭4_D tڹ%]9oUtm)DnOn ^|@[xpwV !a"!0,etkS^͐B^%T,'A7µds11ZʦH,`/ IVl=K~0aQ Qx>rT>Ė?o,uS Hp-V |!sbREaNמ.7qmJ>_oecs4!PJ5 P7T; dfg^96\־J*F' dz#TҥnN\iJQ{>hf+7R&lZէ?M!&KyU%7`  7t#e7.*kC9fU3KPvxBX8dSAINanDAf;]Kô_{҇Vf Nf2t,ڠ{òf.5E~NF-+Y6^086l?u~,ٸ8ŨK3׭HOo+R4XUyC ͮ‹_dKs KjЪO/ /}@ .nݞCH'g`j8^ry \#XjUEp*&{&s/bmuٖԪd+ ɷ§Wӗks0N(wxf՚i#CuMZs*!ad|U?/7KLWL U\3`Fz>1=ݛsޝb\%ȥr<SSCӦڣN8 `Z\dPw+WmP^h_vKX,-#R}ѩp~D{iZ8= NNnW,ř~fD:n~{ZʽDg2qP:rt[0Pm1Px$Cj—%̶L%E "Oa1ϕ)%F @Qc & g`vKԸZpJxϡhJyf6,` 9kw{/;"D 1yR Jlzq#@{}^Yfxi}gU=0bB"1)80 E[~X #u{OM!gXoop)fp),\|=L:/)JW08(7b Rt^Ȼ?Q>ϝ|h8oU0 Qqt x[ Bh|>25 |<;:8'M$1ۯO[jݨSy$9Oľ/5v3IV|@"xf&rpGnVL:^0x/d3.~ fÁ? 
(~"jt2Xs_!J-1OF;^t̢VЉ<ݷDa4*^eĆϡ@\>K#%B{6nnG#>#Ymd<>+pu+{ɘMmE йqU4\s:$is OfWClg?t*Mo/w{$YY.H>SG p_X:D쾈j`~itXV(NG &q4&E+ +,"c V=1LC] aw1.w:{&qb>MW*4g>nnd|=u,R-J$=M z05S-yP$X#pM8tWS[@Q9Rqr톙b%1JVOkTG!BH,׷+'u[MY5͆gر F.rhn+-rC{IbNNTThW?{dmbz}Zq2&RWx(+f;M.3jUrkpRUC>!0 ILjߛG!+ͻ @6\q[ڳy ϫw" G^=nr+UIBd"\#3T-\Ko_8&,eӉ]ThQ͢BE"Wx 4 ɃhtTpjsXd5ue19d&@HA~C.IJ1G42"F/n-x8(pF )Qp_M}iьV\$>Ra ]ĝuM O,NJ}^1x5nepFC`Q(^4K5>j$uuoqLuxYWbGQUF\=\ƙFlMfdkJ36MҴ+)#CK`tr^TH=-|Y^~iaR֕Eϩ2hdZΆ:=@`%c';H4 Ͱ߻\G8zKhܗ}cgpDU'2j !xeGx$GKz z7A|@C/JeHp-}˲wڏp\)t1mo+Z׎*of ʫe}УXsÆ)'?|SQŕtL>$ݥrEJi#^wB ZboutayE߉%s &@lW-/`r5G^8zzWJ@`ܑYYP'Ua5v47#'N DtbLfLbZ-&NZ5TGW3bpj᭦P *(2I'{p: iƳ#)<ߠ'w3bLg_4ae? XjCٮat43iF飻$s?ҴSƸa7O~e:w+񦾄* e %ahFd| BhL4BBכ:N; )!2BsgHSR]aW}{|@qQ#Xsĩv>TorEߣ|Y%>Vy9ZȘcC \OOi2"V㻣pVR,fր1|ZfAe}6|yeI Z>}o$TaX*/fҬ s0J*W $׳af 탺ۙt=qxaa~,4)OƓS4-?:ݓG Q$J"[ߑssresSUMo]B2Xgc7m)w_rtgArB͠y}q_p!+Vw")U)WoP%Ty4!u "c"<Glog }19'\cZ- (K1)*h`4V̄ќbZ).jj{ 13CM  z2HFy BHPeQ Aaku C;NNXAg'܎I ,jLʇk6|HnsX&/884\Uo%֊טC~[/8&*5b/@;|.@BQ YLOw8]HEgsC@|7Nvfq[[(MJmϷrE75MѼ!Kb-i!$b5bB܌vb"Mγ  6p FoO:J'rh9ɉ (=-Q^!w vǭ[\$Ӭ4VdXQm;l&y Ĕ:DCԙY9*Hد%SҘ'dGL,lJ\ʚ5J ;nDZ?Ű/RC 啭:zZd wt(* r@XZ k 'N:F]MEf/dcR4a~eO^3 N;<% ̹tMb?暘> <3Pck 1 z-3CF8f2Aު5S ?c J|NGLQnjӫrv- hg4ޏ%6b?7²;XY6h}]2d^̋]S7s`E^KT{1x!-NNj#4+~KxqRbIx:ڂ<g8IR]:AwY[hobΥT[.58$Q(;Wb א\#ǚ5lBTN%ŌJEv!CwjOF9dSXEai/Fָ᩺5%`nk}DLd/wܣ/XLhISHP$3Q+&O6N"ɸ:!^I+IZMТƎT>hNAR~==Ax{7iD xe ʺKHn,Ϊp.(o,e)o7a`; $ TÖϫun!7WZL"?Rc2AhiJe47č_9tl2U"C,n@S;(czڕan8ps}qMo|.""vU+wo|eԧe7{ꚤ~~6x/]:%5Vlߌf*bOF/LI_ҔaN.H)␳>֠l^L#[%, %=O$boߊS`6Q㪘]W"h\UūX[JJKk(^x=;:D|ޛ2{ B"[t~@/}0F6A ;[ "z4R., ,࿊v$Z4>xW :DF  ~X#Ql"{oR>ork|w$fC:?ߋRӸL}xycY`:H G 8T:*A=N&( =~?L[n.턴MnDVQ iNw4]~h7ǠhH`&UYGe* p&dT"GkS }.-RH2OIG XZͳw.+]߬].@_fi7.d'] CߠU I$޳(.IP f42v>FYu_kOb[Vb>F)-'z,$K„`pȗ']cٛn6Sd 7xm#D<'l#ȋfs^ڷ}\]W%IgL1VfzGAWsW_{pߪ(e@h$,+/Ye5~†Mbϡ'?:* U_ʑ{EaKv=k_ ӧqD4nJfϑJPjv \ƚcC+!?m:42btH.ה3>yE1r[?LE"YkP1k;2c %5"Ro tQ[~w @7+mOT1^hYg_mIl HomJ_@@~(̮ Xcg8aI37{"/7aҽM|^y9,]t s L-"X6Ы/y׀! 
Zn)6\;є=O[uJ&Û);c2̑!00SbVMzGv|#ֈr v[L9u M'tnh=;Ɓr+#p (x(2"_­P/A[DE.&+:pM6׹/Kv(xȺrEj@E*LD_`ܞI Fnq9yb<{(ˇ Cq* c#IPZf]<nK/BN\usS_|w6kfO,.Q&ũ)8H2P_+%SvBrԹ4dJC8.D5縗R]A(8O|B#?4ak$ꇳi)C y5΍01(wP%˂إƠ*g61󎹄2yi!뮏BiØ$* 02)ncߤBtLzkÏN:qiOQέ)[eoaUh_~`N̘0U-85Z @l^H$%eҿN]&F 2!>Ԇ"_W! A I`s=zkg&aAwea*c2].HʹS6n,rKg9X%"-LOċao޺AB>Ta| Ϻ?b[xaJ{*gf ^08Q') MOSc116j$O~b\A{nc;{Q׽HN|pҺ:* P&=wa?puVQHxcG'+C4ONhj<gI-#'P LF:,fǣ 9h'ҫގTf>nUkCK  kj@^d{]TQc龔ȵ o ~9`b(zZHrt|Ph7P(J"54]=@r|4[^5  Yk&(qYcSgv5 IIͲlU4>DG NプPc<}f>ʲv3aN8 K`2M1CAr^{->AvN5b>*NE+!YWz 8UkP;g"e< Fq}nmqg%x;saBsڏNgW av dq O 6PdBưtT)Uz fJXe29|_/΃=U.I FUɢ6(+~x &)H@࿐v)j]2KImW16oMT".{jVYu UD(`gӞ#Mz=$I_x?)HE ӅV"wR xC pB9iQxF;E0J-_h7~O:,(:' (TI,^&Űf>8=q(cZwJg´e/Y6,]!YM6'Ov0~y-c>tjR Yx'CҌ0s'\v}5c2 +Ul7nX+<-;`>qfڂOJNkg>HB::p~Sj\Gp**RiܽF}MZY(*10~2R*Ёg86J8dP9ߕylz9 EA'.~O{~,7YDދ3`m{r.I‹h7>¤ Yՠʡ(j1/ '~Dc@0Fj l uzZ:iB p]ǣFr~ysІĬ'1,iۈ  7#U\ #gYĒؐF:O6UY4ȂK쪱a*Re!-4Ip0s 9ãyaM uVhKg.쥛%o{$߰Pou*ʧG|<*͍5nJm!+} Bd58>W`VFP=Cئb؟9'ض4zW>_ABGKׅ͆)9iXB?mʠ$T&ϡ!ڂkFziGW ⒠ZXAT:w*'e+N`ďEcMHQB=`^!B׬ü׺oմ>_=Үrey;el~a!wlcM5.g18HE{> oe^/ r GvO!1d~@T8S"ȁ{Xw6υ`TںGt+# Z7P*v>Vk=yY/l1KӠjFc4z)1;qS9Ƣ+*Oi^z7y1IgN( hzF1tAPnpgDFκDɃm>wqPk[8e ' XV}dRD5cXjBSV:+xbG pז-ct$V[?ԼX H-F{w 5\/q rJ9R9>d5mXTsYU,dD{xߚ87?Ce4S]=%?Zl3 !-YF+ ~i MԢJx-HO1K!jgыD@r;7˙@ΔC´5n/h~w+Ww9MJwtomZ}-鿉cb0`wtpmEx1@*`)N}{'8"OwMԕk?_2怖vb7Piw9#,TC#vEVEKP&uq`lVӷQ5B{-ɜ:f`jɺ1G@:sN{\:],xUfC_De|]`21REnlb"Иy;'F˿]kw?`e9FV[ϡwpU0Yb"mAAm] $_@XBN~b e5_~D53s{\7K*DղfpddDZwtFչBZGrw}`@o=rJ*@f=^*Ҡ`ͺaQtAt2c|Oqu?IXtUq#*l`qUNߥB!D4 r tb44M.vfp#UJ#ݤp lsx6 D HA Lc첤 %0:d3 3 f^✳Qmƾ@38EY\l鴫Ek5S](j[bo{ sƎuةnZ"by_5޸1#VSZ@k_|w%zSGsXD/_#=OۚQ>GjwH9%!,\RQ>.# }>zA9nZJC&Ѱ)FUꛎjC6]'28 mCon{Y҉/+/ PQgx}+b$y?Q%%&2N97$_ٜFnG2`ݧu!lw[F-K=N?A.qʹZWKa94]48rDZ~@̵LVI ?+S2П?& m5^F{jYҖ̓,*=̤]-:ѵb[fDkZ7jʈo^p7(3Y4E5Ya:[2Y}=uG h F'4K| 9M k/<$)}OO56qvMg%+VnShxΉO|J?h?61 ~%|qvy14g"OC"T>S5t{C#\o/[igǀ 7`&,cla[MK3m*H:ĩجLfRִ“9?->Fa$GL7R1 y⣚,p LǷNz2a_h )$%Wmb {W#KPadDFeƤv3j7X=V/~2 Gt]Ybvj݅>=R"A_Ux"k<3Tg =7;xiyeGI=w'} G{>n_җS%Z'>{ Әǀx:m~B4Wwn(}h, #eqճV+s\j$`%kϤw~pOj.1iMle 3#+SGX 
Wƨ"yڅH#6 '}`p1N}K#N};<3OpB4K!^b+R <°GdU ]o ۩``Sc[M \3Dt@<5쑱7!ހ/DdS4m̨i5,F5"mvy"4X |/zPka@ ҴD,QD?tJ{"T.-Z >[:,,EX]nc/ũ*wL6x`G' <Ѝލp$EؒI|@h5|Iv CW \l5X;O? ̂XJঝ'u0/ ]޻e"g"q:F ]Xt?d*ZJ$EKܝx'~ʹ$ tؐGՎnTQ:9N2󦰚ݝ[yu zBMner9b0nWS{Wv Wp m]`ꪉ\"!zV50>T϶X L,]$n SIڼ($̥W?BEy=]QA2`Hk-m q27bH02bJO{`J\[2;,`H$3&)POR\#i>SIŸZOwދ!U'%fj 犼,'5j^`O_ƚyNԡ6%/R^|:Nvs)RIt8M:V!xԌ-$!o~"R<|P ^?wir$w]a 'n1+N{ʶ~*jB5{{d!UTx1jegYN?)qwr;9k_E>Ah5EM&2ޏQ I[SMv7Tk2\1tA\MHk9pviSF90gc;-3LQ wOH[ _Ti9 ?Z{4ۓKTD1pڛs"V dH~<<@q=g=ܯA_%sӋOځҀbe_:FMO/Nr#d,3Lx0iQ0ZI [?Ժb0Hw;ݍO<]ұn VgE y_5H N*\/`N(;I2?˛ʉgf6osa*d̄zf(F:OnFT4& (A^2{3.;"3ʳq[l6_OyǁD4vb# (CO+S:Ԡl5P2’WHM1+#Y۝aLVʇ՞K Q|ǡ3ˁ(TsVvrJ6}Bئq=Y#$^ͨVԚΈHeoIrC'WiCԉ(U7/`ws2:ȉ'|o)LØ߰ k'ԃ>j48%bS飁1K 7` 7b:m;܊ :M:m*)&y#.[܍V,xଆڎHo:8tއ%yMW\->ݖvhD(C;*BzTNHkQY+>b)L@$;Q{g.\Ħ,kT3uUHpr/j9DL eJc_Ma&sV_BHhQ8b*w0&߭gBT*}0S9ZiW!G̅5ES|֦ժkWhx.T2Q"hG5ޗJIR"&_ Ұͣ0ߩEґqi>C 9yi.d8v_ùG ґV)4;[U6kMZ)Y늚n .*2I|.P>6f\g*ِqҭ碥XDZ mQۼLe -ոnnGQAq9SQ1_m&." ;ym!9l?>18 o=5\GK\@viymDnC%_[9)vrsO @o Vg}F  <6qbܝ#d@vn@4&v^1 f=tvCos{vr0,=#^HyN>!0wO\<(~OcxIculVO 7Q=ufDZIyc>UKYh&{[ cvOB@G`QUJLLga,KyZe eVhRASЪT9DIH=FkL+0K~o(:w$uGJjv5s--QK4ܞ=3+[eWR[{'sL(%Nn,QӜ!YRkC&pʡ́rAAHv˭#OO%Q7(ԡh3njYEoSAc~*=| >&5 -ۯ%~ESeF >qp6)e'}8`&ҭm% f?T\SA8B9JmT .50UkIO p\.A <=-u쫤jgr}@XTMԋA(Rjՠ݅M[Juӂkh͟3QvAj` cע2TÀedңaըN|c`oQ#~ b]i76`l~j.j={AZ)j2`%.5&IceHeh)gW:JΠ$C`D)c(N6+Q6N}uIa][`.cp  53g pu=^ЫHdOo*zOu(D?"E Ԡ;=Д^VMkn"{REtJDpWa #48ATn^4N:{0ǔYms0 qh/fR~P~"V@17[p7 lKwvV^phN>|6R"~U/5g m,6] Qi=/GpBZb+- ! 
7uׂ۰Pm8ÄFz'#IsWʯc)UrGvyn`YN^'giJ!_Dξո|ABBX\x/-g2ZCQfFfy2Cʵn`f6ϹGB#Qs?y]Ul06ЧBDQ piXliᴇ9a%]j }zL(F jh~&Mc4V@:eZ[3Sӈ)|5]>GG6}Ht`@+WEK@%lnsgW;Fǿlj0m0W Om5qV|܋1\&Q T٦/Z%F vT,2@: ;X\/c%Q-fɊpHerK@\{8 {.ɫoH rTvOp+o#bACGer1u@Psͫ4pÿ.D9-Ą>Qyvu)w[p|47!ꃌCnb|:$]w,fȊTX܍vS?B yf dÊ^s#IC2E55Y6ex: j_y$q|2]vtpSS&?E'/M^Z*LqxȌ>0ekX 0L>TN O%Ŝs}Z56\̦(]wNR oP9t{K7ܦ)/Oɯk)BFs׆I5b|j@|Jt,_5=E/>nPtB,bz]\-S@VM&\8[p\nG*C{po I]8}><K$bܣ.!z*$h(p/ûs9$dD,_3 vQPRt^-&ђٻw [)>"A˂\kkHI9|֒#Nh.Adϳ2YHVpGQUe ?rRLqʗW+w4T)u5hּNl1u?I*.w qXExI'XЗU*+=_`>͛-UW.|ƊADy0jD3X)v 7*Zmdnf|aJQ), ф%=|4!zٳQ2!x)}?9Bu Hp-9:5̳pթ\ !zH̴F>LkJQW[xJ)Hj+4;">#QO~ 3  ͚8SLV更YME=-_ᙇ"{,9)rY9&ǥoZ/~ xE΢54:#ߗV6`jjsr?bI:X Mh=oP A;Y 3PѕM8_Qa:@ $s+[DL߫M=*Kdj@c)h"':35P7Yx~vtjEݱDQ]Rm`m7p~?}\'ƳIˠQ>^~9hg n&}:}FX1GKFoeeϺKx\[?=nT  f?~ZX>C T hyl:ŗMFZ!:La#I ogwO.i kҫ|/_+3jPZ،/QډCv%1PdKJiמ88h彧ͧ7-iE @@&&eDJAB" .Z;Y[=\9IN+.ޜZpWl)*ȍ? WN+0aA<1=%{"FKͭOrYyс4"i{;:eJe8(eKmJw3L֯_X><L9Nz^A *Q ^ fc(̟?pSWHG4)aݫ?nb}賺2_h><>3|#f=#R);PBe+\٣֧5s* ` k;7mX0[ͱL30؏́G碷G4<@%JV4*YxQKQ3)UR:C/\d9_pE2Q|%8 |G;hRQz7!J ld%P&Z[GoUmr G\IIF0qʺL5B쎌?T~DG~$G-_p2z#ֵ@ϑNwt(@\fKh$BRba,  E>R!kLIޭ`]eR@(rrk"a+"oFuF8"бziLJ):/i~~$ ˀvE GA4@1duO JWֈ=||i/IK~Ug-ޞ#܉wp[0nĨx g5<biZpګxڇ-r$-VCw>y-lvRpzT$Ok7q't#[^tLʁx` }o]`BnWnK{*vM:'PkjS^K$h!#'nRE;=wnLʪD>TV&xf Qx`M{B{pgVEO[ ˟OT^\OI16wK@gUR5$}$\s2*~-ӥEzО\n:ԛ]#RYQmM6Bػ+2~t! cגO$!bL;ֆ}d ^^_۾{R4{b'Xwxn9z+AE..Ƒ9B9 *?NxšcɎ IR=y6@B+m ,J(98=>ŐAޒFVG W!}U&v0rwFJ2='uԸU㟴T&c.h$2qez(\Tp7|[Rzǯ;eu\cc^N.k@֝r'g;ܢq1s٫S ѓU Oe) p>q"pi*U3'ǵqB:dZlߔ&1%N>UQ ə | ̪}TS%;¤ h$vHU_C{6# 7mWt`hUעDHóAz${F46c,}f'ab+Zd].J!Gr!f0_ Pjm`GjczlCf"[PFPh_jM>)Tdb)F*1V0iɍ,*cZ \| x&7טǮ '|OhNW-Nɘ|trHuf2 ηֻ+ofa֑-dvXcὤIJM:ztЊ -u*WHXZ:;tJ ;m]bASCvDz; +I#Z*-b[kCS1;#"_륹RZUPx~\hnIOУpd@K8\$uYEe|%@!4s'' Y]< $gTU_Bx-DB5~ESK'LLj@[ vD Q4)GL KSG0]Ώ ]L)Ύ³u}`z,fPR\F/VPl }DK܈ߡ7k4-~IMbya adDyʺ6~;lE.ܚEK?i]S/]٩֐: fy?M9?嗯.aNDj@-N,V$,e3|o~+hgeG0CMD rgޑxAj~}a! 
(>F,OYcE>&50FBD6XI4`\Ek4dHwV#msVE$&o7G6Џ"|KɦEa80)vuʻJ_SwBf=eũ=2-Ks:LBkFs(%~>dBR"JV9Sdyt:@" pbeG6 eܴoܔ -W!V(SO:լuuםdDHa;4T:O:7xɆ]#, ev?jbp5ztbmK<φp|}) 仔 qS56=7U-|H1:}/%(sMsy IoIY,{nDJWv“ʵ[2Ưȋj?GZ *m'Wj6R-]~һZv?n_B_SWtJ5Aw r4: =fdJ 8/0l3-b H2\+0;A9H,+,>Ѿ3sƎVe2u-o苵jw. aN+b~qT5!TJn;Xyjj9/جh'g/DP{*]9Sw%} JKOMڳ%=tݤ#F*]gİW 4h5gZ QYj3{8IG|9$${BetF;p)G/*F"sNp*.!0 o9ߙEp7m58 sO$ 쵒3]nnCkJ L$9K g%moCA\ި򩯠̏i XS_"oY)!U[Չ3 e$3+fS s^`PӟR[QmEj0@EFSd{Y꯹8|I6b>Ô=F5h^("ްfEBFc}bH(y{h|jԇeǡʐpI,((g jnrfe_(u K{\[UeigA0g9}JibfuP~rI-3CõH J~Kv*B BkaR\!%Sdi/zj8RbF ̯tM.vݐQS4DaG۝\t խ]gƺ܆#ۂ AC'J՝n|3C'F}H$LpFL׺Pg|*(d"Qp5J%{.9n/ֵށZxBH4G5 z|85H'%/h10t1J8 F1Co+3A6 ?PALJ< kUhT?4 ^[`kQ Ǩ8cRѓY!NRD軨`tlm@'-vr}pnZs`)I-\J ~Q_ZG'5ȗ̞z.- ,\>nWɌ[$ ? k/*C!)CeF{MiQ}9/oan-nnysL|Uc>Ār0=$˽vT[ ,V`%~*Y KLWXrP}dh}[BWw"B3_$u-"6wjIn{ ]+* gHVXnք sHj3Ͷ+8 }uK##2FNtZBD;>؁"# IҔ~`\lHum@⛕"bj|JliZj=M9Ll).~@:NalczAiUVbMӥZBPf%"Qeغ‘&˕\RڴwqOMѢL`ZP5uZ%0$D'ezIMzxTG8SaV\_@À(N uiv~wm+IV)Ǿp0%kȗ95$ -H6 5AM.׹xQ_CS0\;f!^Vj7[xKSfRb ѕ% 2ԙOj' =fp ?02(4ގ٫ se3K؎DN;E*&Bn3F׵њ 7{[pܴIf^u5Ѱ~?I!֖Mo!ԙ4H@xwU#ރ/0*wƖ|PH0O#uj9މa< d:ٝݐūCw=nL1Kg\m^wCǼ7ӃEifAyU|ax)ގDwGN69z'@{=({FT1Wk?<&__:RgՁ"V؎L\DSw)ܞ7ImmFiJ >abC}P-EKEDg6{c_- ܑ N"M' YUrn"8 FH$lrA`< ir|80(yovkY^FAfU p?M_<Ps~5&}='豚eZn8DeוŻ\ԧ!c:~HQ&o>fa Q/ZRo>Ylswk鎨;ϛwN޿J0s4m5zTfvᩝ<PkpUnL֫&Ԥ\b 0`W@iA9#5t@ZZ6~[@:0xe8jV: H+ XؒP46`uֶٙ"REW '[%G}Y1|d@<%!ZCHeH%~#?N+`-I^J_:$ D<WY m|<Dm>oN 3\3rnuo܂mȼA\Ër-=%OR#5izDH((nt>5~2m.NT.Sw|F #se%HjSxM\wPjHARI㑙dJLGfj pXS*'clf7EbFRh7v nw oD=B])F_A'Lhi#'Y\̆]B̊- .]Ӯg5au7~Hn){ CڀV^8:{\E@n.9C֤Q> )[s يS%+?8M?d^>Դ2ˣ/|ڀ:lr83 oZ=_83$y^Mhf]CO$jUoSqSǺ'Xl*\tp24"R4=20ܞU^gsؚ3`Qfipc$v;ěV&h?nEyFyG"UIC/x5 zlB8j@nU5-cTaj!AT3s%75ig0Ѣv"b U+ݗ(T5?+qoxRLͻ|L np&K5<0eb CZزw:h "g i!A=N䟊RGS{P"ܢ Þ|yfwMh$<.ā{xj 4:lSɲ6ꋢwq m Wg&;ԪS5ĴOf@ld1 TH9~Mn9h_ Sk[yFx灵YRdy<P k>[#){6+>r{}|T°3r!`/i\ x;̴Fw+kˍHV̇QcQ2Q ꖏ5'1`N9 \,?IH]5׃/|4HX +Ffi ]?B!5V~<ǦCM?Y;, 7_ K\CB;Of.G!7 KW } CùGO^ކ3@ }2'{r11Xff(5BvLN% ix#ZQF]5dΙeQD~%"'6uC| ye:;'Q O/vS] ʻlTiOn$эYhabX~c9W4QqίJˇsO`<9nHdq2OY@ OJRV_B[` x@1ܵb,7aX> 4TF ?ʚ6-{9NOl8b[8v;[ sϑ a 
Ϥq֊bQjaX? E@ިQ6¼jK>ĥb"-Tt[h!5|NuRBHs!v<`SlayQt;kS 4/m"Cp@Us"WFhav/a(wf5YO|a`PQ/}=;) ON F*dx:mpܫ{~)hL@NpLzn*ІX=eè=9֘_Ƙ]fhL_P#`Oe&pi ?!4+RsTXyfR !05AjNHg<_dn@rtƾ/dSd*ܽ? kb!ʶB|N@@xjR/1t8oߤѹo^V}Տ-HWc7lXD~dhy  a%rH!Y_idylRxA Qן7zu~2!ER5u z˸hpDG,ّ^].+^E2Ju=V/Oŝ0aƇB8X JK3]Tx# YAh 냔SDӽ%T{[Пӗf=Ayպ}!EL*(_fR鵶˂l#JȌvX !e#0Kt/965:6r,!8%rVpu%5װfCj\]q;ZDC¸VHp Ƽy67\Nlj:1Qeʀ==e#tl:Ëbjg_z^5/9kAǠB#9w<")&N^Ju_Qݣ4h{VtܔE'Xt3vqC (2N*At>BZ"WwRJ{D&+`@YN5 Ey>A)׃|0jZ> NGv5ڎj-؋GYC ZOYjJz0,]4ϲ[9_.]?'lIa Uㆱ%kt"4=1!> tqVOƸ3f À[0')*; I -z.(&RJ[bu:CVH],[fIHk;6M~KHfCPpZٽ<@ȇYnd# 2]w? aŃU`b=f^f *VHwi+k~2Y8ۻ.M M]}0 'Kkg*hQvOy]D~w6u3ͬj8 !8XU\MA^mgPL_SO}eA5#gs)awƽ.h- w΍2H_'Lγn*LQƗ) uɉ5la bbX$a1*04l77¦ _"5~-Ub30UR0j@"! >f$fM#@;d/] 5ú,r-{: $]+> ^O/FC@nr'픹 T,%Mۄ87%CW7!D|_{'\5A<:)4PP!Ee^rNU1$҅*UbnՂ,H1?:)/V1잍#cog. **d+b igi1IWR4]>o`{Ú2zgݬa=;lk *O~<^>&/BL/7ݯ *oh4Z$HM~,V)L>wIGCqQ9yآ>(B7֖BɈJ˹sܮ&K/LPN_fS[ˆDDӷ2 -v?4^Y$s.4 bkFX ("sY?MZdQQN`urnAϼG]#~H _($Eܒ w{|$ i;,GM6ud#;*Эi?9Q +'$xWBk43ΐ8dh(R(;yi0Gf0X}šغmҹ!"^' z-D fT%"mӀ Rf!IVύT}tlU-"@zplf:3z& {z J 4f|Eee H$2iFu^whw%*gUM15g ȫXeΕ.ͦ߅歄c_q 5{7>e5C{L8NJ&ۄ*k{.A+pC5Hn'bFƌ."ɑ .GV_W 9;o] ZVG62 cM]1yiGjqSĕrmecصoihByvv3'X6R!K pj(=Ҍɖm#U 2Z~L #td#awnk4VHͽpPχPջZi+ru) W A0-Gu؃!΅&fl;.ni:2Iglf>2>Ց戁ޫ"%3 QX lЄ+dYdjY$bqt[ H|0@f/֜=i MP;4hcv{8уRC>+n}'ܧ5B߱]QaQ÷c|%{%xF&",.&Q_0KYS1o\̪lVJ ب@Q C01\@Dx&ﲜ~8ހ\gʡ6ԗXySo広XgcSb|dzrƓjpmZ q)779&{ ;&/t{y:W:1k4@II2uzHPr&a|AYbL H T>[)) IZ~Z֋ %lDԢ84(dX%W7J˳Tuo1b_7SgrGw"* ^}W~`&UWL^b%q3ŗ,f|(zgWӜE'!% 03㭲Y~.@+D^rP9<(_XE:B`\K>OP/ GZFw'RMD&6x j:O6Ϣ?-22RZV vJZT EWL>[Q͒e󗡗T)xN\o82;`̳uZ[]pJ+#lG.™+k ɱ틶 ;E#x@́7Q13c?L_xwQv$2V=o-_L~ bIaKFr{JY.b2 @*+:[ᛰ4 G4sm`HFG6xb )3k?L9 6QbsdDK%D{~ޢD^5F]܎;|FQx;z46~/o$C'w>.5Er٪ }y=UC/DX+&:<3^ *;_ZA\BriD ]8I$  +"J̘widVlJp+JQ)_KLZmՍEsP8LO(*:<$ $旨 tHpS0tb>a" xq~m]c SVzx;YB@uX93<}(qW`OʢQ^i!̦ GIw˳NT;IxPق3*#3/%!6M L⸩,e>nQY%єϕ!;!)-A<"鎙YA9tB33,FPt4 Auaptg&O8V 6(}q!57#{HGU`]66P\wGfއ5|Y 7<"3%:1uGlGoVH>OFhY堖A" A,--kr;b֧W*l+KM>%`C1՜3Mޡ/8VxVm6^MC1`r7 q '}$tCRDY SBhvOC (c~i~ZMFlT\pT+FM>uJb*M?h+d$ŧeu-m@92GmaeC3e =c'W5%c k%θPk>A(NĞyDkj4i\b.j - 
oX2;u p;2Q42`o[Q~JCj,Ҽ 2_dN0~7'?iaD0UwT~鑚g~V-*Ӡ9@x=2e3 ^֬ fLO})܄r>&gUXe9ĥI  p_|s!pGK#BWEsYZ@9p4nfn(=6l6;N:̓l>ɇ^viќF\-8C|^GD9QM-M?x(<`%0Wc6UW )L2~? u\Y *.B!Z5 Rh :HɷWUT=^RO*4 ihg N͋y`w{$ QzjqX/W \e,PԁDFS^1x͹ A[z: hgH׼:m7è9w 3u׊w{3a8jQS씾km/6If8JGV2q ]cbO)8zCwln= 7(a:TV\B`#UhaLH?d:#-2cPJ*6LN,Ĭ:0q=nnn?? a5 u eqq0^w⻜RK15vG5:#T !2S{a9EjjAS;@7&H \+5Q`!ׇ"brFpe+K(hc|ـEA] t,]v;dA! KEP)fԪfr;0AԘVJr;~+KScQq0sO [mQ8,V2T`éx;y)N(uYn+9LEkP14EA3J*yGdFo1LIH/7DsV`BU x 2{\gdNնt#(ꥍ1ٰ.W=:ID /7-Õ18l3#^D&־p >"ѨP3L>b̲`X)§6u{G\ [ ;qI%Xdgyp-o{,uTД|U&UUp Dd5pas. Sw#'%ьn#پD}yyё9_ MarX l:7h+G[Ǐ>b!>1T.3K_p;*޽u}ֽH7(C~{OsdL!bE#?IʰT}pBVǘ\yH4uŦ}ӭ2YUj#Tޠn=N`<6p=\ oN~!Bb.Du䳗8}=Ҭm'V%IrʰuЭ;'/n]9ۤsW+IgT!L@3+#EFMa̖J7ÌrK,Ak hSX s-O6@Ȥ*/ SBJ3UŜaE;1F|"&8<_dzH5#{s.6ޛv0r$L`Œ*z;`HAZBPZKvԚMjmɰŦ ۣd1qiC#KIl2~Ǜ IK6cG̗|=sFWPt[ɲk4"eE/`f!"E`oOW⟎u00U aHKg!7bԚμ!%;Ү. MI.OY09:.Elq}#UsaVb!cTc0]l=OTmb̅gEڬ3\XGTKk3U47%6B0ԧ xHzsLr-uN!'l>cB<^ɺE} fN2*h7gwQz 'g˟vS-ss*b^fc7inFQ rch80sxm,(cOWWUzX $xB婚S5:35㝑<,[ͤ]dH-í-l0Gy"k0_6"}bRg Fd,թ0=.W7/A|1~YU6?f|YTM "i"bYE@xu !T/ZMjo=8Wb|fM@ETnyEV]R1<_/<~a~I·:QQ",x\EӍuM+I:h5Y"T+C)|M ~`=N;h^`r e&CWvfdWY:BORA9ܠކ/y32z!,H`r5LYg3tRt8?r4bόlr@: 1DUR?)TP5c53gφ c=;#0 jk[lNߞG{@v0u^02aU֙v& ·)TA.ĩf6 \$t`pz5}&2wkD>ϤkڍVMdٖ.MSId˲% Z񽽘Ҵ߁TjEޜY,Aacי$O+  ե rָߧzy{KnMӮ⠗b*;xj/k)2Mc xD`n[F`m b&ɂ" Sܬڠvq$kA)&l Ð9,mT)`%B]܁hZEBmjͤzgȭc>O.~*B.c?2SLP BdžhG DNrKҰ{MP⯙Q^BcvljM"OrqN9.>G=ݶq8d$p6Z XO0EEƪ i;dl!GV*e(څ'JPOXx)I۫N$L_&,a6& +򸧚~/] 7y1q''/Cc ܚlQ x2_њy4 G -VDJ=m%iчϦ=4 "ArV\r3,cjyw}X UɱFS٠1vP\p72|S4Xhi ɚVƘF`7A}SMe" i7p:0q#  X11uZp(;rI{>WfBZĉixQw'.2Dc#+o#׭r M>oxF<; :W*v@ϑu9|yJlZ1`w9H۰mwE)wyD#]Fߧ/ 9ձWEFc h}782/<^ЗU+P*#] @\~ Y Y r E XPeqnVNzaĬ5 *+ mm՞#2B{#k`wv4Hd7~@\HT zB5Kq_ Yd@v#qI* M)9lJcUu&Tu֪!a55rWCIJ!TQwwO ZVX a׮9:6f@wCmɄ$QHm!a;4.8e/XLo]&jAgJd|2ؙ.iO~q1y( #v?6`88̙&n!V-zF}O8CdNߒkA[_Iw*fSeMlsvwtWTj-ن)~sHq ENjL6q)'8 I{+jIW!𜓆OM$1gyVׄFsXxA"c'-+[% *bZӢHYU YWҜ ۽8d;C$Ƌ>'@6jBM@\lwO q?EwXZ;ka:_x 8^hCnB m)A@-*Q`'j]j+ck8xIE{?C=-1]¼mi07g&' ݰ݂cӕBԷ'+/Io^S̶¨5?S1`r@Q :.VipqzzVkv">V~!Do.?ύiĠ WkjO; ^+WW=2`G4[w`/16 1:S o_sa;HNR@T0; 
_搔^vZKЩ*C't؛=6gm+Drh5Wd"Z_Hs@gP1M ia0;٦~k|ө&n }8w_JOakW21a"yTŬrr`G7# M]*Al ^q16V9˓ Zs[\n.;3sSw̝pY5/ɬz@KrJ>#֎ 坌^{U|E($|Lo.}9̦uUb`$S'=rL>݆>pS>̪j;*QI/ƨ Cm]Aiܤ_I@+uWw Ih9YǾ2{kb}#Js Wi9%Ҡʿ{X.WL[pD/1.'d92r@SiMJC w/W Ec>"_aTBF(ıBv:>BW>'W_d_@q9}oN\:Vxq.mpؐU"Ab(~fǪ~t6{Bp)`eEЭUA1~ЭGhyez#;"`1cu7wš(gR5'!%χ^.l [}B_q ihkמMFX$6wTO4:ҋ@ KΧ>Djyy8<#g}U3=sq7.`Uݬxv>geY x)w*&Av},h7)FeMhA|YP ֆ辄.H㈅0v t805*rp w4sA(-%,d٦~mAsrTjXn+.8~ClfC7:ssˋ8. gygPs#;G6W;ib[$C-sgR-lU'oK~'* $ucmy%gQQMCg2!+_=&90CTֿ 5mnihSZMDko~L/ܟm`Y/ѣ5^G@KHԃz[SULft: ˎ#EmZp3 cY~$p^o2vq Xcߊ3r ҳhvDM6cI.,D&HnydLԱ-RŹDk zmZ7`lSQkd{GleE:{.4v_C = ?/m`7;orAcVj8/Gjk ęD.ev%=3P x(܎=g|p.D7]#8CnY̾Ӫoh;!wʺץt}.BؕXĎbaXˆc- [.͹mHe'*YSw5 PV 9e{G©;aMKr} Ee4`9'"oV,Æ04~\Z0ΫQ^~#dgMa]D1Z)R`bSЭCnA=}ww9ȴ0`M /1Cr bspcJ^}ZV\0Ŵ|meTw}pI! 7 Й(C4Fx8Q}1@f0sٓ~#VB"Of+t Eb0EDKzP~ ~۸.3 _W}t~:} *ғ}vN$g' caw+3ZB9=qM[Em1EՀ=uaG%XdJR@a&uK%v `6yP~? 6W}\ÕZhL>e>B|b_ e wdf-/qN' &^p #KDeI<7jKl:aGq])DViƊcAc1 b5'SVB}Dq1)dӳItL=;-VL&?@X-S9AϪr|W^&x QBJ{b6䷩):22xi. 7+\wHᬳ\5i.;dݫx2ռ@8)<#:ӂ]c4luy!JnU3mNB%E:]r - B gZ]T#A"8Yb?g.Dܟ3fYؖW]Uy6JņcLr[Ƒ e 㬙 `:}5:.jʋ4:yMNO!EJИTw 爀p)$׺ۂ7gLģJ%dc]k/ϱd5ͥ+gybF$8>&[TљVfI3n?Xq.?ۀɘqAgl9V댘_)_àuVUQtNSra`0Y%}CfPĊ2~sw _Dkˆ(_ph8${=< Ή`QjLߝwPmĽ-t&W  >Q7FbIbzpP Ԑ0a dSaUN8%w7W4$ SeF}'+* ;(^tlssCB_^Gs:'&s\JH.a60R{_dy  4\صZ*bH] Y%5C$PFbJ) ] |270;R4{)nDqLF>uA09͎P&#fS$ʰ\̈́pR#B 'T6̒@_J>JÂX 7?Ru5χI4+8t59. aoc>|'3RsT3my-Kpq)Ā1YQQ9kդd6+eaa "l^o@(idv4Xa {崍tAg^†{@ 2.QYڵꨠohݻ6 $)M sqm9Q/.xJv%m,:zE3-?B?zӊYA g&Pa,3a']4ʭُ|u7jWN"]}0Un? j9u"a{tl|wNEp%7&z94 ҇7τUs>S=3? 
܆SO_sSU]i_`nP&2YN,M-(T'ĥ#L2FL x)$ $3mλbךhs$"!\eDޡ0@j"T\WpX8nI]6t(qͶ)Z5O"9 8|t_je(_=`Ab X]A<Mp,XԐ;beXlm6 _$)ϛ=*t(7b[Xr8dN5CRPF# WT"c]R9MGşzD)Uߩ߈_5 ie&~c?wfuqoMԼ$Wg 7+HZ&C7c7çb\1_(z`cQPW.7mbCnr|o^my#߻䅵5{Qf4PH* $+l'uL fΤ+_{jD&fbar09qm,`8)LFJs171w}8gx: ey{,wOb#*Lb(C,ق$VŲ#@R,l?/ї9#$vQd眮fl_q/ Hu| :Vj%\Ebg}C돡eS@Y6usϮ5.iEш{)O':q=:~XzF*'"B98$y*PiDK[Y~N slhm]]%5Qwy7#]v) T}yk5bIJ6(!]/ bNebi z?vSs r` 6  ֛3'/یVi*iՔQ`9G|dq}-0͔ehUWXj^/#F`i^]sଭњwV oߎN+atl*_,(jX[(ʢI= _iR{_˫VNT* 㞯+I6]\ٓ?<+ r+345a8)w;ؙr#@f\~$4a6M=٨.vz"/r. g/OE99>B6fM sĐ{a Te Z{ af(eq3 ^j;B^u иbԅ4"p uX*{kviYhPeNܞ&GQqztk#%̄~Pꅦ-SiȄqI ڽNd’S>q{:8--lbp!OMq?-W|m(5y6|.TfH|5 +(p$A_sWQ9HOXOcZ;}8v>15||=rbؓ0rl֗.JM ą5{ m.W9p[+BNCrNA˯cbݟ\PGY)f|/N4?M@f(u;}>t&iԺCOLbb1~8=E{Qؾ}Ӊ_ے*9Ɠ`%7:baVڲ5i ! nWe,I8TRdH"񢥻P`yr45iugb1mK4ee- s8t`wzaz.DlTj璆gv_A-K۝ưC/.\@$c*YL؊6z<:{/TWk"Y$6dx}biTnNس 1֜ ۵A4]W"2a Oi| N1^|&WH ZҊyeBv7z#jT+Km0뾭Ma+Hsiz*W}j4^cOy:vV"끮E"|8I@{{j>#|#LF<vRWn<"mLX:vR+moh8tͨV|:6AM7&bT >rt73:o֭*WnɡsVO}J5xα!"#=8bZ^/3|TBl7UH -RY^Ćŋ*@gMֆs܎bƗq";o/B"`#B߄/̵29Ion?*nf_M<'\aqF%>ӳ[$Ռ:[*/aItǮT@|pT|L[NbYw}5[^%ջ?E5jU_F%6IC-qj鵀Ҡ{?)w2oLփC_ǟg;aze+-\_Qvz :"rY++1k-қ9vb _ (Kmhv@sc#V2qȋcIm[`bR!_9Rr&h)q|Rw\,$ņ'm1"ԲS ~05}$HYR^K#=#- P7c?vEpTՁ]i#%m/1m}_]SWגvH E3k "q5;n-ZaT׺oUc1Zoc.Ūɲ_VCoV5n %eFHvQ $M[(Itzt8:S4.D)LęķMlOٌMLhQ]2~^YhCs~AQY (; ̄g xhľ;= E=xHDŽ|L?b7If[zsl#ߊ%ӪV^"ss:l8aZ7kjSe1%ʯɩyWSk%Tyդr҂|Ubɝ.mEqSfUԉ"4sdP @4\t])˞6S~]ܩ|sx^?3)u%;݈ASS+फ़tֺAzxfh8o22\P:K!c^Ea!3=9%_o{uyW&ö&?f܊9P&ψ!knf[fk:gKt-={LiQ؜ru"/pAp$Ƿl9TcJS1NF}wӅ Q!@"8Z)<}J՘$?b~f?UҴj܉L%#쵸P0~7ǭˬ<*~l62<^o `Gyw5a1C,YUSg7op~ֶ-N#)@4rc:-:&d[eRǐ+zcC$JW|+R0|M΄~ R9] 쀾 ]T3lo WH==rvo ZdHqpsl _L:oǞ`ly n"s_0:n☚䯝XH{'S`$/I 4N` /)Nϫӹlq>;G 6rJAS sZ 6H|.'n<\# $T&`T!X׌?#2hsYFi%W-kU!deafJ)mM`Wk͎c /,tT߆z c=*0揎\]CzI` 6;8L' UE^Kf(J첉5yKb|cR#mTiXg9:fw=}G*'xv*w1 !e$ІXgjC0#s;VAM,N|eGd[8:'t޺ }?k)F;,Zv1KO 0&zӾd5̊9Uƭ^պbۯ3=}(Qd"|i _(FmL oH8t>!F2l~-v>hI!HN`Pg[p.L1dծm xê4kp[᝜zCm|n6}[!Y H&pPPErãY>f}] 1yUfOm11Z<]+du7f V$]OQ>]*̂`^\{ ;, 9G&웩DۥYop*|_Vme:49)'VvfKRħit{yJrW5i0_w|ǡ@EX^B!l( =HN?p" 
|d{G?F+*=D<T%%LnY}kg94ZLd&Y8$C{#K"h)~땾𽘺pM"~)I<~~[摘ÐmM%-_OiLr]hBKz}ϔ Bh"2ʢVH׈ 7wqzrZOqfO) k7RaP+3[ ڃ,( x[R|`1W:Lޮ£)0Sa" RmxotEN(9,]@ݥ1\qSxIpdᩐ҃9|5k l _!톑jl%¿>M]D 7Ϊ "Pɧmd{Mjvy2=R{yAK"5.kB#XT#vvӌ.9+Ceݦn-DFۮ4<'5$)C1-: ލDgNqyK8-QH!CL]}J1h}b&{ZLgModSb ]L"8؉{b+xd'GЈFֹ77ĠD JUCrt[] -8D N <\;>.߷bĞ<"m4,Hۈ2=e(ڴv5)O%O@V)@Bs.z82K zrC%/;XfL\|u  /`6w1!qx+#Uch,2rx>1Ɓ೹/\"@0DV,3'R9Z~7iy:@2LiVnĬ] ^QW?-{z31@ `WpRQo#cYRVo(GnnB,-֦ir--+7ǎVmY'Ti~ PsoCLwD is49? A47 ɻV 4 2d1Pkzf U\ set%jsWOCi3^V;l8grM#f[4BXZ\ٛx,5t]SK\`bDd*\lo}K(] "){ꈷ ^$]ZXVS^)R7&kL@B8iwЇ֦`Oa(l}~8{}sXxIb ]c7ϣTP:GX}Ws&&Sp]tES,29-8`͹Y$d!7\- p%" ׮d]{,±Ԇ|M %uBrN{5T40J VllO9Z^bHd^m.t 46C4j FjnE#wɔ3ͯrP|*cLJ}my,;Zڡqi<>۠O.)Je¤B-Õ?WWoNS#VY:%;(EZ ę0cuEZf׽<ڂDeie8)72+NÂh@3{јKw|w,DRAxyi#qxӦ\23ۛ\%Hpjzkt4K쳊0z.HO{-9}.@ 5|gOG 4ƅ9BBfTb`b,3j<\yonP>_Z|K>5:UșT4H'Y1+K t^KLxI8 6DY.jMA#8(#ktc89-R~62=n̏DHX8rNԧMa^*-gVL!h=h\;16!°eoB&%w=j1"X4&5 H7n3 !ڤۏFKed3%f0&E"< Ǡ3 2%֞{8No,PTGvgs!F"06 !ǗtҒACأ8;Fq4  o8oxQ__b`]d%Rx6B:p.A1ŶVDmEH);!9qi&iLj9 p cPeFU;n?3: R̈?RN~j xAyo쌭¬<~̡2oh4 P&䴦2fa*gR# E]Gs.qV)ns3B=Ɣ_=; ec}{np$9YLaK'tJCf`֓9ka=Nh-_IȽyو4@Wr ˶z4IJUˈĽc{J֕4DUUIzV{R8t_9ƸlE@L9pj^`o{$r JfC VimWfY5Fa?x ՞Mnc!azAeFZ":mA-1XY^{`L?+儨-4; "wؚ?[S ,7,fI&'3ˡ.ixoք{u91eu`P*ʸ\uT@vfkK~󥡱/00D7c@Z;kH"Nig˒hP y8guO_7a(TMxݾ<=P7E5_ir lORމtOp!C@;~H*[f?ve.sM/[됮y.JO[)&y1`pN<2%6 eO1dңqj$dv t|KHtH^"KG>Ty+n^gAH&cqmf7> qtd'R{]\7jqQ#x%]:?I~ ǣ|Ot~,cb 1tt0+=)wv)l4+)/uѲp¶uZܹ~?aG#75nXtWN{d|xR w$ES夾FǙ`D=Vn#I?iu{ƻ&ߓc.5%'98y'{}9^1spgBٲ?W~e.i9gY9i_<,:U˙[ :g)L2}Y&nЦ\l9; 󞌖Iau㯴l|􃨷09lWwJK`G_cSvz05oLz^ӑ#P޻Dw(.~5ةR( ޚ.@jI?v=شB G7 \55xףT SKPم{nkb'uP@aWݾ4@01Cʧkݾ i_P^ޚIHܓN7~W:yS?eB~>V!tk-*3׀~]AM*丹t *ywaw;:N_j.55 fs0R_)D#0f?o]?Ue9/h |an&{'حsAܡV&,c>=4lMO6ec~`aRL[Rj\}a 4$YP|@t1 qmkFB^(4kǰ7v(u$t' %0gu:'.ra޷* ^f^RĮ̨ qBɧ7%>1pָ@hP416T*oZ) L]6~`LS;kǯՁLBu4?xʑyWg%MXzca+RfF`gЏ:(i$zʁU~X9& e%MFC!Rvs8i)jTY*uԒa"_gz//f'G7[ij!:x+D\[<lU s0ܦyll*M ˫f|N}:>f6AfkvMվ13F x7?-K* ',JB\@pguDUןz1p֜j…VY\,|6FS"Dx2% (v{αj?6v{`_%p'`I'۹PĘ hIhÅ:~Qu5[P,PB֪C!3{e PIۺ/kՒ:->Yy^ KX)ڰmI $Ǧеԇ%(A{J %Oxk1%C+ds'=1+Ngu 
`6^ט=4N"PM3ϝ'Ժ}ޢ39ow)xzv`"xASIQ@΅«~ȿaa'dݐkԠpD.R" >1}~O1(gO`̢!np%Mߦ:b!%ڷ_N17@z.f\ %ytȘmC9|XIdH~`p 1&OHe\%sHlF/ɏp'']sNb@g|&U:5j:gB/#Јc#OihQޭj[Дt?a9ig w3>0jkyH!Jv"qYUm2LUcO- (a2dKnM3fߦ>ޒp@0ˢNSO϶p3=썼&xFZ^&,!P|IX(/OrB;[.*#i\TC8ĺ+`_tOX[ 8|VX T+j= j, dZJNu_l)wB!uZxv'$ʴ)36Ibojn! grU]ڥh{ww#a#v]'% Uxq)\¨=#pręM DcK\B%<[IDt|#{nyĄ\RFR8?d*vNy RV=K׸D#18 z' X4c#NVg((3.[!%mSGRS(՗8^n7Q𙄩Ԩ}AC!dTėg}]ؖxg?K|!؜};r$4^L+ :F@9S2Caα?8c?"ƒ/ρݵp{޳OTNTw5 z_usɅ!.wJGN6nIw_k_}n=7e~ NE 4tLgj?0-WH}s 7QwiA&𨑢çIwB8=XŘȻ3D {y:E &@`ɴt7%ħFnī:5P$R8(PFWlF9b`HXӵ`;|Q+Tt7+;V7=B L(Sm7X{p쮓N8yFXz6q`r<I@+k̒<'|TIC2x50Fe S4T|]_h:702^O?lM4 O=a7(Pɞ? "aEK?z߶F]lR֚L"-#JXA=m7]U9Sa {MpȂ=+ l|6ugy6TBFA"XOrpF %red1*4c@y;3@ՆdkYj9`SUA/8~zJRPa5`u] 0CNKl6lWyx)t{. qVZ T9^PW vut7-}Vr `n@&DpAsR%ʐGBYr(Os$TrqeSh \hhCL9(Tq×=yY Ub^xTWţ:MS+4ې 8%et磮)mT{(~YeG]2u\{Q0ThNYm;)AXmG=zk aH>8@4E3{}U~Y??e.R¬[DқsmFkd ܦ-T+ѓ3pZm<;(^/*3>y1l:`!kCT<^R6DE@0{9@.,i+b:9(7?YYNOT-ެ=p4oVb DJpzuZOa(<|+ .{r[tV@Q4F%W/}NYsg p#.zL<5Rk`Ll5idkz^4v Rth_;B :<ЅTusIE_H@Rk4];`** )!fLH٭ z[o}Mb*nET-ڗ3\!хW&31<9e /F3@Op[ {ZF0׹~cbt_V_-Zm#qpM{"VC ]{]ӦӶ&G.Ȍ'g/Z5vsL4i1NOjBӰޥþU?_*BLh*%׉`}UoTcm&kfsR3CjƓE~cQ7즘(NJ:,//hUljOb~ 88հ^'7‹ONV 2r=;~/2J 1FH}ݧKgq61_x?{ŦR*j“^osu.[M\TM'}o-`?)xǣI vsx=5==ϱKB8XT2e闄;!v 8]*#n^9q=1qg½ypʺ+J3$ߍN))$Z|pkܸGp!8o~EqK{0M׹ b#mP2\kAgxy^qx7t=c/Mj$3MLr+{?F-Wˈrs:X9-=E,|T#.6NR˃LCz9]ZS@l@}"iғy0u2mOIKx3M`<^Xq9Z󶀴fKp|[0`rl/';Q:a >Wt3K _ldPP1ȅMu-MřhÙ=F_/'yoI7NKrG\(Ȃ`I#-@F_(<ǩ(P ६9q*OI)M&B. #M^ C6/0_6Aa;jWLoLDĩf1 Rcl d] 2W. GN)pcNN]L پ"!nSQ#^k,LBe#^7ӗ}leF$>wRw%piy jgM gO/"= jPM>nG>D %ˇk^͛gI.ɘ/阇H(+#j*>"UZwV\tꭎE]VG /!8YOj [gϿ'WDjh?JE+Jyba'jP@kR nd53{ųSUGpW+]y j1o zC|Rt T }d( C'?La=^^CgI="Izn%V$LȚ(M}G %,W4ɡ?)K5bp.&Gj̍qo( IG)0O^IqdFTnc9\z!'̪m\Œ:O{iMOB`PNf#bW$<΍7S,8 iAbU%iyL%;?W 3>/h|-,K1Kruo T}SgW+bb(c_QVcDsK4vbQ?[A, -kjT΢ YHOu'fYÔY~0=l'XN|%d˟ENex (K"p7v DIΜ&+CQ̝. 
}'Ɯݏ8?](䩴8rԱ+f=qR6WKvY#N'x.^h+-F)C؃؎'JŘekgv5.1%܌fV2쪺L%=R 9HfU714AeQ8|qFvq6hLo˜7:R]W3fsZNϊe~Z&$%Lc3!tpUSPe9{hn{&mi-[H0 E'Hz-%ۀoTg̃g6:}N3SI ANP0&?VEEU:"7?[Jڛ+5h)m.qR2hݼfӦuG\)-&du0uzl_Qwa#j`q`" `UI~j-KȼHb(E: 5 YhFaPs\ij'pIHEDP#7BdPpXϾsV $!$|si͌cSƨ' St}:?WB_Q#LT\90)ܯ{0ts?rWϾh4XJ"C䐼 VSWPo߂EaAIE(7Pj[udƔhآ5Q[iAuV[2 V(&kG#P>*?tճ&?TS)\L8\7'R_؄^%B}ȇXތZHL !v;P7N|8+e:Pc5[5\n{1j#פ>"a eA+2iu&@Ga۵3HDB$ h*ԕ0Gѣɢ伛cyُGݫީNgA$*KXkBi; ~sDsn1VRVwy4_'/s*7xYv-fUa+4݈ooڛQWEV/K"u<\ٗ(a{\|'ےŰș #+L6 ' hjN|Ę= QiDlQy|H 2,|2=40Ï{9捏-1]{s ķXHz9x\Ma82KFE0XO \B* жRBji+ve\OOQmڵdrS\1 ,gg<8DʤJ#Dxoΰvf5NYgs |!wRU̎;X]܂;5KMC,k4Mp~"8AsȈ;#Vy\?eKfhQi; -1Ї`-,a*a^c[bQq01j!YNbmКX,`Y^9u|>yD- uNF[}#( &*InV38kW*N I({TA9rpr4To}IqhNm~4s/!qHV8i怖 @^UB>@mhM&6S`%z[)J7W=jOC}(x0O1O߾-ΔYP9:NzUfQZ-* A& Z!q aI,E~\?$NJTiuH6u|^tdJORr+/Om#!ZAΦf_z5CzbEox P21YWx+=v^ CbWxҊw- X8^<MCme3s(=Xb~BI W7Ƽ;XtQ5Wgkm. EmЅq{&? ,5t'p~9$Yn f Tc](ͱ$u:r젝j66o:%j"lAԣ;?S^)yOB3޽i^p-0eg lq)O9W Pˆbӗ " U%XfqM40x I,Zcg恜7)n. 4RÎQ~6ƐaLk"MF>3eӈܥ%7H{qF.P"QwVQyL<)!:QDeI@Ƅ/an#q(>d>?>fUzX2HtV;=ѠA޿Ylb0 l!miya#q1u{"JtN5r54NuRf$y\D) -mw !Ƕ<yUj$Le]X&:do^zn4TV !VT48]Hɔ9]EgT' 0"eX[8G:ڭ>O5MpB;bjak@D%{aï\!vqMƼ \>д[Ʋ\{Ї XVi.O5p|5ӊϒ !cLW~McH& 18+}-*& zI$+] ]'f Caxϻ4.)Vfgu(!߾/6>N #{3<4ngxsb҃$3` Zh[^WTv8O b+|ڵ;Y 8!f+d߬[禡&*4 Rs"]+Oȩo9:t |Czޯ Ss5D Q0ytijE/Z<1ff7Zv oWuۊ'淺Z{U<ϊM[e5#cq w Sw00' ˙fd;E]迡#%)6Bo:0 ʈS01LнnGhXnV7߅ ۯ`863,' UIS$2)]>(bf-pz\il='h+Vfk$4<rߏWn 4lũqN$Oa'&T>BjgҠa9-_ :-F+h=Lբj#> u~N0EZ(ݲ@L$Fdt[ ":#R>>Ohɲ>O) Kԑ ^_"([^}ro4wg yK#>RY[R~vG)Vd|V-r͢8mgY2k{]^MN-PG&>!)J|?nUn* td֗F8+b 4a'˻-ؚ 1qCh#Vb˛Nrs:jNZː.W rr;~x `TUwI?_Ya|"qvozJg?-ЕkȞ)h@*Uf Q^;';2E*϶N1B9RB -*JH>bTh<ٸftj8T!d4VПn%(7&*ֵBaia[ >Da*qOZL)v|ݗ4Yi^[Iޡ<@v{;_Nr@t>KZ%: - .ck=ΩS/T& ;xg!{h HVe9]}AfCnK~0@nNm ]Xj4O8~36<}Y^k`fJ7}1/Z];bvhgRc]zt2V&* ^pLKnXSN,OFF̚v E`ګfДCa{TL-KR7m,krl.k՞d贾;:]2d%0Y+8Wu>9~t7.0S]bҺEoyjYٴq2!i,F{.u3Pڌ,w+nk4sW[á^ta Y!lћKKV8) 2׷yzpڣ}YO]H αLC03H؁y]_,6=Dk#)5# ~ltfޝ(U~^=,SQLq=UlwHPOaCv_ڶG5:Yi?&Z~kŷƞB=N%,P +TQWZčCH鄳R˟}' |d^#£.xxZzəNZ:GP. 
bTrc,m:*[; y媝8+j=Է9ٳN:kbpLuC7'|n1$oȐ(=C\Lq%ވ")9-A30tuzո5UAAejmT* 3!5dv'C(!)H4G`hGx*V\rϭ=,Bpe>(2C2igN+kwcdh Pd!!3N Mv5E6ABbO3$V~KjLqw^A Y~sW.8?vsx|.QaF7 }]&I,E+l8qsiB>{:& F3% ʄGjs5(Gm+ײ?#JSN=PGL&C-e a_ذfݔ83PW`1{hl!)aluW (*R%{]MSL.D!fS(!iP64I5s0F#d~KfAG 42|7[~d+ C? t9ӗ#:Zo:2Am'9wZj0+(ǭv/?X)T{|9D ;Ї:pRQM7Y:6lPJ ܸEs}@ XM9+6Xy"z٠.A0w_]+(L4|^C=ً[շ ekP0jȮ$CJ譙<z9 Y+] #=u7N)9ڱ;~M ^ny~)]Lv+xUP1n#tR_=ё`TLqhz;I[*1~8w8 -BBks(ccyhfj\[̀,sVw9bCa>^2i'(#r{+pM?Iy=wLq`֜r. 6NrGMD^Duə&b^Ɗzno F SCOɵPe15됪oV)Iy6XLt3AE=hgX`_930H7( lrQJƝMEq)I ӵ6j]V-is+Bz۽GCL=1dGjLa}GƓ;"ye:%(rfH4qhZ6 J1Fwrb4Wp괟ML?n A?SL9nf^JPFOyF([u9Z^iMlsZ:<`eXv(D=Ioᩝ35k>{IR˅ d6|vPVЛ %S۟^-*=bmk W5"yseE%j>⫰K5& o f~6?yXwfƫ&ċ$+vD#{Ϭ$ ?侲xPrƓPeKŴE:>ϴ/t0P CyFFL0r '%юȔ3˦[#=>^!AĘ:(bFr$j`O8ULS-i\0MTT!ETI9)WV}͊i*?fW~Wl9[ P@>ɨT _ M|IQQuvu.F.Sp*?W@3~hOEvRAɨ!@>ӁtƠU4PPL"[E:|U/y@"'?čVn"d6nb;;* sA\}fUנ@C^Q>4y EYjR0v0xM882yD#,v͛Ӿ PH. 32櫰KjTu[W(usEX58v;v!a;Ri$>å͞t,R\@8CHxkysjBMe12hA6 a1@}qW5_ ܝ*jI%aBװ['`ˍmXl?f~D()M |k ΀~!mJd|8eJ#*{!m (0r19 Y. '`z|}??G ]e㈟7y8\ų{}TE$Ў=WB9Ob/.ZfH\qFl8(1#~!Kql/tQƩWz"-ogX#]: 1ao89Iɪ8x n}lg@k|4K|#P5MI,Rms>[=Kf "2sp 츇:}e2;B:K>^ڗSbMsr[Gh hDY%nA=\NрCRF+O;rP =A 9jw=akx9ԓErj&Na2~KuQaH#wHZHk6K ӕ pXz鈾/nPWWc‘Jlhf[< @)0ݙn-?urAK0+_Чr9)BEuzT )0Vx4no _WCyK-m@y̡(c0G)bCCnL:<Á+,"5 )q01fġtp2Iu ^,aVL!/eY_Ơ (2O͹bjn(: z"xPB˗rOGå̭R-B4|b曨>Bh)HD\kݺhǛ|{rLs ۘJ7Z@l7ag l+dbs%bQa` Yr<,%PPGK0ʙ&^pT㝜ZǗ:G`5e)pmP$ڲRȁO$Cř2;AOP'߻Gfe*B,e: ]^mB6 n(30:*WW֛cuW3R׎t]9#q_EXo8r gp%` ]Wᦻ Lz`NJ ݇w|~pUBQ#Y "}753Y?-3|/HΈI=-bX0@wŒX )9)^RN yuz&jH:D/bT%:Jk5.S^Ml^)J s)muOE(O*DtkW4 Zx9*YAQ| 3%20!j+icźЬt)K5Rr NJ=K<@߿q k)Ylhh VhP57Upoh[fZ} TO9A漋FqW[f%(,IK44MZ^=1g2gbsvqQXPX`\8|,.PqNM?+dȟQNH*neZ* Ad? 
H3vs`kLITNņsRk-K<3:A: X+xgQ/Buv iFRns;8)X\A [k೾唎_onֽs;e,ėm>udT TpB t0G _{l`׌hd.aj.CZotD:lG ~h,z&I㐠\UHJTэHMtmV:e:_HP"b%DC1?}ήqqǽAܒt.|{/Ze[K0&`%J=sC#țf 'PNR6wP-2'p˩*P#ΟʪoYʟ0i,h 8~N0>DǼϹU~*uz݄P ߂zψ6ԭ?I%.bHO;EFPVR{kq^Nea!Α娲Oޒ0$kΝǽ~s/wFQhyxb4,ṎUR3N}ySB[{Awd*pSJDC87069K۵7cj4Y%Sv]WLhpac1Ӓ}qb!3;@Q"o_^b~:E'$P?3 O6ݚxf_gX&bV(0;/Hu 9}}XS&xȄ,,R吆!*bYUw#qCOJKe6u :Ƥ4~OLJhXzs wJGbt=ʀk%C64¶QM,i2ZoUn"Pci%cMTw,~5Ʒ9x۬BI52DZ,T_Ք'q2Fa38sj ;jvZfLZ&"78\ʌj ١I愷P]+WK2 1Gk1jAV;U>[}2B`j_ƁUF"B|q;ϋtIL{G6#rb!F>!dM[0}*TP<5}~Qm}CFqJL7P9Ɉ_ךLvY?!YW쵫r}^[lXc;@ڐgt7'79*6+蹖=~^>!jM(`aib 3Hk kXɿX2 I1eCX|N?R%<@HmĞzzg.a9u:4),Z8[ԏz HF=K=*Oܩߤ:'iH&xɋ+[?Qu<$z*9ڣd=2ŠuEYo^[|HT?06#c`CKF}hp=Os }7ѯ eO/}4+kC>;%H;DOֳ#sHΪ+bp &rqwѕl/5w"2fP+ݭئo))m=a#uF$ 뾵SNQgC)B|{'>u$m`ONufTy F%D0t.;̊b0 h*L5K[R/2dg׫u^ZSϔ;VN㎦;f#,8~f@xTSڣ1AC/rFX5{]h,тYph{`$t,GBPgM *MvgfGγ(rEBV4uY\m)A'Jv"J[x.x+0 8O%Kݒ4!nCiFַ6%#9Q̣]I_7x}A'Bu-4Ӯ BT$(?l VI,е!| ~dž7FLЕD]VKJZbL\6;|W)D). ;I('7ѩwNlfq\\UCڷag[GTɔ,Y# $OB'_Fejke=t]B̧Ĕ= `B%GDY%,ZIJ\Ƶb֓1UueUb*$! ի*W/7s]tSԯx=wMD2#?xBtgҺl12b&\I'˜z':C62?%I)t-_IdՃ#vj?@!ylT9Mf7WWA0sޞN &>4&Zʭm7"nՊ}ǻds\Ojv=IkEKdxxK Џʴw#%$g{ځD2#?{ikRE P*(ܯnU? vݶ L/sl8I.I!Rjq9)04ázy)eIR[Z( D;jh~T)i0e0+A`@\Ȝ-)C{iu[vhɓ(zYfZZ}b̷ J<@t<6G0X ]B45 n,'bQM5OE0+)V.3Ĝ$8[>pcGJr)dY4FæzH$!RG.Zl 6 (sli9D됋WLvvZ[U 8-`;^}&N }g)xzRp 8ŅIh髊F/ZgV,ἄ˜5z9E,t0<^,*[Jͨ`nfSn?FWsF2:M wT1˒xUdW` _;A5eQ uJeێq!H[Bh 4+2\_Et9 +NFY@%vL7:0?~&AN!ÄB`I.?g#=wGٴJ3 gA!Vފ~Ϋ@wx8,RyAn㩫FJ@\ gT7'95Ej!r-&Po=BXbquZl)RyuUt9!Yqϳ:.ʴ2CR[\(d,5(gElPٚ tyDuZmp hw&x3s37@/ܷUY?#a3N!N'f8j kf=C5Ύnɠ`pwpH92-KA6FXTSw$h 3)_2IW3z7U:_Ջ@ TC]޿&4?x]i*QcKdO$gI#&O.򵇬 1]}inWf:AoThq+aՄv >ۿ9F n8'yD1౻piUyV؄GGWpb#ҁ(Y0XI3b=A!K`&͂v;Y6@= Qc{il~ N>Pq*SWwQ/kq(Z/e19BDk: Rz8"2Xwj\ hʳ"p_' {09SFx"]?SIh,d|KBU=7?DcrՈ|CZV]bBA"@.ኾчgemxrrǒPO [wB&,0*P*6.s5שּׁxT35fw̑!Xn{C-M(̷Z58? Y0Gd )RHx9];:Y4M{Tx$Km9ET[vEB!. 
ڶ\% #Eu~UQFћtvp20Z17;Q HOMv;n(;f#Z#A,*]Cn`\X7g?iGP)MؿdJ \SIp3X}ߛa!G*p&G5DF⢧ :%'coΚ0%q }ٝ⠝蚹L|ޥö#@i>ejn gQwv:3s 7 Etu tr2Ʃl .XF᳴ =](cUUDM2 / ƦvV WhPPOᴶ!i[7-367+A)eN0pTs4W$3c`s w1-'QB"C0PhBNJmfZ:jՋ\oh*!OpAv&'"=M0'"ٍi~~ٺs[ۻY5k.r )SMG'R'(L&w;]-HFHJNCL`Qizb|h~j#sϜ!O0lCSQ?-LkC$!} սb.l08Q`|l6W/`k31T@rLsѣA?ad_mCak5L9K R@Vh&P2,0K[9jP6twm(F7n(F<= Y5M]n{ͻSvcڤ5)Xsr{5M-MbߦZMIàP+|TM XD[d1F_xߑr.RR4 wIC`fqI~ɇ{v@cHQ*)-gc>Mp%;d¤c5XC@9%sn)0}t٩fĴ]0aV`ɭ!"; Jqɫ5h6DzcIiMh`Y ѵx/tZy#pP®I­.󴍖 d ~O"O_yxAM{Oecۯ [d5!eQ S Npw]qXtFWqFwަ"MCs1 YkXa'1p<7"[C\ >el~>0K1tV/Wc|5` fSHms-)v`g"VLBm:5yc>ݸ%QhɄ.NҀ"Z53| 3wF-B|(C -.icFAqX=LFm@ \"&-PD .&&'@ ⌒rB$0YD*/ΰCHg FuXY<&}ڨ7|Ȏ1UI}G1@pUn{$Ӿm@Inа  AKZlLn)nDŽarHo*yw_#i7耮a\N{k\w;QFM5RWeg+a5~a; lO v y*'ptN:BC@miB=B&4s[x<\όΒ B@VZprMdCtX ܆+ Es(ʮHJ?f6򠏁r4Ni=`ԺixF&rv8Ӛ\$EWui#|F8xGn{*WÖ)Y`hߍo);ͱ+`Wh }s1|d]u Qr36r6Tc[Palu5æcGjy#m , !z`dʂ_4yL[\rm#< F$,v'M}'טn''<穒iʾz^AMef 4ϱ,yMo=mBCCȿʉ<2aPbw6ؤ@憝u )r*Aa>pReD-(یg*f]N J/9`WЅBhW qo"<\ {r|(07UϘ%кZR_Z7U5L$#me/ NF 1wsNE]rh.0u=N6fYԏdT|^z &+딲6bw"qtYsn]w.B@~ȅ[(e T0o6(ᗩ[iJsDZWe(7cXWbD/ ˌ;# =k'* 2ۓi_$m>>z]B~wIٞd\awyAiVzo=捼[Z8,XIkoާp5+(D^,bqCA-u60 M"] X0΁B^vbFv&J#^OXϪiQYK"9xIUX$frWhz )ZkwY' X?va."!;?3Y1q}8ҟGQ0بġLi%H<Įq;֖SQj5-`R[Swi hcVvR4rXΔ|C-,0և*uAR[ZUS2>QfWݓ` DRz?!4;#儸N_$!+ k]j:@:avxOENz. 
(L`ypZ!H$C >v2'렬ܫ!7ش]e/EuWWVB%GyG4<95F9B0J!/񆡞7*kYa >Q`^7&])1ؘ|GQGÄt`\S R]jsn(;ɹz87B)r'f>+0fؽ.e'ToCqۑҚ 4'E~ NJ|KIRb*=Z‘??Ub0 a]ﭼ~{s# _svMHogL( c$x+yy32(,pӅ%<"XV(h=MLܭ0H~\WQ\Zv㱗8BVyM92 VNA0YWf ggߡ>Oj{Oysa!ij\#qWVg&;kr#W^CoήWc7/y/F=YviHwcs<UIږnwwXKGG.:s"Z2zqPe|~@*/%2z~z=@4vԝmEٚ+p5PFW4o`c 'e5KnwyH,x>tқ3wIӔ'-S64!h3,\k-aڱd8 0ˣeP#>+'UTn8l1>k:Н:9IgսA4*w-y(O&Bi3 De]D/5V B~"R48cUHn8rlm#ba{8:{ ]6NA|[?[z>PQC,4 hB`~p*@#=S߆D-%e(oW 6sK!`_G|fJle.TR=&JJmMj;b^AhƱ|(k?fdswA:u*g;Y;'Ȼo_U-= ^Dy=' h7~liz]elktzZް7<~f^?VC6!lu),a+7)8iԠn➵N^0=&#ߚO/6}f %Fl%b@Uݾ!)wcoH+" gV zsr-[ 3ڸOjnR?2()D/9QBm'حW 8u+v읞Yh`xȤ"* YhCX:(E2%szF9Do!Z mCtinuh$ܭ Ⱦ#+.ґ}TvL^a U:~ sSy"66kAFS:Z4ǯ6HvE=TR/zkQ+Ms8B" 갺No]4 SRD|$WOźI?*Ĕʇ*Tu6UT%tX+W]vskEs#vV5D]Om 4騃BjFB $*n LLu7L SHVX9abvLG;xy.5ʅQmiDЂj%w&C}(_ DD@$3*>``tն=qض|s{ BJg0^ mv AѨB%[; ƌY/r)FJz%Y0P(}^z}B Wwc>H8y]M|{"Tyh{Wƅ)(T2ё ]FEDB j?Jr(yc:yIRiB7Pgq1q c\t4 &4I1Qaz=̠'_BO.u&@ot@ל"OH @+; FaH|8tBtWkI1*PXԵCXf531ZcTC!U#*S~ 5=)A~_4ݟM"*cV2}b J%1p|<+Рw|jѿPp3ണT 궡alQS4JqhH[J>T~*0v/қvӈT&d/6;Mty@IѾ  2*9# Jn<ŶF:\i%<[,`!fY&2m 5)s"8 aP\)pb+j7Ûʽ>C-Rv42±!Q%`0d"fH8ش# ]HL@^/OW1zbA %{@fK/v&/ՀuI0X _*wG<=T d-.%x1({ЈQ5sMQĖ=s>&!>L7ݳgrV0P xyb+J̟KSMsZx㣡 y4%eP^4|1 @zJ\'ިP9 2VGюIV5ø\SM{y`L}|1jW0IFQcFǕf|›RLAU/{QӱtrN:(檏6E5i5ݜ JYjoߤf~jDR0@9o~@NBr5Ɨ{= ~үmr˧r=̭dҙ$>HOҦ{ixRrQqUdj茼uhJ7l (sF>h[c I_3J@PwYY U}l>h:W}IߏQՒsz_IֽxDQcZ0>^q}$t}qOQSc,6.j1@,r-rqO'OuNߨkgМXZ.|:FBZ5@EV;X-_o[8Yb%%mPC'UQ7NWyJYc9 _cFrh4 :t$ɪE U'a#8hAƞ9/@w(~0s>ZUV/=Yl2/M~*hSwrSGgzu/6>I=Mi~/@[5b`߸3 t97pE3NP*PO'(Fߣ)ATS!^J:^#"".'1>fFzOպqV*L]u6Q"־=ǥ?\?bcQb;,_ۆxc5 G>̂DO A`jO A]{=覃^1+t7pjS͋NX0gXZ_Uhd$i)fjgw@vK\z(}MG o}xwy\tvCsTڈZA{z~"t>{&NT/ofOll /69 N(.v_Gb]٠SV9{SHE8-p/4Fcmծ]?.W'%JF/ũvc3/g(Y2#A3Db3yrǴ/XSHoUq}iF&W_t({t=mᱝx6yuNț0ټi<uEifR>N:brDZicU4oXE_nZ&WjWr2G7siF0S C{.(ű:ZO[ JTj ͥcFqET:+6dDI<ڱRՋ^r2sLõ3nz[؃6HhdD P/%£Csr4W4{h$z.GrZMUEQUݚlr5'٩sIU]Tȩ~&]\ /a84KjlXB Md0 '}A/>G>G\JcGW_ !7ikdOLr[ߜ[!<['Al,[M Y7R ,^$;EDk\i:@]x}B jcKOeIKw9Fu S@0ډƖ}͙{u;'+dU5Bˆ%>?Zu/W)=@-Ҝ |{)R^6t 
?6zGaDZ0XIw6404}G".m>p1B<|ǾL@K슈0uD539.p_L3K2itr_9ut5%rBR@8h9P@*Ĉo'ցBW?A۫R1$uMz3=TF54Z90.(Vk#{ 5@ɹm8[) 1A!v2DN۞!iG zG0}B*}HC}ei"TA<6W'[I/7jm"4`Hhˊy43;#Aɠ ,/M4P:l>0;L^E(k} ms[Bm؂ 8,E p# L?PAss-.d5Yͼ3#v~)Pz5D ie C1?#`vq~N[浫BEZ*}->xqhl}x#:iG"qhQ&TUkE%8dG;a+0swHK%Ƚ@GJ͊fl :l"`0 gF]_JtvNat06;r^ݪڗWk람YCowZf aJ$I\\L)ĉkf yXE ^=So_|ּ.R[$K ,[( ,G%EOZMlN 66\$Ny W.G)>llLب7 ڬJOܑx&UU^xզ5j8- ʗZ6 +K"WSA!3QKҹS4pnI%۝{uaUHSK6&sq_o K[ć]j.e҃>-LJs_l$x5_6-FD'Έ Mzcjr>S|31Br5"ym!ͨS # Fzsݙt!9|iG`&t4+H"=}&}}q-%mH+9Ȓ-,4mz 0<\gvㆺd {deGAjJPC֑ө8)aH mr2H3 =xxg9\j"<(ΙjG OIC=2pz7U(W"CmQmrIյ%z/@nX $ Sr!ONB< _9pHXWDept9P+q@͡7B 451 ڸx֍0^~3 #WbgW"]oOqM\9t.bGEd&87Mj #-͎^# CLn+NKxv@ XT}g_1\[HA 耾WiF-Z6^QrHtUA_.6JmE@\#%gT|%`Ouɇ`fZ;ƙ*>éZi% TKҧϧQTqSݪuCIB2 VCxϺe. j;Um"bt7Z4ua}es):TBQ:m"zMR64oA ڱlrzk"d~ _wiQ[O]ō`fSs8/ Щ;xC&9 $Hw~g< 238pase\oC;7fȟDf u7pdו'aSJ֘;Fzy2xSދ(s Pl(sCC oU&OaٱZeXc8OifɌqMsT<27"R̔IJ Kv/TBIc~g 莚ƲfC:x\zL6+'OU'ұ#2DW"6weΥ > [8+v""荆;0̌+sncP{c@g&!?ÿU?PB_0o)cD&vP?!-A. /fc|&JD UM- 'Ug߁)ě&8T+?5LAAg/5~be{n}W ʄ?j}m2:V'2 A[or۷] uL~=3Y+YM L?_[M~jj2Unl~eYh|.@MЀV#Ite4^j,1 >;pGC4P~l_nQ; f]p/X^@J?-c8 KU|VssV!%kYT,:QbA:v$Pg< r }GK[{ '55D@D.I.B5!T^WS mL: n;鋴JQ)aK:ock$1B9.DAۺ]ߗ]ƓL%]8ȋ y%#gy62do/ozأġnE'O7(/]| 5^ ;QS'R}H&A ~k4 t#tY<y7-/;$Y\(bq57ةT)L߄&ma/lŝvA}> $Pm҃'Kub7ZtԣL$r^g량,ԃŦeCӜR:81{ @ک{Im C'mt{:_ >ĺ܍׾nKVt+\nF_ǜ @Sp|9܅x4Ģ4J:%m«n(iٍWc:{$Ӟ-}.VL^}KQ}j#M/W9?h]u>&V_Ȭ_HtL펻w;ÂPt?{zeÅ"TWʐ)|~!i@ g鷽;}("K0 ,t.NuDQbzZDΈTYS\XtG 9oN]|t4a#m&K@mԾ]90]Ee\m*$d06&xz7X70(ž;h!6Q$% s!1D}3ɧg^!XyQr5s-"PſXjhY%yAMo$(H1(>~-m` em5&gR=#bL&PwtdSڸwoR9!fҤGE)wvP)Mܠ'Q|CC-䇚Cxraª [g\ߤM*OVYhdGYWKCU ũN{Z5 /rPU0j~R5Mc7$\Om}c,Z=~|="v܏s-߰9M[͵TRRФq1jNJGȟ (Ƞr6[ `eZ,+o].) j\;4I:;\80q<sՠ[l$ߞfl"ٹAnN5 K  +ϢE³ E>m$?2wׅ,naT;nhʨUQwLm#WX́!wMMeiP#La+=tl:@(^x)Zt yUWSkNq讻J׼BX!tpNx! yoY2}KYX]4UBF+omGZMگ B{Ya/MLP}a399Ǐ :Ң9W0Xy4-\+(tZwiZYib\˝d\yg6*&7&M`yy?hOCIQ7v~[[p=j JPS`) YqOf3rXC {KgّU/q6(_\]䷀j)Snkv{জiNPςMԯ]1ǚQ!oBbDZHr*dN.;i͎O/m ܦP֥etD|\Q&2"FPE?(E 'wă{U1`39/P=\*{gP 0u[Y%@Y 1ۉ/'{+_֌B?;fU ߀[om?wx;D4B{*=vQ(ECn싺@IFɸӜje[w7~@[ċ/z[@UHHwͥa.US/P&0Z Ĝg03:!] 
OqZNDgԘ Ah6aPXGh% 2t49sp郀=H_Q[4G SCuըvx_ctAtk}񮥁"ATwy1`t,4b $#a 0QoP @¬BL/YP+6}ra*4>O"dLJZ.lcmEp.ؐL `*>~8$GDY#??'JOb/qa #I?#&; 3|fg?ɣb+}f[|F]bñZ { R3򜎫)[w9tٚ0m@tgl?EgA^'☎h!(rû1@+ϭsIN 37gF.8Cgys*:IAP-yٔB$xqPB9TI?aE$Km4wU#xDRcnDrՑ";X=P[.60֠xAx30GȄN: cMDs:J)oxAT1?\k-q1EҴ* -[SJ`[&R¤ƎnܶFBx1 Qb&y!=` ܢ$@8Ɩl~X|Î"[U'Pi/̏uҒoZVzR=@>d?H_/l_։[0 `06FkJ0[(c|,H-1X $,/*i%&]WG+z10J =mZ=4]|S7N|X<傘Ȉ]1z+ KѧExWC%ei`M,mݐ.EW,@z# {ۮڙ '+yN TWl {nV'?ʋP*r׷pدXRh2BAH騔@@;ϫI_OW y8TB޳aP^'&dRTLSʶ/klF.^dJnTS06:'htT&D$P]'Գ.$IpE)_<j{ܿ0VAC*wvL hp*0FOEnƈi֯`> D*ksZ\UK}$vd(9#cDR' |Ѭk$Q%4x.*ןbJ9! YE G 68s:*)# xX-yUf:9-[wKb\α _w/|‰{+Fww}|"hVNHI;Y6DWR;"'뤲h(E'i[di)%.@نjh' Bw;d鏂buݙxv)hH"WP & ك@8l*_lȦ#؜^OQX2J/j%ءqm󷩨ZaYwc"SOYF2 4A6TH_ee5]Shz}ԩm=++j0F%kQ"$՛bP**K[ɜrD ÁTz|%,Y,]! GqM1r< Ks.\xTsϥy_nR-kߘj}eGhM5]hQ{Z$/Y KȄn*%P̊IE!&? te%W:6VkE2<8~r;TmMc7%qϳM$|I$&50%ΐ'z ]@MlCBêx}m[&ԲWV ~Bc %An,ḅYo̝?-8e|R4iNJ_PLx{_4ro Q; (,<0\y\xqk—d.r} o@]JHj q ZmHֆ~bx(Z((u$v*xYO쥢H/Á:|7W,{%5ܽ3ܙ.!fegر/S{SED mhU}5EU%gQ%]!ɤ QgD#*Tˮ 6=O>:l^C@KrE?g0#i1:&DQbwPBkBlCCDf,<_EA5*-9# vd>V(tՄy#2CN2ȉ̴gjipcYf0iXv(}2[-Jn) - O 1p!mQ6_(HsшZ"X8"/UAS> 1!L&vx ;}ѹz.,͋C1c+IQx~VXޔk',G7OU<{u&w9?r{rf<it0j&rZЍЕ[0LɯFU2w7'׊DCI*41aժ7EѲ^ɨsSHɷCl@7'gx.9*H1GX 1 Cw'aj^a! p~QSNE{ ӴYȸele鋡]牚xY{v9*T ;nm,8utBƒtLĎoF߱d:Mpw N`c指6``mDJ?1e^rʑ?FmƤbW/yE /U=';|B bmFHבdzt "ΖHa{awY_͆ue[ gtSp "5R^1-/ظ]jKRjd.Xx%jSS$ɕ k(\YF g*{UUk_7hb(ՋDi84iiGb=ǟFI'" chtY/xGt 0ArPj))jW!P5ÿEÀ[d!VU^3 osXt843 :T_tn_M/ eȖsbuxrK +xYhHCJ"5id Eݧo1`hqhՑ|,}q7 %A 2˰i.M'J~)fP1?TÝP\o)? {.| UK!5Bit(&Fa#D@xHf& /{ƭ8޸]Cs3ڿL`Jx@2Kr#Sit{^g8E ܈6>Cr:5n@ =WLnmLrA\w={.ěrCӽ~Lak$r!}N=|աkx|{i05MÂ`M؋7F.|qQ] 0 V=f ]i"IȦKFcnkC<|{4!qra,@h$\k]v@ ɍBL;aTzXխ'=#lOXu1N.=/GZ7 H=Z:x X:ݐYbYy^b,.2`ff{aIzes@ۜu0Yc)0j(A;7@)O=oOqjJO+ Z}RG[+<\>QJe !|`u.O$ i*kPhLv<ʸ䟍/g- o i_gǗFõU^!dkbifxם/c}KpG",ûPJ oH%꿖=N! 
&~qw9؞vcmbz->kb}RԻeT–8[Wi(d/⤮0Q@Zz-@>gxƗV𸕢;>ߚF9.ٶkE4ksr׷f[rgBZٕKz͑iS[ʹ[On*7/$ IASѮq"mI׫]2'QI-ISֶUΡf%xag pu 2~ZVk3>=ƓB;,C4Km|C +@l76NJ =+|hs\'6"%ʋ;pj;~{HfĆ>y>dCn fNUKNsGofo(4k&85I\hiwIfGO jQ'0\x7Z`ʹޖBC+ݟkd̽tӽҸXt$(nG3PK nmZXZXA Yjq{H`_g3P6~m5ˇq덅iJ;OpY_UPÔ}LZiB(Grx>PE,O˧U9+hHM=wBfA ٚ.&\J02di$@0B=,Ox;@MA#0R1rU09hV@YO>[AYT^ F`fC &4-AiٹG$`OJk 'nmE';2`'},tB xk*RIm4W~? J7~| g#Pqt8˫[;O!4DsIO}Μ%<6)zE=ߥ#t-U|=&zbD5C2vg9MP {'YS,'Ѻb?_NhZ6:bT\+a'߷3>G0ٯ whxXh# 2ps^xJPN? WDWG:Oe8{Reh 1G/bI{dDi1R6R{R3"D^yM%% "]+^o ,QG#?4Ɲ_cu3g[@P}y8Tr/jb<')FiZ --2ǙX3h(I>$Q 22M"<7a+P\O8?}I\#u@m|i ,]R [F`Q.TڡY!sAӋ,9׍;}]5'tx1?N@6֕+|A ŘZ9!~1Ji^9U|oLF@ s&"h r8jxprMd|i9O=hkU1#YܰPDш) vУXK iqk^ p#wPY^U3" 🔭5sowׯ2tEz#rG!\Ec!c? h&!]hoPCJ5_.U[eRpME-mk^"Cz~#Lc+_ -]tL)X G}BoF&!N8^)=q4XbVg~ Za?ǣT`W3'R|{S+j3l{tQ?,Bm ISVS|p∭|> aL"eQdl zIS?vSvN h,})4 GCT"rSX՚}oESҩT̯T{Kwa3ªc 0o[ j}ter'Qxy-w _$Xޮ;1i#jy)&>Б' ]T 7=ם'T{-LZ$󹃬+K!ęUZ,>,XX:ňDtׯJf{{VxN%0#2 $ ʀJ|,GѦ(&G6wlMAؖkl"+׺|j  SxR~^$=Ua()$d`auWd8Bcd'._*J|(s-o_YzXAL2AɜەS)-xdaȌ<~ V@m,/`c~d-"'b*V J1Vb3H8w>CƟ;kxsժ%{[om ezM_#2—9@c=ִ"zՏFجɋ_72N,[ul䧴:S+%TlfCO4 2bHqy]  Tj[%É0y87xywCG'+x) yv$@ qtqrb~kPjK\ ub IΘ%{h攖$@ɂkyRs~ZSH95lC91sQ#B̶}*P-S:dab94%HFfl^#Pu'*{­K )'B*v< f=:-%4\?_ѧi-7kTF@V2 7f6 dV!J|^Ȕd2HFf*٥\WRP;޲/-U*p3y$:WQ0DzY?cO.YfY{{mk*Q JɨsYщWÁ. O$j>*$/H[mݷQE3qtP[Pܻ߂ }g1(7u,TJOo@] β66LgI0[/g b`,Ue| gNIB<omJLe2gh{C'$'BX2I@6nqTFOn664LafbW9WRxLȊ>;U4t_.A5cʴf`u? 
hSqbԵII :v<UYvGw;,KVYq'F؂!2+(XF1W8;52ok8Oм>+juٸZ\HgXʣ0yLY>s|OI|)MLl6.3*{5n720R!ID;}&.oXMF$֝ Y"`2jL&$ [G/6D+'FHJyz-ʜ>)0vX X) $UWvG!xérKKa@CԌIuӆG4R$K7FJ$·^jT) Qq]'sG{#`ZvCj'/TVxxT)k|S^)oˆi0wUҖ؀WbBNQا|;K5Np3W 4_#7C96׍#@TϽ/bYlζ3C*bڳ{RXZ 1yji-뷳^yqe8Kd6sE J"},b)"4$")\X9|K|x~Jʀl;i?e.>]; Q !geoGK̓ խxd6b>H \}fxoGNOhw~P{L ^Q,Ai/ /]GBښB A b:0  눡3bqxUSf 4 1n^o=8; m~5i7TMTA9X,Z0Dfy܁fjoFl?lgI#mis8]gC6Y=^SLx^]/.b~G8Y< YAm[&UP[a[]z' 74 h{<{ Ū!#\G>j@qMO Vwi OK/IU ~uUq1-SMk"Eɺ$v5a9%md=mn[SF36"μ:qt:iZ~@m'e͟>Ap60&G ib׳=PWr/l/M!8T#̣Fɑb]JϠm6:Ӥ7l4;]^ NlۃjhiVN)kA;(9Ez/mBc~*4= 35EØ^Do8=@Bkwmvz(SZ`<{7PRD{c5N63;K}d %ngRzlBm!w<A)ª5AAPy& kܥ7ĩ!<'kG.Ntf+P.@X*X#@t"$N:բP*>g1h!kvEhu`&^pܾ=u~PAQ0fFZقX}8"5DÉӝgoޯA7`r^NJ5h-i~]U7o|LWMzUvk 9RX% ۽lBfMR-nkX" ѿލyߊ6"O\p('`RFJWIe0f(ޅ}#F*!= F9 ]30Y3asNf8:t< Kρ7LQQKr3QҨ@m5c`V!P^+335 ]!A$ӭ Rslbȇ).pY.gV4q9d|4Z+ X}BQ3xw>4!6e(WL}"aѯ1PpOCMS$'@3A&-O(Cm8L~! >dc3xg;#HPow93a']bg=Bog?]}J[䈽*v,4K:}pR _|dC%(I Kֹ5wkB3&<|K/e"kI+-9b歹,72tF>!䨂?{aʬT=䰴[w;Zw)-ֹّgxδ&J_*'բinL!NqB^==\KR7D"ݴad.oQ01T(PJ(l*3Mdr/ H1;"魇τ?5?IL/uV%*/bM-|ʘnd&YY321?A[w]`#mų\J:CuzXe7]= ِAYa N"l MY8z=;2yPhr>\vi7&߷瀗BFdkaUj:OuƬ3pXZogXX<_`#*Av^ eoV4%(m [O_0ѝN7ZtNOO4Чo \A~h` 9I@Ҭ@ej+ otV dNb{\Pgo(ADs{MM1x*ϑjՆF0T'PUINc$qzKWT쓢 9D&wX7w͡W9W/)aqkH-mg1t5%j@ީN M^k ܫ 0;NZxҏ#wwqVDfUtBCp?r-Տxġ9 L "%l)զr XGU ϰɖMGO"R$uDޒWZ(] )t1lHp: eUx.p7ü_Zj2㷠 ~3 AhJLLdxLa&dYd,IHI0|bӷ+Ũ:?}j2 2蛿nYg6Xщp߽W$ Br[7I sBQ|-J18 %ʏfVƋ..?domAvf WE'2s0ق$(UBV;U$ t qVG`tPn_P',[e2D{HSl>j=8_\ԕ*8d,l&5?v~sezδŎ@&i-Bx$[^_Hnd(2-;t*Ǿ,o%Q)6eV%&q}oF 61ADISUV`T hUn DV-UU)tpiuL@\Gz]^暦gL bڥ^6iV|4;R\!5:O2 AZd1}T: erTe9]Vr$oAO*_Q8!۫ )Y y]TJЇ!)[vFlyYiHW?}xuhZ+%iCc.Jr<6[#8usPi%oL̔S.|"+'փb<'O& ϩzS".}k-IeM+}*Y vFAEԒ &Fȕ׾~ /STyZ$ݕ p]GNk7Q LaJ[`V]͈=EBA=Z,}~<=Y\3ṃ~Spx&ɵ|Nې@Nt[+w2 VXnn0)¾`YK<CC Zwz!"\264G_8.]mL^pO~K-쎛wo'7.4zIayb71u1VBщܗuf-l)*r/\~Lp ksT5 DG< }BLXGŢKU jm 6KP9`ѸtHjAQ㊚/ Cqphoi-䏪צW'c"xf•LO4h`(Dr'|pr+ 7RNsi6dZajT/Ų8nʈWr zcMzG"<6c\;#c9ՃDwd"08\:ݶY= ~3"J%h#K+Z{(Τd03/CD8"7>3ˆ(}r f}P74{y]s#uaMG0ZuyP^:X湩l? 
O8ۓHb##w*p!&ulA*Y] _^ ts͟=), AޙhS}3٘g9C,w9vgI9Ji.!\EץԏжoPhCi4S#ڐl%&^ʡ)S_U<%^T16xs)b<,'pWŵK~$F-0~;2[IRB-eV:`Yq$ldS]_G^ EcdM ػkT&h?/g: P6V0VYW'458e&7z,Vms'1gF.P-{oϑj>'). +Cp( [a9`Ί<\Įq/9,F{J$*Te_ZKH5OlʬCH޽^m2ҵǬL /2ySiÀVhHfB }qx鉞Jsˬ ܈YI}>]0 .5 ӿR]1V ?U)WNR kJt6uz룀Ɲ}D1EFlP^&2( Op^G !|؛h|9XJ꣚8 hIpJ/ K䶧,_/] &69O78Γ}ʒ2:G ܔǤ xg6oŒ ws *`]b!ɺ&.Z-]3aȷіHR"j&#Y O"\Ƭ[" #Ŵ$;SǕZQT|Ec;p]chђv$ rmn&vշ}{4bX"{˘(b`-s_6b%e9{L!Y3Pp$LJ>bksK`s2{8a&:-Zx&R%@-Qr:Iz+g"} è*<^&re oHwS`ir0>w2|6դe:H&MiR%9'Ozתg9 '_%I,%C̝(} b`5G E n &p!DGs+4* :k'i,B7w֞pF>5g:B/PcKWUϨ0+eXAsO rm 6j1-\ 4BxG]wP[]2N˳*2)!0d:OWܘݩ*C!A1dߤϊg-7 6S/`lԗπJ9i/zd#qXy_z R*`!ɾ>b۶CS7h^hbE)d_"،kI`c  l9Ih^Nڍ]{9z9OIl?f&$qm2XS:nx818 v6QN $N͋iO9.m*F,q~kt <'[V~߈M<'ԇ ,݄[V8bt2NX4ǵrA o,_[iBU@z?"?C[δi:!IőOэaq4fnZ$yy-Z9٨)?cd| ~4sf3C%(?̝ -Md75DɊAпqwVK7!HcoECv Iפnj;T1Nݐ@mٞ2VxS2HH+@˓A*Ăqn(Ps'0I$"O؉!:(8J;B֮.8./^\˭H3hI,D>uuLJFA^#g1A TkNv{ˇr%V1:9 GH9KGryNH!F7qx~.P]ÒR!P,~*rƏ8C>zfr[#-J"q䑥)#g|$$6؎cc} T7)D]u˜ijL}8iE$k?iCI TڡOjTյ%<^~1\sz 0㾆V+Prh$,3 Z4S ;'EO+T3P̭ 03J@ Wa'Ú,KG(Cs -12G$fg;Jo*XyvG@v~ˣLy.| .9\fVEAGʓ#T43/j8 D^׬Ÿջ\E7ޠ9pI B2sCKJQȴEi]aKH> >4e ϬFRK5)vp|8;{ ƙht2\sc(?9r12\, ʘ@疹"6 w;ڧ+(ClFsdZ9bB):vW惘<_+^cc M<4oUɆ~.<<:!z8e4< 1Olhk4e <7lAn!r]%'1_թJ]ڶa(Ћ]'+-Nv2({%o*٠Gi.[fdB̓4S=|٪2{/yZYhi~ M@r06z7bfe a\K"HQZ[bƐ<4N촄y?tuёuukWeԳv5mL%n7w$Q)ܯkRQiDQqW=a iѡe2b3x|XY*s)&<k:?N&F/>[b ."7:"E2!ȭ!tb⯵>ĎFWMUVIº1nZpVv@DIAx@ٰg8-;5za[H.JKd .v%B3o9? ?=FU:nJMC2%-Nqj9t53H?t*UcWE?UÆ96)T@xwi?H ҭmzYX[#%{XfKuRp^b'F, !f'k'Pe'LJ[spLJҌ-* v)&SMs[Q9XbotQS*]3-PQu%~!u.(uyY\`xAuZ̹w-* ԄP%8dvlڢREJ7#9(>:mN|+˘yy5p{.u05Jbtɤp NAA]&EP>UTObyn ;*<Zb SxA%27B&E9 -}/m"'!j rm0$}nQQC+ 53JQ9¡.AKYj c2!vUH $/ѵP2naa7v#K[V[< K »X!^CUmD\uroV(~OV"cP Lͦ)GI"4R z3ЛN ;D - ijy7L͐K7o0(Ή&eDr!{bNlfpD`G>xNMT%&gSN[kf}*.(MKv-oEմXcP.%Gsgj>i-StJJN-!'Kb}G((n݁r]LVgnhny@K(bΌRO,XU*I. 
UG%Ncn}$:'%u ۢD_ZlP[chPֈ#X+S@#F9mf4*WAiWp{?ﲂqt?ɂ8gf)˸ʼnkqT(6?KoOx|3לLʲ%ҕMi yuk ݼ 1+yT#HȐ۝neYϗK04˳mYR_!jcdžXv,G ŀ!v,C=db5k)4U*t-~U2m-ϫ0p5",l-y9rXHv\ Ok[ 8OA=LW0CmD8P8d u[*" m@B/dE$ĤZa㜆̿ j2je?R[8c $ -iK'ޞ-pC&] } Vk]T+rw2c2Zw9)n _zȗPahSzv>^yW{X&2gM*jZ΀VL A{w]Mc߽'Fa̞`E#ξ[&\n2S^_|ܚi~ӳfWF'P9לH҃) E7pcﶢ-P{i|FՋЖmeBi~IT(#CN]siRgxɣu&|>S錆#\}TUO*x}KSZ1SRuSAtc̭(TE&ʯ5od<#@F˿{ ^> EQź!s61aʩv%4&MYeyWOI9WZޟރ' C 9Nuͷwό"0]/"V-h&=wJD/Q}oջO6aKJLQQ^7eTOhH{K~iz-\d^* m5Ʃ\}(ARj50opʊmFFmyC;iiG&]f;4=~j[s|Ŭ2g;^gB)Z(xCD1 u5$fƒ('t6(TN [k[-kQN_ \7*0e rpk[ALn?[BuC> *}_;IDaPKBa4N~6_s7Z=GmVW\.KGo~^ZeӭIs @7n5cxk(cImJie0xPEGzL*ꖂҤg%!3_d#uD?Oȷkf C%Q?;9)$&Qx Ҍsh4g'Tbg(.l7 :6>WNvytňhAhre!҈bwN@6i >G9}.(;?|e@tj`L4u;T`lOmFlqGчiivB:0-:Xnj#@ˏQ|WZȰ XfRUC)Ul!TFp3N xOev}n뎟ʙO%Wd6r  $F'?} -pUyDtYbM۟>nE NfK"\k~d]W(CdMͽtnU:gseAr:Ӯ}-\څޅXi&6A3-,geQTro~u=+UBM 8լy] Ѕ2M'_/%&qUϠ?pd^$e?Nb5.6Qbpޗ#vv!b !R۲Z%wƀ4L#1foT?RgJ=(ɨ!U_c ) ȟK(dߒfm@L=j|DJGe/Pܪq{aEX,w|aHQtIٓK؎jʢ P1-x0+vhY{6N}*s$?쎍\a]se/W25b Zwam/Sd2XH$:#X+~/g&b& N 5-S~ZK8Zѝv%ulL޺XǞn}:h%/Wcў0Rab)yaO86T^)z"3f׹F9N׊6P]7|5c$f+٩MNӛT܊g8/>ؐE Nӓ==yn?ٕ{0ВdZ%1wHH|sy6 Z %Ν&5L'G:3 ;XlqJ!- ,&?d7FUءwEt{h{ٝ& QV6p LOD"OQQntIM"WR'(ePtA}ϱ>~>aa-o iH9ʧ4#?1'i`{WGz56\ŧfwѩU>tj ,1kS  82u*TZ?]s+h+ 7e0I-bZ2cEhSV r~]氹sECu? Wk]PIWfq]pLA{s^J!@(b:o7є$6NF/y5Nll!_@\6m:0,+KbY9,t$:l];M/dDEi1` MD&tߝa5\>+6W{·^? wq*΋D^lHhδs\D< #<]w(EDD%Z%.r,.](,qhYǧ?9|,6cI}Bslsa=pg  .+Hdyy"3jW[7$lyI-r?6luht)r׃>3qT*f(]IɹݢZ;l{n$Iad k/_vM83?}̵Nyd |13oQu0h=a6ž[>?17(7:@IuZBңTbO]Jo.{R3$,; r =X]=M _|,_}yGq MݜmKۅ*h"BMHGApk,\f|@oL@Ω4oVTEgg29VX ũ sk)Dte]XuED#G&ݎ2i? 
:qrx,3wYɃ+7LPco\2y&/BI% (agQs%3IJa'+3܍LPGn6 8(1 }k%;\=KN*YG!r]X‚域.J iu{v!+ICF=/3k,%!@{ s6&a/$z_/U먐3^Ld \~ӗ"e iW b&qfO[c# Ƞ$,X6+3%U;T&0,I!^2, epMʮ<(vBA4'z' Kzk?֋r޷M9mXs-RC' (Zd0U/8.erN}@"!J!ǯ J@"u5D|XG{/v:V֡Q8֏ D}դ${e/G&3]J6vVG~}Y͈}M` )ݙP.}]6/SZ%=lqegAOݷGy 68yzW[7gzB&1Mb2֫)6 wZ@yPO9>؏{[&ߨ#~2e H+KeUqͪ/QQKUzb(EĹ /{ KsR36i6؟>vE",?]7S5CM)_zC(aޮ?pZIS#g[[l#0@f9YŊa4‚KSHyX5!(TcxOZZw7t Eޏ>]P+MS&yΪncpΥ8T8t,d.lܨBa\v j4n1ۤ`4۞l+HNR1V!q LGGB;$T /u:͕y~6jH"Kwme$2Ty;3SPǃ` kJNrJ^FEЋR7U փFb"}]'Egs hQ+\_+kHrSo!06>C7#vɬNW; &-Q(J$=q>w$nߩ[*$h ұ@ ~ٻօe~ȴUvг IuDے4Y%[YLšgc9 vA fQ/,X5n0"b6[$VDMBwwky P+:UcLos3ޯ@|5A$.PpI@" D:y(`tFL#ښ-#o~&au]uCKE?ض\ {maTiA~t1G[FynCϗsٸ7)F4AwzgqВC;&UktP.F$D\2.,FZ2TPd; SaŸYKXQw{b7rW b%uq Ax!xvEI1:Enag޹,v„Kh3uM]ܒGw#?&-Ңys}E`dZ)A$̍d<&9c/,IO<(!m[RJ4mGr*aj?un˶Sx`Az8V^*z+o28FgKᬬ-Jlh7%to.?8ǸFmR^1&0LoXTSW@7Opc\3~*+a4\{N%/V23sm&+5TuӔNBvL]\GN6¦fhGR. DnOaU"_fY:bT9Kk0ɾ\Rmn3EmɵmK:\ ȥe9,aMxk'"}D~N0щt"w%ߡ:ꤑ[Z@Q$`pOי`Pz:+:DV4$dCFlv#miZtil nswԤH џ*.ȯm& N%i' 1ʐCU -IOE~w}TD|#߉v*HDx˂"" nYN=m+2:;aEk_+%N韎uR-Bq[0gGt>”x53BDxY!ς"vPO^- "41tjp#"0stNrVL\c@?i9x+ 6mC?(hy-QkU7!Z£OiBQ0Ȕ3%j'^:J-S撰[9iG}Zuow&Btj5=?<'OL8ēy$Bp4V&ⷮzEK p$ ]|5"'y6 A DAB[L:륊Ovly efF+R!!'NgĊ,R;a{6$'5RIo)W4NQYvIW:cŝ$ EWwG(&,ĂDS$Ar?RS?5]LS86K+YViRҭXŧ "Of߅O ~ ~=k[*&A45%@Yx:གྷ~?.3!P:Iy5]5ɸȦ:I3 8R[ 6a[Ϸliu/ʇUUl-Z*,V Ib:.m_b*?7ZY X2