samba-dsdb-modules-4.15.13+git.691.3d3cea0641-150400.3.31.1 >  A e/p9|Ze+R~u"t)5pGsh@6onm6& LI QnXF'\-vҖW޸֠mHY~9lei)|r4ڿzAC/ CȔ3diPƸ0 =xK}8"#B0Қ^-g-![w/ǿjp%,GN#-V 2- hBT8eRN sn.G6bd41011f8f9ce20bdd3309ece166afb35c0dc834c19ad299e598adeed4d022c926bba6ea722266aa2eb6e61c58ae04d3d909691e/p9|#:qYV=;[XL{[%IEpk/z FB<fi+Db'a2r’K$KGW*nlΉ*_mTM>bZR ʦrPʔC5%>mC*Dh+ ,/}Ϡ^M~P2S*YvfHL ʹ~`uGqF1PbW\>`A `Oq)$RA}z=\20>pA?pd0 > P ;RX`-|- - 0- - Q- -4--0-ww)w(*=8*D9.|:@v>Y@YFYGY-HZ-I[8-X[hY[p\[-]\x-^_9b_Oc_d`xe`}f`l`u`-vaL-wz-x{-y|`z $*lCsamba-dsdb-modules4.15.13+git.691.3d3cea0641150400.3.31.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.eh01-armsrv12epSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigp Hp Heeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeccefb46271876c2ba70dff893e03cd918eb7a224f08408b9a35e44bd70a2342efd2461a56afcaf2b7d3e263dd1e53980802e0b6f2586ddcdd616f147c38d8a0f97394d394f66c91a3ba60e7a8567e5984d74c91e5bbd159690c421cfa8529c5464c25f1f4ea3db1b41b7fd23ffb2a8bfa649af2875336836f238a347ea47573911f5e8194d072fdf4d0d24935a29a4af7e680d938951d94b35122f6da4ece1370eb34768cdb5fa92e962259c54cee72e38fec5ee0709cfdf87024d73bf09f40e863cd8895b469087c9ba512769c9551da032a286ce28c8fa5d316913acf5ebccc92c759a2b474f6366e037a9aa00744291ba5eb8afcd6fdc807f2d4409fd7ccede94d7efbb3b6793e0c25601564a3fa9be31a2bade7d97c2fe9263e18bca978b89ba77f0e64ff249157b34122435cb9dc1042afc4dd09a483d9dbf963027f75eaf468a7abe433e14834942ac42aeefa80114aa2625aacfabe82c55f09b70e9cbd3af1932d4f0b590e05c887c3b79db86dad1b2bf38b43231342441cfa73debbdba03aa2ce63fe29b0184a5219147e21452245ce190f7fff2b0fc2b5a5cf9d99deb655cd068df150cb4c27103b7eca6980212229cafb285965fc18f856b561471d2655771d9822026b1a5ef999a2a65f7e8bc11070824c382ad64a21023653f6af8ff46a032b692a6d689ff224c918c1c06860d57a0cd106626d5b758a3
2f12752760bbe7cfbc464738430f0fcb91edc4256cef2f095ccef71855a841b0985300a3377af812f840937c73e3aa3ccfe9bad7d644bb328f40c81837d0092a2f14dace9c0048827f55a3cbeea61706139789d65eec3d23c290b463ec807279e40ebaaa261dc579e05b75b12f0e0bf330e4dc5a6a52b1a0aa79903853a2b0fa1a207dce31852d8dfe71c4c60ac362e84f00e61cbf88be0e468fd1ab611b6de3ad31f402402338b7a6effd8934464e9d5d67c90656b9462edad45cc03bd0c69a45e1adde0474b85d0ad6a7bab3f5b1912b1f93c5e6f8fc9b41066adc85bac40e5ccc5da52196d3b3cbebea448f7a8a4a389f272610829ed86008a2fe8e406e6e290c480fb71e36db3e6395677a541547f5154ffe935981946f72a655e8a0068e1fae8e6146cfeee82f583d4e93fd66d8b6a118be6a5b5f0312851167ea832834f086226fa5b7d3bce30407fc449f9f6c647897f463d488229fffb6ce9c7773cbfb4cda0d22e7b5702311bb3d1ab31d1fed31939ce47ae2af01d347ea0072ac6306f85d4fedb664a069c25ab5f9db662ea4eb2d9cf116fd38db5121ba04f8b0871e98933a4fe24467486def2c0d2e0e5970d56b01dbf5c2330f34736e81183bcc5704ba51db108f060f055212b7dd7f64c0c300065ad8137c08792acaa2e729d761229b5df774c163b910e5b9903a534a1d44b2d32804c2c8412bbd0e8f95409e10705dd5e73ce7dd6e39f41c25df0bb1de82734840517b4532ed31d25484b0a92ad88d6cd70c3fac5d03ffc7f805dfcb362dd84e93f7de7053db4a49335d2ef3cde5987fbdcc8545ef35984919273abdf078ee6c0d134c825577bc9597cd41a3ca77106186a6331ffecec8b19b0a716c6d638a43f26bb711c271bf58246cb211edc39494118f1d46395340c037aaab8d7f93571fa783f7ec17254afde72e2025c012fa30a5b4aabf10809b79b061494b49f959809fce60f41343bb167ced8fc4b854442f366f91f29c80881e8fff10a891ab70e38e8a6755cad3bf0941df64d0adc989f7a9684057e4af5506891a125116141776382f4350a083e4ec2643841da2f61328e581f7f65125b2696160b7a873cb5ae4be6dbed8bf2137d116f7583c337ab5dd2d3397e849e6ee4b75f46a7329496b842dae783ecb9beec7ecc6428e633061bb0ef0cfe979dc9dc6f374b54962a1ee35dfd75f777666980c521f502843298b20b8e56d3aa48f219bba36c69e08a8e12840444f07cf1d93d91ed46c08518c517c7f5736c743d8f1340af32714dfe0bbc17b606d3e72df435801d76c7bc7ddedrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootro
otrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.691.3d3cea0641-150400.3.31.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150
400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb.so.2(LDB_2.4.5)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH
64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.43.0.4-14.6.0-14.0-15.2-14.15.13+git.691.3d3cea06414.14.3e@d.@d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.de
scabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.c
omnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmue
lle@suse.comlmuelle@suse.com- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). 
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic around msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exist- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). 
* acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). 
- CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing 
with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; 
(bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). 
- Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works 
without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for 
fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * 
CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). 
* remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). 
- Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release 
with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. 
Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitialized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. 
Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid 
nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); 
(bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). 
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). 
+ s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). 
+ upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). 
+ Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substitution; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles; (bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit loses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after-free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdb, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timeout milliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handle multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigh01-armsrv1 1696520455  !"#$%&'()*+,-4.15.13+git.691.3d3cea0641-150400.3.31.14.15.13+git.691.3d3cea0641-150400.3.31.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:30951/SUSE_SLE-15-SP4_Update/8d00899bedf509e14240222c35afbb11-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f14f6edef280810f50e79d2f7a523dd8a346a969, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=cfe59f3742bd121222ac2dd6c5f9446161f00db4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a617dc60b45bb16ff7dc4236d9a8133d3e645cc8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e7b32726d09b02972a31919b15dee184e524da6d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=202581418178851a88ace9427c764541cbb1b9f6, strippedELF 64-bit LSB shared object, ARM 
aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c6b9feb3533071e9c79514d72921488d54fac527, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f3126e661148b55bba146b2fa5c9bf4dec45a611, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=cbea95311bc0a2ded6144a47d1710cacd86a9c18, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f1dba89f6f787a0e395c64ff8cc6a104fa673f7e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=56c366466dc65f5fd17816279dd9d8eefcd088ba, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=37955a438092064353bbf9cb6a9ee6359e98a733, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=414fa347051e57abc049af2a4a31c687a69f86fc, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e3aa443fe54f685c0486d48e3d5d77a450ca8819, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c27c50333f96807ede9ee1cd7651b280857bcb64, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=58f9ca8c01259ca2d704b4097331e0b9db93d5c3, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=709d5e26e32b5b5905648ae0be3b0e7561bbf1e4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6a0d7e99f734743324b4a7185bbbca67bee827af, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4c37bf6daa547023901c5f80e9c78e8d2e6aaf6d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bfa5b248aaf2bb2f163fbd64e2731adbabbb63da, strippedELF 
64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ddaebdf4f62198954d4ea61fe37889999048089, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c11fe8083aef343105bc19f31c32ae6c1584cd8a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f06de5d2245792a1eb97c170ecb2ef0ad220a966, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=52434f2b5f4b9e3819a697eb1ccae36ca6b0409f, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=677832829fd1f2a7bb55077b78adda335fa4e26d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=86d33dfa35c9240ebe55f46924e2ed179700d214, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=33a5c9012f6eaa537c6e0bc22d8691a547e1889b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=90e2b575c493e078b9c7f3572a172b1bc9d2c410, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0435c146251dc6e26781d4e0dd8c89fdeb98b3f5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fef9aeb0636f2b5e2a7a7174f66a63f2d901753b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=be27da8049c6b67d17383e199339f372f4dc57c6, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0dc1ce24e4a876b57826036a7080690286ccb539, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d513f82008fef9305d2f861f27473e1b023a058b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, 
BuildID[sha1]=0e45a030538caca746cf8041082533daea09def3, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d218bbc8d170861c446041a545f5d224b86c9e51, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e455b7929f258b6db1d1efb8dc5e5c9725dbc7cb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3b7cd94eedab5590a7415995df29e9edcb4f1241, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c7302a56ba33313b1c1319160d1a1eb3f6ddf748, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b5c43c75e05a74bcfe45d334904adc5d92a53c6f, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=638dadd32160e450ae20952cbe074af216800e68, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4c7b306e797174636725ca11edaab1b64a4bbe86, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=17de8a1e722927cd25e1477f78172d2974a086ae, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=188e9cb5301ab32a159dd54744449bab2570bb00, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4efd011fb23f06a6df2a8d03836a5238825893b9, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c4db7447d1494bd71303999f82186e22de540933, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3c8c0d1e411c73dd9211e3485889df49854434df, stripped:Hfw+FQZs~0:cp(9FQ\o   9 ) . 
#  R\R R+RVRRRR?R RfR^RER)R/R-RRR[R*RDR]RQRR>RUR(ReR,R RR^RER?RVR\R"RRRR RfRRXR0R/RRUR[RQR!ReR,R RRfRR\R R?R5R-R/R[R>ReR,R RRR\RVRXRRRERFR RZRTRRRfRR/R-RRYRQR[RDRWRRSRURReR,R RRVRRhRfRjRRR/R-R RURQRgRiReR,R RR\RRXRfR^R RFRERRR?RR.R4R;R/R-RDRRWR[R]R>RQReR,R RR\R"R?RRRARRfR RER^R/R-RRRDR]R>R@R[RQR!ReR,R RRCRVR?RHRmRRR RoRTRRRfRR/R-RRRRBRDRRlRURSR>RQRnReR,R RRR\RRfR^R R/R-RR]R[ReR,R RRERLRAR RR$RfRNRR\R/R-RR[RMRDR@RKReR,R#R RR^RRRfR?R5R3R/R0R-R RR]R>ReR,R RR\RERRRfR^R R?R5R/R-RDRR[R]R>ReR,R RR\RfRR^R R?RXRR3R/R0R-RR[RWR]R>ReR,R RR\RRVRRR RZRR^RfRRR/R-RXRRYRQR]R[RWRRURReR,R RRRR R^R/R-RR]R,R RRRR R/R-RR,R RR\RER"RRfR RRR?RR9R2R/R-R^RRDR]R>R[RQR!ReR,R RRfR^R RRR/R-R]RQReR,R RRRfR\R?R^R/R0R-R RR[R]R>ReR,R RRRfRR\R?R/R0R-R RR[R>ReR,R RRRERfRR R;R-R/R^RDRR]ReR,R RR?RARERRRTRR RfR\RR^R/R-RXRR]R[RDRWR@RQR>RSReR,R RRRFRERfR/R2R-R RDReR,R RR?RLRVRhRRRR RfRkRjR\RR:R2R1R8R;R/R-RR>RUR[RgRQRKReRiR,R RRRqR RRLR+RRXRTRRR`RVR)RRERNR"R^R$R RfRR/R-RRAR'R&R\RRR_R@RMRRDRRSR*RURWRR]R[RQR!RpR#R(RRKR%RReR,R RRR RfR/R-ReRKR,R RRNRVR"RRRXRRTR?R RfR\RAR^R2R;R9R3R.R7R/R-RGRFRERRDRRWR@RMRSR[R]R>RURQR!ReR,R RR\RR RfR?R-R/R[R>ReR,R RRCR?RmRZRRRR R\RoRRRTRXRfR RHRERRVR^RR0R6R/R-RRRBRWRDR[R]RRYRlRURRSR R>RQRnReR,R RRRfRXRERdR\R2R-R RDRWRcR[ReR,R RR^RfRRR RVR-R/RR]RUReR,R RR?RfRR R\RR8R-R/R1RR[R>ReR,R RRfRR R/R-R1ReR,RKR RRLRERVRR"RRR RR?R RfR\R0R/R;R-R^RRXRRDRWR]R>RUR[RRRQR!RKReR,R RRR^RTR RfRRR?R/R-R]R>RSRQReR,R RRVRR\R"RRhR/R8R-R RfRRR?RjRR>RUR[RgRQR!ReRiR,R RR^RRbRRRfR R-R/RRaRR]ReR,R RRfR\RR R/R-RRR[ReR,R RRfRR RR/R-RReR,R RRRfRR R/R-RReR,R RRfRR R R^R?RR.R;R/R-RR]RR>ReR,R RRR\RXRfRR^R R/R-RR]RWR[ReR,R RRRfRR R R\R-R/RPRRR[RORReR,R RR^RFRRfR/R2R-R R]RDReR,R RRVRRfR-R RJRIRUReR,R Ra6Y[6KOoutf-80d05a0c08191adc1d16f1831742296fc8a5a88bbfc160a2804b19424177d94e6?7zXZ !t/G] crv9wyҤלyoRmJ;폓'$+%bO .JZyK(PE(qTrSߖO(?Ɍ-$J!Fҋ06Ԯ1|x"DRp]`s]+cT SA#ẖVS(I779MZop'&172ܻOFJ_qEW< gG9;n@潞gVk%N$ GkD)Q3]iMldxJsoAaxE .B̡Hdk8 ;pMki|29xM) ~HMR3MO*GalX4' =;4oᾗ%Ј, ] ûĕe)}bN^ 28d7UK(G88@*gmŎƓ|rcE\ŭ&_+u% 
˔O%EhnR3}xT\$mPm[B[#K[({Z~Z8DŽM }ꆍLt\w ,UR{]]o-b˃YH#~r\i2YC~GhsaG9V[6&c l?(]D7鴶`S pΐT\t+W#{k2Rsd>(^z[D)hj<8vҒP8Ȃxt9耧LE,dJg3}Uc0gcOU\jBƝ~owL4'U"O|T $9yZ@HOTn#=칉o”C_ZT9\Ǵ4:Ѩ"+ȖN!#x-y2cTUkʉTƖ_d`J<7..B{JhS?X4f~nb (h/D^q戀wۡ _)WS0ߥ'##F\v٠Aԡel~Evi|ܞn#j t/B-veNO%\024-qݳ xR5.tGDa@a#-QcQ7v`&<`10RN U87:EE eJ̮e8^ v&j~">ն;)[/T(1ex U0/Ƿ]mTJ!3$9ҷ3WwU)@1|唱sGƝ$S!izmvbF^`N4d1;}މHB2[%Oz|}(qnYA+V>ֵ,ޅ!I0tZܴBnsi6`"fQX4fvGd% =(Ꮻ!"8ӀF}#$E]'pi$L:Dy}PZ{YăH QBF$dYrWqf Q)rs _1BP ˼`>nf۱S)kvnڮ^gy`{;H8Fl6UcDZ@bZ{ۤ`]A<<3JWpq(F PY-rc w/(vWf4|]9Ӿ5bav ;`B^5 `˿Z4SL᷆l09mѩ>SA/KL ڪWIY,67)m똟v~GP^AZ3z3R~eѩ= xYҮ[( Xp5w/jgJNuX͌?qsܒ&<ذ I3] 'JʼnYt"EL?;ٸ17IlV$hXZ|*!fxZMYz'aCgwg(3MtIo."N+J<2~OL;&5vuoO酼AP൞acy &DRe]# nl=oDo>cX1Yj Uɨթ}ײYMn9Pw>}{QHsc<I U /Ul=2" r/ᘊc^0*xL飯 0oh I@ :^ [q\tk{@U+9 Uz@-@TZ3fԑw:)/Ń3ZБ"EّnLzup ~n`|Z#ԆR ,4DyXE@ԡsXjƫvp]~zK%`nRCۨ) KTgdMXyb#e4?&8O+K Y2vo@D.u&`K9gOQR :G|!s(h ENֹXH@15qǥ ϋt\ sZ~E ]a /,)Alb(@.S#Ztd U!y/@U`4U? !kǝ5b$8y$ Ca\&O:F|z/@%2[q|0e}{=._W2 zYptҗ1?SJ|}Ia;Ǭh6=W#Dd & __]y plYRgAH$P0{/nv=Ɽz{DYM*":Gl+jY<~^U PZ/ܷ5*W?voJ+Z)1҂#ZØTfnV(1*q/5k c2,z wՎ$tٯOIywW; 4.[!c@`ߢzo"YfZX0mDG !C#>Dm4."[@` $$qs (O<&\hNi/}mII(L8`<(cQ>gI70 N0bx͛L?p|?y`@-%*N' (A_.6%1a4ehVH>YI$qŜ>anR3]rKڻ+705dtQv.N"j- Cmf}O\\h^,ҳLv;x"{>đuAn;j H٣\ g@;.H.GeHK6edro-Vh,{lJ*-evdFA,A_ 45t͹?_\c(xv#p [W: nNoϙOJ >)M O b7$ IPmPrqδ̮Ľ2 b H@;4SMw%%q#DQm϶Z;Zy_i/_\qPwT{Ts&Y F,6KhWeQB9)z23{S)H|r 4ٷ(p})X3T4\J ?jj[@~=p~r3ݭ_򄆧be Yd1|^I 9oG a~e4 *f(RyWֹ>;\xb%CNVM.|t4y?]c9`ӡΊ԰ NfY2!S>\pDګ$ԦCBea<'hBƋog.#KS~&Kҝ{Δ!NE g⮳>8?4g& aے&ߝ bibA$oG*m)L6!?=Qÿl-Vă"WЖKkD<'oY\gG`62ɗګi25TKIr2}WjM2~0xjmͺAGi;2*BOG UK$eԘ$}h̢_j;|/ 5׼glwA .StabPSlA'\e6Ǚ Gmq{\8H;ׄ1P/[|fNShk`7ap B6n~댄fjs(İ_ c M'|9"2:+z\=F"jEzDEb@JixZw>fֈXIpne-ព:F?g *בpc/7IeOxx B+kH`w;CVT63mqX`AtnQ+7Sĵ3&w~L{E ygJ"GQGvڍ|ی'ts/" ON$Pz{݋M}$!ߗE |+Fu-q ޖsaq;UG6=ލsܼM_(37O㥉|Vb{Kl4zܰUK{sI~pg4|A[JȦL's_EqdDIsح#Q ݠ5h)"$3MM6b >N00p?QQLz;!ic@"HV{*2Zњ~4-xh ܄x7 >aG*~_%.ؙ{#0с>M 8Xw| g+29W{,5ABspD>S"N6~ Ύ#]Q}t.ً>jhfV:k~eCSpg$3:,^gh=̉< Gv7ȁ|fÒO,)vTWu? 
gk-d>>^hpY ~0L0Gc;UNy3^qRjţƫӁ!ZsF[W3uN&4m(⚙6i5VSeaN -mܿ_<l=oBLFyeh2b8E-!m W06\2;ܲFN p0bä58;ޘ knhHPE- `;iea=ثG8"(c,W 0PE5B UGyq:iP𽶸Do .)/pJ-wa"ؠhن(s'Kt`ð !yp?V $[ְ.o:0LP+& O 5 N55 SSFw1؛vB7~{0(Es1IM([lu;c@jފ/5{EPqdunQ=ucFa3gS;w߼ZT%cer ĝ8;$#8fVJb9[ի؜[E[8ߑ̍LOT*w+RkXyqb\VWp<Y箉qFYMeH8OAL 7(F~ ػި/#wg9EP%yrMe:=${;4iLh_<}XH"-2(Rp? L[1GKw0/P8/voGJ_Wlo?hpΠZ w<}4$iޓ,'Ҩ`4/.RzMB\8}5׷%}w26aױO``{6]Uh%Y%x$[Q5P&4N=u[th*Llb Yl*S~rA:ZZ4ȹ!%}o㝀&ų4;f.R1;%S<9tZtT6aR* w6eǵzrWhm3E@Xa k*cFa q,G ~B/>mO^\l)cJd6资4Ww#ehf-FZ|:NQvkbtPd_B V54󶪛$"E0 5L0\`Cl3Wʋ%:Rȕ[gC@N\t_3}Y P =nb-ҋ;dK@ׁu _^ UrJS7@!e2u՘۫ Wi>/f( Z}B-Γ 5av?-""J>BJT!v&|~:Z]kQA& X"~H'cf^ܑ#p] 熰A\`!אy0zڛ*-39O76YgbY|RSBIK5F:88`{RDf 1W2ICk*`D|v) k9ۻaiFڹ-h O12[3~jK)s9t!5:Rv&l`;⫀7ubygYTñ[(hi{wh~ksFP/]NP'h_gQ a14(($^6^8A{">8F]@&B\HvͫfXY3F.ПhN߲Ee-J7VfMZG0 w)(a#oQewN˫0s.#C5:FAܠӼ 8`F[8#ҟFJVߵ]'+Y3;F*dcP Jf*J %^w3kSx nKg%v^YA*s.v@&6G:ъpz_ C ><܃"0=:Pؘ#*ɓgÞ$hL'U"ENgw]yՃ+pj8uJa#`UeF3~x]gD>lku/ZBj\ .x6-񊖍R3H4H{Ah| b6=D|2 "P5y;^JRjH˅ Z(IR_[4ީ_Tpn99/YW8JW2mJ J*vUGVQ t!1Ia͞ɛ5KY_ƨs:;o14WPP`mH(XFg&]uKa#ț?xXk.]ßH|&KVxO*R2:ͱ:n` V1Ĝ5{_pmKCH%(=3![3 DW%DHs9ٖ%!/`,WH ߌ6XM-"+ oͪAUF+ ,克*&U?-xީhEnre( >vF6M{(Ul69޼)FZv=Wθ5M6.=aCwW"HVܢ-P~뿲0Y_.t0@fV²Y;rT&Kl |p\{MZ#ywGO*pg0zRKK:+3 GAҜ_ 3~ Uאع >-0/^9ت:"w[4*Yه$a>c9տ5%rU#kCoi (K5ɿvǡ516g_wD TL4Tj1B5v#QY/QxJqF2;v|OwȦBz &W>eׁk)$ -P]IdGjuzwxd cIn">Bh{ClbB9#BF[mav.9 ;FMGԄ4L'Tɿ3pW;+tLv@(7 ۤ㧛D&m]|EGFm#if t$QMV]XjxՂ`%L,3cq'((GgAԡ[LڝF?}ϐ){u`+`9B |ۛUnNuf2 '"~" +n+ gEoaL'-ŝe]r"Ypa# X= ;\{2T=TnȑcQsEZzڃZO2ߒ9A՜IX_NwFznۧ%ob]jg{-hiXiw (|"P.-ˉl[Vb$JA-ۼRV-O~-yөQ/:᪗!w/~H[Cd@@64{.̿ ؛JK󪂹˼kD=bл[O#q" féWz^B#U5( RtTe'PeWGկ-Sݖ;8nq=N"kh( y~qS䵊hz)(oWj daK3k! #m5BC~<>Wpz>}=sS'55yɫD1sXk{*9\5w\ g5cY6W[U.w6Cbm$?:H,xdwSP;cTߙ҉.F߳Mx~xb^? 
8RntPWݬ^2lLc_>>IXZIps.K;1%IE% ODG󏉒e/ax]9?L0T27b荎SWڦx4]Ró`q(<T84Ͱ7͑NGeD`:gÈQ vD|k!ѨEu{ݵ3h/SP|.RHkh 8y )9 !k P1ƽ|W lZYhᒚSHطpiKYU}D{exAVS۩$2."hPCIDu?'n wU/s:>U?WFKUӸ 0v_6RoD]ڦvp,0^EC{Xؐ;2%m#:&@^YPeߡmR]!1K&hZU!!'N 됆Ͱt2П^yBwP`dC+%^I8Xo}JECѽ΋[d{7͂YH9F@Ȩ90jϘϽ4FM-d 빽ʱufjZҡoIQd VJi9A(PFT9xb>@<Vi o p9P㾤* 5VkX Th CZ]b`7@ri.H[Z J[9|O$ɏAc'jfM[),x>ѓʡ납s)vyüН?>gu|mz1{*"]FzCؓ %*7xv 9WEP+P ՙZŗ"UDS1WKa-Jjϧz@TҁM9Q v#gWɗ&TEU_|Xh)ԵF#Q qaʬE5c(VE;#T2#|tEtf5R5VrdNx ֕!·Q36w2䲕AZ3g('tSMԿ-e_whJ6u O Lً |B;^ӂ*tav sIhZI6c:2h%,+IcĶ^[e|B_Vl[.4.ܖ[_I%қfwǽĀOf޻B..>Ӹ T!Vl[AMC5!E_tvXꩬ:[p^AA -g,NҤV~lc{8d~~GHn']ʼna{CbiP$K{3H((:(v2qDD^G9i2e֊?v7+](ZWr۠s"Ÿۻ*f;_vブPYltCXd aXB}Y| ̚=@6a.\tW4YNVBӐ—%K]Uhmy QSc6_G/<ާ.z3%T?⥎m ަ}.UTm\p^.]_ˋ>lG㶻bwvB>mt Ts4ÑO pz֟UJC*|X֥q(0BoP  6}Rֱɚ;3I4ʩ|F<ԛ-l]aET k5b@[HkGL]75k` 0rI_(%VB!OTq2W422쩏޴]]XSb-]*'ƃ.#im9.åQaᡛWͲS<2ߪ?$2K2ymR=/0R)EG>yӦKt F=Xz[3>s"$$+?9h,5Bl;H/b(KM3-CkT#)Ub` p9+qLM5Т֏E!_Pcug3z_`5,dDiH{T\NvFUd1₄Yr,sSss>oK̀cO +(zlguf޲ װ@TMbXSU nC܏!IGC%!/SH(DZbg!9Ka=m^%v%sGfGT-ڷf$Ȅ.t_'i"E]+030wSTt/%ch>'[h*z:+SI\l/'ңVMzm=cE(#i8K܀,P_mí'Ԋ࿴ە44W߻HF߽3-մAYt y{#$c ?O'xNK}])Ka\>~­bkË Q|$Hx=b]CA9&ӛݳ3 I& |—e./Ĝ0AԆJܔi2 ,GGqL|\CghB*3c )hqjMUy %{ E]ؾ,j OVv] 1SLh2[CQ1TќGXK?I Qa7'll-a㤷\2P=HHc0.j ゼ+ g ^U3|5NFp"g{VQKCEPeU|˶j[;$zo\MPs+ǔC,jr!U+.rn%`Ƙ>1ye7 g-F<,ڔ[v-wY!OTRɟ3gV>x?{Y y/n bK*&3/2R^]+*WAblRA^dxZG* [q 7[lŌ8B,$V@){R:V  -P@FK=-}'l8Shjfqʴ)k|fel_H$JSZbÍ֛ljҾRe#]ّz6J7x*O{ ֚}hɋiO'Z΀ ̀̎r~XٚL\ͫ/jm@Coj:&m-z{f:FA]KӖ O ݿki7dhF}Nhf Z$ItBexpyDC<{0#]ȈoHm5$61s!jkX3;^C_UsEJPQNIzQ+ƤD~a1Kd[yUWkLY`G)sE77 <(gELGFÎaE4_/ z+6m>z |AE nM>5bo%MФ%nBD$8)hҖn'^JҏD,ʸ4_D,+vYGMTgwINA6 U6ַ ,oL³"36YiMX .Q-њ# AC졹+HGXM\waS*>{)wχ~"d=VXS 4ctBPm眸X).ֆr/*QUuo^~J4+"|:#|NAZ*ySL&؟^փoYGDk^foQ_?0bGDJyb~2I|t"( y.C*YǷ) ە[bfU()0qŪ"F_?>a ěFCy+Z__KkB>?aεyR`G#|^SFw9M*85xKstAmj4GT:N׺ۂ ַ[7qxMj?n8qⓌ v`$T*UT8dy$a%ju 8M+_2 H;5zP8|" cL a^; c܋HTH." 
DY, Ah7kym6,t%ߓ \ )`U7Jٰd0AG _=3+WZPHūt!Rwg9&hL<<`%eɹt%F骦 g"hB@Y"~o<=%KSSqb6T((3Hm .l,=7U؂ _})H@{%Q$f7Gv3渐deF5yZ_%;s?=ǣ[yߌC'̓jG-C⧢*#sjf/P@R50LkBҵlT>}^ԠN 2AcvO։rœ`S^H8p#q{Z")X*0XwX$f?S]Eao;U,?@ Y\F<#lyw?dÿf@H v:s'&L/›մEJ2oǀÕ<أ |UXC<[5>v޵?Dٿ bufK]v{Tn1]F1ub.} fNz1vsR]HPK<9ԺЍ΂Ovڡa&[l鋽eZV!+ee{8;׵H}%,2.Á 8/J yD9 (6(֬0GZgX ع؟j쩡 5ޗvUsղK<ۗ DQ0/ѥB `_qĥl9 {t gA4>'*[DwHbbj?İi{YV â#2ɚXWw'my1B]FXEZm"M!mRVI:i(ҽ%Ec)C/~Ca1-ЎKS,tlÔ1Frov._"KW4uf%bDv|6-ͻ'@õcs?nZEm%q=hyfXof4~*ͥ8AN=LzSo Bj$SJtHc :@Y|hB]fTItoLzXltOP6%`YVM7+LRCE!03- ^h̪Qm;}_c஥]a.():QU̅DR}5ǹL3H$WQg5ՀP C4b"e HN8cưq [rbY/ _**KB' ּDsa>50jAw GIN8Q)cmrLFxjgaU~?U+ \,TpYEeJ @A3.:/FjסI!a"o#%m34.ΊўKrd!a js ޟ~c ,C{*!nO !g`#IMz_̀j}%H}nf-MQ: '`PDABIpDtD/}X48m"!"} $Sgw'?\pb vZںһQ=6xo>F3!J{BH5kC?A5SĂW0gb _OƬmь_#'OiR6J|=Rߏ /)'Ay:9fna,c˓1;wdm[^E) DeLY#2]&AS% e&qPZ,cF;P1%J,1>6@dб@eTi9{IBa;Й"%7Ϩ8X׻6x:XO 8<[j\t,h?Az E H&A$hGfYu@Cs$@ӕ&XpL]ʜ,)4rK k [A z2<:\gbj=mT |jF'^l@+n\Y]ǃ 8\ra L+KV̢M@zDGW ,?pfyBQ,mc?(Uh_B \^&Ѧs[i ЖasW l׫]!p j8;6$`wO֮먅"pw9XgůgL:tV|x9|hE%RDrM&;72h|P!JW*prVׯ xSdԠܢE%;ꝗIj9WmC7OV[ќ:~ m{j@&PxOϠm2oJ/5m;皒" b*%h <(.c4^Y.3i?LCLaJ?^2;)ZM;fǔBsb۸jtuQc'uG )20VzOdα"JP>E_]_l4(T||[RQ4h_\ixk樶;fo5ZْY^_N9!3k؛2ʓӪt\ 谮!GFR&#C%YXa +0^$7fg\(ݷ}P9 *p'1D ]e 07?!hNB=sl/m rSqJ\}kMiz[opw{'4LLuX'T5[Z 4U w@j:C0V g>ʻ`rhds[{DlHWUٱfJ݋7b)Ģg:52u/nt<~0X't}E$ʖh;:z}L 毿[WeGZVqk}'f)Eor`dњw*ۙ؝lW];8)do$P/l u  jlqJ5'Ε{κ(I:S+yGi^v]M5oX(͒pc;oHЕhAmؐūM Yr/|2˜hcl39c{%a@ZrЍg8g>mSyQGđ&b\rvL|Y,̑ iG39bʊ$˘(Umg#<[ 4CɭX,\fY|CSJмC!BtF0?r#)T,DkHσ `̶\2w2noHꠀ3km) 8&~v] #^wU-$v;. †-}&ngSďisKk#; +*T:X!Ȥ乚3= Mgv[-xM`&˨ ]`a)W*o&gՓT e&+7{C9/uA1 }_s6_Y5̠D#Lh=ECe82}51#g49MtNxt&oKRD\JmO-2?yJ\dkBhNHy|;*DRH>8FrC\}R]&vl. 
ي߹DS4|) NVQ$:2T4÷?hاN 6~걍 4.Cqɜo IEWȋzpi0xt?4 h$dW)yNˆ&5Fŗç!֝W};BaB:ސ.ьŒk 9,dδIu\VN~jYhjqjSa>`jzDcŐ^Ӕ*N bY/T=Ms?↢’D(C*{f,>p yr =C2Έ)G9%.U|=XE*֒^YOzG9( 5ۈ8xxzi(xèwȿa>8AXh6*S`?xzZ0 ɗn$r-2R~AnNX(X(H=8brϩoMFiooI8cE)38(ZL J Gjp5I`̺b s4%$|M1lH1Og+IwC=1eA7y}iП F(,PP̽?Tg.1 E3IGUfm6,k!is$%YLJ3o!^^HJx.7N5zH۞Ud9SE9(_ҿ?r<+mbxLhLfHK.D:ھ+K%_ liFQwJǖcqL8`{ޜG\YwP &D øt ]]~34nG٦R0Zw%ʙ*1Z^=C j>F-!ud P3DZ8J6+&Em~Z24# zmqU;H|atuR, bݍi^@9t*\Ux‘w3z5Љ._&-X3@p4 #£:K%H(yAŃ*z(pf˃Qܣ!^AlHw=l*\A<|,\GupA Ŧ%y%9}%*s6BuFӤ # [$r Q¢K ϺYmXS\(瘪`0kDӷe15Vƙ! %U@GTbN38{W04xX i֕ nO _rtY&8n8ȯ=$|ͦ`XI,wJ*UAͿbH%‘3 ܶvM$Q¢ , ^ rD>A^1M2q7fq8O}FȂt{'OS 6`Zx_4H_{^c$H_(9Iu(ALp8d?ޑwRXpޑxKە#Jv4~/N@{~LA(E,)l¿e)gF5=S'J KY6^'NE؇ AcIx6v/Bz BXR5M\ۮp&~ ;ed(չ9 _XwG,J)vA5"WbnÓq0(ܯW#;/ط73EMYg{v)d"(]C/H8F& !ĞA?F+0#ʠ# E_(g*7 |ƀI`fR/bN«\x%ámiq=h$,knG `D@ =w`w3YwIIbbTb&Bq"BwUlӜL T7ukDm`JxsYӳREע:gf˥$@ixq *F/7iKe/dwJ bC.zR LtG?*MCI?/b$-j$#rۗ ]9~(;{.]&jǤ 0-h$ o⭃hB=WnPb74p*5Y.3ԘP*ȆDflBy!2|+'Y\3ٯ%ԙJYf6 zP}A֐Y!OƵ*>ZtBc?W nD02D^Am^:Mίq5 F^WzHDGu$}?~{!uYGHDfBqמo`fU8b^#Oǰ2Ru0 rZ}1m:j˄d>_\Q{8QV“=ؘ,3JD;r$57N/ -z\m1^<B j2xR~ÏJrTW\ f2zwf.R\q$DeSFV~[τY";hQl<Kh$sECL'ᠬ1Iv@;AGX$ut`i(MՇͫ^ܥΎ>i s9}W$\NrߚӣLf%ɣ=9oc6>jGpctL:p^-0ZVog`lw1S{U|ucN `",V`ǚ5Y{Ii' Hl2SE)z"sn}F溛(ܩLq`GBw+-D}b0)8E9H]{ YO(diL׹'Yu r2 ,/rMz߈7fB(/3%*gDQ%E3dna$*LJ+U>kZ> (L^qG\/l˘opbw-;H8Za2p$`La4 d SVYŊEIVc[I($&5TA \z Z{/ܮ2zll{ n[t'$bǙgagRdJv6kܐ`$ڼV\#4%dZZf6WU)X_y7t Iv>a )XMDb/\tr PWσ_&$6>=\UQTgY!M`R]u1mQxzQ"Hє{>{Ya)9 dвm:?RBɌ=A\v%z*vox3u:2S'T>-0nsB',0A=lк&R5RdySK%s53YTrz*45iFD`G-O;%g:5vNQGhc1yP{1;!c0~tt0e )6`N,ދ nYIV+D2p{as|{ZY‡a-.'~g%355`;p].b8{+vypq~I-F&6E)I/}iPE,2|{sٶ[6%@ZS3IO2ݽwJh:mHXa9 oV枺Ȋ}[M/bkp HRyߘ6:B p]n";D1fVs~f ~|`JǿD| %L_iU;lH/@+<\8Y%!Z(icxTJ@s^ it["%}ux;y]׎*_:c;3fW ʬ7vL/5 jP`Q#J"8:aYwf--6=)S@٢FsHNM$0崎6oNGwf+@x1.A [V*` Q{BR(ͻ%1z qot+WY/8L3 z&@S\]<".|x:2f ,Qt|22s.GCV[(9xYi#z4x95!OY = P*k*sRy9cߺ͒NGąJe҅ SPTP$_xO$]GXj( D[uჂ \4iU{GX0r-z.ȄK8cens9Bdsv s.2 E& $7MAae:\^Kt/Q\{dTl@ ucMAa#_j(AIhyw(E8v.k.U3l4@ި\.[/\҂&o }-W˅b]mQHY`Uv\z@-rF_X@͓cj$rE[(Vq36n:s"e(5~i(&(\]f@' 
~'1ꆐ;y6'ݸ)8fXU\ʝYh3QH{<4"eO:2/ʄ05r!s Y|+7j'A ,GϿwւuOZ0C[ ٝ #<(2q2@*q1Uؤ44:R߉6T",U#mlbm<@:S= RĵVc4ffrO5}O3q?C7'UΠnyd<Ɋ5Vo'~yRH+ͼy˜4ӔX~G3kIzڰEU ]R={Y#JU7#b\ƹ35 EMQVt>Huś̾W׽zq[XXk"_݁TK}g uPGڎr S`4S\s `ztY*͏e;;Mz7 DUH0-σF<Z:tOLl!g9V `S%=ˁƲ ,T;Ip;;uG4 ӗ~rMe cmW]=>a>o 7b]E,v|!B*٣|#DB?J9$?W J.r"(fÃnٔRkBrjs˃)N"'^-.?Ո'As4i qM}WvZxG$}ӣp3̔nUb; ƶ>^9A=8lO͈vC 'p>goyFn#->A,}z q<$RfO5W]QW0\BٺzഡDG^AG;mwې]UavJ6cWi-M;Br'vRk89Z j*V֢HgoW))?ޖ)2D|:#:U\UE2QB\0GlL9; Vm; XmX KU#Zf$ƠY!Ӵc/xq }F)+%ΡJ6In}{NQp+dcP^MyB7FV Zhz N{.7W:2Gꯉ;yia?^_KB= OIcB}Svㆲj%aHujNߧ=QճJxwʸhV$agD iy, a5gxX϶ð6#$3^ h,3:LJz" )J n5LhA@ssK@Ȝ c"v8vj˒naI%5piNHrڣoW+O7`DE PX6Qfp0ór aRX%#K$ kvAr-A7}(#w\i _?V?I_j65T(1tk3l=NӾUe[GvYA u~ SPRLNh&z5nN l]l(5,vuc{RGZ< ){;C8G~H"&Xd&~ߗP^"4 8+Tsq}HCv {E`!([E ?Frn h+@ Dw.iŠնy*89E2n (gPPEEQrꘇLb!J+xطv"yo&_ϓ+Q GƝ%JC2"J?j׿|}K_Ʃ.rX mRڴ04J2S踁+%LM& j:$Hhi l 9I@~_k`Xj׀KSeI߮JAvcgkol!zѾqʂ:v} :;ڥ\ iPH7Aryo]5a٫}٩ģ_PUVsDw{jlT-q È \m5nCɗKR 9t/'@Y^=D[Ρb> zs d(hB X Rkޥr}!)GKQ˵B!qs~"y`Ix 6K*0r"0`z#d,4 aU{Hw'(jx6>k -1[uZH|Fɺ2A bςwҙ*qsgX"-F@j𽑊Dџە̤0 I&8? <B\RXz OʎxAD lԖ;Kkװr׍G8:ZkH;zl-`^ -W+9&wz HcW+"^ΏK% u5~Z5ƏCch&NhZX+JW*$ߐ#'ڪ5סX]:7Ԣ?6Cf$I$Ll;@޿N2wUW8UvYdLO<^j1' s]HIUIAlg_ClKƽQ`9j-n!FmjKm48Pռ^K8ܫT5LG!cQAD|U@i[n(Op~' #Wq,tT۵{ oq>)61UsB@}*PsɎȭf®zH>$DpIK{>%{N pxvУe\g gvmrntj-3['6Y}4xTڰZ&ҩL9C.d'[,82ROi 6x-1' =_;NJKL;eyJ:!:\W*<6>a߽2[N 6mQ^t/AZr56-:uOG5Sf8V=fsY8rJ {9a[xg '`ܛz\ !tu}l2yaqUVx*0~5j@3*O@X\˃;&f:mriY =>-qTpJe ޱ8mo,؊t).n0YMHoX]H!*B}Ltl[O}b3| ғqǁ|_x}IYvضߐՓJ+.+V8EC.PjŃ(_] 95^ R:*8<˧JBj:hAw/s PYe4A9/72Pr X;rl/Պަo"d,sk}XάlXbaف]sA1o?kϵt(ZCn}l#" . 
?Equr mFr[Z7^ "F3V=X]IO(7y4b US1at=v㯶 G(=aǼ-WTDDYQA :36T1",M `P_xO# $(&L_?6Xܑ-ögPI,YdcydO<-SHt{=Ex I9%oC 8_:!i33 \!3 rx#fmA7=%7R rxJ_ |8EgDso EBы<}䈯xIgꏮR^U"!w Rnȴǎ~kYVT6'K&FłݱDKdi,11n،7Wsg\Ý'mQ˓l5ڑUveZ5][[<0?77[eψ囹v>SA)td΄ڎ˧Q͝pϬyPv3Ƽ1e Ø!@Mh s7_(-},ЅL<ԧQ-~a01gMʱ˄ؽҡya͌gH,FYO4~F|w3\ʳ^h cPI.uhiˏ'}$@^< ̋#rH~Dp ]_'>4OrS}U^!/W>vÌF~6.JE9;Z`&&{+o @/_k o0DX7418FzvCL>X"vY DV/$8Hv,5$`O/e==A "=\{̣5 sؙ *hwĶx5uowRұSBe@A؃n|VFv=g~)Nf@R/M@i^,)@hO ډq)7׏8S﷯kס"L8>O"@'2 ];[L֋&ߜE)c)̡c:_ߤ%:B՞'k 5kKEV |~db<)A9-i宗Ś[)6d$(>%/J%>/a'V#\v 1%&YI)~N\9/L<w|4fB a2"TMLKBKy'C4&GHOpfFlInx~KKqSДS2aOeD .QVӓKZl8u nsw29]uUg"cޔα =z4D=(HqMȴp:ߏg?0ci0nujWpLƏgv QX MV Ph4| 8cբ`VtP4G"k~6+yAVt_P6F W`yÞ׭L'2NO::F1qX߼޹X=vb~X20lL p}\MMhcUk_4`f ()$o \ͧbaߒU+mc`)miz?Pƭ;w^v#c|!ࠥRw3q܎|nRf 9j4I98z ff? 䆙=Ÿotvfύ3kDL8ZVF =(wfcTtɶk b萌 ՓF&p^ҥUT#譺]yvMaV6`w\{NZ06:, aC(0WxK%ó|zQawq|S~k@hPmȹz:?cS"ŶZJbHP~I$ĩ 񩮊q;'@,ӗ@R{ .{ȑ(z@ ёUwknf/x]pkQO/o]u~*{I86p &[wrWe)ؿ0;ϹRk1nh^IRW).b3̄-\g<8,K5:SIi-(uNfN:fZ;TehIJNdY~b 2k"x:Mb]s&j-fi߂t/yn ) bq0>D 'B9< ŸЧhڙCѰݝ Y|^Xj*y"9p1_UԊ\Cz'Ԋnha(lmD_[f77f0:5h׶6c%tXعL|Kt}1z(LW CզE7" d!,',b3"baLc3A2A<^DhEu3 ,jLfԽ6a:,yyl.'aڈÈҶa!Te65ˆp}l͏|s  6zq cDHŽK77> AG M3dKP&ֵ]!]~? SDby˄nB=aFAŧu }@XkQXGi4_'/{۵BD5 jVtu,B20ZMN7!"G_KO +I1Ɇ9m,α" ᎁ%O[TbU=YbG6v{ pKUn%G ?W=ykWZ'P7nűs5-$A+8D-eF/͎%&!0g6_'>I]֜l8 a \&G6',`-ys-&%oS@xe4o %JCP踪H1wTHHʜFL{)aKQh@ 6q z~Ọ+MIqc|x]Fkf-δqBpue!\Rmo Uw&mӱjV)x7mY>'r04ww`ep@k['TN8{\Ы NqF6eL#O4A[j|?Yo:DDGHΏ[:߿M?&Ʉ[fJp̂=O鷉ErB8Tip)7=ՌaGcCk9N .:֕~`Y6HI^ >b FCtvk9몑[5n'lz{eYp𪄧@ Ξy'\g񐰗 Muy+4}}_{{)rz_|x@}TMhqOexhVr龜 e'0 Cf80k*ư~cl]h@%Shg [c٥:e >wL鬞E, ˊ2{iu(YqDL.) t;s7Looi!q5pֳoi//w( ݑ/CSN N%u{ nk!trgr U :yˎP ì4|odF@H4'=n7PqSv=_X -nro!Ìem'V #s fJ?X#M%)HL)kG@z2xQŽeuwt!_F91C7i*ϔF{+nc0~\LXoam="p* 0m@7Ռ0: \N&|)>&:X fp%\Ky ֜cgZ&(̥xnNsէa;#_>hS(Ô\7q}M? 
x80#' aE)Gj:?(q[؎d;N(R Ux@aZ9Ac;^)iooơ\a@j%,`\=:2lT|Dᵐ_&h!wսzdyE!xl[|'~~ܼO}p!rXh_w,--}m-(h{9qS^4^MxeFЮ?}qۻ}mY{_y~uݜBY%lrt)c|q(U}v hJCR;ۛpdx28=0s%H>( hjQ&mlc~K-7?|)NT(BGwb8dU V Q;nKҤKﰗ3Ūh9"U|]N];;sƅze5 ǘKWQr9U>n( NHqv;U@`<HALjX =;7u]O0(1v h~heW>KAdm dJY\>"^ˉJLU 'TL(O|B,gߦV7yMS@[ .kPOn'Y ;J钫#R5e~C}跦\2[6D ։LqLXTs$Up9#5%n0XN698{6T&P! HPk5}rBcQ*4\qÅv},1$$V78)aө$jmS`[Դ]P]L[gGöi12xw4œ&rWUpx-ȮλZo>\d( e3sx\-NL46;&)Q]<j25h_{ hAN㶇ۡkwFe;~}9ۀ[ .Hb`GB#bTFnpʴ8+[}5Cm bE|Dִ\ (4ln}?bCFN#9J}DQq;iOm$Lܩ,5X~kWFxvFb-0EX!5@KX=5lpR8zi^}W/KR`lsTGx!dLg?t. mnܶaj`G²lP\&m艬"7u/[Ca _)CX7 w u:`.#uq[|gɴjXm`.)J)bEKq7wNjƒ %ߠ .*X#>gJ5ݮ -.%]%-_o(pF~鳺n;{ceR &Lj7W]@K2)RF!.`ld^87֔^IwUsr<l>hSP(*j6~`s)@M`U>a]޽?bk771ՕI^%O0C`eknomG"&BՉָdk8d.-d d_G9*i.q\2i )3m VF&; a]j@A )5AS1x6tGe3y $cR!0'IW<6stYVYWNHp?}Dz֙{Q'q0 ' v+^d޹he[{#ة! M*>ϿS2V_N 3tP_TB>YZa?耎bM5ȝ\S"?.`]ΐ7C{Kr dn)ृtOӺ0U3p#8aN&Yrcy+fzU'yǾ3KXaֱ3\~8H܉'(O^1],Qo_kB4P]moJH։$)) `$/a$䚧/ ύΏ|j ZKצH(:Qq=Fi{/y kH=z&3x@t($ķHڊgPfiRmyeƱwVgH%oNr01f79<{U拒J&:|NT³#kUy9^'Z6-wO;bμk 6jbH,'! P72BRZ].L~=Pi7v E-[CҨ?yQ()R#Ԗᵨ弇paǟJśoU=j#}ч2SZgm)Pֹp{ʸ [|NoJ--o|Qk7"WB6BC>206Y:iNKuȏץ&mf@KH’ܚy`&n7uJ4fUe]4a|Q׏r`NuE>r/MOV\-74ܶUM}5˛hFagO.80Y(4}y| qO [ƛK8u-"E?}ˣ EQ?]'Rޟrz-Zz@@ s z@pVJ˵ 3y<ƏyE*ȏ靻+!{zs$&+1`b 7=+(VϦ90hB ]MWls@6aUs| -Iv69k5 4s84 WhQ Nj[^Ub9Qㄏ10i3RDј#F>B_nIthㄊ< mSMXfWt-Va(ARfKZgcT!fw[` 5ЅNV+X[^' [5l -]IHp` K< ͗_$2JRq\eR]p]D7'T;`_=zcImI]3%z%\s !yD|Fj8^VC4 AGaAF$I'Py1j5{ das}W >:mv"͚cInyinCG^6pE, &`Kq8cV.Kbi(qJ>iuPeU5j喱V%˭F Y|am}x_ Y}h-ZMlQi:Tb4JikX}ŷ\mҜH!"r*yeyCsu )xSM$:zk`pڮ[+Iq.0ERl1U9_ IgΑ)M'iWwD&/[Vܼ>#ɧx"I-,k;OF:F0Wh1#߳%YPQ~(Kpd;)uC %Ɠyivj-%NC0/u2z]hd<˟,p&R;j;Bٖ:@{ p͎UJ)Ի߯#MW|ѐJ D<֊x09e^ȏZ-V51ᏱhU\zVQp sʲhƟn{F P)xPKWrހolfNg8^UVk;#7Pz7F6ʯ(RE=ҤJfS5-}^uZI9r E".^C_-o&\Kp|q 2֎D]fHߤsXn 朕#Ǫ.(G&9'AYfm,a#/Y[ ͹)lr,i^#e4L$XEw_l+-ȯ~uv.}RTu}Fx+1iڦSXd;'Uب@K t76Nx:ny{"yF^H#>keJL[Mm=' +y66QntXg~"'8][HGpO ~F/R|R.ΰ]B2XwvQO}ho%AH {>)#cjt"OZֆS>E|5֠;̏qcDʡAM 6SG'Z/~ *$qoW^2Qr)xjֳ9A??5]pcij^r#CPQ~UC[2i^ +IONc np'&6iDq I >rO;@u|a7.nͩ|`eJ;GC:pHmPwa \('N+c&7zfxĿ̙^Q1 tY1eꄱ81 
LvYV?h9݋)oQ(DHg>B/Z8;dzIUZ7IzUc HuToh4 [9$:(ӟ? Awmx>9 D9Ͷrjq  >L49(^W`/,F7<-> gEMBM]'~Ov#56AÝH5ZMW5?;VkP+ =dLj2e7`sEvobcX%6%!|"D.X{K8tRo} Pӂ4*'.' Yt%={E4dV&zUxY QJCP[#wi/xq,AWPHɄauWN2K(8<^"/9)Re/ CiDzW& Av:GR\g7uz>e)r08H"DeЁD{{Uj`6a^F7O۬Z~=Qa^Z8k#":zU/~|O9`S7vN.isio{pDS2i-RxIן}kf < SԂ`$Sw+xR  T;n\up]q-&6sA%Zh,Bm IhVSS*+TREb K\ޯJz MfS՝N,#[Y7&h:.Ia`z@Q8.Ypt:~~,L> ^JjR*Ŵ_)б/|>Sn;?7/G{LN JIH (}/ϗ9-OɇiH*[\zA&3AZ(|yu)B!/smJ7,Tv!(xT^9*vuSu_ gl/3hgˡ<QˤJdcyA"(Yk`G2;Vaɢ.}R3zuAW0D!PXJ@7A}#IA+eJV$k061kb1$l<ضZ2T52vf+nˊ'.4Ogeع<-::7eD `5,.8[1&m5?Dw6r_dA+Epқ-B,ޅ0r>d_P t;Dc'&;!d4qM3xH8>.IA>NŰ J,}r=>4w&՝Xa2k& {3܂F 4Ա|" J)8h. 2p{C=~1 cnGSoN˫E?qǎ*_hZ/ӭo'e; Cm.2뤗AsELKӄ1 [an nC%hG45\Tt;42Im2)M H+=)`\WO\@OrqHű<$S5@,~#SqkWu5lFfpb!K,qY143ΏyԖ ܴ=_j*ɀI)@B-VYVkX=|S9vNn`-s$ęOi.tx lk9EypfX65!oRQk^1a(k758,%w4 MAezNё>W& ́jNY-{BUNd`zpfS7݆t+MFr'dluP5jKnb RELPO zd7pb9`&h4vEX, EM'rJ/i ׽!!~Nϡ8gn'n%vҼ ţr6YiYI{zt[NKcLnlg%<.#=]mMN Ak1;[%J\G`Qx{Dj]|d? Ou>Ugk &aiDȼLJ\7!#=T1KK.TC{~1]: ^&%rd]攀% nxk;z Bqi]fQtWZ2☁ ߡ Qqwrv;/`E>O @7F6WU,l`vS' Z|kX ~?״ԥ/CH=",=,POwH,j4UUkN9oRm+[OGڭ lJ&< (ȕr+yZx)PkD`O FTXj81_+O$.h}N˰yꌖc=.EaRjVu=luN M]kf>f ~S-qdWϮXHc?8}3L-l/Bpdw{군J> נbY)/71[eG5$ŭ {ÂM|BPKQ؍%1n&"}ȇY'r\9]|O~Dĩ(W5C\2BR@[nj% Ӆ Bm'`򇶼j,q.<ƙo&eTX C"/88 OIdB P 2@>r*~+Z9 M.QdDx93U6j |45dɆs[bVդs.=v YwF/2ESH5O*f "b Ku_їHB'PP9ƵG*d+f*k!-C!69Drz7anNOKSn8f2>KHk>.3pޮӖ#457p]w^OW&_v@$BPV]ȹ5\ l09 9L" 4u _d]YSui;(h4~߬6՟mb?/n7R ȸΊVgX9]+3$XDV jOpvn"H+D +k(avb*C+c'tjtkմPpNϦ$@}zE&gvQߓp Nj``ORvw&fioץP`ķה+Ÿw^NT7x8È*BIY-)wsPֱ S~A= }Q.}.lE~LXtIpȎfH j'/tqQ6欠n0 I@&Z͙hOH@Ͷ2yf!ƃZxLan>Q60Vacmc}nq;zKN׭DwRI|&b "9^*>1Rm6AuP_6Sz+q(uwh=;υ? .#QнI - ̇Õ2Y@,%T$ e&)3 2&晷F,gt5l>mk>EqB!Vs;hSuUulD`0J~ٟF4ʢ>q&%WXԘXsGb!ógJd Ts~0$C:?p,8m9&DѪ"1PJP{)'A U-}ZV'L M K^Vp#A2܄Ϛ #-˕ xMQ#VVY)#z^TstOСc!f*+)|O|G1NWJ.%^>3?1_r1g|iZ(8Lw*b QQ S1 (@R}LS#eEFhGbn.K,Eir _/p]C=~xf>%Pi Փ9Qu4#}4x|i7v$`*-hV#ƒq>Y.T5騨pJiil,9Spӱuż3VSmeC(kFnFmmk1u$H$? 
DuGSX6S}<)V׭ bv!&k,E - {_pHy:mϿ[,ӇIЮLtu_9DI!B©EX̭⳸ M4i5Xmo?|+۬#}~TKIO-ҖzB,7`u]Kroۃ&Wy"Nr`\ :_B Be>kuDŰZ?7|d4C_QG\Arn෨q׉;‚%|YzĖH wT^{tjD xͧ 0WEdy]pe@K—ţJb69iӇ KFL5iT/ߨcvޥKg?JK,Y8NT\ ܤ@YZ_OGb@,ҝz>A)tC7F;`6#"Yǐ3 }[D_/oKwl}_q8Ziu:Zx'HIC׾%U%Ef6$. 6,a vϏ^ I8؏ B}ͨy޿mdp$̦/;JV\Wu1~;ٶ1cDL[c js/uHbO3c4 7BR![8"Nх ֩iגe<BV&&] /Yy{YJ:x)ٶcx5\ D/\\tk~BC\K>S/)kB#H.RceSnܪdž$oLz1Q drZn{>}tETXb/KY/ > ٤rAU3mPUӉi䍥k]%,fxXo z[:Z[xिV+)yڻ?Vf>."o@Х_ls7Yʰ9ުTƽT|s>1$$(ݩC?/{U9ЇBٻ*Q>#l%J-Otk1Yk@zBG\[bjNorcstG3g뿒I%+b½أ6-;# 40O淓B~+֝[J.48V eBĭIe6AMvw$x3i6^nߐ\6-Mtl4RJjFu65шrX+ Q8j-XYn1_—`3xNR k®G]FTR_؎Mzgg c'o^ʢgӕHڼLF:8,IS&HGUɋ~&,éRcZ6hg9ݪn\ɢ W揎4C_\Z=А9Y#-Mt: oMEU.Tj+wmd+KeAJXו3FXf{v&f4دh* i#&t:M$̙Bwɀ@'XC/ҁA(F\leT`EþY"e@Rq,i)PXYmb0>p`--MysyKnqJ6Bnǟwl@XX/!pwYHig,E= X>cObݝEZ} o8借Is 쭋 KTO33FfWڀ5ފX˲ُ \TKv`O' 02oݘf aԬ#c:Ƭl8Y[+|q{8]" cy=`Ptt:x 4<ȱ͏Pޛ!Tq4WZn$ɗfvelC'[ϼ(PDI$^Cga U @AE8o}824Dzp"{z\lB`;jn{5O` ^ºEr$mo/bPEU\!Wx ϬW,&䉼S'lG9<]*|ZEFayWGg*-c`qfU;`BXQ06-2`?{-&LqA% dxQbOKV6>st 6I?1 TB}R%XVƋ2[w5*94N?-$J.:햕=E몍T m?V'7Y[`'%ѕR,u41g%ݓ{Gb&N9i6 L$ZaG嘪asdJs=C^V"AAl"̬l5iʢDr10$V<<5gn.O= sgjs8cw_\zr=O乄Z7EUqH|)1 t(ڳ20^] -ʅ "[Y8+ 3yNo+Uw)D:OnHu]Š$ mH^nP%)Y,=kTVeh혷 bgw@<ytZf|c"{ע)KlEIu3)dKe6[Q$|#=%$ks\g1xwwu -R/RIi ^Ⱦ"oEi+̅C%m'Xa.ㅐ%ykaEba1\gNg4RwJ4,g}NM+v5$}Oۤ1Dp~~vPUk 1Xm+-ğHmo)-Mjn. h0~y @B` <4Ogn'.kx;Ȏi?kC>X쯱~|dwrWefy:\P8,b1()@9x ޼]_=6>)w8aS:q@nӄ Uk6#X=uԀRjB&168PEťŊ?5O-pvbTk弐PoΥweԲTIbH- k6pC(1K(mQ}3@[ zsxCEԧyB_`c<$m~򞏔mn@SaJQMXPH7ݳ9!3&[ K;|Ȫ5Yϲ5nn3$8 #OgWҸys/iZ[Z9:7!t="FaI)0]={M.3z{yzx󹍽D\đwH@EeZ+ ;=&jP!4`F®~L`[̢Xm]JLᶢ*a. XxX=&F*!SBemwq T-XK~DU3z?-#5Z7!߅ۻU?"Cb1AjiP|R+׌9KG4=[-u`Ri Rp6{VSTZقmdzg%hWZB5] ^;Agtg..}3_KKV*y%W_uU UЦzuA~y`f3^%vmr"4Z ڊ ̍[tNBP(ԓFAEYUDO@s Zx/U{n}#,'X!ܾ>H{jo<@B]^{fuTR[s<. xQl5ajqF> Zۇأ 0pJԦJwrjׅ|Cv߳CgU!f@L'4VBs-H$]Օ.\ X8#s;Zn?~@;W'F0eeNO+R /RIF [o y1`,+*J1?wy;WMuT΄wb-hqq]"͊G x?yۜn~ (+=8~w|lrF>ct?] ?o綾}^Z4m8J$#U N۩ /UկZ]rO9X2%RꯒɂCfTn}YtzƭLcsD;D$h,w OM5I1?\._26fMEN"M*!& JM~xuG7˵akt,׋k, 1l`^b[ƜfA K.@c&@?R_U B5ԩX/jSQBIb$Ku3~jobTҟ{+9)5YB9ߪmޖala=|W%Pլj{է)m(R. 
y{қL/j~K扢O4vJ|~@AmԺLv~xeZ^G;yThF4~1'hN'R/\t9)k}a]F,wk/&įbv4{Qp7UWZ܂]8}?&)預I] 4k,E >2>j}]%*ncjQ Y9+wt6zG#$'{*ěI}lbmI6(FΚ14{SLR '>]}`+EH$uJ=q!o^`2J _@21> {-9 nZ].2b xFVd"@h@s*1vMHG T%ayQ勷yV;R1QD~,ƗfspCG:Uؓ딭dt1|`r|!)-9:}ऎ"<WS0Hm9_JXd:(^j+}8G1.Cȡ\,֌W~ܣjh@ZULz^ U&S:].>_iqutIE4i`x[um[u?]ӭx0'(C&ϸi整!l=rY7?oLa\[DqB'}YSTAp^覐N\~ +"da27fhe,}#Ӱ@ ;JԀv_4< u. D^tXOote9xJՂ_/.%l9w=o4cn6eR HGo?|&Ht N $u5l^箱3Jw "e\clU*|*Od(ޝE y߰]7h0#FJ_a{<{oE΅S)QBS\U+^v#ZI[tx2x`JΥ=髏B<<ԞcaV,N<:X4SP6)O Qkfx -Y|p8 S0*n'>XW P4k4rȩY @gphh[(=igcH X`} =/&' Di67+DR}eF%{٢`f9ǃ5mMMYݜH U^\BܽV!EH jfy#|VX>ohBY#zJDKl3~plabߏvˇ OZ92ъ[7"MltEhk Ī#g/GUO$?n5:_}9hDF0DHy9fZn}ixGTc2>N*_ؼ`L'RC*sE&h_{?Yke*mʍ/mT{23OFhfg*aO$/ӽ纖vt@PjR]鉪r(ƽl*/*-T3c&)y5zp:Q2VFGFvbE^d(44[Q6kezo:FVR0'8?pff1*DI[~qm蘯.]&|0= Sducz]q_JϙW?f 1$qѝ"8ciy=bgUY383N5 7`Ugڐz[&.OM`3\氁Uʒu9T(֘|F%^Ts `jm 17mW):k{)l*CEqK 2%f>. (VG$RO*#-\l?,A*BSU*_Jc29FBbYcUXڈ1lk;Rϛb8Gd\f6O*.WZM9Q]ն7EBeN؇љIJAG]MIJ"wQ>;j]0)rPWiP7 W R9#QLbuc38ە1y3=O(yjJ@m X!zL{MA/BH~):b#p:vKҩ#]wsS] _)E*id N` SjIf.BbC-V;5hExe7BT2eՙve:V.(q*/`kDQe1{;!Fi\Տ>% 4UYl☾O9EP_6ʺK@P +k]ԒRZDyt'>̧vEWWӘ{2kQMPO(XGߜ6<폋ܪ|=w),fG+נ9*2Rq񕹒HE 4؜˱ H/۠oMQ]%H-ŠL){s_өvU `G #KRKo`f/j6/xSbnP"z ּK߭^hjZHG1ϼC?Hzg)"onD!/E,gǮ5ĥ4/Qz/B{3ǟk,y| b6~ICdPBft2Td2%KSOŞ]ZGRVb }O6Na.;m]XH"vC y0^Lq8;a謯Hˠ+4D^,,1˖d69ރU$(n (ucPm΢CmZp=/7V&G=4GZNikƜp)h&o@ˆ \u߬iGgFs%+ބ&;,,|D&2`%=+ piJ?51/؝.͝&Tc=5xOBD LeL?*1<N TVtS38M¥zeڦzWHRF\2ѕ7CB+.xz ?tH1ɘ}'rTbxZ_c<i/լ8TfO, JҼHr)T _䚐_[Kݚu ̳{`v@ 4K#*ĞZ2Zfр(F~˷lEza(yyyVhf"*ͻVeB(YSܧFZciRSrd=s>LR5lupaj"fRg WMs@͊WHz?vz?DlHgZz^*-7VI%YH$Pnٶ yщ^:ΓXEئm4e_$B7Muo=7Y> ?؃ڍ)2eD"bwc#Ǭ RMqfni8UJ_i( b累C vm;Ս|  d+K(! 
oY"1* /꥗{ڏ E3*}a^ą(.l0qrMA-2UL$x <;*`)q[?ksfO-glſ'f{|c\\Hlzy`Q\JMխ|TŇ]s°ZI"|Nހ hOӋQ~[%Ѵ(Pn4u۝t1vɚș jx&VB`MЛN'96 6΄ŽrjlI8[_E010Ĝ]mkhw;3)e8 o K`^7_WWeOx[C:kz8lIl~|&{U4AWkDP.HE"te Gޠ`$d!Y_6W;iXpY4WDKɍHf FDW^I5 !c d@ y2<<= iKa0~N;K}MpNl_rބ5*$6,8%ϲi(c:/+ =НE@tVXMt@b9a@3Rsז7סgeu}M1˛Z >{{xHE S?Sta `xuBCZ9xM|Ap\hSϔN"@Wn$̰y){ 5y ?Д!lيgCn98Ds9#\>$&>iٰZh {N2Y4'zA|ERoڠ#R G[6NG.qZוL9=G$1x~~/)'TthC!#/[k ʞyYPv9uP@2'xx57/vЋh>nA:$n!F%ǔA8L:?=r3`o+F|z#ctg @R(06".{҆|xM?q"V2_ȫڵ9ǻk a)$B'|=_#W":q^_^@Bw޾<}=6/ f5'N+6V? <6\ˉ&+ǶͰį Dgљ0- +1!omNؗJbAio=7f=7Aj3&VҒ/jRƜ'pǐryl8iqeXr4mbU˯NΔp-Ȇp'z|U3%xc,VYv-H,&PZDYmc^`vR1rg @j Ƀ᫣{A+̢ /׮RZc)~{E |Rֵy9 = #cPeBcvP>GʼO?%BGrnzx~`QK D6Yq7+ 7V;5!cIvw.dL3[_p1+2R9v6AM;\Jvȱfk_n-?"j\þG Zْ'x55Vbus3e+iy*U­M(Bj{ $^z˭-q,`lw s*c[tc[a_c`)Poce=.,ƋddM2,S}BclW Z𠅼rĥ)$N9oB`^1\D"hK 7C,vy$iR'y X˚U0V?q"st0;l..ߗ)`](oj?|z#6 w&jT+m\SAOٜeNm!WAniNZKv T֫>lOT桱?UP>;WТ=ۛ8EφDKgWจBV ,51=}O s\e4 eOYǏ[Q(@| _h;z(g@L_^S٭pb΃vn\bڟjK^AES$lus siBWlb[8r}Tj]@'-Uc{2+~2܂LYP^eTVPR]-ŹZUz/YPZXqo~|!~5$+eKԅ|[*`4+HM÷%F`܌0Aw*ߌYӄΣ?){ 1L2!$8T ^+{; p|s$! &Ԩ[ XJꜯ1+>SIt|~ Εqį!"L Daznj꾭Rn̪abp'VR%?3Ovܲղj{ѿqwH&r(,Xd_U@sb2x,"z Yt*uDE?rE5R}M$|WDʥu [b2oC<(ń'T8VK ԍ/v[UgmSu? $b"z͖[h?+~CHz bݥ h@j f S+ڶP%LD%~qEaUw5NHOfS{ԏ󓅕"1mKv">c0ܮZuut b {_&:3|]֣KiR P7|:#XXv?) 
ܲ3hCVW%]Cʵqc{u"vcEczaleySHc(q04I~$icQD뱪sqƈ`_LRtNQg.Ai:Yev핂/Yߌ],d55)7.>]wVQx@Ln2J-SE׃7?pzB@`c̸|7d|~/0I+I#'{LHW4H>Roלf* >x}|R~G;$hZH+!Mie)>]8]뒌OP(4vg8%4dC7+k]_T&z(M2# X^<0''OBT<@bh?1Uh$aѬ7 Tؙ<!͛̅ l٩_xe;c+@=%Y5Ocxf\,$LqPpCi_y}EjH {P:W9t.m ­;dkZdI8<,+x5P{ sRIr)VZKW{(\DaEvL::]eE '<W(D C!ܐa}}FASB)mPq8FDKq_t[b+?}@_4wlښ}]nsۿ9۠!D鎾|JvXn{&YBS[?)}iрB$'tib#L9)ʚGtC BшAX7 BK$jtM$};"y;C-'q#W3a!`g/8\ESt^˱~w[%CF_[d)ӕ 5WUy?:I!뎢gF rO'iP} ݸw䏘;#MLfyrvEzO FmAm=FWl5.rpD;naZ[CW ɛ@5`S/w,Ϯ @w/& Hn[Eۭ/V=x*S= [a@p(W|d+tg#%ߩ8u`r Ǫuxq9Z&N'="KZ]jsy= Brvc.@)P)KM̲v$c4sgLa/3pˆmuϲ!tru0ÿ1w`yP!PM˂,4(xɿ+bړwBa3يwDt53ށvߞT ?oI XÒ]~փ&.y'lx7;)/x6hCF c/sXq]9ǨJݠPOv*R'R>(~ks=zjqɌ^5'|,f0ߚ` U`_;řC2V^01^IfR]21_+v QKbF^>īs 1*,]-x(Yހd@zTI⅝P_Y䵙9Kdžrs) c PgzÁDj .m/;3]T8CY7yj=6Dm(ϭ=gi#1dDM(#rȎW&cЍ띂";5zE:A*-DNyxP u=h387e`iO+Rk9>F03BjL %J_}`z+\(3rN6䦺d])vlQc;!u"_iRFy. J T5?,kԺx2f'qsѵLK.E~! H+d w0!gfFCV'p2a6[.,7b*S@Tn}qy&!t4ݩmijqP-"}TTKeKK:K8iW3tr[2;V/Bm_Njr/j\{K9岁kf_WO6Xs|o]Jphtnh]fZ5">rEZ1}-Kqmg;æOy^=,>:BX'Ǝrm7GzU EjĊMt?0ɭj^!xFF1 xKN"Wq8Rk/j^zU,y#ɺ X 7"CBKHk쟧d.(zؒl\6(="h fNg@A7̗m';)KC~V~C39v:=0m MMk_Li̍M4s$}#xц OcA7<_Xۥ0ԾyPiCW9bkrACK0f|;Mt(QFeD~%n2\k*&*4`P\4j~͕V8ډqbɔk Sxq2ە?/`8gXѳ\; =.d< 䮒r$=A#D.gf\NS*nջF?PXPj6imMb7tL)wwvda)Ʊى.F(leD1<ҎI4`4E̢Rm".сBMP^ٴf%-,W]3.=ոmx\eVC/C. qRXO^ t@+՜zRx]Kcͧo*1 0W-u^8MjC@':dz#‚C $uA!F"lLE>ҷWgtM*Jxػx>S$LFJI\I8I-8g.nJ#&D.@S3N$ m(VT9L#I9j>45EJjA!T~|yۺpP~ЉE, {R B/Ӵ@)6B,1 #tB//~ɡ+EΖ͈5҄S3䟠2q7_&cRZSZ݃oI`V2, DXTV?Ӑbse`)0q">E(cxF l'껝?֟A!̣$}G|$U H A0!dSNIΣ)F%X!/N7/ H3"I-ՋF a 1a@/8=/ͰR脧d6ҽ*eͩ$:uo!lhw7g>K֞"D[yVfc/eb̋_$.7} ~5dsM{l,_g*A!0MQ!͛ ᰋOH d9OĦ~E/ H?JS T6r҈U 2%@dbq ȬtM Hv /.+ҝxfM\߸B!W 67+G7=w19sŀ)AH|/d:i ͌z\EڢO*7S^"iSD$zĔWV`c1 "1^H?:۝%u\YWd7Fs!TuC|&' 8~rF"υI#blBM6+\Dv4.*ձ5ϩ;6c.E0q܋%D^)M(eM}~ٰbfgZIM⺀kz ]sphs:hLU"`dQWcx^͐܌ͰHs4HJR)# uJJwFD7oeyeMg~m/Pp<^Q+E#n $ zPҐ܃{3eP/82 h 5 iDԆ \*0~cbHEU9 Gd#3&֔[10XVg ʇ=9 l$S4[l2ڕРQQm84g2wvh<7bn{On.6ckSe?Xc#NF:#u(@(6C~4#[|l0DvAU}y̎f}V,̪d6o2 .ji*%`_jҼ@l/-m 6=%4 ħeXv@$˙R[gzB_ƴs:>_T:Ōpo6sԍ3sjR,h &BVc U-55*R0buWȻ! 
_ÿ &?þ)ȴ>@_ hƈٛk8p{}w?VZ ƲI +!{C2n>)5dVԬdal=00r\YJ:8iHA1? MrOj<[!a}⠯ pcao^oS^"zLKZB͵6 Z|{E\ OF |p4 Щ@PNMG%OT̉r$)c]\.~؄is"_(](T30ذog39r$/f3 T[r,^%;ֺo5>#QoMqV.{?=zVk6-8SO&x+r<7tܥm"Q UzS`g2EcO;%3]>- 'bl\AXLud+Pgú%;%56VBf'pI]rϡv@ ECVsGtHEyIA/ʱJ.puӄa 50k.W v,9p0zpl8W^݈gԟ07Zsm݈E ݪ iZ [D9:)=8 #($) 1:݂0SSEʉH*d;B&.蚛gPFLX}ͻ.l0Vv|(PLMO:8Č/v M(ktmeI)| C- t!l4s%)ӷ!=ՉcnP4p~r<%H*C✚j\HDR/RtG*bCR98oNk$SV_ 7f]0ǵJv47jHysR  5Uڣ~W%$ɴk82pCr'5h6/ܟqc/8D:#vOuLc}̵_yVG@F5:+lP6W(REZ[X>fQȉF}rި : (:ZV(mcMGlv(Ɋn :vhkr2eQP'y8Wj9_i-. XՏ*֪z{fh^r)(WA}>Yg|@ې~d`G\Gp[m2KiwӜMD<buU,2FY]U G+j:K1I; rD>=b2B'mă/ FwݩJӂS<(⊤F5! " M0TYv}|D8ެ~2dD  qzN{o26k`6hPe٫^9[rS]A(s`,!LB',:-Yst&V'w{~x8~JXv-z~[ÁTrA<%%)1P6_ `i6߱MjZk/΁Ov$ QRzX}òZ-|#me=v\VS!?2[0Jy =rVA04GRcwލTKhWO\te}jت &k BT\J5WGe%B,ե\VMw*p^&fC S}#乔tC:a[Ïr=< Q^'QsbU u+Q[,~atDO ӯsA2n%U4Yӭ5&Tp Ag]f&U2qvh> b{zB2]<8x q̚ IBF? p6rإ=Y9_!kqp|3H3Gh-T9 NDQ* 3&ڼXdut86'}td%g2nqkWb|Q-88} u krYGu%7I(n_DVb.yRúuq˟R ˧ra>K13 Uowվ R#]&Oh\tLB; S8cA0 S|lVz@O_&ڇ@5&OVCps^ y@\?scEYgKn(0jՇRj(0Pd߅N] I܉[Lvs*T4ZƵWg>k~cO@?$v8ަe|]?"O9<\rK;S G >D&s:~C7<FuqG&c5H>053]3U?z]V4mZư-mev+3nϞ +cbΞ]wŢIiQcWHr;OãWtZn Z!-  OpRT `[lh¬kc`KƝ͸VA:LtmMf{7*!a|[)/(qq^t4Bf2i$r֊7TKk%1sI'"m`{)gФ8Ñ=- Ho=̂6}m r[=v DSg6cIN\í&S0KM}س%?>ؔͺ ڴ,CM a"N cD_g`r.7v[-yQv17W;RM8\r$j~_Lǽ`4a$q!D~(G(EJ)rFv7 b3ĭE/E%caWivL9#e壆 8SZ76jf8kXsd}D9IvIn zm ) W4OLMkRH}ͳm`yʮV6 wC][sX+gTzj j1CiΫP碼l!yNɝ/^@aOKZv qaIxga̡|f…zDg0H8| TMkJgiYQP绵JV]n➶x#{;PŗgN뤜RUr_5Yec~Ci A:ʲ)#X=ZQ2õ:c6 ;*zu;Mk/.B ųdO;=a[-: 8-F -6f5w|O4W'@Z#|OGc; tϹ e;0g)78`LqA aol/'h,žf'ߢ/+::xD+0SXT1CY!~+ޅ9m x/Kts_"q9b%g];Ywک_`s7K'j}ϑ&цJZ6E8"X'4\Q$4"!Rsuw5KCl7tWV<6@_-BqC@ybc?H>mh7{,щ98 &it )4"N5,-hiD 906{ƕ|Dg)|ehTS~핹̬yߣ>:*6Q=p$VgR.qHtrV'3]̡W&Tpbt7WWov@|ö90 'h}>)r$vm-xcV?=ۙ"?KFM 6.wHai>u8܊֯WONL>0=o1dy ,P<uFRtrS7[9S5P2kswɜ_k,}Z+m<(7ӔM#CxT0yDu@ƧfoboؒOgɤ2Hଇ Ր*ӣۼ7">T_֬-/rpprMΎ#Hkb]ҍ&e=.CLEޗ>{)0SJ<`CpZ'}?/*;#mLʯjJ::2lxIsZ-kO]E;؈+-0cꊲ_"tTa{YGdsJ)huk'G6P+V-0%cdԴ8(7S~﷡-,LCH؀9yʏ` a[q; ~BEVx 9ȷŐ'ȾM}v'VBRȽB*ɩ.7ܮ}0)vs K?=$6Rn\&ڮϖװCh}{4b',z%)& i 4 U:X A"=켜VDMs{K=KC"8'zfAy^tINXAA Sb!y#:0&=ӻ6uG,9k{ 
:;%J'z%j~ Zf^f}N; @Ok#%h_ʼ7(z6^ 2,=11 r>{H R4Ƅ').1-a]m 3j ӗKGڏW>w;@ 6u׮ѴгEa2(ƾ~+ZԼdB' s}7+`/Jq`Wm.Q&1Kmf#d6ȘˮPuDC͟R<"R&"[[j[3UDD?a/v6\8,3WG2cf3A2{,17\Ֆ}z&E 6f^laXi=+4t/2*E D/RfXveZ̳B53LO2d|J^z ^"6_*T0e^<ۇ"fv,~jO9v0l-g`+d J 0#8j}q/TjF9LiJ5UUL?KGǻC>Aº.5X MsZ0L/Ɔ|{H+ڌ L&I;ɀ0,gÇ42\hЋ˂C]NedA?==wTк1fjdh5aWɂ?m\ ٲO~G'_r*[8 "LlGwop|1s’[ GwyWj26Nu^jr?G09;H{T4Nԍ5Xh_ V)7kaf-dɮ /rkkM*KeA2XR>FYqRR\d\՛m} z[ΊT0LR;SJʨ TjE]?CDZ$GZF!BBMy0Ag_ÍTA妏ROoh]v4ϴম' `a6 ,. 3qV$oDA9`J2dYO C[=V3D.4eJP4f=>]\PdY$]Ƙpj\W,Nvؼ%5E\Fȼ .C?>#0|.Ū7HNa cRcl3{; H!sqW/c-vgeְEris[f# )F/{5 <Y MT^|\.;[0Hb3x=a(B]vNG8t$s}`.d.;lm~KqflAI]9&$)N3O+Ӵ%9M chWQ!0$.)g8F">67A6kalST49pt2<~C3sqT4/v 0Mh"Bi>.ɱpXYZ|]%y-YuM9:3]ÁxG3()JHOM&Tlܒscی GW>.\<;5^Jy]˕<5Uӣ"ɁDNuMm4A<ӛ0n#]5Rû~ ոqm}5Zƿq:`GqY߼ԬtSYoﶷ6#c M!ս!s4˻jrEҿ1A}ڦ&h9Y鱸ti1vஓEcdH ZV9E*RD!BJ.o)!m XCkQ &`2SHp2}Ԃąkm#@xOАc- |ؙ: |qPJ[vtBw$\5ZN3HXw?jPښ[a}a[Sׇ#[sG?~3qe)ZVyQQ>@x" wćdg:]"S>II[y,_XL'!EAj7+]@(<]~T0o~Nem#'+;YU?"3aje|mA Qb'sr*N"Ong-YjYYLYf1S24^q;YS^($/tQ`bX)bY3{V%U@u`42)O`p,ߌ7UAѰKL8XoM7?vh<<"FZtFJ5*Y -\W'g֪}f߲::.A,Aǽ\\χ$גْe#RWMI mi8Kߢ]yQ?:ko{ye7ʀ넴~͉f\G\O_"Q ?fam1F'A{k?B֥llJ壿 ή+\\aGc;n/4R(dijN7Qxo.>9`Gd b3V_"-[ ,I8! 
#M|p#_;4%|l_EVL,on 't=v~f MT)ʕ-8Dp.%NJ ׋/K~5{T?wѤuG4D^K}77Q .ifCX&F $`Zu5 SD)76tnr6fkhF8'&+6 ėw~YlȟMH-PI%:$V\$Atp+ڊd  kb;g$yp xyCM+ IMk 6zt շZv/[N £D t2I/0(Y_1U_Z&h{D7૩@XZqbZ|AVaRbKAÉrBosypx`\,Vd!m %NYl)H{g)6/Ijs]rbB(jP뺨?+7'Ch̍0VAp{ltG"XqR.gזP*9jt n$ы k?b7)[3 [G2uxEcIeCu.>n31M gStH z&žǁ8)\늚kC/k+OFVƱA؈:]v ZgЬI]3o>5۵^ӗ+#B\X>{ >큊AbL60jAnGcg{qRj%Q`Q5};GjӋ 9 wсsA*Y~j}<>lpkx܇q7_qTzLP:fڃzKm#|ӈYz[yWb^sweepjt>~!-{[W{C5vB Ϡ^ /2mi];X6,%lPT֓G^tIcP)IyWO1Aա؜ nPS\O6Af }rUle"} ou\hW-'^̇#M Y8vԯgt9qV8.|uLG b8 P}ܓ- NX|1]*Eb/}|a6jBӿoY>*LtHga-{mz2Z1dA'i?OJRؿqUΖ@G)XvAqX7h}3]:+Vc ~}H5ŵy-t>,ڋOןҏH^+t>`͚&S=Z͒_哴JIGVs& =3󠤓DzkS0=l7$mδ `W9%濄͐ M1`u+}9db^> G̵ lNVbc(&Y/?g 16-&h`yD}Zq$b( iG)"?:j{JF% sYGh TQQ߷젩viWîu$S9ۛHI|:fdr׃OUeFsmN42K FRPemy#RQ$&f#V8(T]GY&pR c^뻯lSIs5RWwjK]I rw%3#Czf'ۧ[ʎyTjMwN]1õv!Nϰ|ZD72GJsWŇvxG8+m ʍ/d s[v2Ip;$Hj_C0'ǮXUZefd+R) c̜k`q$vFƂl֕ yM!TdF&D2RXGYfGԷO| JS!VZUTj /F8sM,ߊjۻ[;lmQ ,ae$z@GZSG"/փ8`uSm @,@&,w9#yچ;ri-ɜ/+)'ӢFLgGW`POj@tg@׈pc: :! 2K℄VX3S0NkHxJ|sFMuPrs_.Q<*q޷7}-F3j/ G3 Gj5=lr Ǥ0t'{=T!|O&Nsx!S h(!g<%ЩJ&h>:Em>f˻zۙQ!T?R}Τk(VuzP4$* ʁfdrZmL/[ͻnUniLgz^:8o8n0 (07$@SO7ۙ|$΃\W;pA giZoW(LY$'p]*D]t٘YdX/4<n\WgΨTi K࿚16J@vLW1zƅ⒁;.goK8,Y U*Z?ć98J5%(ڳ@% w;mbHDC7 żpI˜DnaXc.>DWtrc:}>O-ثE1x7b1@6 ΨPy.eۙKmkI:۲w>U{n7&Ti0.Do!6DƲ€YvA NXn3s)sMd*qQo9>hC@W3֥%M#xЏrMPAbm$U:zs#u z xCCڽtZTo>Oq:@*$Hb;lHN{QZ?7Ûx1*c.)iw h1GaK 8~n!BJKt7I tx.P=Qь*uA g%r$^ݎ]t_wp3;r@; DxLp IBpV[Hok(x%"{&[.Lw*LH'62?XLk9"(aN5T`gtt$7#fQq[y/B/rD}Q Y^i-j],ʺa0;o>/ld+Nn;ՋV!,Cƨo7ܪo`șͅ6;/YRnd(\%{bi/wל& doxHnzA8oH@?#G; AOBqs@%tD^!b/o;Yw,svJ#Lr1bl]u?e 43;QaRc{Ig]TbI  \bHY &i1@(;L!h)T lHi"&TL6$pŔXPKf<(#~ kَU O65kpuI1LjKeBзB:bnPp@<:f&R-ȯO[4mTσ7Y|(ƠKt"%3Ӯ8Żc .kcd!bq]+40:-/A`&;6B?*GJ-5gE)Է@O k?Zq0LmTJue k-=dĸ[Ή"Xս= rZP5; #ȒȊ&HM=63aiO MWR6W7fۭ={{"΄?9J/#֭4@Vj1_{| !@bZ]yGXkq] pp 9er5cӹ0z>fz-4cvoK7 yR`Ɨ`Lb/ޝkh UB[2Vjvğ4CJ$9snc&z,7nP[|-aA饺u+ͻ QL.#=#t9$2,Z䣥I%-򎃎%N=R%ǧ~-rWWݙzU˒)lYdFTdrglz)!7ׅ-Ҥ5b%!ms~?̍b@+fPX3؄~k"cfŋ5L#p0 i߅(S,:ҹ[N2;L^ޏi{GpRPW$.0“4D[8sȞb7+ΫBYu7ƝHKlO=1ec|AׯT5 h2c46A-OmR eq6|`A &CtlK[Y. 
[8 *7 ek'VsںBPU_7%T z*}MMzHW,^5"_rmC?y@IZC+ ]W{^囝GVRƫtQ-=KhÑ|iEg- qF{OʵN^:Z<exj8qh2rl}e׊W니hߊ ?B8>C6>[#G䚢2W;(#y =QSp4)Q)lc@iҙ 9- 耓rWf Sz[dY`HGjZu㵏v_8 + 6H@=:L 3D2 S"z6Ehn\-G`:Z} YdIG͏%I5 H崛PzOd@)-8U2 ߕVH~rxkBv)#O U;J ޅAE<=r7㔕0εX8$ٳ:U$h'&sSl Xz/ʨi]U]Lo=Iz+ٙŏ>:&dvaOBHJݐ^H#ЌʢtNIo~tѵT6eߛw- p=픥)t]ԢSྉ>fm)n8πUTw,~C")e;-Q7j%.W+',>u4G3BuAh&I0Petiuĭ-^qL$qBn+=aň6 ơeG[GF58a_ҿI..=k*iZs0;m* N?|G*.JPEX#[j m`ecU(pX~LJd놶phGrT(dY<՟NӞc #ڂeZ.5G}1<*5#QJ>?_؟Dm31m_ fx3KoMn9&dcC)lISb(/~ Eb[r .l ONH{onT4]t610RS@]XJ}" sr}X?TIr_' o\"Y>\-RAJ^TkD\~[>gh_JPdvl80o|3ry U4F@(u{Dk A=S$b*ίmP; x\PmHV NڐU9,t*#O+e[kf7~Ra$.l0̹>":%ģw~T"s*җ#tB96";rNٱNQ"'[eǑݦIZ-CoOys!AE= wXLkִHV7i%1>dfMKDn a6i[;fV 8iB}†ކMS.l316 ?A}U@~esvpRvch7Sd=; WhJ1bo5f"Cܴ2'"Ƿ:( ôOHE7V dV;du?*P/}'ޢ-Qd?W 0,h)MR>`@ЍH2a]$$7HϟĀYsF7M=t)g7L.tnB*a%Жc\38fauz%ثS^{Ѐa Y`6@tk;-jȋ5Pu&3ct6||V8!C43G;]cr`6I8KHXhk<&(9Nq /QY˾Ix/bBcR0|k(5cYq tlr KMZBN޺ ]0pT_e<%j/|_>yyN})H}ؐ QtF09HZѵ *U d/䯻[A&eI2}0ڞWH0Tl8է!k|6lX۰#ކ9Z=v\B̩TVj/(-P0w ~+ V !A /N \QzV>.+=}ԙMj.M477`Kw2Oj_nKԿ tܬM!a9#B5"]-c `OR\4qҹn祍hH jAm$G+#l#` oMńcqb8LmM(@laٜ?RzmjB^$xcw ;qw{p<"@u&Rj($Ou|EyGL~GS#sم$Xscd+J UQ?1$[Tn fKa"13 BHQ7f])󯍰@kVHlyovm!ds$k-Uk4, F]\uV_%dċKv! C+\aN呔svzlov1~l$2u%Rdo;jxl/]?$B^9Wk-Խ$jSk٠p:,;i/A?B@8(3ó偅*EbVҕFe v79rM;x' V#zy͝$ 5Y嘸1x$e8KlGAoH_' e8Y&"GV0*U;Yn: uVȽ)A& h%j`50ns)KSd`K0:𴻻PLӢ ~W`E!$J@ڣa6([LYxu@3p/v#HTLa|fΐWMt F: 9G,yνPyZ`{u.h GV e?pķA[5z@[,æQ/͒|@4Nc2}w#y/̻KYC$v:$} Q;rd2;lt]߸D58; 12R6+*[IkJ=O6H${[fB7 l0.leL_2 Y-55&c_#\^Q6{ fAZQOaؗ2cs‰Wz #qMIx$*NuUbwE)i չR=ՄmkW 6wpʃXSvAȬu/E jjvz`V@Xb`?'_O>hl+t xtz4͗alLS*b C I[p%FL|úB-up?&X^(> ]j5=K,s߮_E2僃/jtQ5Z+ wZj>gKcкs8tӪGaUpWQ?_5/yӹ9TI vJ4Lּ4L~pyϖ?sG2?>o5<C8!ș 9.D[Z$e#kwp.#?^>߇>(*y{cgI:גnTSJœi/U2P Y˸%0Ų(G7R!AGtzP,~`4@ң.෵]_LE]Uj=jj[Yͮ:io/~`8gNv(Е(e]A.S3siӆi҈p jiVg#,[ p~HUƒ,[||ǼN:hPs1o! 
ɍRM@J.k>#ؘBDa-՛eBB?-Y.xhpu`3}>B,t'ȜEp16p\%<&+nL 栄F?O~vTPD{ӽc0+[)vC9;FLSO%oTKNpOYHh1v5b{AVNK%{HTaUdteDjQ6.hyZ3MofK@\7,{:meS0l#9ډ/\mc 4fKdi]M].QYEqOc)Bq= $zOGct>R.PE8ے >~Q/UdhڛvRoECnG e>h+\1j˳r5ī5ۙ%ؓ9P]YFLƢokPnm= ϟډ$|$ Q@]Z[2 rh02?:COݑ0cO)qZަiE[ɛoC:Y=+pEW'?75v !Ձbk F̓P>-z M|b(4 H'CP4#3vt[+ިp7!S1 *jaENM)ݩ|Z& V&WUWSsdv.'-:eѐ*'ƣַ[QXuFEڬr7bKJ8Œrd_sI+R%R~NTN߄/ 1p( +K,gdNˆ:jޫ~Np8(=gنyht}ip?r.ǕI"­cδģ%Ka~ڤ@y.&űQ%>}pzm^ZGz?a^ |ܩW k~g"Ǔf <ĆP{J;y^ NV*a^6Z #J`I OCN&eS\^b3fȶoYn/, ySnw0O c$ɯ NkSfKDB\@J>_ JC(Hb.aÜv@3W3?/찴 qIK>ezlMXdwQ 멈 `2;B{ag)ݭ1*Po'P hZYLxjK蚧58b"V+Y]hǻҁ7^ %=gk%4pZ=kmމᰕV4.m9O O`,g682 < s,m<(I.o* AtƳ"l H=i!,aEk$o/pw4W5vxM 2 4'X*]n&vk~{LP-*6R 6w>*|2&lW;1]1j6Z>;COyHЊ mmۚ݅I@SF_AucBs$';:<]2c,,!q'뙰4+6FZ4^2#gEy"ul|qVf f3%X>qߢrz=|&(@s )kWL; k AzYAv҄*&aNX){Y[䆋ʷ_7w4ӓ5f(IKJB5aT~,v1=9z0D\g_yTydΒHkh{b,'}:C䃀oYuf3MqPpoI=}bN*b4OzN&& |9͓SUq&~-g.:7\.S4ޅpRZ,"Z{⠢=[Mrb phaFߟ7MZB=0iOѧ~p)UiKȮ-tMջ. yE7M{|PTU\ 23e"ގ?^s}]{:Z_6-'fG@9Kv7DI!WLX^¤K;ǘɯ9L,dbMqàzĎ[9BՕځb{4额P}b g_N# ϽJ{dc|ㅲ7:Z6 PNHkg3q\dO<(^x)zlnsM *2l3q C"[~44b}Hg/%G;>4-Z /9~ ^i0ڶͿՊ}nQ<4 p3YNNx xRԩa%۪"֔_tp>MZyEՎe)M ف `N.盓Amws+~E\M3RȔ'/ZR!e3 )4}x[soс$ dSo֤eқ _ĩ9_=Ff[HޅxeJѬs#GCf Jb%@7(z8we(tzj vhćł;4_SL .FNBl)Pa_bJ8Aɥ**IeѯJBl@-NƦ`T/C@yXI gfgraTn^![hӡjD۳ J4b=!L>RƆES<6jvitp@#ޡWj~ ߶$y-f!*LbTc?5I"w@~(RZβ5M!;>)'\6-]'Cwof 1hr`(0N\'[7hi M׃aV(%t}7CוaRP&e?m-s%~:dnK&ODk#.,liMʯN~>t ['f1iyj{pŝ_|r>DFkT=>H6ءY9-a8fŮːdfrޤ{:0w27=jII&mb;*P3e4=J:Nh"T¨ l *0j"vV{ҟ?]{S;vb)*$) dztj VZ 5Cn,rwS ˦7)-j4.3=thז[}G}/pk/pRfPR=\-5F{n]Fpv|y=}CZGi226dё9JN(3HO'u( (m $Ƴ]r?$;T :cuȻ:΀xw kKަɯk4L1kFMQdsɡB PYSK$ qߌBo<Ψ qP>yk͝jwYFhWZ{<Ι hrGjNSFb ] ]I+>9{?-e+S9{"qf\R$ciɧz?#щے"Ǡު~#ܧ]i~s7owO)`yw&n屓vdOW^bcq;wdK.ӂY Dّ?nHѢjmJk ԜĶ5ok\%@S`ZWe%tf lōe|}RU{Iq:R ؜󯗱! 
t%gI'EKOIW7[IoЃNs@p"Hd=4]9" 6-Ѿ0 3uAH6I`@Hƣ-7pz)`=4(`aP>{Z nffŵjs[;z{T{$=<~4;HTvBF G8+s ݓ %޾ ADп7s;6 u̹/=g=EW4fN4=[ y55Hk l4[F̔ ZFLGawQ^WXb5j5g=K y?I"`N+Eਇc+HsQʽǺi{!-.s3 ЪkCpu$GjC mgw伻 4"r{JБe.=JةkEq׈߉ D]U7θῡtN <>87L{FR_iؔDɏU }MMpJ ?Ům+ O" cKHpGa1ܐ.%{?.oV4MLM;]{ FcP7[9xC"PfR6ҪU"DU@T3Ţr@i_?4pu'\ %rJٖ Ô{Y&qY&wEx'1,ַel꩎#_fڴ{cHD+k±}quQ=4*2Hւo :RJI)[=5F6HS~/ؚ(f:U}>ne9$YgߦֱJ:Dۏyv1B Lx5[3ӎ?]M'.NjMG7! Fj$ƞW_m&Q wpBj0E]#T E?˺ZϦXұ~D;r`f=nW>#j.@]6qHPN~vfzӊ"$tf@ ^l%+r kݙ@|=8t@Au@<.C.sHq k- ;+p Yݿ~?~#'{R7A|Dƪ5J(j^b1y2X.B,Og7d~Ur e@Hr-!veI+W_5^yCzF70LSYUHg[2Ar&4w^?J"ul^l@lԖClr]qέpvIјM\ס IcD;k'њLM 2L3W={'# SR(ۇs݀A1D~n^We  ? [}:?xSny TIho1\b=aBȮ@ZpG-7G !%*wU8'iC"?JE!~kAQX>Jvћ5mVI呎>0C9hŴQ1i3@5` :$t+QϋEJZیXNX\Z̴ik;I4|B?kd]:yX.z%;|Ymu-DB6Շ+=!'_sH./TdmeJ:V4>mBIm:skO8@ o#$C2AJs:'TUh^:/Fuefd qt'nQnSڹQG|.AQA BE @H@ $ĨdȐv[D=+Md礠L1 CqRp /iߖ)+S7@:Mb|<V_锱򝢜"2>9ieV|D0>o+N1bM 1T*wC0=&:)r<;+P'}GTC6:VcŸ?WNx+@fKO7;&;XZ},*6%_K(]Ξh}ZK8t9J!b{Nي9U&ؒ#4UNIUG.Dg9Ə{9;]#"ew6G'OqA+.:}#+[d"IXc F4)6H`ǭIy_Z N|DpyMJS۹ybP:F)cbf(DQy.53`H*:._[B}:-8-dS]1,%DcYb5Fٷ  ˷[ᇶ>b\!<̭nƹ˱BX}>9gO|k骼*ύ !Y o+ \e,R o,P=h~2D&]اI{z U5=J:òOрv^Q h@$cʿv~MD*&͙Ž\q"LIy!N.6`^~ Ķtj 15F)Mwjdّ֥̍.喨#v_~oX%AьSڨ}*fGyÀXP@Z[8gjޚ+|mѳnhFާhZSoK,:?Q+::qg4|[y9>E7}M~7: ݫ(Nm &@]HW~aXܯ56:g}H*)@./h.cxi&G2WAƒ*O1 XJk8˭Qlwlt6IxOQ: |GPtJv ]W@*XE.7v՜J0\UA#-N암y *៩~##"D!'&[ǬpZʲmҳÎf0BưY`@[c "tZ‚<iAʖ#JGoU6N~D'Q @u2j!Tޖj "uru7XxLtVOa[ljϏ:9L?ҊB *1D#4bFsX_\: RC+:]W]o;5-"BˋpW$1pOv^K׽^_R %rg`l2aO-BZ"Ԝc>, к/"o׆=]Ff/ n{,kdm ٞS(2ZF4j9F3 ՂO^d4I"a{ UK]?uJ,eaRn=&zVck^ْJG[B~'U uj`|) {RwQP%#0%S xs S0+RٿPI{*ICҧMv^+ [y(@iqvL!N\?qlP,$B$'`1mFfAmcax7oW :\6gxğѧIZVF ' :\^u6jc..ul,<H^t{ql1:R/ W*|{ Y2P?4:`uD<6 Ztn{=٠,=FjRĜ t^fޑoP@`捏ge {<G<>'R|G* p|my_Z(_}D?Ϛ†׭x|K`_QgE%#c6@fBӃ#]ݱV2l54Ěpm$: [Au[_(,\OIc8s̔q'O3NbJJP^4]xKa(f|wb9?yĜꍖ sad̜bE-9 R˫L+{ [cLrQC_}D?v[Ǧ-MG:+/NJw}KƃSG_@ZYGK.}R5݂ a<~{;tM<"Ǎ$w(GAY:2~Z6EhtaCPei|Ē;8P DeO  +Be?t=Ɛ}ા"_j` .d?M曺. )ouKe*8,Lk̃>Y,ik!U(얤@@1y:ŘjW&X4QOSc p^dtM)F{,ݰ(=܊UMȴB!岤kazbTv@=WfeW[EHZMNg!? 
˰шƾ7ㄏMR 619O7a4SDxn݋'XvY 1D\f2K ,r:SE^05[$@n,*&Gak0)0A:{RnR|ӕlDA#BVdC6XҫS֛p_M_+{`D|:?w8v9b쾇nq:Zcb$'zxi4[ɹntqTC !VPڰɉX"AgHW!h,Z]1bJ쾭r1q ]X ܆D"=qȻZ,E8,BvSӿ_xUbλ҇du;*HWnd5䯎I@JX\MBR2^^q ^37,!渦v?돸w _8͊0n1eug<{PƎMU6&K3{*\ń͈;2;*3$@T5$7R0x7SyYku f|t1fqq)82؅SUO]( 1-OP W}|w6q!3ZUPs/Sxx\OMAX 'DsѮ*sS݄G߯ήH+Eɋ.<ˈiu7i *o& W Vz  9$pN}FFuanx \Xipi,'tH xpNP8A6XEeNCx3a6 \[r26dtq,$wNveK:R^[0ZxvP;Hrk7$ .46k21ÿexGAq)u}EY nID(FJ&SoVcu4w: vh"+qAuwoǞbB­+eMݩ|~eμ(M/Q:fa@OLutuu9qx% J;hcҭOߐ-+Im4׉_JfGBo v$o9BZuKj(wAn{x?K."u0)Hufko5|9}/U5Z>'ydly~xh9)Qxey~͎w. N;<7c@p]%?06MFʝW:,ϊ#ك3OzĂw`-G,b VSc] .S@{ cLޔNUCR6NF+)6$KѦJʩMJ@c7(I$*)+dRzXWq6.ty?~X&mZ0as @dn!]їOC PWVYN* ee»[m5]Csx+oBjrroFn/>DTK> ݇׽鋘VstT_!n"$J(nX 6:gxy}y6LgPMw[xypd۷g7*/,ia;Z9qѽ XgU0;§4`fʤY/&@Y*QnɠZб!F8_7x34cfxUUJ+< zAm`pbRznQDPT oúN~3'0Q WX#E7 jY,53TC`BX?6" QfGQ~x02N]k( 繍dJ_MUГG"y>w7,qkZ]2RĄ1;֑`sGgtʺJ(漉QDETj2˾?AռdcXbY#fo'V3uլ/R+h&g) =S:NiX?&]KBބhwHv&H[t݄_7vsf(ɤ4mZHhF Ltm$xe: g*L6LqlMw*UJ8NXa]/QN;6q> U qP| ӋwuOJ\k_d~E 98YhrE.l7WΏg`}'Px PR;K.`b F-4Cqd8hbT)W ;Dn]¯^k$ O/0i\7LRZ(zou+D't% #Y1 VՖ^K1C.hr.qq&ا1Lh͑;3:ZcX#wDEMOas&TȎ-`{A.UiFC*VMP8M +'2\XKb| hj/O*trCi!~QYV?q=ҧG}LYRU rJq 9whPԜQfpREQM$8Rg<`! zăox2ˮsnm VY+=.:r^"t m?nj&33*L9zkQhl?̟$ҷ1H2ŷSL>.dx,IrB5;WU3XƑCx]^ R 񹶬w PVRL`*t$}lBBBWWqR| 7pI1eFzzD=>k) pwCל-eTܑ.)M[`Bp5QΘ|^3u&k߿ J6o*nJwz7~ 4|4 z;@*69hF`vL2|=hyxlaの`͢^`4;*bMr%y\9qiڅq Guw ^y|3+lŰϏ^Ho$+>g^+jHܰfgĘ>t F/c%0rdթ4ĄӽǩƯ`omڎ|ǂb#{gj}3|dJy?hc4/PdsOrojh몔h}6N\ayf~V߬;8q+h[L=<)7h@l Wd,*|GA#A+]ZGNm?T|yV'={.ҭH.KIد'U:Y3@HnM z9yۜLgRX1hniw4x?}C|,)^r?cdŠtuvnNMlqj wsdꓩeZ=VB?]ZLi23e[Al0{-hJȹ/g^(ѥVW$s ,ϋkEÞW`12>}s 7fjWͷIv_Rmٖ+iܱ]!2Z@ Z;]daw Y>J=y㙃$sﻸ9-P_Y> b3|VfVq5zcRdyU2{k;Ku7 } XX川Y(:g}5ki> \O ֑Ew#1z#C$L{0 ED!=ZY30aAӘ5+{'NNlxMr -_?[rp~c4¿!w(`G JNC=uHcB2puĕ8K[T^MH1VFI<"DhcfFejmx7cԁ'Uˌ9D R ~塼6ĄRWʷg'nGyUfpѨ]Pq69IDn=OX8Mpr/!TO-9Y=5ᕪ($گvH_(wbcM*P7EEl(PU{q.;DiB`x1VcV i]58)Z>"`, Q-_ۚ {)V.SD|+Dcypp!vţLx {lZmn RUES(y oFq7mDԢF*&E'BB6 e }bJm|_VJ_]ceѦ( % g]YRܽ.kY&d#ߢmKi "yeĜET"HSdgٱ)сM`ur_Cy3VrQg ޕ|-MQx3¯ED%]^6D|m(ޟ4G$.HX̮ !~h{lX? 
#ӉsWQp'MZhKıSUMbP6 vM'6_O+FP!_]S3F}n:O+,C3485NJ:␌iZ][=l޾gK-B 8I"k +kSas<0d2"IO TVjuF^Uۭ<Ђe X/l/z(CCDӆ^׉ H\-|)a+Ȓd=KzlGKFiѩ"r5)v# #&z7s K[ &3Ml.ӝRfGjބULk{P+sv+)iqXRZ$hFv?%WS8/7~Mo/]]Q*Rdނg!TyD^~oX -!?y"QsP]\pUOי2KrX$1#2>1NaMtއFQ?91,Uhu3!b]_.awE②^ %6Z@)!F)ڬLknu,0TR֋2w '|rU%}z/E1#1T.+ 8}`r˗򖪈9| CycVf,ݏP")(SĝKӮ!&w#kI/1pm.͂UZo!o:6opY|@o1;O].1+09%u$IAy'7{[\2kH_%:q֫2ܐp5J•%3M>n6"KK4 >*ФH9=x. cC)4\c'z̉.Bm9:|A&Mbs) >c(ߖWR$apvW>qTof]S*:PU|Ⱶk/MI5,ᆧƥɕ[sւ8M{&fj F1sXճ&Ct5pa57d ]]ij6R#>;j貮,gn yH\p刋 NԲm AۚK^bea=:]pEz4W_F*|B}!BS@:wA_g#QWrٱN!]~8wlb CO^4BK9l5[-RM&&sG 2zIeJ7~Mn s}Q( ^M-BNLw) tϘQqgpH0qI__ShƱ-%=Ri3ʪt t۔Qr"}n@ w9`%KKڦ ;쿻5 V&:<K<6jc'"pן予*` r,4RQzfh?s7R0.ym((S0r^F*/D+ own]}zzsM5&t`1s RfN{O̧)ovƉтb:[wA<hRT1'H %?<70gZZ҆cAhdɐxeAг '1Sd/ `̉6Y p`c—2%ԌeB޿}lOCBϮRJ*7yv76W<G}/x \>'$aUXr,X_*kf%@)kB H@ܩ !KV 1z:y :k75IIUDeNwoRI1[= !0䝒gF:ZQsNпc^[oBrXu4(.SGZI!SJ#o2 3RvlnsL Q viNo)[YKm}YJי [l1pYs:#!T0*j:y2+ D貹ᇟnNok(sͨb[o#q㬀 .tDrZt_r_PL'.f\4;)5s&Z`:!T6I#hC (;5pF(EIf7ؖo%R촟tT~w֑4h; a]n2RxMiQX^&:sxZΚsՠEg1ZG@m[{p}lbɈSQ"e /Vy\ BsOU=vs끬wNy?V\ڽb{ac,˄x2 i|#9$GF9h|Td dk貥~mpg˟J{wd.6Z>^e~W,7b\Nj8$ eM"Jkw6^ c{Zf0_LE{K K#NnoZ6b_#bJ , ( r?.SbC1U¸>eꞿdLZDa7sUcy3S\ 4{gِKK R{y\ܺOB \1{mbd#IJ!L˼0d">LEVlP P@N}3sYkĵq*!ӓB˻Q9w}NSo0e'T 7qEl^ cAt}u=6{_ %ovUH U`%Hi# sFB l;W.l4'R4횭"TG_Gh~^Gf)ؗJ\>ěDpvam_!FJx `:0)9_KLG΄X0o,NWFTM% 9cIX nD[+;jxY^Ԥ$j]vԬ|LW,ũj'Y0XRۏрZuGY\Z- R+ FmRA婼|Kw1̦U N#>yJ^c5X\_Eؚ 󊽣 4hkѡiOQzx}4/9t6rItblRpOH6-uNs% Ϋy (W<QJ籢mIW_@hI1wFW:/ E kR7QˉSL$]^RϏ1I*(WVaN3+j4j*`zv4۲(sg\pZ^DETaO\I( f(UbM 1}ĞduSRNW*9q,;9t'6V!8-kiJQeW`6 C}%up039K/;>F"-B$ PSonky)Sn=?/R-%ճ5b4uXuP#J^[{8vLX/XPt=B0qX) RJ;_\0y>XBucя4A,qBS{P*St kooaX)' Mӡd^Ggj<5ZX*|z>c{51+?x޳xf#4K{s1rcjdI0gXZ_TvaJk{9&8 OA[.yḰNFv1ֳU 쿜\8|A֏j3mqn˘/ y-8E-c1'UfC}.*;NϦ,=`C,$%ޯW鋝*~KceO%!F߯QRo4A"Ԁ)sYKa~;T:B)dU7 ׺JӐ|uQ?gHo qQFDhX\Ic85YȘ~ZWZ bhHQ)"Pic _Wt#֗LA`^9cgjR:pDP9{h)ΈE=" DuEOۏ&BUAive_cg=vK]a-Sq [/ߌu.H4u{L)[{'TN}=̂0f}1zp$~p#5tɴҧVM>ff͔:Ra4= Es3h97V#>O}](쇁oSܙl̢n* UỸr%`skWջhSXL7[,,fzKC)# Xp"RL.~<*[dĽVjrk] Gp({ݑ&nktrƜ$=؄Ia~oC5Aî U,{?G)q$ )ys(N>?Cֲa˥4JCBZ=zՒ9619 
>);+mw. "u)mIW\"槽Խ ~Q7dOɚfw?$3()amt}ev酉e!pOLw3q~@: >/=PFWRnәzW$r =YH*fu\/I!)䕄M]ʒg |mچo_xd4KG{Bä́ڷj艦!CU{ao~Fך]GꔛW O5S ۴DHV~+|82ɏ]q)s)eZ2#?cW;a9DU\ʬ @¡+hC*M(AW-Y(7-)5'cςB۷9u(f!*HܵG i2ڽ7 e!{U-yi(NpgWoQ>*h&7 <4+ b"f2Ճ $8 1oesJǨ$V+-w3:l>$F/[ zh[d|O\qѥVf/8EY Sn2 ZRCK"^Z[Y.{wn ew5ƽExEr&ɔש ;݄fCZסUebL%71Z$,]a-^) .7\$dNdtEK9=DFp, ݦe ¶dOOy 3-> [J(Z}Yc6v"d#\oJ8#Ҁ=^j77iC[ҩvISz %N&[94C[rހM 'ABMS=[PuNɃm2#Jr2uT)lfR^EzHQt>=0+@>UvAx}>l2@%:z./*TӁNjR -oH6O?sZb]pR9-x$"!^7c'$Kzq-`D(󂥽7}oc6%E%% ]"[ шLQ`\Sٻ{<ćjT򬧐pWүTkdnR&'4Y4,|| 03OC[XY0I1v E(,\z(bR 7+Iu;6ܷskvC@ l6RR*ά$C tѵO8 U֢@v4AcI$nXHi!HV@x~(y.VՎmDZ8I_c/">ZGrf=Z(gM\g-ȃEc>6^0w ķΆg+}i;K`BR4կֱ,6hƴm4>3~+ UJMAٙ+4\ akb9k R =g.Q=3Jto!Mҍ/5&&'hgxU_*ϾƜPkHn_7qZHđ8ɤFMYmߥeNeCrǜ[ގ^gb$V-o!RFrK+_u C]HDg twΣs؉>q🃺AN?lۼm$-OY-K|Ոug9g՛e(bԹG#ZM' xȰ0{ZxЇq]76,=y>{#B.e" mZ9`}45 #>_F/d\gQM@[fnO7,XG.j qQlXEc6!EX1A{MKLV!hW5pp1mMGdJ$ta fbM.z]焳ѪY>SS= 'cAwyO:kQKp5,Lc/,{ҷGޮ)۷4Cd]ȸ Kiҷڝ-M[EɆ)`wos"ɉ ƾgaiyK8MCD0c)`;:~ne[5ZBސ4hDjL\AȊ̖b%?ZrvpU+K҃YϮFLFE zUcNK4O_+zp d5D^kX=/h9ZL?\ [${PWz#vqEp(tU"Yt|7J tÕ_0ɳ7dM>zPݻ0IGmWH;7%ȧĤX*ʼa8< dYNb_&[EmzR+p~ bDaUt31l- V@% Q&zr"5Ԧ .2}GbGa->3 gJz5z"כtY5gee˺suS=*J8O.P-#[^#o8%mEY P'^+p {>\^g#`e(]% Yy~r^{x^JPʹb}\#QuƂDT7'avC%YPcEˑho1yX}k.?vݝQ^C`+X],a0Ld <- *Wv?,r-ֺ0$N_?D0sAyP'ռw@)Sؕ.> }guޯT Jj+\ (̝No}ɩBx݅n6DѧK,Wj<=k"f2JkQS,{ cPӬT/T%^J?V<T(R `i#_GH=Yﰶ ^BL#%2ܻ#D{&_ج\rmCwOh#Wj-#eNB/پGh\d|%,\4cģ챠McF05q78y8WqPWPh@-Cbi/0/*ubWym=rQd RE"`9U~?v.;4Դ(_ɀ،Gbshy&l>l KQWXRXBY`V);F =!Yt7_UI4hM'zMϤd)[ÿIcŸ-!e1<0fVPVt_[lgvKjyͅ )_+|sv J=Tw&ŰȍmK4 rF39q}i-e& JY7gwkqX U8mP.Y2(*$Dg|%&UjlYMйQm[ :RG:Q `mv{$c4"0*{|dמ󃂙.݊W7`s8- Z[H3.|UFopO&lk(/#W}I G<#^;RXe) }5iZ`fup&/]_͏Ͳ"kD4w \aB€GTU|=?n|koSњR#]'As5P܉O=n*a>fN9Q?lY49L~?kA~gl9.~\T ]w!xp K3CԐAǟ.T/O!_3B6|c<Ɣ$&-3tJv]9%׺֒ yF[˥ Vk&^c(j($}/IȈED%HrOW4 vaع^ƿI"(H!?Οx9<)l&d, m|B - HalOgZś>Yobvab?G];b`KrxmQ&k[Mz᫿nO/ז3z[SP㞒E55cKx oCG$ދ^:xU8 0e$|~dU xM"+-wZLཀS*!q[_qO@$ dmdH2}V&])8 )O\.w'MҀMyDSw~xX>V8SMvn*+Ga%U.܀W z E=LG8愈=t8'mKa@V3 * 0=^nG2SRmg"yY1O6S3s ^FFQe VYoגZg$GחPKLvvhBs9P,3OZF)cz؛ἃsc냞*C;YƏ\Q'`˂]H/{RՐWBj9 
MQ/Ea7\xG>dE}Cz^Zw=s=֎KIq4' R?|WZ<:ܿ*`Nd^0?; U]SkcT_4$FR u~X@e ʮՖek-7kZNޔDN*n:aTT)"6n|K:.*?;YD@j&WWWyį/1]FѓK׮^IoeХCns)$T+""4ߗ4:̀c,_ј@כI?#itVu?["}X hmP|Ss#-hCFP  h/> ƉBUݠR|B}܍jKlφ`i8v$vE  [se(?l3tVHڳ'N[U!K{3"t&MVY=F~bq]z~T0^urw 1gmPRhH|x.Nܤk 3X$ Ƃk,RMz87"%vRЍ%~+4ACQN'V?״(Ʌ) Yh>W d&#R=1uݜ_=Lȷcz.n{|A{a^E lwF; @|[:Huj[xEslFJlOBF:1O/8nMrd߫嬐! qcpE;ZADpMFDJ͔ *hGq[4K(C,7wH+8+ CbK !ס-z|L.nD7@ ķUd,Y K]J=ɧ Kٴaa4ۓtp*wS"7W#Γ5 Oݳ09v chɜL49H N]:^2r _ݕ8KڵI|rs@ѼF H32$k5.HNm9;uWi#pp( %VxͣJ(`-괈fws)2ih`\L ]/dZ` PZ,T-M&Y/xtȜWT.m>(k澠omfUpAo`V2rYD݂ jSهs:Io&y% ܪ#>b<\*_] J#*X ;$x{ f[IijEE'6*Ƒoogw% ܈b1 ¯q G~kSN\Ԝ=&:'Ez=<5 ]zʱ> f:oL/ڐj6,4 IeTH,D)kM+!AP>sGEǶa`de.?.7cYJ__5&2 > y`gNZhgTmœ˕L'Dt_iH$?;<-n'ZK]FwTxb 3e9;22 ^@7|l=q&'x+/Ѭ*)asF~ѪxA(lw4a0/q&pX5D+{-"Q&c SPrjOnuR~aVˮq^RH{d `抶 P$ۋw+; B:)21Cd%ӣ BFW@/v70jEUml>!E&!p5Z~%q;r:Ȇ:VzC%{($'>mRO -`Yoq# 3WAUl~/&#|T6M#wT4tktoǔ Dd*S#w{MߟUt9+b㻘>sQw:&'zkEg%a#|R[_^H؛Y\-\.n ~H.W7fb4Z&DwPOg38!zEe8 jR:o$9^FF~rI*d9ʦf5y EWХb l6b]ˤ- h}Eı:~qrz7"dblCrX!k7w x<&wH绪٦"bnCn)\#,Hgs'<c^x-ڮ%z,T(,3>_Sƍ2e-(B-Lwr͝:0Na_4MJBXm1Ul, -u5ƓS>V'kR?Ts“ը}R`/<#=5 +4#N?>M@Ѡ+KIqt/U>g&Q0B:[JFPgsh f'jD7(Nd^VtO%BNuSx{u |UuA4?A]n;ijmqMC2v߬x]l_ 4<6;s(JqT,^]$j`g DdVaYlM;L23Bl~gVE_'dI$W9\yh[/9_Q3'y]pl l)憽G`tb1 )ۂe]F R }u2;łύ[;_ЃV$ ]z6vNJf rq[P`ŐCr\~Er?Ot5-PQ+j 4NtoO$fJ\ T,~^Pxa/RloR\HĕtnQGO)Eˢ;R Y8gA? $[~S/@%r,EpDT^;²U F]sC&|ܜm݁kl؏"D5Tjݕ11tE;J7v ?#qId'U΄v"U(pns`MWvHۈS"kp.1C SARϹ4j}R@a/bjI737&JZz?TO*"{%kRl9 'dUZH|NsJa $YEXf_/N'h'OW "@C#INAopٔ$ 8ۻTd.y' P^ǣΝ[G3LڰJYx1 הּ%%\VO̬:/8l}cLY&z kn KM`?TO-yI2 d~&6ܮ=_YJAF!W٘odz}.C pokJCנ $g;Z][gH06'Rl4WI| .63=&8S8itV$G=<8m8}/SHjT&٥7ZMKWaHxz_Խ)߬)v=4·6PMJ1"_IoE]sTc_ו^vZH=m}9;ː2YfF`]sERgf82nN_mϹ .NX~:,nRnM;Ҕsit^uM&xkp0Zxf*؝qW(il9cBDA@*oF5i>Tpcb 6y3 ^IUp|*/-{O$EQa*|M57`g-x\~=69"QѢ8.TsaՀyOcX{I5'B,BxCE/ozc,[2S|1<qQK3l ~+?)+čU50 7d0/69kN˨ BV3D)m;bvYAytv\ eX`˚Km.w4'^ QQXnNmP1#6!s! 
pv$9-V(0S: i`qs+ qF.hph ɟNGkPC)!DQ3uz 6w| zM ÃQ8(O+rUL* ]= 'Y#cj l^'7/:iO,FWzu/ .hwLt\Z(I" $;V&Ugcms,uK;)k?f.ԓ_5pt[M+T.HL}~] PmǒL=vntc\Tu)nj5WDARq˛ !٣9_  lM/ `4 ܳduҡK 5{kg( PrSKC8ՁG28,΂n'Ӛ#ޭ_I0O5x5rw::/bM2мV¡r߸#t~ڱF a(*b[C݀Ѣ-jgoڢBi::e.HY_;+t+g畦#VU@:K]/sW^->&.*&G5LkŸ,CTR.ل433׺;) \ -;gFY7_A0-M-n-%%o[4]%[W֗ {Ljyfn"YmΤ Ň/i ,ܰW nۗoN}wxӰ>s\*^qp;%OMCp`]f$Π02ˈmPLڲ Io;7"U?Ζ8O&5T/S}tc6J]N~87Z9? e^,LgeNIRyQ 0zfc8QZLK8ܫ\qZƩ՞//1(B\XQZ並nG.3*e. {f-v\+%Hivu9ؐ+ +X6#QB;CAs+2̱2к5?́v< g(gb؋6Zudr`Pi7G<0pשXm|ɬ`uOĨS׹h@☡< BV֖0L.M[i@|R'YÉVjjE3E%󚆖SGlNC7eh _ygڕb:4f6FU< ,C/~J_]хHI07QSu),ƣ:1íCiY7j9bR @U$۪))~a0҈g&1sKe1C\3 VSoM"lV :ʔz{,hnMv2F ޢ"\!9x"Kr눕Dߗ lV] CVĊz dY'i+n J1 sw1r6L}KN0id5 PNc;_3ZHYspY)B يg'[6S7|6:/ ĩ7gT2 -@"m\z* >?-(Rzdp]6&dwKe)&v^J) N4f5/:"8O+li꽕4HߏP>LefI*)ڶKcNhDFsybV"IuQRH:r.!ڤ hX%c[`˩US y?={_0ţn%2Q]M]^dZ`@T: T(h}"|WhLYO_QFDY5"PዜtB1 6-;. 2ɲ^<+q[B[$P#wisjISN. ox\(㯏[~O\+ڰ?݃bD { Uc/ QEw5}&b3Ԯ"@ې]>ct ,@KΕL.[&^6*foe? LxEFx,J|DceU/`8q*O_"?w@b62*/I7m1 tsO-f𰠣Pݱ%b&-ƥ'=\OOs.V;߬p0fU /~FiUP_܋̤p%ɏg_mzETp򱯧7Z ;IR5>0U mFF&ܯQ1fkN2tbܱz+jP2*9s@uz2zE1OB5~w!,vuB.w@N]kX%m{4U(xq$P3_ D5Po\,C;OLW{/6hjsߛY'O<BxZ*{CDnɚĺ4MDž@:vi{TjFf 6C8Ij; u9LYS < Ug~:fAX5L.\kjnQ)).P@ry@Te}$C[Hun7=IPngغ%kd7U1Rcz5u4y=alqb0VXum.2˱Z=͛^:Q ,5mIڙycz7/5`i E3E9[ 3GﺂHwm( +{Gq6T[p}tG%a>V#x?=]ÁGٓ~_2h{/Rr XKX^ 6r.<鍘 Y6h<SʺyO5ǹ(~&oEyR#H@+DkhcbP@45]Q痾Ef^Z:PrqK'j?*fiFyT@d‘13H 9`mPSGyOV߅s HSR"4# YbzW)'bΜ}fY4ГuZMƯRX_AEG#EN K~@#Vʜj?mO\ˆj٣&#ihw1z6i ?0@BqXyJ)z0?Z=MEj,c 5/9LC:uP/HO&FD-rہX4B3I)"^l3 |zDXf-.3HFȟVk8@&q. joV &R^mo{k԰/@D3IL'B]Q(W,_V`G%Vyy`l'_C \^<$f5 ٬o3QlTwGD0+P+umkcD3s{lLeCNU0PwIdK~AM܆Wu755UP!V `܄Bgc1G|_Ϳ?'䚈Q:zLD\Qͅ/CX/)X# q``ʐ&La<8[\ULG4jx1ēhUCL߿020r>C K_Xzf^}# aolH L)e (άez٦w|G> K0v`-ת9\ g'6^Pk捴S.YQ'B˗[(iVQe-rI>|m@sY' _l'ЩՊ$60DP6~m6#<3QIBd(:mX*MG5%;㠁~FxHe$|:Qg!=ˈ2 Ve ,^5G&?TL^-77T`?gI"a5i8-b))*Covz.4^&HE^Pr`U fE?,ʨl[GEMʒ+. 
3k]^78ڜvAaw2Hk: 2ꛏs<{2 *K)z>w>thjt~3^P]HҧbbPEO8<gj.w-|^@HAoODӿ/E,S/g,,y!=[,+!R_:c[t1@: t|R(O)[# w'q\);O[q Z)FAEz غ$7LܞOշۜo:e,>x.G||'?.= JѕLx4Wv!N >hz8)Z8!#l8.;E"/ j&K}cuv5Uށ+αaklWy sQy l3K*]DS=vU&qVx>(nYj4ʤN(-F |AuCWxNe <V_}LӴon5U8j{V\hhIqT_+Eͥ~"EEDGAl mZY<m%A~xo?GkڵgWT%Z 5d-p3y7(\4NpuFσ#WGѦ!g]sEGU{ Lo(tBv 6|n q*V߽;-PsVL FRV yØHi$.r7q%!@V*JKSc! D J@UKeS.D.70FFfX\Xо i^z70Ud,sSܛ sR>|"BXpO15Ek; ?#"`Q!h|Y,i(`Fƍ9K텡ʢ]|ʼ<\ࡠ68l{XvBp6ZGol+F)[~KQĵ+[%h(dl3Z@߹#XhJ@PξL<` aN1d.tfnp!x!j=GIҴȏg]$C"jq~1<nx)p#Ri4<bp92 Yw勔Ww|hjuuN B`|BѾwKBg:utJL\R+fW]E8&Վ6W2_?Kϩ͸m?wtU>e hu_෨eJ H XUIո&ԑ UZ }y`p/y2Ӵs<6E̲=sgD &a toO1s,7hC9j*DPp:6O:{q,X3V+dzFdzUTJHL߸'<,B3|#.[W$W@MaI?/w۬]g89Gk1PFqRO&=87qNQI6Uҟxaqq(32arI4VGƋMD+n %oaiRa#(. =Iˀx'>zhP:-621,'Ո:]>Y("vio M*:9c=J?]p7TTVny'Qe֩0epv'ʲr4{ @ưͶU\֙Mv7v4 -X͏2.J'LK&;ۀ/СGo\!kԊ  rC{@Gdp!!pY'-?u"54hje&Z,cm80R6;Fvo U|-)}a4k>\O:I} BDoEϞN,6M;h)\De$Ij!I:SC$qԉlv)N_+)űg*vqZ~CvLȟvkkԭ:{YZ®5t/( { ,sJѝVQ3/+RFSA3+p>n|AUK+E6 qHn Yo$Tr>FHT &葜f4CEé\1= .Kt% 5ޙ\#p%Hnl"?6E&DnsF{XsT<y;jW]<uT/JcHD7R- q]=*ȏxisgvt@r`_dޚ xpGk࿷y OgW=yѧe&s/̑6. &VsןlƵ;V8YG;mXꑍL *⻽"3AM6PhMlD4-uysjQ5[+צ*Lʘ uN +M0%M٫5Ea8N13gu>QHף( ۛi;+qܸ40$=fCʦ&-kDyiڨ=_{dKEc0[?aMvBCbUō=iHZy?/c'""XWf`¹bW] D?J7E,lE6}()fZ.@ t>Fѕωio CYI+'P]dG}tĝ :5K0kX0 N~מ+-xCS zz Ekj?ՙ4c:X\|T'c7~E[HdO%;{ Hle]D.:9<0\ƸQWy(?wPI뢮!vG!L_v v0~P9JvJL QzG O4텀-1MMUrr.|5Z'h^HxY bdb|F6P<D"?JiE3pvnТ#pcMeR2ȇ#3ҹwo]/ ?ߒƵ3A2gQ\oGl_̿OX\>0LyH }8*3e۪9lzmt|RYb4ԃ!YsW7ޤf! 
9^lH$?w'Oz0x SLG_(v(V[Q xdSmI1~"K|[Tjd]hxmmˎW{^|fXS*TYsJz|w(r68Rwߢ؅z6TJ)ϕƄ"yM|vRDCKE dAAmi'@xR<[L rň]gfm9v~F 7M1lQ$-S MX#k'j̱l{K++,*;'>A)|[d<z+bv|jk-YF;TR$1NuaB⹐exzf0z1 )Cokf/9NS-Ͽ ()O}wdQTZ%e@] :`Fe,,ӵ]V&Xj'L~Ln'~@|_} YVRx&/vcg2h8x.B3x|cx%mH't}1 |UOq"_J ggYav)fɇ$Xt P[@y%oY} ޳lZ6?:R~Uېb ]AɍjT]~5d R F5fF8tp3^1`kN/oA"2=,u }m|X_ ҥˌ$֓o'L) P4WHHL%DOs>_M,ۡw¼f7hOW,A&(e4 Hpq<0Nڼ#q6d3YeѻM^_RdwՔ\?Kg̏˯$_gzgוtʽNɏToaP 7RͪVL%AM*f#:]a>>=qDy*V߭]6r{cj,yʷQD*X9ՙ=/ӪL\0X,n+${ݺ ӽ7oieأ9%ݔŹ<ngz\ALkwSj/ GS4--L |١ir m nq}fzeJ*U?H~?5Qy zA GBe{?܄XvvYHYQ,󴌦6眸h "S,}#tQ$Q[P@Y޸tT]ȌЖmXiCqNelJru0U+sfi%43 }*{ccyqA0lZs0޲;f-xB1*PtЛ1_Y\Y(ߟݨyDž!`QeEֺ,ƴחix)Or x fۤ2`8uR&9>\cf ic^Oi15ASf_'\ ۅ3}N)v 4@JCsܢ /Vզ~8Cb9[ߞAѡp(RKN5{WZDa.VONvq%xoozhV@<+xGjgrz*K('v.;>H`h@9̫|̀:0'ׇ*~/{mk:_%㲶cpȄ3g̾CnF9po/"U2!V1q3ZmIbFX-h[qLP>K9!OdjN.'pZΣ9N9u@]6UM@7HSFL%}-r8?$Y1>@-&%x 37k,V(! >o*"Nprg4խ-wH$nxWy.n~u'iT]= 9Ȕ鍤ܷ+GCZ7h ӗDA~1=+a_rguYim'``JLZYUDH d@2!%[i+2QaGQl:B0W9fex}4,QȖ`ۼ`[ JּI&MtxH )kz0ob[bsI%avT59>xۓ5I7`'κ]ti\Qq4KI{sRwT:h QdgM_1 2:ٲW蝌V e5`0"'v/d[\Y,VH(fE!-h%p>{VN7#2=:XZC,#2:{YC:|UcBX Bc'}"ā&Z:VοZwy jzp]Rlckjzx^t|IOktӒOmxC`T?|ѭkP6it LLWRrٹz'ԦFEY3˧H7bTߡa=O9t틉bĴ 7ϑClǎV]N%d( R eC4g* ʕUcb.5&ہȆzք}xK+Ws!j0"CƲ*. 
;Ra2R`I}Q?:-l-،\6l{7?ew)2=\U hd] TCFf.Brs te\eq: dX&ˑ!VD2_p@u<`o| 'A,j)JC(@j j!չzv!l8.M* wjX{98QT'A:1ܭ'Q< mTP4HFy\)Y=A=g-' wnGZDĒͼU׈9hCW{3j[ [aZ?`~Q|@YIGHМ,U_7&6YC-idCmw$p`Y)U/ޞpϻ/:|Lx!S˭c/cK*58[NL<F7\B6楣ۭ8q=oR>D9A^W?[(0߹`䰬U^q;ݟoپTGb@!R q_][g<(fZ?y {UIWVo"/ا =Sȗs thDx #!U@Í9"bk{TJ<^|SRQqQO$㟖Y r9gܯF8+c|?8UYXx=Ǿyx`A"1C__agݏK!akKt5о"gHzI=R.PR'xZ Xd4+t+y@PDsi4ټ1&fY>b&y4<,?27B bzgP҆S V;"@_B;\<#9۫&Qė@b3\Slv3]P,ޭ:K<z0mN-_χ* '~ξĖ=gϟ8HN(2 pI-`"lOQ=L㈺;8ХuO؉YeTvڦ@i ?rRe(/uDMpVi+J D\?N)Y\f$3Uxfa؛`aR%9R,=(UE0B+YJٹ\b؁!8@nƄeIopYɾD++Ž2*anZٳd,o}=S ƃ?p]jvdǒr=Qߙj$vbޓv4Jbtds T Np ++x%l,|&_zNN(!`,XAB:TJ OqNvLD*u }r|B`F{gT^2:҆5wOOYÔC:׈[}p{U#'^WҶo.flfO0?Y8b N#{i##֣ xU q:ڝR~#8P f9f$g x~a{V>.zcv_E8)tV`xg.r-Rdv@'TO0//ƒ%t5|s&)eExa%/bfBYL5#)I4#CBWIvUEP?17N7QF oE<}Y9*pF ɟ-[ Zbt/3ֿٌ<,TW‹t礀.C_tr *b)BOϻH/{i\ .K7i2ډ5| 7;N։h,#359"]Dqݎ*79Hu6sLN&Xb⎐(] |Oof2ϩ\_+#sxxb~ {b4f@gYĉ*y~U EPͫV,@OwIAFxJ>]bH|*/c#G @#VM0Yv]z~{%zZ@ udRe6oH: UV4l 200E5r4#I0\nP1er>kS-Mn"`d _<"/$IQFiTZ\#,J,yFR1S|Ǵt/7\ _sNiQbs;>w@OX86=Nwc G *Ϝɜ -Q5tr,kf{v]}FDvٳT&5`iN w ,F ca;<q VÏ7/m,-Rf&7lG])Z#X:\-Ijd-u-~ -@e6XP ~>dO/".2y1=;㿑B8cle=tI&;;n$OqݚH֥1 .Qh /F^ e9H!Gjϛ}RVhQ0Ws <(.nlrKC> t* }ٲH t7|;d{N^e#FP;}%|t6=ި 2K-`Qoi4$&Kgza#YHע0?k%Bkxl"0f}F㤖aFOMy8d3tn7|dt*N5 &讼VnS (󇏅\f2J4yʹ5h[K3o6xCL$ʮUVV⥡jgeoqݠd$P}{( I( 1{АbL7&lQ&yJ=AyZo`$D^2Hʮ@6yݳv@w|[ D7T,&..z'3T6#KL_*R$+PƜwP就8U~o$:Ur-- h;?I ܾrz2˷@[PtBM ѰDF.-Bi7Dw_Xw YkųeNQ7tR%7 c\CL^3Fҍ@h ^h#))q4_Vop ne1,j"^ӐF. *Ro#xѥ 'MXOޮ-M-; &5_o2akc}p}`gRب#*ؤPP2@B8l%:Lo+j_U7i~ꋹ5*e Gdquf! nuWA"3^bw;KL4F`4%q0B@PDr>B7 f!]!%vjMK6լFi`5&0E`7:_K-Vj9Ъ w^k!}; i}/@lHٟN;A8Z #dbH "EP|Z-gyc^MS2E̋um]tujTՏ.4XAԺ>b^|+m7̱ zPڞ4& P,tg%3C~Al GF}xK׆4iKp!R9fn%HAz, yɏTtM%Ўج+0߀=֦VZTITsV\J|B{C>[G$"gXdB&$b7naJ<z sTș"|#!jsS!>.=a}χgcu1:lehO#^tZ5{)ʥP^\Qwt@S$-Kd7МLֽ=S8% ;O8̑2X{"ʗ?gv+9-Ř"VP /A}P<*n3Ь (V8jT#Lä~ˍcŶe@GfZo[8D|! 
)>> U]mQ`G1~_XU̪gk_>@a(!j#hu3磨ش-{{D6n;TFsk}C}rqٞ嶺r=-ۉ|saRN)g#;U|ї!Hkgݘo+)v X6ژ(r>L4C9<4zf~oFN״Z=r$Jk e1]w­3Y{eKw.WpD5jY̡\W9tz=TKN W;>MVhOxC v |Q'1=.`?gY-Z0?Ii t|v lzYrB/՜݄1dW]d]6#bV?/c[t%@ N$.g\C|PӉӘ ۢmW C a´e/_ Tzu޷f26"ei(bf#'z> YO ޯ|!ЋpS*GVÚ Qr]f95t|tzLF CFE;-oQS roU<ɹ'&9^ w/Bzˌf G:H>\NX@ {7~RƬC+!MU.]eM sjg9<+|"D?DR6PH2$(3@B8!1>a|yw]0"c "|ե4)߱w|Ihk^ф V.h;Uřq2vo`K *?Me'1qDc44<]4BJse?c/} 9;;^/yc7ZY;iJI{?F1asQU>h*HP8H ?lDU+*ӧb j@nq;ʭ4WfXt~䢍WNJMjGqyvbjD fʓV$e_ü]df(Nlcze)`cMu$ͻ]=qI:>OA?]>":މCl x>:'J^0>sݏSs׈,9МC@E^aTcm SC>Hcۜu-z=2p5ou|y3NG1 YD֔ޫ#Sgzl7mz@P!V;3o0^wJ9_aS$Q֎[ȣ(jumŗeD|it| 3}Qjrk C4 BZ%gSpJ+劾3cH6M7!/ؕcuLzc=.6 ˽]A{"f~ ber-dၛP4`3X}8s⯌=/c<M6mċfyvϪݯ0BZLo̓La.Ε-- 1?ټg~ޱ PRMNg '-t 1ZW-o@z*s7 BK M#C:~ǧH$ScsRj$5IC _`Qoٜlv0z"vЕ~$J>}IfОM؀Bn>M{L(@GHvT:D,BM6ss%i)S[yLAj6i蹂<٧ O8#I֧Zw[܂dIt[ù"eMG]Ey~b_m]:ShҥG6;H]r}#Mdp7?z^ J7ÄW|>) ]nd%|_N-*bS" ԣ(+ۂB>܏f'NWpR5v]5#A^ p0ftb| nY&A+.Ss#vM]wP Pa ;|vquwN`{b$rP1ɯ&CT7"%_>QW"~{4{)8^Z9? $$RUd(_#)mŰa&]>ҙ.,8i> *X&h4=Q1)EBȪCC\MY({PZ'޷\gЍ#0@~i0^+4蹩`[ +ir}JyD/[S 4O]]MAOh}帗̚7p u֢ Hy]]1$i 0.)(@l;&#+Q1&U)gފY!Vf Mcwd$Us0#O@=?f5w6֫xӡ}"bVȕbb"}˿!昉"d GߪX# 9q/= Ҍcm/}d%]q\Q;_ȜkaL'LUEZpS H9Uъ P=&j*Z9S ƳE̗QxؒvW;Z%T^flLہCZ'Oűv̺Q#4pD4H_Z U!&VR9g[$nHZk6>kwyY<;ҙ f+l5u}3j nx,FT }#z{&0fj#*AG).tXuXn!Kbs0jb-2cKDuAhSQx u; e9j%$ܹN+& 2f-=kX#U΋ qlT~/.Eɱ +U\Ab/i$z 5 TQڏ.H_Z{a/w_kʞ4$܆!T'Ŏꈌ#266 wht?(.ōhaȞOPR^bl%'u܀ijBƨKޱ,@oyzXF>kY0×Mb5WJS-ƫf{|kmrg)+tE\8Qi)8GdTDlԃ"uS x*CP5K-W,=r{ϔPSc!ڼхELI]<=2QJTnƾm=EIi^F6F =lòF4ϙ8&>;i.h,0Kk*Sru+񊐴Nә(d¹^nR#dgLto&o\^,$os6H̭3~'SD]Ȝ } #\?DOy;Pa"3?A^+p4(e]c>Xl;%Ő-(x ,^_ Y?yF%gXoDmh])=±y즔w,_GQpfENް=$|M1 "eԝe9Wۨ>s9XDzābKkR78a!Pdt%RCNȎyMKkqI ^.6T4grdw cL`Q>0-2H>=bGD_-̯8UMASSרRGǣ -ndIDG81( g,hGzMrWy*zIpX6ц@-K(:Klk(J_sQZ'(87ҏDXv&:ۏθYL$8֧ؗD ,1~APc5_8=wU.|1y@s6,[\GTav_̄ YoiTz.' 
L?y$8Co`MOIV&$|UsoUM^.F9_ƷQ/h 4 "qA:N~;vQS@~>uPFЙwX^4>5m )W{f,Tj0\OSƨ ":= ijxb*/xS:(g: UUo8wF#JK+ۦ5i>yVDHDS[J0=RȨ߀#A&7y(Vo*m64_/e*%ZpYCYD~"g?,e3e`g\+G.UAF0HIWi{gVq=7S3FJA!af%9ɥ)[CzztϨjrI tᒯ^Bu}֋}l997@ %`7$v{@wi=9M[nXA4)8 @U1Mr†l@  ,ycGxg I#*9 ~%DX3Ux+*cP;ЊުHݬ5iZX䡮/VBχ"Jրٴ(Pit%Z(Cwp- 3-aj*_b.]#=QOhT cXjx_62Ywi B֗2>b'ڰ,4F:gbm{O s61 ͅqN"qW_1~219 >?M%K4y--v@%DŀwZ -5)6Ws:⬴ ϓ;2E^7Ʉg*e e$n_n;^RV3o駇v Kf%&ݓAe Q`8/2jC&,rN:6V(UBl [I }7cfolty۝r͢}C?zr+# @9t( fܐtgڴQ4eriT?grIœ{i_dW؆Y`pG mn)-eԋ C,fN uM J_2L-Qh/7Jko)kah#&1C=Y]7-BFqAR2BW CDopix%IRj17GR,87RwN*52i&$x}mi+(z<̑Mf֦8+S% JG Zڌ38~fdb< \V4, _,fyP7G$VwA &&a>|2euYaE9`kR|7ZD 랇5H+R88F}O.CЊv p}qm弩3kņ Zk)Uʻ\C5p 9Ҹ)$K)"rGi{p"㵕xI$$dc4d{H7CВU"όC ]ZzWwm\ܳ7F8m;yBJQMjRֵuݒF'l;va;`C tn!?ܢAe0nBːLJ=4Û?][u9_cRc J{8栕& vA|g.aݹVՑ36Cr*o?c>,_ߍj6}I'Ύ J$":vj֩eZ UڷlmuXLR*A?ܡLFǡ oHIc)iH)k%#Zc S0:oe}En\CWẗX++W2;y)mbگcf_sjGHM_7?Dog&\X:*ֻOF ܚW]EXU/>T@@,&<{;YHFT4qAv>m08"#& 2Jó,pkלwvc R pss}Z}UojJkւx WTX4۸0=fCr3Y   "0lpcAb:>\ Hz0z'qgdD b%?ibwU1kZCssת/i)od[fpGF?xv8 rYM@ߘuCg)0b0潜sgrʑmB5xn4|-G/셸$&0Q{.HgR,jGv>^Ovh.VFх7K;`#֓]y870~<£qϫӉN(B6+zLJ'p?]d+THIC LvLj/(_B+P61I<J|HƏzڊ]^׺Q}a@$ IOj~@Ո +x\sHr@$s*ιyi8DN>ALrHmwRi2~R|t5)U? ԃZ>~*([[<P,$>õPb'xǠ碑 v5\M_ZjK4iGdCIXqԧ9e4zGu`Ơ_H9>pٵ ~ǸP=Pia3mb>-lqABä=ϟ6xC}?EI-\K/D/,S\ G{Xs c#+tѬ]rz6U]r2n:&|E*b/1a(ŚV7a5vʟ$/ -٥a/ZX ñ=2v6,/} VܩD[NI57M^~)Vx#!w|qϨV믶i25 ġJkW2B[ÁNjhfF<)/J}Wٹg$2&Hb\~\B6jVD{Os3mn~q,,i@[zp @"cægP.׻!&JjДѫ!+6X品QDٸ|((0Ç- > 3f /9>Ѕe=3ΌoͪZNlEp[Y`Zv2WݠmKH_ӵbmyow~>Xu3VT4jywߌ BkuwbDNkb\&+ mUJB @^&Ha]k֥OP$=.v.xpL8$1w0gэ5f?,DJ0Jqkt Xj{ׅܿHĮ ciJLwFgmc,fJb0ԔZ*RTh=D9R/W~ <,~΅K.&`0k:̵Bޱa#u/s*};밪r:o-zgmMQ>j(uNxkFQH63A4)6 r_ .{C5ꢩ%b.qDaޥ 4&iqxLʑ{Ȁh7x6&i7l,CxO? 
0N-,$I>ɉEYp M"\K :F1#ŘFD`z a0k_}EC놿@'U^2LL~[sӉ8Mצ aY_S>gijLk KWLb T3:ᬦDUv`'+eS]792צTK ^6 PV_tvkrVvTGBF"T,Y?r/ "%kn -W&H>jpZ:~BEvc~"_WVsP}3X>]/HR}Qm f_'rOK0,•NݵLT,A EDO=D|Zi{PȕNO`X]/WB(vAh 3d+OӉUU 9zfVBG7Fk6T}c#>䘻hY-ʛ]f6p ;YiuioOeGVtznav^rtjG<֟gsASva}B?NF!xm<~fS X͟F=q0NfQ2r>{K| }2H:qQ]ƂAɻJ_l #Q$ ggzWX\{{#t+*jK1?;M4jqQlwPwϱWw!5Ofn|o^\f!*D6'z (y} :iݷ= k:'(^C_n?16ZH=IU=Ϋkax#CmS=ׄ X0Imθ* Iz2 7>!hl*mM'N7 Yyg~S.{0ùӒRo4?n){G+ŔS5]xxpIOeD%|&ȪG +BW^ 4g1C-lpTv$z[VGsJZep=9IPtQm?1NX9S#6t?^k,vP|+?:h.^#DUfįߟ51#},'T6s"}P)TVE.5G l5g$jbbՓ -4 fMEjcUxRpm;{QC1g4s{u7sӽ 76!;x$ppϪ`1$_p1  }F1uL%.5i-[c^}-,dCWp>bƒ~"=sk#+]ny8(a t-CETuv*ml^(!^f{426EhyrG-f:IaRmMbeY,ƉM"_RE*FWቊ{7*tT?RRzu1^%n6ebl{ȣ{]^_ݭY,c(BT Ԝu*ҝ\tZ[:K7yjj>V[ Dl%؝g_R7 Pe1HLnHR5O2k^,ZI}V `~~Iwl!ȑNI˦bU޾1{,jn8ۘ# &R66%hL3?/&\X}t-J)^*G IPHȝ(KB6F^d9f[_ȱ7r߰ۻue77it-K @;_{#tDy!fqnwZ88[[BYɸơvkgWeTs$ዴ#FE*{I҈N9L2sg'"V6Ы2bE 5!j<4[pKNFQֆGŀR Acӡ7U.},99 ' RV79rY Y>HӆTXkUog-{5#]梁E04k|r2v~2.zÝn#kEZ2qohAqj6%qruin z91OyUlyG-nlc7iDY \ĥT\G6%~c`Y WFUl{⺸,[v?V ݆P |  &t5׾ MfmuH6Sa|/#M؞7p&}P$?ME)\:ƦB1s/4`~z$MSwd+jUXaK.uos7lX"%[҄0NӁê, ~4n6tmeԳs6M( w|aȮϓt~٦=঺X+kaNE5k]"(DE߶tNLV7q2>mez)\Q`T $"֮n?Y[Ƅ$ x.I+DDKƊKȷPi ]FZJzŴ?yj @.͈A+oR=I5ȒcEϸFnKBhy`\M}VOɫ7)ƬѬD ̡c3Fj6pc9A uP?=b`geV0lgHI g$NxL'D)nw LN׿5SXZuXU}dXe NBN#s-qy9덥崌/-:H:>c ѴR-#n f ʦ.pJ9I+Yio KXbkkl)kmXB~a"{W(<`\#A~+M0"Iw.Feî1'G8џ% pt_dxW8?]baC]`8^e@,['jP uaF[YU6[Ԅfk;!2򆤛ޘYh7 =aW^/We0iNHETjD`64W9XEYW 9*lPq,6,_uݰR/~|8M[, tf7_%˰wFÐS%HwZ8ɾ,7nd ;c̀UTz VXgfEdGdBe]2LPTuqZVS"˜aCƁX 8ӿnt%s˧nH,I)pO5J< r5~mu&DI*Ʒq?/ZK9hs"Q 6??l2"pb~//{F󭝉 aS;՗q8KmZy }WkmkA xԾ)&nlJFޟrW258i{_.ܟ"M.Ż.v)5dVAUcp)?`/m$dubPE-Hg+HIPW:D)י+Fo6'K(wKe2WUMS._"|P^@˟4d~Y.9"sg\h4ʨN4ӉFN WcKlBQ&`IuDe<>XIT;53VmL´Tǰk\>"rjnNj6_l#(yQ;3Xr^գ]y bJ E (wXӫ>*l x \ށ?HbBAq4p}-ewo !KYolzN8K_U5P2Ǜ>25cx=|ſ\zAoX7/xE,*C]od`UܝܨtH.&c^,Jjf%#VxRH@~E5gڢvWSH6 *k^Kjwq5;^湇ŔVZCg;S6^e W\ l.nќtY߅<ZTADNX( ?'=$ T2Qpj$ 66 = ļ~Y w{M5?%+os Fn,d] B52׃]Qm']4o}bȁMpd'=Dr:Bb=N ]yK@>.BZ]h0RNP:L@UgĮq_DOv`[ 吝<[/33gCgk#7@xb5@6+ s9S2"ȩD%&J&OȥۊrP wc x2?")m $hʗSe(\vsG@q$bQVX>(Dy>SV -0߶LkҀ b 
jLވ2dl׾lt|KٟG3^t~+NCb5pBwT9еeș$N߅YJGǏc~Xy[~~LY1qM):#?b5!K $]yӖ<{y|`91"nV?F,iwZvexֿE8oѪ8.h1td-@{pHWQ/MUk5#.d+o^+†f8ſ EF"T=)927<1)Ag?cɻ,זhA3:TV (Qo9 F^T,Ÿ˛=KTZ 5=;[D@ O`IΕu@ۭe32RV9K\ >cqUsNz㟱iLm7f 7WP2%}J5ޘ xJgk#Vi[_Ff<ZS:v\=^)*© qmT/7F0m; \yw<ى\w-A;O(d_3_n]RO{Q),}Z(8/JѢ7BzYHO>!!ibuqE/h O a)5%1VBh=&A5r;׼ゾ!zV`x9 S|hxv0ZyI)}A^<9!2ɫ9gJUsO&3}c Y-iYnt}CCa|0Z)T)Aa^I׈<!p;jxEY"7(V KR"0KQ e8~XvwԬk^Rd QOd;%R=0CױB34e#P6#!'ՁA68 ܄n\DOn5#+4,jBb93\BRtWKb%[^N0c\|1;VJ0Q2Xm'u׿ p`i(]GP^*&7!7b2O꿴mF,m>pyˬM"fK`زr/$W\q3&:h6>C)8&3~Y;ݓt#f ֧!!Ɗ!}TvG,VeZH{0{0 6bՊDK G*5jȨ/+yA υ;yn.5t;ρ5R>3 %G7K`PߐD $YnbGKPI%c8J.x+%$M|Fpڍql^05t` u @:=FBpAPJ-iofgHy@Gԑ&UHw,B̸ %NX% 3`Gְp >I!m>w"tO* )E7|p4@~!𦮽@da)*%ăzxG|iT`B#HOc҇PY6A%r#Fp~E=0lqfca6x^~G7VY? ZEx }L x]yfY?຀} F/4ʋĥ$ҪLt T z4ݰg@YbD0U7BL:837on.hS4kChF?G7-h(-MDf[:oȀDDf"$m3a+ΰbC柱:Z0V`;@1o'{˒-tƧ'nDp$i$woiԨުr~h2K0,_wYteMFUkgk}Ywc,c*VPfnSйً<^Mj >Ε_#hX6Ei|Gfp܉a0#99U#6|I,?lyޢ6SIgDcT x,Aˁ##x7~Oy@J3p盿[yGU|EԠq0J;azg@Q%\ײjXxc0/|c0$@{\̱X Z ;}j6&0po%A|s/0~R_w!`'0FDp~ϨA*L :XZե.dr}ej4DNNo5?ƯiRJNpFs凳O.W,)+ؿ9W7l , )ނ!>{*SxQ #`^L0 c腭+ i8U5 "ph<,Vx68#b33̡4P,L&fn~ :)ѮJ9rsFR4Ffzqq/ NuYjq!*2d2vUikƖ?6oșDI|}m8H䈰#h7ǀ?@X<=5alD//*$?key@(oĎqN\ IvVKlSeUBJ*x3Ci%J_dοf ogȄ+P]ֱ̍=p50.S.CKkQIN-ȝ"*ߧWVPs4oj nB8jrLW3U_qA)2Pʍp1p vjIv*+fGڼ RHjW'c;) UGAAQ?+&:CE},ooMZLѮjxlύԫe̻Aw;AÖ_BEd  AdwGCc JBWwDחMP(+om3L]uP z3;:^Gڄ3 9oD9 hᮜ Bq0Bej,wjo5>ݮW0lw2%* 2yP3 lXI423 0$Z o$fy;4┩"hg#eܠgz; RQb1g(.;3yN6+Աݾ?@yabs%+dgS>)Hj̤ kjaV'XePsxiyOt[McT&fMX-4lN9twa0BAbXB=9$ ;rktpR9`,,2P.]P$oQyb:h;- kE<m\pg^o 6tEAEB1M,!)x0|͏U2PG>$u7p3݂JOƚx^v^h%Ul}8&[.=cpTڛ8N_̠GT C45q}q+C{Og6rnp::* CoJ!=TCęDnG/1I|FlH$5{UCAWcus8OaA{fUF.yjHH^$DYLCH-%LN"P5 +E+2C$YǏ-h1Ƿoħt^E8`鐣bv5Sn;pk^.c$lbrolB m~َpEv(vHkl:F:f}zd!iYs[/;nofvYzY}a;ϒwB8T*0~Jp)41?l`_MVUU')˜4-K/PpEQ׵md?[h=;9QYob[9ٛS,]ai-IB D )nS0aiFi aif%je`=*ÉVS `™`0N\[ٻ=dN/8mmG&ytX–J 7<8ӹ0FY!z⸪n: 2s{Rp p>`Gy^Nq-\hDRЫkʂA­;CA_e7Ğ 2 ڗ;<1>2q7_׆[eed~^9 bʮ%vBP u =+@yhWLk64XR-V]PBEe^yqoyXwi㜸b$'S1|b6oS~B䎝%y՝ʧ{ eDw7/0;д]ZT 1"jOO\ӢXO|nAJgqWG#ͧhlXGx5B4Y.HN'Tѐ> 
B#\T4pÅ=b{-7ןuG~zOHj[0[7]φ`MFcc'|觘Cʃr*Np+V½\GM15O+|I @>O:H0ai7!bf3L0P̥̂AAQ#CZhpSQuͰ$7"D݂~E"{Q $7ڭsfA c=*f^ӰAfko|'lYfwQjE,b31ULC{fM+@f)V5P$ű.5;$*8cvL5=zq[;)Tzb">%R8 =}D1 A(~:}`ᢅ݋i]SM Ҵ+ǡvcW7XBnlRmq$,(z-] T\3m 0(ak# li_xnE7vrcw5JzXOY. ,~ OiW28U}-5d|A=7XGo&\x/ܓ9zɅ*k -6`C}x+u&{gC~~iQBʱ~Ậ2vp]ZEANޠ$Pk=XatZS|sü %1f@mqΑS⻼qqҁ ?0lQ:]rzFDýjGmս&H袋ky3^ iU)[߳"E0Pl/B 0G ݚYřǮL5 7fFQ=/Þ{{7,{5w>뒢,ዽU#7D힨И[={ʄ QHʷuEpH (f ۸d!iäo!v0S2_I@3@+c֪ւ~kkցt%1yvZy="zƅ 9% 3o3q *g1gȖPq^䒿UvFc qiTޞo>G@>z1h4"֯5vv'?a#2k'#d6[LO~(;xɹQ;kD`0wNAlǙdAq$M;/YH׷:IXd_J*kD -O_FkW*곳<3~Wi+V9!KO+@ٕ48fxH,҉BpcNzi}p=lmſ8|tO<ѵYn_Pg88=),o\p)ְxJ0 vyӌ+FB8P `[`k~w}kX`rfl*q|VM>ck A} bC! B|[,9[ou߳솚# z+1Rst+r$x$JND^74O 0ᖤpo9酽Nc7BL azܯ`uz$Ѱ4(QH\}7}YHƷQlԅ#1Znok\?mEֺl0Ip&z.?-k9Nmo˛qٮva!Q)h퓴,L ^[d޹t>aoB gV Csu%kfPv~.nNՇaoR0L! P ,Ms6k=N2H5/Q/@ωA~2%dH`ml'v*M [L3#6r'oJ1S&,&ᨅ MT[Cy)P5*+Q@ EX<Y\Q/_!]Ic GI?Dk }]6xQҺt}!zdW]4 >وUT0!9=*IR*U`2!['."Waձ>:2X=5 e`Jw]e`Q+U "Nmy lT@Cռm/NBܠ\*Mw;^({0/`p|E=%yS eg47(u RM*bHv51/6@(MV녇OQ蓮_HӃܓd4ŸC bP؍kmPEZͶ4zFOFԏ kO_hs)= ЭͲr#yv-D-(Ac),Ș}M%XIyW\V=8giK 0/# f\kLO69ҮG(Ӑ\K[M3(ꯗ/O+Ir Ur:yMU|C sd Z)~g̃׈zœ 1Tnau@9Dt]z?>8Z. dcz{ͣ⾜2 4{]/Q%Ӭ9S $/Mh|F{Kxh%u#LS׳Bs8t80Y}52oP<*1L>mhmzhpYu`h)k25'7z!9!Zpu`ÜD_P5.}j?f_+n0Ć&YYɚKm5X* 5]˖dI`cwꮙmalW|V LrWPdr*+fCݻ^a3:,<I9H\0~'M.]Knu3؝[}/П1vT/X}Sp(4o)!ch5{Vc' 'Kizz`ˉ_gҘ^2hyp֍F"C&o53'lVMfinSHi,?+̲"XW >4{jZ|"{K}΍ 6.ۥ֪/MIS,?.'n7]@+Px_oPb *n[6gL:=+R&: t׽+%t.A`%bn"-0rҋorUQarA}=txI8qK)9[Ont#. 'c=͙a *pȞ\ԷĪSCu]`snH%`kBn9ۨmP%AэsA?({rtZW9DƪH!nb[~m~UKBbVj͟~9tHVrj#䏐r(?˦ʋ~{t5䅺2Cwy﯅ϛ$SU>3|g?.|d6e(U,v[0%o ιX< 8-:WNNĤ륒QOazq6;"IxL?Ĝ5q#Q0ԴOnӣA_z@OH/ñ<$&^ sJ avmf E=D68Ք%6 U~hC%D2uou[A"C4J)<} }b2aaiPk,6ć sy o vEjbRj~?Jc7 [b1~ y s" 7flS^BlW(Gv wayɘ2`>b1[ &at?(G4FZmmo!ϙ"bcP{/?΃}. 
M|f;BKz̃crժ88Ҍ=Rl$39ͦCI~1DfN3>4  "!Dk#W=C%)4$H{U 0_xRmZ5ئqŚScRhp#?u)y]&ڡEDdP>x-2Drr99qSs*wu 8fȀZWraغ(Y)$LPJкu4@ .qbQ_UU;q-r0"6eBUTSihVd븇̜!S 0]]OI,*n,h1f~LJdm!K9>2M.STgf4!Xz1DL$zuIjS1Ӫ"γyڱ+y`8t)X@؇2u^ߜ97~JٗwpxTZwՎz/ٍͣwi }2+3J!ϸ)zG;ִ۽rhg'4-Ϧ%GI6PwZA#p#E89u_rıBb ԸJ8r~as,v|]e_LCmn`cI='!YX58n_> Nm[[)Qu-!Xs̱ߍf&6,Ahn}#II*mW&^RXEh޼6(`뛕Juq\- C7R.4a*.BY}-IRx7Sf|,.R e{. # E+tLjRKx!Ejw2~Z1ˍ`:zaCUލH$KMjAJ< dyXAPDZߤR_7 ٮox#jXЬ/樣IQR䓢{ndh4"0NvKl%<Ǣp$je<)#-uѾNL3zgѤ+-y^nN XǤ'ݲ1lj$D)8}w&{iW& d[M@Q]MPf"/E,rE3ٶw>UFR e;h-"+Bqt,ӻPkI5rxؾ"y|đk¨ӉX2;47[nFCwk*vK$kZŁ5M(]H줠 rZ6Lh~t :o a8`@wSLF8GH2a=}K6{EC0i LQs{2]ޘ(q0YL+>/ utlV:̏.~[K̵(LxLKzs`m"VؒUʥ]P]:^Vtgcl_c]z/ۦrJWGeD@ :B[̓DV ;=bcb@CAm[@S56~JkmxX;܂ҐmQ۠65m- H~ED> odh` /̃i2Κ1&5r'a: zN%%=HS3R-41ث7~T H:.[HA^  ]͎R۫>߼k09~KD-kmwύau {T 8;]`Rec<Ф`H b zE?gmߙ,fToش%܈˽UQj&?ӜOEr]M 6:[V@EM#?˄߹Xi$ɛa>Ad>ȻždxV*Pi~'>֏U=@yu[шkg![@xjBhΈ#w++vWD,6MnI9be@ʏ2sEv{?OqJ[Tiṵ {X\9ϗ#^;6g=U9̻pу8-29|JRf~[` (⊲ėˎUAUF¡^y%g~HyyhG?TTʆuЬC`{  qd pƍԂuA9쓛_t:U\ъۃ9,-sۯLÆk85X&BrH!\t܉|]Is(.JO3\]z-Wtz>ZQc 鯘]r2Ǎ!Ԡ80i:>7NNSP# X2lɁ`,`I`/ PX 0\>SdE)IKòCY|ggyD݅j#аzґJS@M 6c;-ǿxD1=XJ%[fr#MLW|0P.DnzX 9$ ;H96IߓP|'XGɔ*~?ǀFkPq07싡j&Xcq29&zHBɍ\$_!3V w}w<E["xhr1 /ݿ4t.̃\9IuBÒ8lx"&!^H|B_# YjVQa>9qw@ږjy{3q봆CFOV`T$?%^(,:zU`ee/@@Ԥgd 1mQˋl-3'to5%2h/E?pDR_Z,z9AˉR;֏dLs߈%;5qRJp GUu|RaMجxqw[lp>a9-kDMT 6vh1kJeTg @Yy<](1bxU[{|gk$,S\?N3bvb|9 k^CH3T+b'^_rS*yc||6r)$n'x$bs1n^.0O]Fzw@DP`(<L*EѠ[Oyͭ'~bbWR=8 Y*(QF-"If54ë)=lHtKW>*m+x!TaTGm~ "Qnqau: ~LDdrp_F!#Td͝ ъuL0`9Sj$B'N(JxΛɿDWn= >M,a`Y`W]{ s =S7$ϒ\U26MiiWnz#P hR< Ɋ"qnO^aRh?DVG$94Ȑ]H]5޻&;]ԟ⺋IObF]l'Zl$$Bۇԣ[[Jf~#H]릐,<˅=PsҾaL^SNZ8*Qy6BH4`4:UU.D/x <E&x;m8X4Džp3kWH"\YJXA%yhn(cTꙸev:X,dԶ< a֗ޡz׵# \"*B>oen} L +?R0!r4h2CAOp#e΁DA{~x`wlf1Ou81k-&O]M!lpyM!Lkz~iK>fԮӱ&n>4uFVO瓔*V>ǩ>,^%x &7':|L/i TeTv$cK󷚠hX'Ad$<ƲZdVi.de7MQtnLB"Ss2Ă9Kϕa)o>mqHLrg\%> i.MV5KcsKS!0٢4S@4Fɩ05--@/plwiO顯r?΅Nf5hPbJ;Nk{鞂 [O-Hmt*3Г t uYLݺuAƖ"-ckj?n<;:>qz۲dt?wA #B mtr5R;a=_cp0KFg4RWF~xIe5N؜vlE gU)4%L;+%h]c+> J&{JQCO5͈D/:gNNwGD 8]i7]\@p?'؀LvB3+OrJ  V6c,/YaPG*E؞HWWusglZ-kG{ބ:P}dʢ×Ep|@'cJr يG躤o}S -C5 ~j,-' 
qQOzisyo#:(;,D8}{}P62K39EV\boݘ8)S |%c"cʑD ong} I-UutYqʥS⢖ޣ.&} WǙRpD6Jo;R荽җj/ޥS-tk/ඖm 14 5 Ȓ;`Ԟ~@Bdamcǖ)ץ7]^:1gS2bIVC\Vzn C馢e٫W-Nx#$nj`ה( rU 8!xrg ʳ)H٪% M6et6A/_'.h5b[M RhF `\<4{{iB/2Hm+Ky^i?}Dz5Kl…H#}V/G]@񲭫m3үKq 144z:/D Ws*+#desQ]^-m} PߢXz稁s1H|Tپ *w i,N- Zbx[PIa`kT$(3W~C ӊ˪Oi^[cl7%ӗZ) Y!hkL[ˡ <:>bUlWj!Y{OZL:WЬbڿ`-Q8uk5& *ͦ"wŹۢh*Z㐤 ~%ueRЇWsw bB۹D%ktvEa:D f5ixhEƟiMla { TV;&FahGd K~ 8@(:3^(WN4`QrÇd~/5 |10o$޴#RbIb{׻6B|ْa zK&b[дrv#CKKclQ՘e()KJʙ`oTt泡Q j@Y6@13 /<;6ojx;8~*fJmh,Gnz&WғVH jfXA2Ioޱ7?Wv@w?̏rzɻ3P9D)ÃFf*, Nn8pZ7eۺ^-HCVN/ sPy{扢Y<0ƄIK~OJ[9AtBGpfvϐ gy2,F&٤=).`ݳ`J!,ўz̵D1!PgUdfkXz 6~} FquI\IL)7eFۄ[p:R04 k+}}\l|3Iz촴#uyE0"AtCglxUo $&ab8k!eilT| ꋲpqY"OusXko6aWΘ*w)qyir~C UoLh|MY1$y5)D!K} ` &iHM]-$2 ёXSIkK~(tEtC͉cђhs1OBɄKe"znDA֧\%^8G=L YXSEEXN2^[%a 8*g^w?2&Yqe0ٿi4ax#z6]!7RoJ#%"Kk1L⏻(*!zʣNGX^A#vhiծUYy>B֔ 2Ioc)|;/s˯!Ze xdjt 2OBBfY^@M~ |SЕH9xb7~OKë}w[DS'=,.>dVνjNI3lRMK%Vj+3ŨT`CÑM~HtGf>գq{-:|Lf25RZW+e&7$*|S ɲBtШK(lhg)2r +0=2=V+dMTv YJ%>F ĥu\槌'KpHG/Ii4-W>@+8qo}]yZAץ\V6EB!*X?vOTΝ?:gn42YM%=V҃'#jbq]2-rIRwC k0'ͣ3}1xs[a=k8#PJj8w&54Yi?1~'z|bhgf}5r5ofQƪJE$GV_%2_2*Q3kJT1c߽x 1nONhssμqNL8\cMh~ʤ1VARZq08WMpχ-@$sjs5+`5WxL^g=v> V} ZYGrRjFLC?ӈ74L ڼJP _bHUzܲ9pW3iSD@ 髫o~-UBOnL֤ͥ-Na5pA՘=T!,&<0βש<k %Lžάl n9{N(9 rN'/K|ק& B9 ^&lP?NoK*b¦HkO@CP, 2GhDH>~X u0{x& ܂ mXL 5k ׎&;ՅLx#㱯=W 8Uvbkpn3i$bйMW5] Gb7zSHgM0`q go쁨‡)RHr1t/BFcf˞/wjuL\ߨ/^4#p\Q::z7Fg x1ycB9_Ouz7H6þ(VMK 1bWp?)n8P@-no$TAJ쫗RzؔVDA1 %x݄*UӚ"μjtc^//=͚R6rl۹l\%X{{?8[p,A]bIW{_q3R3f8V6g\UX|5Nc!8{88E#e~0y2f6ٸzn^14nd1ó8=7s.&),a>>9r\=0r&cGJ!vV:㽔v.#J<͞&HyC;;c+ ||5j48Yն5 DϠpEU y8>c QvwO#}@9f]a\`sO>wT͟{H_AۢLwվDmSG)!&V-'Tvn LyB85cV9>"4/wN ܪ]b y|@-`]s՜ۘ\^nf"niâ"Mi,̠ɀc3ڠHDF3A֗XZQu^CayekX^h5̷3?64[- չYz_3]=9aHiLu^ eā9Y.C+| :g~ 7uX] $\0\[w^'*ņ[Ϲ]ݙ6J2j~Y o5u$[=û4ȶxb}C /}rؠU!M˪hMQlh+VֈRv񪎫*܊Q},>7|~JBzf+-{ZAD[cBP5:/x32W"X˾P7lz1}sbتC!Ѓ* *6{zLż%4rPx7~_%1{)h[&F6B%ߺ½M k;ȘUXn|B1UR" B6WHdr.7Uc'xg a72$XsZjeE,=BOg. 
7A.毖ڶDlx'mI;aM}M1W;sk8#ɕuZs%\Zv0-a0; .ς'?$e-oص K[Hzʱ/2 w?%kɲ2F-bqp9m Gk`4x+k3YH$̛k#gQ:l@H2."9!@ G3wpSJ9oAyU8S={khZ9“xńru#mRUtόfv=Ϡg pҘVUn̦& %eYX :j__.,ҭ@sֲU-ͧ N>mE?.{,jprx[RHzcN3D5ք>9|]0筷8* :T'N̍e9/,'ʼ-i/³8r4 EQ3!(969+:}31Ƅb&&TeZit(R6v[CZ5ylx/f.,b { yru[X$f!s^*O@}1For%ҹ6\``loX8UEd}$zx urlWy%''4߉*'7:'ꔚB.["fWp֭4bo#~IO%x%Z`q*XrǭW9a:̋j<4Z pG;3ƾ5(TsitD4.3(H׃)KNZ/CQBn,-R?細Hy1Ho@MWs ԚG. B7=UDnECG!Z;fqx8ߜ?r){^,Ct>z`co[qN9 q0b.ij.&8vVxw*=Rt8uh{doR<\w"4}FSr6tZmͪWI| c{9mGy r0Z/Q8diy?jP(o^(:??3X)얶h,YY71:V+w>% f0 } \Ku ѧnG<-ݟ ^TiX VT-#vZK9f#*NU}4&Hr:_(*HP!1BLx18:fJyO"O(}ܡ[~E~mC0OӚxh0y[=t?pVPx&藩̛:g~qЫ.l Ȧ4\6"\-S/I:hhL8* sy`:aK~~e2`+B(߀ 0e߈ Sdd;$Ex'8"F2d2$(["fmE XdH)jʵ+<Ե x$`i45 VMj}+==6 w}B4VG;_ Һ~k+_q~Z|/B=HN!% X{ZH+p$PA4룍i߶4SE'{2 ]PF;"{ $RۇzoOx 84D~G_*m|1M;Xet}[vĢ /Mh(LH7?-fxIRJIr"I$^*lHucZlZצ۸ӅqZ>t002TX :àO|0f% \r5wř̴N7V)5ʊܣu_ 7n4 Xܟ0yzM:UvV8y WHJ/ׅ#]REH 3T|]R9pDa@[[OG\?KN:D%̶P֌>O3!}0sTǪ >?- 7!oݓ(sr8|@Yig:#_k`.ڠBQ|:#O=E~(GǕV81I}Ejoƍiȡz!3]s/?a>ٹ< y:$9 Eݝ_i` T%>\ ?^مk"Xbv;݈%lSc4hRf?Jg?lL3DWa[4Gi芖-fzOqUpQ[ N[6Q@0iT5vP]w%ZNDt9 Ξ\Q|&*z^Iڮkrl,P1`_؋/ ?k>bO(VqQܬt|'aj`lQx7q3e|{ibc54?L&/ZdXRp^x+lzCP|r!^ z0;VÇqhvM:NgVAUZ,Dͻ榬Hw9|#oJz[Y_f{8j="x [^Yꗏ{)( eK.S6-7҈1jjgB*eyP#7 m>Se )LӍoRiEmM lTr% jィc U_Gt}G5i-Ygi=5u#n bqt wt&#+d7Li\pE o5OWHu׺by'Etȴ ǥbN 4'p ^j)T9<[%15ɽc?s2x$n4=Btejdp}:u]WubM./s$f{|u9'#zԵ+'"9gߵ L%r!G*i/h%AfqZ)c%Bʾ;I]ChBҵ^jw&9vZw56},YXo2',;[OWv3ɃTѮ'44X8sW|dy<xo֗?3$%"u`$MVYû X#7B"SE΋ϧ0wu,Gjj|/{g%cMPWs`\llB/&.aN&9OR?1ExȢXcbxJ;pHP)d^{T6z5z;kQ&d&eJ8aHeuwO%P-l/K2KdOs!u8{՜FD%br0` WQ}Oa 6ߴLCCc_@hnOj:nTD_x%*3X}j7_ W;ȡا8%|KڶHV\đ`m]& qy[؃!'c~+I2-yG}nq }ϗA+jgϫ`1T(ؕ^ AZ|+<-<"D|--:FwaQ15`[{v"-0Te6Nϕj[$~q('.8ot>Ө5A58sQ*-x$T̡ʺoO=^ٜ@E7j2MuVݧ-֑鎵l1Szo V̖X @uC7A䂐BdlQu)~AJb5'+2eu>\cfI:'QV,; r* x>>u⬝d[nȣk- Ciխ5|){94 ^;"=;>y> vI ykZu QIXBvD'F/gA)L]j(3w[p4Kf~yάB2g|xJX9l,Y)H걋o^Uk2A%dRDc׉E: "9 IHhF8w#2CؙzI(W_Ҍ_S Ka|b@-!E< Fe<+pd$gT]T1!aϮ*{w{34voE%u?bcf{MfPDqֽ ,g藚5gXJ$:yJ43w|3`N+ b]u0cөM7j0Qоiyzv*]특^hExv*LȲul~ܪWDn܂gn'^{5}?cV646]g<94I*Ҳ!,6^ge˔i"iQ οUKFM_۝=17\ s DhRtr8HxB)P4s2fW U(Ĝ1`(/CPWҐַRl8TU#iq*Z$ 
- *)KK}`rן;ƾ䊺)aj1#w臻cotpXx=氮W U;{q*]ߗXS|f(-%}ΊWn؞c*uN{"V=Zjzܓ o %' {P[9Ql ]5o'ղ \"8hUYk IN1w$sNyh\K Yw!UtFPʼnuusApXJ;K*!_ʸԅE&v*f LfCڌC7l(C;ln\*n;eɜo=j7V) ;g= %`w/?si--D7;CS)Gs2Q*ŝ,\dL3qPޔ~V|TCh)k_. .*#`Eb+)N_H]k Gef2uEǹ9R9e/nfGOu\%X&iؠy#OD8jcsOwL[  ր~N .C l_XK)lغdKFk~&RA$JSvATpC@l~4 uБoa/9I;!m#-dQ ' Sf3@ZS{<^;k6(uwER@N$oƏ&]~|/fcP*gX^hajۤZpftdj4\4$z8k`X9U+5P^& DNNV)}$V) zxE3e*m&[RvSQdB5费 NNlJ?:3U{@L fYbHˀxĚ\8U8˕͂(6 VJB]ZwOxgA짮Mm=٫0rԖ< kiQG}"0]k>0Wu5H}XK^߾(.j#k )D ~2o!Xߥej߹,Q$~I5vrB%ר}G-Oȴ@R封^L 5 * u֨?v8$- .AΐQE*;}+I,p э£^xq#hm%Giє`'sr[Vy4kΌ?۹^f-=wzL=Ty0*tnm?bx|t/oQܷ?1wTBB6s3;9sD#Eȗ넗@c1C@+߱g&6oKb 2[ro2GTR#*Q-)k{hRҒ /ݐ;-k|dM7y$U3{%+(ˑ+沶ӡy!뮿2Hxߖ& `.Ft6[O("yb6)|L6?(` eH-`Yae5RnCr[AS/t'đ(ԵKs@k] ٿH`qɢֆCN~ލ^AcvdG͖n)AF 5OO)p9/oG1DqpP&sA"iK 'DZ55|\|_̃Ѝa7)IoY=X=Փ QÃpd6)ec` PY31XWضpB/-STk꣇R]Gt̓}#^ٔbum oN:kDWQz{ظ)D#)$M!.ɣ'#l ÀQגp^bb]`Wy [vˆ7]x2 vJO2">ڟw sg ;\# ph}\M馭 I̡$|;j~aㅡ :CVV6쟧]W,jE~I{ 'WL m٥:~PF}oqgkE1l zqJǴoW"Jfĉ6/y#Rzy4f;Zg$;N"dK\\iFࠍLJy轵:W(1{Ѝn5mFG&QibNR@s4msK.2zGͫڢ&v'>*2Mywj@}93-gG^7NgUA?/D_6 bj##A~1NR2vSWNh %ZyLFHY2ɝ;hЯy )`00fn3>7<0&X߽bjJup$0dASC6a]g6&EJ9° ս[8AEu5Q(N%.U2tqQ:6ۇ<0Wj+6зB)3uC T|]kaV ebI؊8)d!qL-vBTV.G3[S+oE#Il_+77Whta*%B&d@N0E&45 s@sEĢT)!s9PYMHN`0d^r3e(.ŃS(]y)זlv;r[kĬ;*Xdlbn6]j2\YY\~;o H΁N0$,z|"ˏDCa:9^9G{csQ*tbpaJ#.龵) )EYm/@n]ߊ`lU^KXgcT1OmŔ@M}ƙf^TB{t#=.)Q+;h=3X "s0?r&M' UG$OBY;$L箦c4-9.L!*)](~2k^9% khnj<9װR@B /u% ?\QK{֖ Ao6y q #0 & k!zy%)pnGY.O@s*;-- Kpෑ̑v-Mc8%*[Cjꕲ;-گ\\=$YL=(hL: >qUhA5ٚ%'#o;~炍iPG0P1*EQaSɃ|[4L$0߲scF߆!ZTXKbC7UKƎިZ\[bnTŃ i("彆pPmXJTϫiGz <ŽK*1K;OYjR_MqxkRϚݪJk_xU+oU$@ڝ1i=A덣AIk8SBN'" &' C^7w։[Sњl U=탐lVbng39nx1ƚEpvz{-<,gs ~Ͷ}TB =xk zJ`Mچ\߶&K^nRpμ)jI[J8` oS%6JX*#[ʔYfzV7=p$ZۙQG/!LЪ^j\'4=n"@ޜ=CX a%O ٮS%ٸPtMFÝ4]O 72߰6O0j5`qk7n{R_pȉڹ< C˸bw\bAB.TLbm^M6t܉ύE+" 7rނbMԕD2rpD:R'ZYޱY eP^Y*R 'sBX"[D/mvF>Eiu0}#𭅦@\fFp·/昮䷾SH=E\3؇{`꫆9zS_B&σL%;E΃[%Lɻ2VwLQ> [U9n4^&s2'=%Ų(?vw^eD^Z2>dkC 'u3ӅJEUAx)dtX.* =gF2*(7G`zP@O| >!ICHz^1F}`^Pa`8"1ivj;M5P+ϹZ,# o*-~ ϒE`+-c}]}du0ydg~P[{GU=ܟ6UZnJ:d)Eb>/ Bo7RM4R+^Nh<#J޶FF=M-|ӗ!I&VV  F8:v:jvy*@^CIxmn$?tQ F~L+<5΁}!WBBBjXu [mPhM #2 dۘ 
Uۏ$gOEF}ƦR7W20[gS]l߶6>B@86hX'g1蹓E/]@oM]~-u:P^ai_d%5Oz;0=-CdPwW~n)#`Ag\W`JrVj* ަ($؅![ 1_rz>P h?Jb[/GVq5H]@~@9.Hio9n,>?+0iRz@P̏Vd*38:(7LTp]#r0k7@%,v R>-T|{W:s˾? ./"H;z!\bF] G,TYϚc\^qVTRchkjKAec튬!`l$l(m/*uU;ULhlۅB~$<қ/ I]WY.&_AGT?m 1ϓusL[XeDT,^d}f uډdyKӓl#!n#L6C4B YF+ZdF$U"OQȯC]E͋qByNw Xƅ0tIpns#WUن>9ls9^k>uQmE2:HiFR8sR+=_CPJ f0jmSY,_d5!Umc$WR x{V'? S^| fV ж5Y z[\)7HR Qýk?~=gf/0<'RF8_ۘ\'/_dsme\Sj0uDճ 0636 /4]=OE) &]#nt^>NwͼaTbuHA?|&2(edQcg0vOg _ˌh (.\?}hWJ7SP&bTxwf Y˶mF&]=.#fPqU磂q=E5ρ-g_BqW%&3IG3u As5+ T7bj j҉AUGTbkPٴL3J0U Ҵ^L\XSXѱ03HJ/ 7{t7bkX^tDQ}@ihݍ{?cVUbLI$ U'Lv1 `*⚞7:ٿZֈVR;6_A Š"쇞_NzNZ(b H])곯uJ3_?M'#ˊ;2|{ =w|_Bx >BH\YҒcz9ɹ›@{<&Uu Gޛ`,CuڵZ'pKlDbҵO Fq^ha]%bDj8ΝYH<ɩ eÇE/D!`!rL.s'4͉]L-kMv1- GD^淿kƀs'6>٠y Oc~gg"Lއ QA`Xw6:̣<2J 8!: 5\!>pzyT К/ haAJTKN!LT?Re :^!sR_&G%`/noJ 2oWD_.`A'A6u>wxS'Dg(C:I1 `M OS`yԜRF#aQkx ׋"#3"ήsԕÔdh4ѵei+ܟƐj@)N{? H,←4!óZ()\/ɱ@ A*!3@. |KVá&gz:ÞD3MI (5a|S߃u"tIR8LqA+%TDͼi f3wk9x_FD4 ѦcЁy$CaB`ƫg6u`u󟁯fB{Z_N͵M:!,XՏKW%$<Ͻ"Fj#|n̬[% ޳OQʟ.cÿkKdlw4ЉO HQ=t[Du:Cݑe’_G'3Jw2 a?RPeSKCfxʽp4ǫFWW@44:) Vks]HU 3Яk?Ȟj<1x=Dѩ.gŭ74`% @O -\Uyt#@aAJ(WЌ[Wc ɀMxfk ❘w&]w?RY!6tR ?B9I,"iD]DT}v'VͧT}Zn} %ֶn&&j`y0$8hs=lu%LhOk˳ъ tqTC׀YEw/t-ZM\Fkâ* M!QV^{ $u7fq؃E`g8J~UR$g[ S%O04hIdmg-}^ib7ڼ-z6;ݷz_=-Od?VBjѽ@s`qA]}EȳҙS.(.rQ GvcH(G_u2+*8_>u+aU-V+>!A!~"%|i0'&rh=hv;oR|.4#퍎5KY\W xR8nhH翎Æcr´N"Ȃw~bydFL֖*} 6 @d^ x]i'ji;b0y`.kƀ䏔:حoQ:J}" d7.K||D  t(Wb @ aZiA;F!1< 8\w_U|խ2}2]9Sk*W/z,7<>|e!j>R56Qj4NP*' &$8g{n3ȱHjz-4'*±ڐ/Wx.sq\Rֶ׼PۯFzĚ\~9 ^xTuWH{GU*^}r Z$rtŧV:Vɝkxւ|mZDe/o!#߉—v3an~ť;\>bp,#TU/ +p/|`f@|U[](jyGt˞@h} | P? 
ɜ.u(-}~;!H sq>LR/#)sv /%ߧ Ȋ1i}E1L0}9xȱ)t7Y&Lfi'%E˃q )v3 2 3UL0u8@=Z"j#W8J&FNFO7wYA8C~( ny'G<< Jd&?^79ytΛBS6?|\d2@e/176{ڎ2H GS_>;1 2A®LeeUlem䣱&Bu2Ԇgrr$w4QŔ͸tShS~oR`۷B hM̑gL fp q$ ([r5`N+n{6;y׀l!$w rXa~r){u*G6$oSU>]#ؼ*aB;9,iBy5;40<$ድρhd5VMW|[)T"NQW)bR4Az4L0yOW@ܹϞjz }GƼ,,a>c@9P79<^A/xߤEq:٤ qFE6'֍ VX7k%v&OέV ]Uak{36z=r" !9?_:.^:grcx-kc/ܚiG~Yh9 MmԈ*$XeN종?Xu}!&CD4;$d’ޕ.|KMH A8=o(F':Dq`-8V~R[I`P-l1d4!W5NtW:B Ew3y{w-/tg^o@n>`G11{^߃ćw@-둷-޺]UnGe!o_|>pCsQ]#=U ,Pix!$^\O1oSar!EpХ>@G6sT7ˏ"sXK03\-c~ /)QxZ}ĵ} ޥP2 AA҂L:N9ꕖ#t]"ew|V@+EOi Uҕj"lՁJlxNLN")VG%.- #7zDGnQx5$97t]l?o`1?Xc}~,m2LЇ2"BGȹlk]ÏvwUx82g_Cˢ\lF`qölfahVz,oϨCP.g-"jc+\[ ho6EXN?)nx`ǰ/S_?CI:-~? (:ֲMxmjlY{@5Y6}8J 4ѧsA8dt wԯtd{"sW$ ؖx'/0\p`C~AytWE,!Sa3.c"v#Eqqʚ94׫_:9VQkuym}85啹d32,ɬ[ <Axqل«B!:fkҘ&9%%d"wn2ptd܍N9>hzc!H_g~iHݕ(/l){ 5ήYJd1A/aBگK&G-6@ IEEV o~%W.kB3]hQOWRB9# w-o=3Hu?=Fp:HN fD1jtD<ƿY nל էT7C#͵@źqiKN3+ubl,kI(037l0x" Aeo&A v\!ݵ-^GF# # qbKAjBw٤ƛs^u w4*2[hx?-MfqJhrW*Yv>}S0I?o7cڬ?܋uз;GP:[L ַ+֖;3TVCm1@𵱎|6l"l9nKe qҚbkr`tѭߛSҕ@,o+g&ȼl ǽ_Ȩo6jMs5ĥâttԶF2Ge'魶;qF7M˜&vQO~'y*HT-mX Qe!Ӈsrs- H|uo6և]IPSo_ WEe #%'ÌE$CNLlkQ߷#sx 8D+C#p1,hpzR-nG'X;^VfoUq*[6k|K€DJNDE~Z}@K@c*&OcKEs#b8DaYJypLbR%7⏜K(7V?x˂u97K,s@SeGk =эbf,P7ǿW 8 T3JmƌՁWjԸ 8\!݅jZH(CC6#(^cKЬt2HN<\*BKSwDqaǹϞm/L*C`V;AUO!\'owJε }@&.NNĉ7>H5Ww\:Z͜l]Ì`% k$*C2 "{$c2?yVQv53hMM%TXwZt* ᮛlDn^JDf%CewB+XӽURv"*d]4dHJ_NEUVuEfTJ=Q1[,> K*hpz&PCFń5[]0]mVSZmNC`+ ꋧ}oKoG|ISWrQ/3"j I_!~j =J]=w{: 2}*m\R=dQ9ҥe*H}!3*dБ𵗝Y[\;mGQFAȴ9.I\ Q};X{CܯV= Цw_9KEZP+CѳRпR\7oDo:ՌxcFCҳVmFrT[`ژtl]pz(l~#o-/;T2Mݴ` *=/OjXj^@=\w`2%sSE [vߝ)Ůl/CGOZmZ.ma3## DK(y! 
r[]:Uh$^]uak "JKJ:l!G䩩UC9ķ x] d+_w+F|V".6Ԍf ]0_,fDvw6}Dnq~^G'D63M+6wS1o]OT =1ryFm!TCib_dQ;Ckoq/2,;C ӣ.7K/!k1PH :vjɍ,TOA d᢬LJvMW ][H"-@P*kT< \^z'mgdFFl8qs]C-z( _SQDls̵r*dغSZCб33t5>W"&~58OӫUǐqN[p l?"wQ% ?YFo3͕aJq K2S쫌Gp"K]ʦ7ﰐWW>y!@5%b8_j/k-Rj7w_~%T(T w;^8QmU)oi~*l͐/hG{') @PofayS;d&a+^B0`*J|ޓA7Ǵ(10{~1Jײyu:dbbY $aZc VPʲ7ȋl<^(R_9do2BD7o rՃzn7CAXPeߩ5nW3 ne{e0nh&YX.n@) pPfˬX0GzU__\V\4lYҁ,x4-ܘ0$kgN+ITu-[)$Jy -00[Z|%a<ʛL/P o9TC!D1rnDϸ /=V%XT&cxݥgyxj疇+Jo*eP"TU_,ol'ݭ#2xMB GQ Nً_C-bMۅ+ ?Ҟ19 ܶ">'d>72farerde`_zX[ 3zFGo) D=_^w,iB]}JS#y  #42op>hK |J5/0Z)]oa]7y+UdP%D AepzQ1ۍl~3u,#id56a#m)8pxC3N r~iUuf͞LVBEb?ދN"*o>#y x:" ttKJpOo̅81wJ!)H 9yk%TLRzQ '@& !{el ,N13#Yj8zfGMht+ZYN1?[(B1 G cIm0K mA׺Y}#FNG#'bTK9SA2n>L^N$$ {NDwAChl %݈W'dX4/R$c1v`p4 d-c(EOo)4y{*K,R"7I=tٳŨ{~#=#wH[u~j;E)Y$Pƾ&c2v\)3g2I(O *BǑSD $|ɶ0#V82pB 'H'[0ߗ8R7)aA4+e^Rc#'k.N Zl(oVoya\@fkl`W0I[ix*raQ*.ݿ>Cz湮=_"ĥĬ~Iº錓+-VJ ͳ/RF$ʶIe8QNN kbj"ޔ P,獧I.GN>ll-ً ̪K#nq-4?H c 8f?1]U5:2B<͡I pV6gMϞmbl Ùh lҋj\qfGhl*܆rn ih?KnUVF#$=F9Xv*"  _XJŁpdF$ϲgffBVBoy"Ui۶2pf|03bpA<&,@U 0ZH/Ѵ>]!V-&ESr̼,) vaM!w@'%g7ݹhl% .s뱞h6.?<дOQkwU$GkJ6Mǘ(-z(Nns8D?p&%!|&Gl8a$I/6xD>~yFoh#eJ$UgN^Y(8=b\N;4|uCջ:pFd,ax.+ӗvPb:Sb)dfYXIhrfTXuLmA S1S,53 wjlVb> fOE$r 8bt(ԥA)#֦#9cZsʞ-_QS UJ`f.K_Oa6耯XڶN ;˅.JO9jѤa>V-.ř#3cZi0wb.GX0U!B!OSM 7Ӯ>[# G(H{Ť m*M2re#^8%xG.E,>7O\ʡ3 pL^n$|vW4bF j)2FYRY|SHNU|5$k> z=8%/YZm$;Wpq}<|$szWvU-3ޏZZ}"k9+/:tA34-8e-t:JjԫEqsL*LO riw{+l~_h&vnxlܙBѠP~UK7ǓЮIsZH 4["1E(Kͫ1b!@M$ ѽyu*FsXCyK*n뛍SnZA~&m"QV*|: 5u XJ-RE%,sڙ"CunE{=fא2㨍 Pmgぼ$mNB I!0oW"XxRSrwշB +jȩMkl*>1pK0F.b)${[!s2؜bk Q<63mk` sN *zD8;0|n60#Օ=yJv7&ikUڷl1~WRKM)1(D6U]uޠVYdn/7`8uA=qث/ X:1Tjw)#c̤F 07#}#շ`-#-8>u#cy\_kb]-InHaÜ&~ſCr1L[,7:vV9=2/xTJ\J0L"1J)Xh1tfH?Np|s>N z%Qs5v!5O vF n:װ <4wj)[Ȃ U ?¿&LF Ύm׉揀cr(f|xjOPv=eb״zt J3(O@V(A|{y-i,4om^dk:?~Bf׵<Ǹ~wybzׂe2ɏ|j3i7|{8qJOBb`]ZSͷxTrC&L8N/K^]6@=Dc(^VI_|aq : dG@,zuj[+y z.h4'?{m (p.q v~Y]1JYpkdǀnfT<1ĸ~F 4] ڄ@łDɰ_s/|P/[ qgKnȺ@B ?o!Cn}(\q~jt N@`!&I).,&p ={7.ȗa ]R;~uw .Z'P2Q$@\;eP(y45~|&U[z9x VY'6%i(Ӝ=EP r _{bw ֏\cYt&YQq,:8pGEߐ'jdXEРxU 8 M.3}Jq>j;ǃm麽w6˜[4^V(c]@މ 
/Y8.E`S~))vUd5ʶu8bǗ}6l7VW_TI3e4RGvhnɟwH~G~)Gr>"y$lQp_@A4JZMQ;8 2\{3#Fz_BAP!zY@ueH? xH e.eOnfPX{Wrx ɂp  G̕,f\ u]X;RX;#wouKT*"Sb=(w!Fj՛B%1J6;R$.E |B&S4\^V\iYL~_ݟj]DN[*K9''`R(Ԙ_W/u`^>@%M0#ض޴nٛb<(,#ېQB/ e :c6NAVI5 "HJHlw7`4,co$Fi:CD@,Lppx(26OPJ!ЈlDGzGM㚴>zުuH/5HgU_芍ٙi^-M<ڇH#%xY ,cgFܬ^;&[{IS@t$HlůǬr/O0TCi{FOd^*m$]#geƇlSȃ,ٹ$%.v72e0{g 3 ʡ{6&K.g-R'W63Z ]{ hbҡodS(&?:\yjɊ"T cl]2ȈKg;]X 7%Xy"\!0FvZx J. 3Lw 0PJ \15ĈXY`(={/5W8p KN(O_rD!!%dyvFaeg KU%[.k(%H$HZ*Jy[$7sA`4 >I_\FE[`LSh?:7HP ~w2\N Q`\/Ӳy~,蝜?j e[t2P׾ mgB>|]ҥ瞲0(x*پv8֪-GO 5/~ӬNf>׌%&gC½KYThsd}kEט_ -R}`" Blma3jF^ph7{fLZ<jlL1GU,G] VW Ts%/:,K=yRh苶 GCŠ_a rА럄`fqE"e&'$+bUAmx!z)1M(ߝmئFeB"S_} ̋t!bbMv-o) %һd,q?51Edt^e%QwZj]z-Hw*ǁ7)l+'@bMݹEvn11VwlP;DW?J;~ZL;] HUY"=mWTlp7kn(%_3PP=!{p4(ܝxM,,:N04 \V)7 rM_OOt5q Ns>?b%XUmW頭ᱭA΢KݽO FRN'dI XCpꟑmW_*Ek=ےn*yya{IthIהCy/0> NBbn3ᅋ΋/Ê&QlaM/LCO*%IŠI?Z4E5?nq9rk^UJL[qM|KmZG q'WWC鶢\/vH Ұi5L2>WE4#IO֕A\2:Fَ;U%V"Q]gۃ^Bz9[Kn3YZ3zTjn3 :a5iP L8?Į/#10bJӨaU"kz?BXF6vrIÑĜxA9ٗRX05,= Y}\H_4h}˜.M$2ydH}o -ޘ]P_3vB7cyESoq0,PI+QNߑ\>nS \?3]D@,M:p5 lԷ>FX쑜Γ5>d (, Oj0T}X AVV*/(EvN4Txl2Tzmc<!`M(K b@RZ7R^ 4SofF۞vHGpM^]S 3~prD52b{;8}bp(K -mKuMQȞ@xc[~Mҭ"KBA4 $ A {|ZI3 Mmd$LMÊq ԠAK!Bqʐ9weA6J>6kxi (3kw6PPn8Z2AD.LV)*r ͸3ၣ9srɀ vqaj|:Ww;¦-?}kchڸ]^d%AvP<a66y!FU]ʴ~s{F )"UKgK҉|N {ܸ+'{ &2T{K`^9#/NLk`)v!`2NbNY$9עU`QB&WPek;Ґ8@ameKWU%I8asTO(w-k*HgX ǝ7ib1lL$i]7&ƬC *4Ewz#tdբ'Xv8+S"IR 8&vѺ"l+ P~] M&k.LUa Cd¨yC9RrKOnTl!-}$:7衠]Q oYrD?0Ԃ`.䀓`%P(o0LVkCWcv?h3jᘶ(Y .N,rsoLܼUᱧ,gh7w"%3;-r3Zt̷uq`e!; ݂ruP~y6)V_fABr?gw&~07.#Ӭrt~$D->8 _l{&JIH(=G,^!M yst7!qjqvuBxI>ȾIp_q`iN!{}~#I5 ނr>cwyz/lio;u+"s" o(ɤO3"L0@D Z>s+L_f`Z#&Z),* &Z*'܎g>uYYr[Q[-yy^"Ȋ7|eϣjܼ> 8,rД`$[&;06d^D5_EO7{UdT,ޛ <[xI+PA8,"8^c땹_$&`zI@'D8 vBmC ޫs&(U%_-\uk˛5xY)ax] [xX̄nZOY%( Q +A fqkݨ=wVz&$ Xm[>|a^TNŲ.U 9nۼ<MF={l 銎`iVix|=D(C|j{T91X1XjREqt3:XSC(0tOMo"b̮&4ڪ@u}ȗ {zlNY5b4i/A$)2JmkB5Lgly!`YsԿö<̼tM6S\ 9̵E V0hoFjc#-޺l˛`)RY7ֵ&^~і ASeu`FbL#y0Znjrgy> .wLV "1[踪531JtNB9qIbnSBΰuXNF``D>gxYSQ'O-U.F'7$qOqT_~K[WdS3wD[p~0Q0pQpޯwIDtؚ7V$EƳ:ӘjiG*8׿;ɜ{E_gͲ-,o5YOd]2麨iK >kg) a3fݎE-2C1ah=0l% |bPdM:B $fbBN; 
7C!(2#uՒEzChJdsml6'ᶈq=YUyˊ!~`ӽΘ^gy K=ahfgR˗ t%bŘ8GT]$a _1G #g3B5{=vz ޒtZ+{_QbYtI w\~ҞC7*C6$a%WjrS?[,{;3F[D@kv]ڔEz6M!zF˕ٺj hjX؍k 9SΈ݀Z6z4tnR=}nd!i#ػiyT3QXʹ+e_C)!h̔ Gc܍RƊXg ]FL^[BͮAZ% 2K79{Ұ, 7~YjV"̉L6pnoywH@(\0,~-/m&UZ8ϲjKFyAӖHhݜ4Pn&Ss+PCχTӥ4~@b#5.o0ͶgKŭJmg\Ec`<. 5m7'ˎb̏u[Wb!2ɘ<'LݐoRr59s{ƒ<ͬl̏ (-pMя):0E7`Mj2\;pE \ nq_Bѱ}"wրYUKmP"ٽQIYga1K2TΫSiA'j屴vHRWjLtxLot-)IkJJl{rFf< [rfѐ?MYE4 oA*~[r fv#2/FnȤt! YCVY7w^Wix -óչֲ*P`gӲ]?U!u+$gUd+=7uӳAEAA:U 1[/v;ԲtEgkn>+ݦ8Μ_I$x$[{ `2KUwo|!Aמry7t7*7M8`ab Qw7HrTO~8RS!)ELIH5~^f7'C`,'.k@o΃`E@),e(vٓHStu-6Pq$GO#dDZ{"m,۩d7[v )@pCb,b5Z hPJ:Dq԰?dgshb.b&9B7P[X˻m{vVA_%Җ ֻ@pdzK"p#7HŊ_ s7`#bXUlRBhCɶBvڍ^.w LFȭ Z|Ktȸ[8}?er8Kuеl9Zd)AoAh"νIq+Itjzd$ۍC;٘S*;6mEYiM奺v/障R!S iDc"T,kK"`f;'=V=]fQ)>Q-,d'HZ+IwJfJ7C+%g$7Ii0++qB\A*ſ̸Ev˃ue3BWUXԧZ{JwZG3@=r gRx#*иCiv$K 0{]AWwڏ }\9!OIW`F \Wm*ql V3_NwʝSP=cM|¨XrNo"ҟnT_ڮD,he[TlMaAolnQװwдoߦjrVyV&RD^kB  = +@c"~iYFjØda} }UB~<9"*rͅV>굀EK uiBΘ%!MM)N-|D} P̀~:>*/K1 ^:ce⠷G.?#vF#:R"C6jL|xǥKpPMT놶!fF|ZPj"vCdƔCcG!"K`vs0)GRoVw)/a]V8gPk#U-lܵߨЂ}"lO# yY+z m .DNՆ5ָ'ի W_ 2G|bBFwY^luLYWSӀhk(3/cPsG24:o :[Ӎ&4ȓzɸgܓBDxgOv O_ϯV>b+|6HJG |O /vɖ#JZxvf8@moCS\109=23N2KF*2NȀ+I1B\OJrkbrIBq\+a8 eB55*'~p@,@s:I:3p g-`?؟XB~+Gpf`6""sսZBI '*A LH<ѣwj괰&7޸9TB]yJgJe}}藚xXm%5::ZNϰGe_ &{k>nk $\~7{㿿q/T^1:wؼGvE1.{.oئ\c,Rseȭ eS,0tP] \Ұ*o!R;N)vrKnz|FOpͰ T ˰W3fM(6FoWFH Ys/DVhWؾNtq.9 ɀM\K<ᲫYb`c ؂ Eı?ћCwS~յI%&>z7}Rh:P|6#,' rSPPlZ1cr~ag1?Oi(?8S|k@P,raUkivxѲ՝/~cX1/'#<:Ւ4 ,nOmEV)-odԏn즯~0v8 E>F"ÌfŽe"z&-sλqWjg]":5>85?¬W2$G;GZvKh\ ,fcCܴldց&&AuZ(4swRr4$V1dܱ s-;tmUNFlٶieO\$Y &{F *ed~(| -ɟz2pBV7~.ٺ`7/ L"5yӫAO~ew\:HY0x.ЎlH#_vy1l>Ս󋤃]?$b3 ;7oOGLfmĆ"x5<{7E8Qmj5#~u3- T(hhc2Y) ,Giҹq\`VYaq#B8"8=_aq 0g-zR zZ\dfN edH3B{GȂ KPZe+l荦H>nW;F*w< l`j2n¥!tܭVفjcn@zsIQَ݃Dc]:kխTCr#TAʪ6"fF}=mkSeq33UF$~# 8;yV>Zj*n|~b~otY(",Kd>6NwBd+۔pd npLohdmNpqΝ{w$[ވG))K5̀^g~ V;dK@HƱOQө|3d :96L ˴"ȣz 8OY@g_9E#_ 2{4j5 CN+ѥ_ZNT,^{NJ?ɼɤ}j3/xy'_7&Tֲ. 
yYn![T=l1ָ=Fz1@-}Jr-)-0n6e²L M' O,3xx)C9eZ%yt͉%S#|ძR"WR~Wtod7ӽ'4+kDWb*,sX {ZE[1"̥J>gӆWMyaQ7"N|\DPsRCv9_*F<uUzjg@|+=S ū[NԿܺ'DS ̔@-g!Ea|qyPf?78dLє8?'ҡQ))U L9,0͖Ǘ/F-X%-ODm4 .Ek5ĦJ>7B~?* %ֱ~JG B-'I#/fu d2KRFA)\hzԄR1D=:vlMnG@4I[7`c,qIu#p-lOq`u/y2Ta eheEt9wi’YE_T8em&@C y`ӡSD`rғawx#t8]bq N \)4.8{st@Ƹn؜# $-q,wd8 %$ 83;:OX“sjl.#%r-Jb 5C'r3*Nd޼R+bkOf^kƢֳǀ9qW7® 3%7ݴN&N]<}vYX爀_)]#Qs]/R}'W6O8C=p#Fʼx[-_ry̲G]Z&Gs!M,gwۭ_V̱c^bHRx?^di#oeO'X$u:AF8dԹJ~ d7?7ĘkW-G=jlOg*:7㡰ZZcNE)a{IEC 863Q&zY] bx aV5)]7,ۡC8w6yü$ \rJh!A[O>0cta.e}Utd:MlWgyҐHZ 0,Y$,Y=RL:>o/~/5Dŭv"~  Bk2c(L_H> 2Yړϻ}Q DDLH"z-*skȼn _ jX|PNr}nr\*.kxϛfGJTt*D\FVu2$0ո}u>a"G3g&G[cI׭1Ld %k!G.09+B3=cELial3DEe=fvB&rpe$;yd+C(ׯ&1ԓ-ಝ yO.K>*grC@KwHWn-fVi]HŻ`nU7vщ-tjɸ)tRr:~~ihwC"dk Fv'~H[׍48hJ/NM&I=\"űyL H4#VpXnC 5 !27_~(wd'w'2sW`İ"Z =}qT*1 JzMAZޛ,Enm%:J9!.bOWu|tR` rX Whn퓲i/LF?\Hrk*ܒ~P剽‘jX{TP,Ĭ^.ef3h͉u3FX*ڝaeB]mX״!@cO %7IfpZOQKfM,E\\0}&SS5v$?P/F%xOW0)3N ⚒iZa VͿ#E٭%5*#ӛ~ Gnɖo&OBXg*^0q!ZpM1{N2$Y Il c̤˳9 jY>u=yyE ox"}T&>=-TSE-\Pwc{VQXmן@w.E&Nn5*B.\ÆÆ?}2#.=GTOT|'1:H$ř,hA~ך&,nN %H4hY%|aːIt>FH(Zr2 {-#7"U,* tz9!xN60 V oXӹe]= me+Wc X֍?w^Rm٢_4'Ɂrnۡ5N@ U|$TR}޳gm{jL@甤f> qD64}:f0n *#4DG>{jz?.T[; 2?mDTP-=Li4G<}]@6̉0y eh3ꀕ2w--G5E+)o=_ D_@Re2-=lhɮN(JC_3&=%dVd'-irɬ' n"KlYd@m]R !GSU9c{\e5^1CϪ=}&Gj|>c=xQ:??:+ /%ǜsKA냧kp#wTFqh2\(p͵tE $l_z^bM1vtS넢nR51@ѬMDjFm\O+WznL8WA{X\K]c`ΟimɃfJI|ޓuyQֳ5e*Aro5߅0l ҙ5`W/@bw\~$O_)ȃA+q \#[,i/ws\^E_gs:R4iK|! 
%+`W,9Kn,_[$G}5e]%SD {MV-1=NϠr X2o&)vo(uH&2F0#>fŭæW!D`{n%[ ~$ݼ*p/M͔%j[Q&JUEsC M^Z N`Mp,?NS}`8Q3rW)$*[ $64G sNx6iT.([G'T VY1pଅg s8ϝwU!eʧ(*cÔ#1FޡZp|O;"rv1B EHT;$O?:?Ԋ?"ph&-:}#b`[/Or$*M|I|E%:enb bۗc#ْ.Q{A9#A,@ }=1Z-@,Q;v Mֽuc:8ͩd&{Bg]%&50a:VQ/˸v泶Br{> ݷհ̀ P&ȬV>s,VDLOd:;`.jTt&6Z"9z_.2^X.eW Ohzj;NN CY3 叭ruW.?qݧ˄_fuK1Lt6P{ԜƦڊr4v!"dc~U_w\HOh[ǻG%xAOy}i/o}Y};\IKN#d@A\t6 -FHJ/z}M;w.u&$LIHOKʫtUR:lGOIRArߑ@WG)B׉9r'1E;#"u֣_#{v`;a|2zX.m_=N5R: NݪYMI &$-&gğYxżKccSs#aP)j$2~29}4Tks2i:nal'P?\-HsaU- G~~EE:zv^P s~7 cKw,*Dò-Y2UJXLy0:Ƀ3N?pƵ5E< <&05; &"Ig:C!Az{=1N S3p(;|ؚ`DN#F}@G5E85Л vj$Oj3JDvOyM*vM '@HdXOC<aN_SrzqOB+_X:vBw,Sܘe>F> 0̯ƄAnmOa0Z:CW*0^.8<> (v))͹ݱd8DT(hc4ٺ Gfi<M0{wT^,藴z{[ ܞ;[Yֶ!s;hi2aUF\!hl&QKΚ+Uf_}JLG^˅E#_8+;Jhhy|`oZâʈ"8ߴ(]N*:{&}nc`U˗o]\u.S}Jp VԈF0Bw3 L2=Ct/4%4ۯtHf2 PI6Wq1Uޘ1Mls0Ɖx~NO6apNΈ@QJ3v%~Myܲ{)aTܻ:4)$tG]P^jhϲbaYW!ɃbSfs8dn#Oh_ {-*䄢WUX)*Z(/[W57#Y4 1tSMW{T&A8m h1{ZՃ^Wn 0;i8@#$Ώb[%[zhK`h玆K\,4Q4:rf?אּ`X(v%@GX0O!=A(֜gε([f؏ɪnG7<0E@ƒ()@Q[Nt gxS>_4:MCm]N|I{u@_lk "l5VIePZ0/6͚cf5wfb4kܔ{lɴS,¤LkicCoOk:ux# ΛQD=snDAŸ8>'I*mzM_n>#7^_kx'f[`ѶLP .Խ۱`K8zUVMT7a) t%ª VEb_ݬ6r['p6xr۱9 `ʈ0i [Z'$ rS8Rҏlq޴ׂ "(D }-mL(eFgAա fyfg3F>b0Ula`FܸqLh6:41|.e,v:>qԠk1Gu_b~HⰈ1ٺԶ#ka#kWɩȃaiF4X ;i#)$P¸&EdX nsgȳv ̊9(GG$Mwda}vBn0/y_VS7*YoPg$0xRȯ qx ^ditN#)y{`\66%N~-Ga(n5I{#yz`KC$A_K\Y)? L$wWd -9s䌈-2Yz-|o |Y>\"t(r\AhdRW[Ȃv](HĿk+8%~@V VSyim!Z΁Mıf|>"|QOl,(j2d>DȡŒȈio)tvG(&o|b!0 >8ߏ8I?N8ڸ_׹#? @ۯb#c"bD%Jw̔W܏dq&9ec{n\Vz\Vo9TK?|J$!I&.M@U͌g/cVWBL~fuE#{˼74lM64&@*Sz2|ew.ᣝ= +[Crm%\eك&Zcԇ%}IһGp ӳ97)t/}G"m)N30IaA6^z0l9\{8=Ʒ!*k.>=Z220!>,L5C;fS(! 90? w+wD.QnNQH0陑;t~`NkpX3 fX]oc|WYjPg?q8+Eu :8,2`( E#{$ =9?Bon(1Pd(5i~uҰ~TФIv<. <Q4{;4c uJмɼ-t\:ÓP3g"ڥ6#&LrtGy=jZbzIK9TSOzMWRϏ~1X.BkiwbAX1/϶jb_Xb^`X泰KaوM}i8TI6b82>qwP~lMOu:}U `>kqK-74 /O)8Ю O'tJv ͆?+I@PelɨpW%ɜZlA`21=Zųnp qwLhג"g ,x!۞K[[%qbo>wˆ_0oL{O>P1*B@! +KF9<0ǹ (6cb6U*d {id؛0}MԬ#+$h@9Zqh>`aϪےQ)q^n*"X!X.pN@<cʌ򳲘Vނa4_tBOe]rkepbE ' -ue*`wxz\uA{9<w:jܫ]%5`~#*Qw\-r ](5fgXpYf7R? "U^I/;Zi~O~p`;%_B,1 i{rp3p!7H8) cq0I>ɦ,&V,sWL@W6 s! r3RMXCV*폨ӣB\a4FQ\sv' Z_]}sM,ռ #.HE•P8 !&:n.'% 7A\j! 
* w"d&$O)YdAdl@07LfzjyK|IJzc:N (Y;$q9ȁڪE~loPO< RƂh!o[{_eOKÀڍ&)fCqvbF{ M{sꓟ^yNjFsvJb9fFWfq=6y ͝U6g%i78>fdV̧&2F2s{˓g ;[ֳy;=VSqTfkwޡ*;#"Ŝ]ѬB|f#Ŏrj͔;x*BB~Mhq* f5ޮbӾ2iwW+qZ+_:6)aԝ,/&;59T/!6ZYYH:9pבX&[6H>2$ ^/r;X (0}hdjhT£kNݘēh ̥.A=vq?)' TwH&BE-Pki$XNԖ<=!FMWf!ҡtt-UB^X+=M!8x)@Wb//v8 i542%$8DWgRQ{.?T"XmH*Գ-Q4\]n^{Ʋ *RT);$,4O=8vOM3 ?uL֨p bJš&I\N4kEk֒lb-t` g YIisKӸ<;- ;#b_/ vin*u7fq%q~+sKdn )hN)ɧ=a>H,)kؙe)Gx<0DGTL?mȱUGnu4 d7{es6\vX:w1\g\.NBV,qhSféIz@]oTޡ=Hrf ӫ8GVo3 =6kLIjMP7>T+_"DG󸋆c5369ϯ'bEDmbTi2@M Ӭ)JeAݷT{.6AKm wx|͠$_ÿkT~.4+2VW<5 Hȁ֨@c]f{6AIe5 o}.='P773cMMFIbP*qObnij"Z $M~vBW;06ȞI"@Јku[7??淳P \æ R,,裟J""D]-K4;2݇]Z1>gԯ|"*j50yUFIP.EXJ7c1Xjt7&&zT"rseGJGb SG Ei8]IJN)C*Uk&⇔ $?N̟xäE˯>Qc|8W6$@ R͛X~ "mUJ3*P6OzUticql${A@M6&?gF=vHh',,E"xj3?V!Fys?BnH\hƮT?/kuqV4Dgw["Ǟl`M^*a)uH-qb63]IN#x \м!e[6SLGY9גC`λ4\oheV n,8eצ3S>Tf7h'Hdmƈeg%s."[xeG~b_0u>{#c^/9Y|rփ}q>d*x}>/'֊(JCj0ZXIi9TgmzBLk-J'_SS&_0lǠC~ֲ20ɾ>iS~0mBW6S谟(P]wm|#7w=HbT}aԘ- ?{0DV0mN W|NW9/#܇`Q##~-Wf[7LT32Ya-܏x'#qU:BLBœ7uຜ a&)k8'q|z]2*6v fo=m;: V0=62hLS<=wN =ԅ9kɲsx(_5;}nX82g66Q ѕS%f(QwgP=PKBi$,СboU@cm~ vV.#i`|0d1ŭN7p7P}u9[TgC_+\I}Lvr*RJW)ӏ(m Vɕ{i 30aqeM fFst M nu_mDюRKrDy?'+U?GkU.Ҏ)gN/H[NEwhxutE={TW^N8I+<&oDkl5r"'-yNUS!$yvss_G+P62Fdjepɝ#);-Z봷fUE32)]/# 0y*\e]bz/)Q߀D0qP)ۢA 9HASXNC p݄\O-9=LU O`25-0VQ/p-E fgsفB6H}A}x?u絕ϰ$YXM$ٗ řߚavoİ4ԝ42}ēӜ4ܱͣpt6)QxnKǂdXk(5*v$-=oP3Ԧ']CizƃҵJSA1N[kF*R^g dM֒c%" 7 Di[o;`x$gv5рE\EZxAȿD c̯3((2i_' `sEJ}-lS6BlQ5 #J{% `|,bfMj:XJgt(xEƈ.>p D{Cϑ +0WO[K|%y!?Ii|)YqD?FSPV/.]Gj -3NL͜6SfǍ]L&dH`yPp+Ony U\?FW=r׍FVwqsZL Z >8XYf[s ^,skc?3Z5RE.ɧGChEÇ9S2}t*#(D=趹(K'yR#ȐrtJFj,璌CBPKjIC ֓\j!) 
MہaWM<Ú #䝅c ,_%kWʁ+zVc?NO6d"S8VJT&Nz$riBunT{V&j5-pn+"7؇h?iGHaRCI2S '^NJKy9wI o%% dAܺ3e비(?RsREUmOvzu؍M9_G(U4E(l]NZGpUBʄ%QREc:V &ܜ;ڂ%t*(̩@=GYE$O69۠$E_3R֋ 1>S0ceHsje$xSxxR1-Ś'AUB2 ;[voSAQ{C^޲5WZN^H?R( 9Cƨ׎Kl'FwҠ7/i@#u~&IrY3Nlt3FcIa!o=-1R7 2>UqιD!P"efFruno#$Q\!2g UHÑJ2F!= Pelj/M(Bs҉O ygJv}/ 6+"^:Oj1(Nc rSZș.}$0t/-Y$)n8$~oBh^g2]|'kqqـŊE#daG<)K qU20 n>]Cd!Ns^pV)h9o^՚'`jxR^U/-ŝכB,GSTBXDJhkWOj(O; OPIj&FUB!5RXy苟m[-2Oy6nOQƆx Eku4x8x2{^YnhlA]P'7H`lZo?uK=TP*}cD I~":ԲGh @q+R4 bT/BΙbmhI+Onc[? -!KJ-WH`6cL^a5. ϡ!aPpfxeSjIP. GMu}?#{Y^K2/fb~rB?Mo`)'Eh_Z^s&F 1f}}Yb5 NCqY^pl܉fzd&xC)@LD[y #L_.2n?*l!gfJqi*ҰݏpIZO:ىCe& %oj%.'ezW܊P'RiM0a9 Oê7V1G ebe-yW~ ,8ȬzS%9j{E!3Ґn9nWy-L>tfgNIKZ@mAOuX?xyv]`aL|uS.†Fdc%jo jAl|寘 pXFS%H$UGMFrp eMsLQ= C|ѫ!ߚT- y[ө$QE/35刟h@?k{6O!'0|/:jjy,gkˆF "pZ1\RC]WA(\,/[*te|_kctH =͍VGrJ$10M'ҍ8}ZG'eȎX/Z?Z#,cLt,?6(1,<;4-$r?& ̲)Mw5o g ԌKNDFK.xMF땸!l D(v\& D&z9>gb]HbIWBѱv^B8pd3`Y޼r5kG8C f}Q) |R3 R!'Pޱ3 k 65 Z"b ˠ_.̙-s3&V9dV*(_{w+IHZ {_݁[{Rsvz ,HQ,DSu,Y5yUAtyeQqc QZ`;nB*#CqlQ(])zF5-A|9 w[/p`uB.Vʛ-|2'Ǫ6?̙oU#&O,ֽK35RDDsre=O }P2pu /* o.y:W #+~VMLwԆ`XGE2v^W-!p'ew^qyQ݋m͉=8U5sSmAsZǝtS\3& 82[BJl56U 3IS) ^ y`) cmp5xv`& 0$uaHv'o$y "tC'O{+|.\"-/ `E] sJWnU!b#?ݧxt]9qufd_kez# \b &S‰쇟q>P ]dBļ$oMO~3)6ˑW:,ͽC. /bN ?\u ] @7jh,nŠ7߼,JZEQuxJѥ=0eͰ1xdHFct\n\I K#Ei0=:Gې̜4-ֿ+%`9mp>RJ[z9k6M/`Lo`Q"7.βѮ^; !e0cʍ_tb[ vk/y0~e,(Gio(lR-V]xĿpKqC{S;+gtBUUg;W2i3ٴH>[._IHssX$QPK{1`7#`1[}/.-(< ~6+-ɣR@Fexү;ȇJPp,!= AYB*ӊqqb;8 ^$(#( ӾU~U?ݥ8=^1$HE7,}Ԇ`cW^ ̽oΣ'(.cf<*S?Lne:bPw3aA/2޵6C2 <7v8NeWQ PFVqvRwŨ`g|*Ě:e7syD6w)E #Q0d˫;5a7!$OM1o0AƩSygKQ'rbOjwoh]Q!\m7|i@Ed}Ϙ~$8(>\9,0'< զB7ĆbN=ińy)T( ^sį"6w ̍t. @a*F@ZCc:SmlR.`Y^FER0f? 
_}Y%2Yq4Z&ly0?wPI$ltI |7ˀǏr +221I>̈έT._`G Je)رR]:~4~m苇:C|[(*5a)C7|?,iX/mS 7YQJPHͻ& ^"Vs'Ԅ  t;o:q?t`Ml ;yUجV -`ߑzO5Ճ;9MdRf(pX*iKjxJo ؁e $4K2|  U +2KL+&^E =z( Fn,.q]'7;Sh\gW՝ (0$ԖA  >q)b3U.m_(!p/g3iXK~,M zLp1GP1vU-p⋴`}[3RЖp#I!ږѳ$n^o7mʀ>wBNЩh68 y\3/8.ʋ:ŭ)VQnONXquN!{J(fQƎ2Wz ?mlJW]0~^VONΓ>+%E2\yڗO+Ư^2 V飋ַQuđ9ğ55%^NU72i4o.oµM~r_IˎiPArڣ z )Fs?BmWJMF(H"Jo&u&KH< עZdZu$mZ64*aZ>(>.c+$$>럞Vs^P|m0l@ow"Gf.چ5|=G$I)׏F̷[Q<}HI1 ӆ+P$%傒C.=W9 *b }֨q8Kw7K$giQ0^e-IoWCKbjWڛfჷLk0FO#r!xq/Nglc kzCV]CFKbe} ,;O!?uy)Og2۵aV?J߆@S x`"4Zǭ>~Xq>&m OU0lIgwn):`ÀalhZNϑsʱfh3& Lԩ*3 Q`eB0$7ܸ^[fL xlCsP:1=S- UWD*4 xH8pɿ{JEXwO"?ӌFo̓StA93#ygh;а2?yM7ZQ6,"K$ n팴!ړ\VNp h)qgoejʛ^n] Q$1ϸ&Қ+^i݋=eDolk`ha [hϝX)ڋ8/#}I'|Ս>6x**^>OװQȾ|8"BPP[C+GiB\NW^J؟| ,'dU1k 6Q\4b񮙓5G<W!]O!hey;(D";7kW] mn"ܸ?3չJ)pD咲rȯ遭 9^J>=Eǧߎ끫uː5Ђ[fsV(%I٘c5pl, Йm{~-ŻGRaC[BCٞ'%)x @UAdt*lQ7n~SU>JUY2{mS3:6],\')JR4MEWٍrԆ-d>SO%Rl?wxq +Ņ,I?=3Ӧv%+Rlʎ,;X/AUΧM#ջC f* ){}9 )V~}.?韡H){C^ t:[$%sJ* P,<ϓ,YlFz rVoLb|^[_%,T O?3} xWf׻7 sAm7qB=DMRH+VY/e* =\ <~i kJOeׄWJk/bP;Q OiDP4XfOSiL|q#ЭN}.I@[A_Zi_ r٘Rc_vCDHzt uz }ۋT=(BOͽ FPCW7Ff(2 [ oCUĨ#rZY+ r%DF SG9NkQaO!2U/?&9iIiٍl+ N6ÞW3 ~usUtfFiKڦ@I;l_|10ìqA1*]{ߖUs$OF")QAg׵^&n9@r7uFN9c!F!aҋ`T- R|Z>Vo(볡,7 zpW >U2Ls8-)+&jVMN|}\+c މa-%,uuo><p?o%wj+d zX@gpkg5BXAr80 @g(5eK Z.rzLIr~&%j e`g+sA=EX@E[uP xsI'Lb .bcbC}E醓2Q.AJbh54S -J)OBr~C p~fHG*)fxKR!&AC:Xz W@3ϩ櫢V.T937t| 33d5Γ٢,]"η$tbA~ G(M + ~ntM( RO%de:ЙτEN\R˩+ [{n*&sFnϷ;nPJYUVƄ8. Jj;dLd@9 %"ю~ e|Ec+dhZ ?+։K|q ɘa!z)+=Lv&>0t;veyBMV`NԚzNH<V;tb))+l1C͑,>(E8'&7CUxҸFw%^4k6?cqc>|UUYPL`9 #{v>: ^Iޛɗc. %'c q ,`5Xo2ܤN<ԗ"~\w-g&zdoK7ECTZ׾]x8lyTR-0m)1-"6\ipp2W0Cl /yO X  }1eٱux.T*ھp71p5R\X~G.OP ?}G[0wbOAl;( H=ϖ\1cjw3#~K $YvgJ̨4ӝTeJSo &Yz)L0FCq-0=R9& ksLٻʭv@j՛ПSvOG[tA}z-*u݇fyp?cK>7n̹C27$v#CB'sǎKA3 ƨk[{ZIK͡5Vύ:Џak6,ͼ'5HA}3mbp_%h`@yJ66:O?ꆬ*E>.eBjIiZK"e7.9g?jXxUAbgYc/7Wea'yQl'Z{@ѷ>F+o9(6j'Iq5Dt' |/)c["ўb^ƢPvDvNF$kz,dt)"vĐ,FZ4|86|t8ey1ft9[&7vfᑓ)ZXdAx预S+(Eo?u:wO*z'%3-Ѻc:\VxZhr lM+|@<7hT"QQVX(cWQoRP~1g0pL%'0|c{Y5w65*.xe02!U c;&]'s,8tS=QXVT$Rs" #VN"Ʃ{Gr%~$]s “ګ7 u=<* 4se|'w9ܮ1]h=r>'9.r2\ۣ=zE&WAۦټ$f-R InjahK*! 
+{F(HmjMJmp C͸,l-؈U4GE9! H2峜R+\j(5 ̧MH FbPp}+ omZcGQoXFM5 jMJXN/KcLWI]9%VX 7*k 5^( MFd:f}T PY%ܢAgɐDbf0$e~UY1`:oIaeBE^FbN߫Ai3~^[rS@ۍQ_8 +QS¢"(HJ@~TpORC,>ҩI]Z.Mŧj܂-`6lfwP}kgϥyC2zR{C8FkjÞ0*䌳ɝh1hw>u5Vx=`f~`QnrS3cQ2>Y. #wL#r fk %Az=N_ȀhAuG&EKGGBjͅOS7VJ 6!_k `c dL9 $RDay y6@`gb/!zDA"3AoP *lG7! xzkeU{(X|7c3!!ө;֚נrdNClC H,35pApHkoCDt1pk$V;ZU۴DtWaxc% a[sU)hIq^LK3j4_!Up,_rӋD3-r0BUF Qde"KZ]Zt7M9E}5EaM [>s2UBY P(56n[sNPW~^ ,-cLʠs%^:z] (/&[2 Cs_2&tcoj^z"%K?!AWL'܉o')$Fc4j%o}ȆbصW/?: Ɣu^"vN.g0Tuk? Sd;̰i5nz&[*}s3*3Q5u?!0=8 *WOZ;u7ն;GLr$оp*/FZgDYC[$IJˀP}y=HښYG$/K$acq8qYTˬd1Gz4LxMq|媜MĆy1 zO{AJ eWSHFvŴjs;#Ռj8%G&̴F\/YEQI(ō3K5qtU[lg3y֧^=3 >CޫoyԻ8j %~_=7-17YbGR37^ئST+˅,&fb/xi+)+" jyJ# DNJa1O4TZfRu5=Ok-`!h[ )s*snɓﻺ"@RD,|}lz>hz%ɝ_.*radWʊ.oɿ͹u[v..y5h0gR8|8}IbN8Zw5m"l 'z]~4{D}lFyrcّ̎L[kQ:Tp66gT%REqp}c: &GfH/xlNTE;tVX%kMe,w3 " yhBL 9!8B8VҌp7,ZD~kjܚUdA!B@ѹ\@T2 iߔdWxpB~: YZ