samba-dsdb-modules-4.15.13+git.710.7032820fcd-150400.3.34.2 >  A ep9|,c /~aZ9&Y@\޽rN鎓?_XoEę%Q 'G`%rxbB& uQ/M*U@4d(twdq)m  ^A_$@~Y,4OY4F0T4oWϢ> Մ$O6R8 Zs]BB2W+4LM<BOTQ_hr2UBra7D8Q}P(DhzB'9@!n*MN-Em"i5Pd2.$JbdߴwnVg1̻<^F2F/ecKq (}}otyD|WS%[FY=YgED A~F }̖5U^h<42uUțё3K,D20>pA?d0 > P ;RX`-|- - 0- - Q- -4--0-ww)w(*=8*D9.:@>Y@YFZGZ -HZ-I[-X[Y[\\-]\-^_b_c`Hd`e`f`l`u`-va-w{H-x{-y|z`ptzCsamba-dsdb-modules4.15.13+git.710.7032820fcd150400.3.34.2Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.eh04-armsrv12epSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigp Hp Heeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeec705ac84635104b058f33a6dfa2e76b98169a3a1d5c05aaacf2866e6d1b4675a71960b2ab675e5a6b48b7f15ec6c825dbffdf43c0e0507877c4c87ccdf3565bd0b34f5dc2e24720da4e9146c840f6c2e4c09b8c8a386511c5ee23435d94a08a3a3ac90f3bc77102a92d000303d874ab607dffa483262411c4a9816c189a3ee5aaf0f682866a3d7352a19833d541d71c074ba5cdb4b56d13e74ff08bce5d458bc2621979fcb7381f5b7daa1554b7ab69c7db389d4e58298ba00fad217c7f9a3dd14722efa7d9146b9ebbb8308998f76970aa6bc0766742ab1454eb126e38effaa0d088661dba7ebd5c350d27fc5e69261d7db83c3dbbe1e4f88a9b82a9cdac79ff1fb0245117a99dff9d3f75c667be26d1ec65b15e1b595cf50bce4336ebb3f95e50ccf6087c6146b7f47af3cd8f11261944518bd8ddaf20e0c76cc3037d828a85f9b6a8db94f7ccaecc70caa3a4149dcfd65abced83153d34c8c3e434488ab612031a606019b8461d142327ec49edd1ed3a20f69c26162593f4cb99df2269436586b75bfec3ab78d3ac0c8abd6b7abd0114139e727f008a5d906d24c707d7461539fccb18b4474a5a6003fec33a8cda52f29365ca55147820e4f8bb60db66aac2e9ca80bcfb4e9a1f5c22cf13dbc1168c8d7bef2e102c7eaa88a00dfc7893cea6a618a5b9f0c661f58b8f5c11aeaed7ac54e061c79326284d61722c7be31aa25fbb22d0fbdac37fbc4da66c8fe7139df3cd57e858482e7b886da3c5d4cb0cabbd582002c6e184b2508cb0eadab685a7a6fc1a9e18e49f0e6b3ace79a2b4325448f0456d2874b5a5890f611ccd5c1c399e37ce207a578d0a1e1e9be4a504a13811a5dcd45c796f529ab6a47b72108a4a70425eebd54492203dc813a1819f4e2d981dfeaef07e64f4d415d924aa5198ed8511a34cbb22dfccc30a84a447048f3324d8e753d779925194c6670663459b3c11fcab5f5cb767bee8ab22f1171891025a2ccdbf36ff2407a23565ce6402c3b58b3a5a2628235980512d3e1c18c38c5e8e5a7861731462764c3cccb9d78624b6993414ebbf75bb7a37727db60cecf80fd8c57d1efad2fcc57dbf291908530118574e0c1d96d6ffe61af6d945331522255cc339ae5c53eb9c98d1342df607f2d16116d5722c678a7d8a5f4a0cc4fd62db2818064c53d53fee4a5a282ec711206fb71a4508af10c88bbb5ab81ece79e76cdd48e778d85d9b081de703604d87492dc28855d9b26af0a99d4a80f85881ba5c756ffab5f110b57ab112852ba284ad1e4e643dc9d021506467d1d0047b547f47a31a3429d97d21f97470e5c3b8777ff5e13b18b5d2f9ac71e624489ff58de059e75ccc29dc19735613667f7bc567b2ae1555d10209a0bec257ff643a4c28e778f90d91b60d827471fc76bcca0c371aaa01276722edf40b36082edc207791cab9cab0f91a05f06525dfe0c5364b4628878fc387650d36eceedb11ceb535b4cdac3d501fa11bcecc8071ea12c2670533201a7fdf90c8f0c96280a9392bfba5de2921c14fd5f7a2b9e674de558c0d121c2fdbc543ec1d31fb26e7775afeffb4cfbb2b4ba83395f6d228367e1e5f31767725c4b97f266f8b4caa00b5b6e5ec31c690a0325047ae3e7125a536fe4c3efbb7236f7287b23b8fdb179b4a7595b8ecfa8c7debf8d378641284c6b16b2aeb9ca9bcaca260fee24e4c5004cb6c0ed5407406282a5d45be103c36f33991ff6e8277fb4d4e0e9494e6721353b9132352e2374c6e72e40dc265de995a89cba49a5869be040eb69e40634e35329b91aee76ad6644a72c62813c1dd19f5ec325864b2930a1eac93a2d146749c18c8375cddb52aa76f7701958b41fde9c231e60f4b0212d7cd8c6d3f81633f8dec5b7b49511cbbbf65b4b4b40db091e2307d9c006d86280a5fc1cbad37e73114e03fef154bb085e37a4f1e3da2669ea721858a1f1bdf0efe37ffe0c6f6e03fd0d02455ab5e06ad4994509e15e6fed8e0b272457b6984d02b938787e01847a4bb40eae6ce005e22c1frootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.710.7032820fcd-150400.3.34.2.src.rpmsamba-dsdb-modulessamba-dsdb-modules(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb.so.2(LDB_2.4.5)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.710.7032820FCD150400.3.34.2_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.43.0.4-14.6.0-14.0-15.2-14.15.13+git.710.7032820fcd4.14.3e[J@e@d.@d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Add "net offlinejoin composeodj" command; (bsc#1214076);- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigh04-armsrv1 1703082665  !"#$%&'()*+,-4.15.13+git.710.7032820fcd-150400.3.34.24.15.13+git.710.7032820fcd-150400.3.34.2acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:31907/SUSE_SLE-15-SP4_Update/625f171e9af34d04e78337ab8ddad37d-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c644883724900b9e475987fb757e06c7f4b59d73, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e073ba3aa3ca4efeb0895ef140377752c07e52c8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=56d66c66bf5130b89528ca10147efd8ce04d413a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=07199f067d14242157a3099464fad8c374945b15, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=47073d393d619c701b8b2d7424ab910ba7cf79b4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=498921aba9d268d3eeb00c619a347dcd82ff49a9, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=80299b5db789360f269c9ee83c63574a274b934d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ad51579512863860b878e5e5621276d72ba017a5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=cb7a82d2a7feb554ba8b4e992c5b2740a1388ecb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=55cfc8a4dd049d77756d200dd431b0d62ad7733e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ebd466f08b388290cef796adad14d05fe5c6937c, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b7c19d118d077b038662a932d28adb36e6f682e2, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9481ec70817176e2729ca988bb5ffa09b5e6bf78, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3ab489c25bd2d7ede7e99d6b129c6f12af8fc723, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=63386197bb6963717366678f83eabed340f50b48, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e07486bc1f336d4754aab501295f57d17a91f8f4, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7c740c57e7a5f859b452e3221c8ce671bfb8ebe5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=69f0f33a4e836b40d497ef4ce11a531d9969befe, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3a6bf577b69e9354dfda630cc3938d387117bae5, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=af10307e3fa628da7bdd1ec0a04f4644b6dbc247, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0cd73babda9bcaab387e37398d880b7e023273ef, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=29abbf11556e613b268a38f14e05c07095783a80, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=65b5586a008c8de2f733a2c91b733ffaf27a4e80, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4ad46517a3d8449b07779b4c8d933a5722ae2012, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=85584f498d38e75e06a49b995945bb60db2272b1, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8c62db915f82284bf5965ff6bd95d7f3acd6ae73, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=212bc7da745af9f17d12378dd483ded3723d8dfc, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1ba71f546bcf0904b0f3cf59d9a749c363e199ca, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=20e953b013a18ea5fb273c1e7d26e1e6f8c5d619, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=631906e4c06a777c324183565f5b11db9c91f94d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=17e7e9541d33a6afe8110b8fefe562144fe56091, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4573dd90ab06d19993eca793cb576ef84be603df, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d0376b3be2801c0c23d39e93a362567bbd2f922c, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fde6b3f707b3e8975b25d5cb778700e8f87b4ef8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fb33806a6c3f149755a4a6bd0750fcad13997d49, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3d049f294c79fa776f7df0cf949dd604ecc4bf9d, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0799fa67ef183b84bd41e4cef3cc3130a98cf3ac, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0ec10bad6459e38c0b15104ab7b7de0faab732fb, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a29f340bdcf051d674192c982fb8de24b31f4600, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8123d23aa0e1e467f3c25aa8d534203fae34616b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=aeb781742c03bc2686be921872223476ae28c096, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3585bed20b61ed5686eaf025db241ebffdddacac, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=08086dda09500179de3687294803675b88211180, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=445c253d268ef2475256ff7a56b0de74b982c267, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4aa47ecf443c6f4948cd35b8feeac83076ed290c, stripped:Hfw+FQZs~0:cp(9FQ\o   9 ) . #  R\R+RVRRRR?R RfRER RR)R^R/R-RR[R*RDR]RQRR>RUR(ReR,R RRXR?R^R"RERVR\RRRR RfRR0R/RRUR[RQR!ReR,R RR?RfRR\R R5R-R/R[R>ReR,R RRRXR\RRVRERFR RTRRRRfRZRR/R-RRYRQR[RDRWRRSRURReR,R RRVRRfRjRRRhR/R-R RURQRgRiReR,R RR?R\RRfRRR^RXRR RFRER.R4R;R/R-RDRRWR[R]R>RQReR,R RR?R"R\RRRRfR RERRAR/R-R^RRDR]R>R@R[RQR!ReR,R RRVR?RCRHRmR RoRTRRRRRfRR/R-RRRRBRDRRlRURSR>RQRnReR,R RRR\RR^RfR R/R-RR]R[ReR,R RRNRERLRAR RR$RfRR\R/R-RR[RMRDR@RKReR,R#R RRRR^RfR?R5R3R/R0R-R RR]R>ReR,R RR\RERRRfR R?R^R5R/R-RDRR[R]R>ReR,R RR\RfRRRXR R?R^R3R/R0R-RR[RWR]R>ReR,R RR\RVRXRR RRRR^RfRZRRR/R-RRYRQR]R[RWRRURReR,R RRR^RR R/R-RR]R,R RRRR R/R-RR,R RR\RERR"RRRfR R9R2R/R-R^RR?RRDR]R>R[RQR!ReR,R RRfR^RRR R/R-R]RQReR,R RRfRR\R?R/R0R-R^R RR[R]R>ReR,R RRfRRR\R/R0R-R?R RR[R>ReR,R RRRERfRR^R R;R-R/RDRR]ReR,R RR?RXRERTRRRR RfR\R^RRAR/R-RR]R[RDRWR@RQR>RSReR,R RRRFRERfR/R2R-R RDReR,R RRhRLRVRRRR RfR?RkRjR\RR:R2R1R8R;R/R-RR>RUR[RgRQRKReRiR,R RRNRRLRqRRR RR"RRTR`RVR)RRRR+RERXRAR$R^R RfR/R-R'R&R\RRR_R@RMRRDRRSR*RURWRR]R[RQR!RpR#R(RRKR%RReR,R RRR RfR/R-ReRKR,R RRNR"RXRVRRRRTR RRfR\R?RAR2R;R9R3R.R7R/R-RGRFRER^RDRRWR@RMRSR[R]R>RURQR!ReR,R RR\RR RfR?R-R/R[R>ReR,R RR?R RCRmR\RoRXRRRRTRZRRfR RHRERRVR^RRR0R6R/R-RRRBRWRDR[R]RRYRlRURRSR R>RQRnReR,R RRdRRfRER\R2R-RXR RDRWRcR[ReR,R RRfRR^RR RVR-R/RR]RUReR,R RR?RfRR R\RR8R-R/R1RR[R>ReR,R RRfRR R/R-R1ReR,RKR RR"RLRERVR?R RRRRXR RfRRR\R0R/R;R-R^RRDRWR]R>RUR[RRRQR!RKReR,R RRR^RRRTR RfR?R/R-R]R>RSRQReR,R RRRVR\RR"RRR/R8R-R RfRhR?RjRR>RUR[RgRQR!ReRiR,R RRR^RRbRfR R-R/RRRaRR]ReR,R RRfR\RRR R/R-RR[ReR,R RRfRRR R/R-RReR,R RRfRRR R/R-RReR,R RRfR?RRR R R^R.R;R/R-RR]RR>ReR,R RRR\R^RfRRXR R/R-RR]RWR[ReR,R RRRfRR R R\R-R/RPRRR[RORReR,R RR^RFRRfR/R2R-R R]RDReR,R RRVRJRRfR-R RIRUReR,R RG:XPɮk 08utf-81e286f861cf46d942eef1a66f04f0aa6689ab817c21b08526cc91344a19a7166?7zXZ !t/J] crv9w$=[QP&|ҹf m%VAu^쉊I#UE%wUk3ˁ%S1Jw۸Tr`IC߮y"l;_-'Į kRaD,*؆Nx j92h WM,LMRm`lg)?0p؟G9Tx"5;Ff~r[ǏhT ˑ0M\E|oٵ!ץ@ c^ e;cB#iP(2x[k;(Y$`YcT2Gz&nͥD.d98A7gݏ15fq/G'fEhii+#[c"3LE 8eDЁn4gd33K?utIU'Hal,GnLwnͭ+r7r8fP;iCu۶Mj;tYb6"Ykܑz3㗸 *dij̕_N)4S"s}ݫ!}lA[cŊG:|[HT ]> [۴LaA;Rnx(ϐdI,ψC kx#܁*m*UzWmZвc5{Sw'F2WԣFC$kM61,PtKy)D'O`#it~242 Wo+ E~& & mVr>+1N~V8NEIYğ փ/X;w=ed %nWR4p%n+%9}}VOzuMF-/!o: | g`G2 V)KRpqܐ 3q7ĨZ#4g{0bjP(Y% tK1k  9v ܤa$f_4ua %@:DSsyuSRn6$, Fe {*zY`Ppp >h]VÌi(h."%nu5d*|۩*P+{⸑MrIǪJht$JԦ%4|C >|nd#(/{Ԛ{]T2Uz&@E?YE)EGDZQN\ʍes (<&9篊q%NRz3y Ro$dj }z%l/0řu`LJ-\.>}lF: ~qo)u<9nF Vy澚yly/Dʛ4r5e[yHC,cQ)d/NF.<Yժrd^ά߭OZ[Mm_P&oyBi|%PyFn<җ]˓J{p(Ӿ(Yơ|=T'gIY6٩AxJDLN)^"{7-F}8V43w|0'*o J*x%MGQp,{/С]FYq <HSY!y"R% =C|ց!B%8R3ҐE9a}*ie]x|c8y3aܳuKm:M/f$x6o||ܦ}v8]^ ήKQrȱ['cPlIKã.3y\M(嶷'MAF1hBT:.2,ۤ:x½UE#i@s&|:fY U$g8zzkz}@)Ar $}>c`mR$:aSZv#~tNvD~,#s:<" ߠA ̹?w3|oƆ\@)15MI@8<|k&E;$OHjShl>l^JKw*is TkMn`I%hpڪB8X c[{TTu9F^ǩAh0oc )XrOBTQ![}Ŕ|F˅Ϡo;:]ǁvtRǰNWX^t*"Fכ]fZ S+`fmÓa)Sn"kf[κЕP! 2司#Wf?UNkC ~}V+N տҋH!HRTqh,z>.=2/AK[}2ycJ@ۺ&Oi#4{QW~xs-08ؤ:=2;3#/E6nBz'L?=K paF oyxISyjNHn6"FylSBs3Yϓz*)% u8Ac,M*vl $s(p(t۫Ǔs|()xT94n{o%mL 4v !]`҄.􅒴O?>*jzpu gLGZ&J4\SpV]+6ZcWuj+(/LOh-[ } ~#`0pQmЉϒ18{F:%4 ByT粿 Cj !3%8p6K@V~غǷS M TΥeTILzޣC.4洌6% Eswa}mK"IbVm:bneCPʞ܍NbSisn,U6DCHcN="*$#ͩ6;=qPAh2un-(.A#+190\ =>3f1"H47Z188oCs9^)1uFwm=g%0Iȭ QR Xb"b'=_]DASt8ex$wt,ӕ9Ӣh_\]"\I>%N!COj{b/buGWj ,GKI ~={ ҳTo9#v7%swl6y]Ⱦl1 2UUk bZQ۶fRvBHk0rHmNx>a!K7mόI2/iiWŅBnKIű*h2vzBr|YT=+TMM\J]0,u?M+(v>QYR 0;f*ǵdJͩvr=&K6 _gY >v_#n)"ˢÚINr[y ĚR p!SEGE، ުm% GZ G~eCS4W/@f>Cڕ±i]%[xR)ԻA/CQn[P)` ޠ 9Ux+~t,A Y6ֽynExDڂ\=vP&Ho\6JjZ {ܰzK~ek_x19Ã}+anץ#+h<* ry[Xyzl{_,uOFH,@A@Wd'' Cw}h+8/ QVt@i>rP q#pnxd֩,`4ޢݠ\iׅC&BJ(!4 k{7{cx&!'Ti֬WeTө L9 /G7%/ňmh+?xd޺&TaID4GI'sέjHUѝxGoD_ 43@Azj:7DIJjqZ~QJ#g\R^) H"hwL .d"lpt@`'˞,'e ?b7٨v?;9%\9%Y ?!#dLFt%t瑀^_qӻ'4!zc\6|^ ә fcHN/,R~;,uJ >R32LRgj{}Hj [g鎚8Ff(q7EJrz>&Ӛ;/$Nۣs1!m:G G/%L 6Yd 5_utYh7TSo>k|ma+lmv,Q:y^[\Xn3Wu"͉⯳Blʹ+EŴT17DyL;)愰zSy| _`E#Vw漲$ ȋ1n 8GHך(o:|'FI#5qmIW9ذX2It5 }iXP q$sF+PB85c3mKѤ [Q_=- )B㈗ id\X8HT"q) iwW,5FCxiIt߄< "1hYTf.*M4 agyѲ2&͢k8$T-3|ѯ,d-n_yIuRdAuvQбFq:dP_V<'OWExw䴖v-T'uven8{-]NX([5> T"ݛD;1]o/kxyX1NYH.rՆ\WEUDeR||b&(3DOf=PYS8I#ziB ~g+S%*&ߦ`-8 تRgsPWlf̎|ěP!^O*-ZqyҒM(>)\s.9Jx[vFEpl1Gv^Sk4%U?WKx5mv@wz{x^cfE]{^H@.Ib#\$S8Gad`6PɁUÅHR7WPr( ;C),)+ ?}bgNK.Mܬ{ŀhBW\aV~*HZY5Bs5Q]~L v_ VY_ti7HG#V t#*v]ڜl [e(WO]h.ő ?` ݃%*-L9<")O{cĖҲy9~Fpo3)*tMAhosr<we*Ō>&0#hG5@L_]M3fF~"Lϑfj#٨x1OrDj40-@ڹ6Qq{+<22麺5솯ܔl/nv8:m@B8~KG8cjCEYVoR Ýp`RFq耜.?bzhe,(]`?ml4h 5݉OѬY2\nE]ldïգ̪{.ߜ|I4vy`QYD:fF֞<@5q݆Wcm5@ ҍH/0 (u׈ŜT iS?M{e֘I`^h z B?N|[IJꎡf# U#[jZٔS@V6YX(O{Nol|^E *s F`ZCЫq$eK[M(7Ew2 ." -Af"à1xC݀( ;=bikB@KESN9W)N8!JFv&GLJ65=5ΥC :"vy${F&E,fǏ%)ʇ" b?f^& igH)"]i].%WPfITv=qzxgh@mK3G$sᯨO Ԙqޟh9\O~r\6s>=+QPfdCFoY.]nq{l851;fC(":$_rhmz+|2SٖOYw#1_HZRݝogN C5,7W oگlĩY ktEQ͛sfڢ~'t0|72X/z@<(́wЖ|D/XվnF=WfvYXw]C_W5,%$@!pu7 &'ft봌 C'|yɏEY}MtO_><3BpYSG'j~Rq,e &Cw  v?k?bH{b(^28_V숎cbCl22qځ#?ivs~!O.mmTh^[+Z=Hy25[pM\x Dq<8*hc)NQ>W!ڧ؎h7'M"!Bp T]v.oIp3U;IU0K 9O?bg <\[Yl1-'ߵ9Gr}% ҅7[ErR6O>]{oኚ;cҝ {Z o-q'5y_0Ȕ l̕` *Tt ekztrМe _9>Ae7@0? 6]̚ *tu<"cyt\gXXv݊a.h@e u4iS \ vVě>4҅GgT +E0TaE 8e6²D(zŢ |l*{ i6xƏ;-Isv2L%r ~ߎYx Ӗ)U!-@;CYYDiµ?iv5CLhZ K}^|kɯԃh?w^(-J1P1.1jIi+Ш0;l$|Wp`KA^HPCV%B?YA%t/ ŗ<$ u4MGm6scvA\Eنdv.;d\!s?`zU O2dGW^k&Bs#vֳ-1̉$8ƏZyrҔ,I8x'U ;a՛QjD1'pOYqp #a_ɖ˝HXo9c?~4ب^8H!F#=MixA .# |5L!L6ati?q\X!J:zC(ocGmDlc\n +ٵ?ǒӋO>խe2_eV8kt7=Kv3q#lKR@FW9؛ֱΒv P)P>^<}.1 -YyL"Rф4ʘV֡w@@6E g)qKKu{2>qxֵ&]8B;!"UAZ>S 4dnWz{!;ΡvgQD3j#J+ٜFeK]ɳ|- R XP՝HQ{[G>&ՒmP3Yzjj_vW0=_Q'xYZq5N5) JAh4،f1K {5ݸyv jiޥCgnP䎮6e'alScy :}ˁhA P3N+'%&Al5ua}7o.ҎpŬhv K" &=YĎޥY_|™?Li4]!SւYNPHEQYqs #eT*-ڢRMdϖhēXqYVk8Sl =-njP@l qz)gɑRڊ;\:Pl2#pܧ@ &y$NNF00ͥn72 2kUx =V -<5k^q)I񯞑5bǔ`ދa'~8)NIpaᥐȚs؝i.&^kU;Ȋ=#eiH #SVih Tb+o\8B0&tz$cFޒ!:cG=!vJ(H Axgy@q=85!FsEK\)rTY.,sY`j;,0l|XԋJKJ1gPG\$\@0}i*8J1&XrGcR@_xs)ъ3z?k?)ӈw> Ƅq c|^" ϓTWRt/}4wӑQPF1,\B kǻ?. Ԡ9 ~LX_Jݏ_&},iP)Vp˷bw*'d 1,J1A^[<&dI"r␐EH!G?w+FTxzID-%66QK_H@T31i~+n VOc̮XutLЊ=H*Mg4_7 }1l\%њt\FgMy􍃣Q}lt+ٟcv!s>)gId.># #8c-j0*:ť;wؼ=k[cA^|fᏋ,=)8y/m[QkFxʑex JgM/[p/LdoWf٢<澬EфÕJ~ \IE얉`:*:6p7i 3ޢbWyʭkRK1]N'}lEbYz6w-K i?!<·0*/68ڝ<j%ҿ:;Y̌d3kTcJvok>l6i$ZX1硞&KԮfS Q w6r P5z(E+F2îi3vj٭q()6]}?]‡8{OD`e(7R l=WFl c^kmC 5Fk[ vx'5-giKR/l%Vϧ?i #A`&Ü2"d,p{t#񼬊˷܅9}` ؒ+d.?T[Cv& An ~@S/Ea8Pk'tKtB b'W-~<GQή~M˾C~AӺ>[Vl@-g;*=;1a=έ Ym0]ڀVH޶azޅ-W:őӯ[nSi2C翖դV \-t$^ZU&K(WzRH*RmsrDMl@hʗdr=@ؐ^ EBőQ҆YOnqHQ;Xl%̹nreBA]M'=[$  ㇓;1A4fgyӀpgy2|6PZǟ5A&MCmBD/vBn=TUPLuoq˅1/Y+kPh;v!sϦ儳w`(<}%S81Ч7 Pym[n !ð֟1fd`2ꏪï[YReepD7ZI[ qmxHzH8|yvE2D> NL\J+ߨwU3d:UtN ~Kܰ _Iߙ*܏[![r#$,/z.!.l(`OcYFO$k3OcAq¾# {Ľ*uw\ܠ!C/UtUi2 UM_mHJ8f ʇwQo >x Rg9~V>1ZH ~r>yoid۞۪> I;۸ϝ)D;5pزH:S=csS")x, \EGKZc̔KN,,!-5^3;:E\ Ƙ[& INs|&m"זsh_BBax#Qa9":9V?0R]0th~ЍC9FVf9e)pU/ZG5Ȋjȧ==?>PBƗ(F>)h^U ZQtݴzCzܙ 4h|ooH{ɳ5RNdlTxdw9ix^D@[L~3~Mشf`q&[\VNե/D n! teqK7Rso<+|"3x.3Z<\"BG21L:C4jD(4IЈmV*EW7PB4_|e%R\, +VA˒5UaʉD)HDe];J9F+@7Ԓ"i'O'wuKZ_@[>m -'p>I)|_LQ)02.GgI_ji!1x>gͳ VD\)&V\TC 0O]jMc pgZWYu9B-\W ha5|kY@j(ݲ%)N!q ١^qgr^7 ANUL-2Ԡ1ݖ-L Y}.$OQHBxE,"u)2:ōլ&XNIz ڨD6M;F\4XlT2=oϝ 4r&rw$гa֮3dF9τ!}+˽퓼'[~feDPϤImX̊R.$O7 (`Kl'* |H; fF\fj#`=1+ZO7BY~E׷Ndmvzf-wO~!A]%+Q/Փܝ#VӿWG1O*f³ Et!"쉽^Y&qrή`HۂZo^d0t *!iɑ{Eż}k)N68kTh 6z/|G+b'K2\c3LM@…;({3~؇ۖơ+9FT%s_`xwgӮm lF}k5p`ƅʊo?j()&I p!ԌOq 0NꢿʖQeRhP /0IQF5*Iu0g"E""a+nUxJ#;1Q LmCX;Uڭ2jxl?\q؞!֭ߙ̭K5c3`0 EPdU?\cxd)ڶnԁDuP#Wf?ʖdwf?:L&$@Ǯҋ5ͳ4uQ03@?yL09DCwlZ?vLG'Sj]MzMF:BY NSL؉#iL]<;A4Úb=ٲ TDi5H"cf=XD!=XE8i 2BZP`8_/0Rv 3"ѵ)*Z(VHU?Q j'3𲷺<,xX S.bߛtިb'`E7Ã/$i-s+"P,jŃWB~v̾9aA5;1 5 %eƣB`bjN8 B*#urrl[cYrYf̊$ӳ S Ggwv  ߻tx'I3|:~j9l4di=ȥz!ձ튧rIB[ a]/C/ϛϨo-  Df <#tCEjIڟFf?qzcP8נ3I ǫg%4V\4$j3.HǕt)R$n<ϭccr)ڝ ij F\6~Y蘐|ϱ4IbɏҎN@ԒF1x+ Ei~]+.2?1ײRP,EP5ج>Nn]̊LcPA!$w1V&! kUR#1Ta}i*6-]Y^oq4R]oc ?Q +/{0luDI w8 x_I0ƍô@Ú/sc'f' y6=1RU]\A\3_k~KVV0)|Tt<+fv'DË#.iS s<9J5Tg#F{Z{kfb̯nXٽ}M. YSs` %a0uwT6=FtH%3ί9ЇCŰxCP9|;V6 HFX`k"u^mGY'jec{b P=弦g_q>eNxk% 3T`aQ @bkOjǖX-'\K>n{&?|^IM^q4]Wja9L$_1Fq@?ITQ!h'j=ɀG:)0էb/`$8_Oތ Ci/1 1\'>L׼jDvXA1^.{9!W KzWD #ЇYơQ f U( SF!n^Y921+1$,Z?i- h!I’՞m$. |.zU P<vb V$x5dGї_,0ϫOL{Bxa qї'44LKqȩ'X=T4%zs$5%q ;5pq+8| MmJrN!GY,*υ}i9/ā.bMqB\gߎ~N~,sQ|6ΐaLXn"qT/02ErIx46GBoPT:[Qȱ=RRb~oۙF+L6UJ-stT mʛRAjblPpJ{e96'4gPxYrs>%x]WiaıOXXqvM"#Ȃ!وa[F!CVޥ8b z'hL evYљ$ߚn1s@E&܀n4Xh*->er j`fXyA{,]x:*cVB3cR.ދYt6o1M,rQ- Y{ v5+/nP`NGojT j%xKnBoN>A.GBm vQٜ븵Z;.DoF)9Uj( ݯbZecfjUcYU))Dq3HZ8|DVgݽDy=a0 N!!OJ(_k֕ӈQhq߂J{$\N cGA"9 [0yq& VӀT+J_+0R݀BEB ]eG}豚\C2ؾC1׹ъE謇S J7)|eYX Xlo(uH$bOidd9aT7Yt,ަY<0d4LnJZy8S='e[q7,QO&OI/M?;ԽW?𔅽qWt?tχ` X%ַé*m(Zi&; ᗾ ޾|Z qߪrw<*6f4]4kGV caX>fQKQRuqW@XmߊSǂU+7?73rŇQVoL.k-ib/c%5u؍Қ• 20p"?02;54ϵi[ kLkIalL)e3ʹЫ(˷t>;"Hu<ħZ$,t{=s$w}-+潥~H׏;wl|1$p̠Ȋ6}]1[&h<#}?#Ü1zK 1&->Ϩ IKBN5w|Z*m]dq R[_A;uTAgum/?}CB$IF6Q_>Cwu {K漎\rtޅ4Ri| _>y?%_aG}{Ye<LYl~fd/B@[[8MZ?`N!D'egyӯՒy:*}ЉH~OvGZ+찒ak$߆R|Ǫ/ ȅalg, :ZW Kz(X5sL9N`0޸YGhM|hI4,[B%2E?ѣ&j9| [)_ 3PUHipp $k2<~PCiXׂu^~? gq}4,/K|<M C_#NB F>盠U>3.gutٲ8)P2,Q{蛙c*x3,b\@SXA,lS qLUڧ$"qy/^[B xȍ /lUV*UV\9|^υ 2`_Vޕ䍅<ɲ밑mkz8m*un?܌*s1 63 dF4B Tm'fdpNs'N;4wЍ׃ײ3Y sa&+mAǞ,\7uRYA8=XH1O%I7EдF⫔M_>ـs+0!Ǟo:Y;n{Zn\_fRVdKiAӓC$Or ^{~.1N[ q<@f>bR`.Zr=(81m[Q9Iv{ JZH nrU?y\ZMmvm7@Mb lZ*[f1ee!hb{i(Dz Өf\ ɬ̀3'67 1CGۊ"ʑMl\X_'fe#>Rwt\e5 l,j][NЄ#eB-!mL6-!h߮1268D˛'.ZI/=j}7B; s/*,H֊=GISIUiL~ny(DRh<N9_ oeʵ)۱ nʩ="i.1t%s{ s/%#ÓE:5\[M7j;L'˺wNbC GYW)VefTi%8/>y_\O#2azg.BCq98mxKؽcVw9.,ZŜ_9G 3R\4<f8rΑ閭G$r~gn1XlDU߮XPScG`$k!QtpIW?t. PǸN;̈{:;I"TjPgg}?8rϪk?CY H)8c y,EWÝm'oE9!<:U7M" Qnm |1'rTYH{.]F {o]}JnW,|ICr :z !h*9"^vj#^^DF{LmӉ%EuIc1zr $nέ@ *Wg; (sAmp^6AE7+/(_7L4D`xFWrbzEoP5D2/`Rؐ 4EQ~(Dobtѓq#lyVߨsMZsw,^~nRK;V2-U [ZśC /6o.kȆP26΃Ծug#bS6!>?eRƼ@n|s\meepG! u_"2}G+YI *Om5,sϼTK6 _iksiq v-kiҜВmK]Y;j@̽MVg=gΕZn!?wFuaSH7~)Px׼|>%6Jxɰ nI^g$u# 41#b|t>^-ě_B1 bq7pqk Tm?5zg2t 9\G|"[wdrimuP͂oբ"l'fVw<1E.ݛC*Tw8-'sRjL 25,CBQc-h49+)ki7{6=szr.Bt㗼!h9}}~K!AfHxZuJ6V5Bͫ4-UJQBm,]`:Y,-jVu_@^:B(8kG8{(dz9w"߬ZSW3%LĎp 6/޸\V9Udjo5ʁ6':i:E26"Env.Yeϙ7qq8Y%maTS7mff $Ub3  x#h/w'|{hBݛ+X}CS%mFi[zb,CH].Aٶ3ߺIduYZYUҙ'ν3Ul Fo Cn6Reebv|E{$̇Th%<:Exn1环F C>D]hYja-w'MŠ2}3EHbu l>8iǿ硊H^@*eSo6E WiS;-IJs¢*?8.W7Cۍx z03kw'E ]vBo~coEPKkp;sZQϖb. {<6Æ&P*9͚jeRT䠞jGNvϝ~wS(x'ݬ@-6!FEUO=&'S;Bg\!e$o"Q,޴հDp/ZG_3cmA7xU ؃4x49OQv TlFs:-X)E]-"l,j[%v[xVh(KƉO C6="IPq䤕z\DMgJ {Ȏ%eǫ&uˋ(pE%(f_̂5hgly?X ,VT~l]"1A]yFOkoBzTPDM;= i3QU=Bu+\Q43.M,_i lzgH-@o TIٖHk.ʩoM}VMFO6ȅ LF&nkY֣I-g]6Q'lu+ OH? /lYE<=x KSn_~&Evpc7#2smz-7L=y/O]tl+ uqE:Ѥ[zI: jнǎYgyA/*-&RZzzI@|Fӊ4eX@+77fVv '@to,RiB! 8/)BHd4j6 hq3/nP3(R.l$5`>=#Aq`zW,FUخd)΢y̦e R4=I3h@pgYW!<# 6FZqNuUV,e^[riSMFҍ4[J6؄j^ thM&)9qSيEm ,cҽ >` KZ#pn0wmSF8I{2c.5EP wgg6hM7uXwzȮkyB ©CRp( ilTtM#GgVvsj%*bGm>Ek8ϣ G@pVuaHҷ\A-S*08XU5X%jwlx6%|ˉΗ}3j@j^))=#yZe+e0}Ow{9Eey1cʈނٓ쁨kh<;WPIPT`z-Qk T4j~u,Gb 5K&nuӢ5TyL@/:)ch<ƅ|Ld\AzMl{ř*<(8G®}" `ufdNDjz=//^z1Rn-JMvD"P#:+/Tow&жQ4[:^K?#}aˆ cȤ#D,;cD|H3ؠߎ"l ӢC &m[(㰻kx߈5Tț[( ᡫ2lI^?B3A\35:(Og&QnêMk qzg#(̩mf߬ھ^- PašgbwGMtC}~[ޮDfhxLF1 =BE?^(ۼSQf-ْK5y+]'嵃A2Zx^DX*U.<G>fJ ]c  =9ہZܤ .@lkTX1I²|eOBz4bY]WClMpEƕbY~g?O$Xd1C`?~פFOM;ԣFy9U=ǿ-v8RjgeCli|k~4(LHyi9d?H$?Q{$iZ~tG.x/NT[#-Ȭ<}P9]D/Z4ܞnj,fnIgv1وBՋj1="2ItkT ,•¼8Q6"j].OD*Nx%s11֬B]U{+vȻ)@}qYA)= +2I /rX!Y{"RA02d *"7{e6/d~SR)ydK) Rm,vH _MU eڽ)ۃ,w&՘cn`WEHFfjqsYJM@Iy wK_-*r;,a>OjH' ^7"DɸKm%J&yhG#qվ'R ?}Sf֧W HS7bU䷬וߘZ,mz^DM좕'ލD,D(0\ Wg ]hY$S piá 6Bp";%oW*IsE86-}RvD9vG/OۻN\ch Q )EWLB ~2L~HTRT6)VRg萝}{ڂAĢ0I&PjŰ|wOba_('ޛ` +/M$zHS|9l'̩XeF Pͳ/\ ? ,ȣ`wz `yntYzih_y$s? #\[ X3smPki}:!B܀}GǕ'4"ģhLh{<Υ> ]Ũ^N} 1ZlS3ddrRaItY%!לW-U+7 ^:?ƅuC2J#]rhz8-ukJRM&#\Ĺ e$&ͤT$~L2o ;;㶆=icei1ܔ7J Vr*^ݝ(Kc|GvbO&d{eq3̹N1L6aj"HLHܘ??%{@(N:<7zfH?pu-EBntk#ma˲ķ+eym_̮̭Ĥp|LE]Ւ#DDuuuf/rAǛ}l1.j12c6[ X%  yMrə]g,06*÷j ojp}W(rk&Ct*b:-}y/xW&Mh V|= ~ ֿ0]"Vt&}2] < h:M珐u׾CW*>~íd}8ݣ>:~-ss?]+R4bw7 {*i8%LTJE"2 ~-w& rbeD2Lb&k!ӯ3tZp~0CJ8Xt>:JSs1Lc&RJAS`H30*Њ B9N$!*(G3f^n<çgjD$ Ii6ZTNǞITBƝ7B*Z@ S`tP9G9Q:y?<Ħ0Eh]vV.?,r7FTmZ\ٴ gfiXۙ M+nhp(2 %.I]KX $AFNAQ6 K 1c2d -pVnNggp@>5)OI .KJX߈?pD4`O]~{oHJ1~b2ɺK6A4brjOKz/@vE 麿 ſ\"mD Z}ϰGc-\p:=1ʍmR,A ά T/X z>rwCstWNMȮAPօ7D Fn䐯 y@_l+@f{ ;5Gk@İ`, *RD"o?=<i 5h =֗t qBO"il&N!@A۬ΈiRZZDoT[A\&)(VB27UQ=;_Il"ה_u=N W3[rqJ$B `u4.jLR+FZ ͒!hF'*62v͗;_Qj3R:z3ZM#G\F߅5t ƁQPǬ(* C}p{NL{n$bd%e4MJ-S4̽})GJj-қ?< l!@+dΎ p q*s9;2aXrkN+eR~5aսC]ISjZb&?=X!R(Xs kw'Ahes$2^uT[~&@peL b{[SCb'&.Q!0b56 W:(~yxPuD+YLсv !F۬NP8,Z}"pES=X5y)Z9=c܁dHv16u/3$iitnlf*x]?nkeBƤ(vd@ pv'OHbRw=ԙh=MWLL"}k؁p}Z@:٨o|Ư C\+!w:q+/sFpf/Jl̙D큇gi+x:n_%`3иz`ye#Yf8j*հzb :7%N/ C ;n{6RU8)r{yq0s\eT̽R?H3m ?Z:;ʐwkQ`j!XG)6}95|=xqǑvdpV㬮j[P ^,_o1i yx7])j cw 0߾(h^@)}v 1%($OZQ#zmT`%p;S@EsvLN7(ms܅BXAc+m A4P?-I\5q>"i\.~t:{DDjt6l=o}u 4FP; nBg+?|+vzUxUt~\>[62 }ykDz;&03u \ 1D>mL>gx @8-\X* (%]sm 8N}b8S-LtMcjA|u!CEs \2Mpu7ǜd7Hb{n)1n[H΍$,u$8I!_t󑅼K,W۱@z,PJ*/GhnLXmՓ:'nRMT$| lӮB.}ؙyw>*lnRd||a/+ r% _IxgB@O1p0ABc'8fKSW 8̗Ճ8]4봺ad:b>u=(ݦRUzOYxyRaPMX[_\?k14u==T/>;Go 0 Ĉ&I)g0؟Mٶi(;'`gYƋ"^& Kv:=- H/u͊ly'*ߠ},ih-^jU>`1E&g fu0ƙsq /Cnض'ˊh>^!lfB:ˁM|b^f';]'ޗ;T`kfH[E@>4rmDKoz% "CCIX2ҿ|;dcRPMXp6g GuiU>鞤bMsy4ء6E ?b+=ItHQCh",_[Pz(;v[EveJ5,jI)>-*:=qg'I_ BL.U=,QP m%]LMqf% /<,GHw,Q} F\?̔<Pvp/" d7ӘI9dI|Ns~R|&>J4(9*߳0MEHS\ڊyݍbӝ>^mZ Wrѯ;4Mw5?:&`a Xs7ߖgT 2< E<ȏA,#wBw7_GM/\=imTg?d_-!+TacS#&{e#4Ȑ1{]FyORWZ7Zvv +B%c?\?7UEq?#?[9}f/hHl9B_s絋!0Fu͛Mޚ8>C哵·D+~Pđ+ܤ0*B}4OHΛ]MH?֑RClo W;~ǂ;*f>

3r6'4c$8.\Z% i[~9 WP]uV;H/NaK^eUmuCayose3gtRot/g҆~i͝0.ٷ.Y ꑮo`L!fԤ40t_s?߁(~ o |0Ԉf/n5֔Ңs$Fio~7_C@ڪlE)5ds,xމKJ~)=ò%sU*Hq[] rӲ$V?Y{^?/NQA υ7~3Һy&dCJRI:u4^8Dt?VB|Av&0tK5V_c`w^P6 5x@pngx}";B^ ip٨=W%87R[9D AP,esO+|?8-0 g=[]?Bn@%)r/$?=33ڟEq[U e+/ust+];inL'y*,?Gb-*7jn_h޷+]ͽOҨ d%W2r*{y$+tt!]}8^M&B,?utnYilp"5[bDo#{N)b@&Nbc nU 7`TSċȟr[ ["'\P/ڋRd gC' xQ9̸^y %@L˱R*?-bU w5?KND=VvYdn:㛠;j8[tq)aU. TT؉4 ؼ9$TnMjM汃g2Aa28{,0,3me! =t(zUxu) 3E%Y<ȳO30YY+(٭^XXP@tnW[ 2Tn=!Ǫzs?duµOp.ţA6 9ABw!u.ʋ)5Bj wY#GyR[EUhz4LD4H61$6B(R|G.ڑ%~%QTA_p`èkTl\i=A_H ΖƳ4Y-3Y⩢OSE6W`ߨm [djm!X;NjκI}luA TNmupUGRBD+!)%ABHl]-1n7ʬ %h[7vڴ zEkyh91}?:bE;Qi$iK `i^0[j)hI'ME [Yfh{#lQ|IRx;2Ouiͬ4d̈0{~[3xp:/f,#W;o= ?8CoEw ͝_\ do /dIR[t!$:*;՗Ÿj]`hJYqD=0̂%; ๆ㳒GEq~7Ԅ8`]UNُIUcv7u|ZOՆ>oKN }W k8!P]-jYh޴&NXn+]=*!`:&&7t!?W" TYi jq(T?; 'btfzZQk60˨Y}:_MQ_[)al%2G뫜%"lϔ%Gҍo^2e=9kO\-:r蒾3I"s~`!f-U;IH}clEB:ȒIs bOZVIxTZD,A4K+ԱZtqkL) f<ˣOzᢪ-Mp)z*,DԂ6O?3w;^w@US [t`|=0l2XIx JyɴGla,n?qX1}d³!Bn5A_rG7*n M&C`Qc*rqk|%u TkE:^~"ǖŗ.}C eCl&BC}&\Mf!͙W@b@t|%K9کR^`@ 4Lx),N  h00=e~xLLjǢaoVSqB1QWHO}VcZ /¿ERr<飌1<_JړE}>@Ǜ ˘^sߊ˗MʢlE9dAC{EƎ+\O_G_ziǗMǷ֮ʁ1dv-_d/OiϳLW{Fj}vHj]JO[}~Na&yN,1P#Dہ+ pTSQCN <> j]s Y~ľ@/ {{`CA<6YG.;Dꠌ67QAs/1&(1η%ۊ2WWy񥁪DY~pK8{(9KwNC`iާdC415\i` C)Q! u`EV\`Qq1uR p G3.``6gCPtsVAK|h813U- ?K18@K ѭ1UZ"CK"4f`f?7RBփW\c ʹ aV"t'k?3Ynky ijJ;= )rB;VY2A2=&Дwy=o8i꽙OP|M TlYM΢ r6B;.~Sn )~ 9=lWUu&7kEppV"d}ΰ!.1 VwiA,{ X!(&'ɀ)w9mn?_~ӱ ?-;25Ȗ* -.z YۇX+/fS‘hvw)^~WU3T?= {+z%ԸaY>)oPpRB\$ca_&Vy(ϋ[ KsI;Hѱ41;iޅÊy_j++C2ЂA̕NP|bnT _P1C7r/;:S]}| .bas9Db GVZ?4N4=h6{3ˊ0\tͺIj*/0=+T,lѷ5҇Nd\&d}2t&,cz๖F{(.Z[fzpfOHq16F[k7H&9:s , e vQ}6^k',VDtG~3bg m$08=NUOSe TgVp"b2SaGzD^0_@ [42(զYHCc-?YDTyPnҕ qK A3&MEQCY./|rR1GU*喒yw࠰ t]&`W.7OňDVCU2N|{ưֆBy$cxd5;Iv}g"3PN?`A:\؉^{zc?v {imY,X@]@0OVADW‹5I2 䄕URz{iVe0ϟZӕAHznB\Izx2gaN4ІAsPў2rMZ" JEW߿ۥ{8!疜fͷ̣YL'w)CL?>ȸ*!kIbLeI5,T$Z6W9@`l#Csb͔$& :&7.BP-;/ UhW*T҈!HѪ?tO[Z%HMttۻ] yom=qe`6ӌak8ͽtiRW_Em D"^j=N ~f6س5DPpզ@)^]ĝIXVgkK%9D H$]_U(6<9z3Jr5s2]Xa|Ȫ;j.8p[;{ ECkhPs^.?mHrS* BWQP{SLgْ4kU0CM tAI iQ5vd\mthU57~\کZa`Z9R|M#/yuuE7nkXCҢB9W57)NP7}zlPֺ֝s:R1Q-C+p%: e&RE=`CF֬>]y۽NKF&tm J\> $@J$;D*i R8xPC܏Rpϴ4-L7Ob!WP 0e6f?L?b y<">V R(-Yl lW:ӗ Mo7ݲGHd@K48w2F$=,9ms-SљњZI֊_~ܬLQDK,h` 5]k]ʅa c P r'1;K]/8@B<$Dsd@N]Q"Xog *B1ȡV"o" FY9c[;%C͛6vg.i>o[LcvSB COK)`??<>O[(57+bN>|9!]ŲC`4,!Ocx18 Hv] =ܲPdA, l;i^`so^;l9LSfb3A|t;)Yjq(pd=[ VѮF .Eyc`{lB ;d|%P&^Ԇ K|$]0RczΞO8dYT|Dek5, gR|+&VIlO DAAvehfu[ֵT~zҀg/Tj~JDT*CF s`&^bwh\!qjI|xGyoAFT.+,"5 wKXC *AaUps['`_;g& Kҵ2p ܖ $N5t<9$c7"sҿPkXP$,CIQt,ٷ@j˄'2lF{Ϗ\BmINQZqMޙrp (2֛@[^hDqeL3c̔$xF4"(ëB| `ѨM۽_б WQ-=sŬ ?kw͢7+г~h6G^yR7 Rv7+/3RУ[[L=2x3:YUp j '̅jT{TZ`;ֹWAI/hnkM. ,s+zʏd[1-aWS@w?߳>gA6A61.\ ZcnzThW[:iAP7/2Ll{`Ŷ@w#|tZj뉯yӦAm53κ t:B1d`Q~i%ŧN:~ ~ ]ÿWcb@1SqtʲRVSM+) %&/I$Noj 4O:DD4OEh!/[Q=&׵gKN7k`usu٣P~-$!ϱwAЉaS@"AnPr31j&f-ZN\b"ḙ: @58&Ǹׯ:U@w0`DC!JIWM@Ĺ4*4Iђ}1V\W- P;4`R?p*6yk0A,Pmy5v$V߆+ A!АІo,|;3z3$' {&K'Ej5BtngDnJ;8| y,c=`U3[F?T}cfV%XL0i^jz5 3CB3~}3.ŋF'oQk@`U-'L6tje -k> ƚFMeK*4:ثeHb/O=URq߻> hSIi}p[Qo4_$ EF+H.@5" 9z6/´ nEO;W|8 Ě#s7ÓW*ȍgiUlٜӌ5^^y L^#X&Fqcm,-[53㭛 i&l>;I!Жp+Ğ!]Aͼl,O, {.pRZs=4Gˢy[2:Ϩu1撚[1BmegUb$i3Wi- hR-)Ӱ/o\D%yڱD`g׺2Əf-! 9 /#1YWC(=-)5 #)d/d;(ݜpB|.[7"Iqr'&M<@ުn a1>ATiQgaʂ%g|'PRbP>.k\il./*oŰQnlUIQW.E.{F*+BU޻?^09/o{A7S͹nZD• @-m])֎)V)7^X@(DKcc| Gkγ_TztS\ +~:p0B^mo_2ynX)>`{%h}>R9 `,egܠ:C%̭8Lew:r-@V۴u^e$~ɽQw|3^S@n8 XSwGͼпHtjh̻W=uj6Pm^+T4 aoOiHi&aQal÷(ϔi"-o,4k:ybiG+0R [&НLCL0CJ{N<#VW?|RF5l~_/!y;}1m V xh %S.owM֪K.[cc`x)>zvE TMΧ& נ| >(+ L|2hi B&4B0̳ӑV;wl:XwP#lC(I[c3ı.h-([:G+pc8P)ĝyJ= D 2a#`Ǯ ʖ[)K{7A.j+ӳ`VԧY []'~U P/2w TqϭUL%9L_X6!/h7 klc4ST z' *mjzD0j5fQJ>j\M.EA2jbO}yppӉ9wߜXEov92WN]rq>߂a^띀2f{ cAhbT ; X BnQL)XL,yUU@YwHWmj:ļT8_u1V.RH|xGy-;'.%«\TqZX: e$,I+wx`ѝԁ2a?rȏP! 0ubm$=t/IIm"ALݡ}RlUwy7н&򹶥4]-WE!\䂂7l;UG'JVޡJ%dzExw4i<}@B؉l%x]_wBٗYȕildm6g?bly,0pt'K2Ww] ?]V h+O7 %;MZlx˱3b}7N;ҪWʛSbiw G9Ť4RIgX~etc(= kkny慜>)`ρjP2q]JGw QЧ$#/Dwǐpߣ(0cɳ-NOt=&6nЕɾ ?@wa_@`0iAj`@6L $K7>sy.1ªgAXd^N2q.7\_GsNpyò{xyuFf'9}Q|{&Pb$DrhNUKv:J/O?BZNd("E񴑙rJqHY)먮Q#d8[@E[:U۴e6KZ0nn==|Q'8CR\PĄeBg`"\ئ^mhqEt4V5J \zuo6 {H6nJ\xGy9F^ߝAIWb Ldͤ;MUi^8\k|}vC2­0zr#Fuհ,()W>eu ڔ;U!@|*3T*}ճ2U_ح @iUj6|Os9Sn0)ypyGu٥/\W[*ZoQ -9x|ZerH7y9G7yʯ]ڊ?TND&(FZf.g P_> J.0񃎍@:!+y絋y-._{} prbzݜ@D!DN4= ˋڜm!ܖDf&C5:|csA"gF6ڨ '; g.Ь-7Sp*tJbn9B`\< ¿w'VY0tKI}gO[qf]>\yOKgx[3u:Ҹ}[Qv2kҷ`͹D CF݆62%üHd _mnL_E&b{& Y(xQavϣdJ/t震'v0XqFRRBQ*H9c!Nv{t$76&DFLo, K|A!`m{@2@ σ:C!7'U}5ǮŰȗu$dd' 㱶/9 Mq Ovk @R݀FIһ~SmU_T)ta,H")0#39$"CM֨Y]ct7KQeO\a_鄺b.f"T[09wWHsQyGx#~^F~L?pT-r'e1([=l5hؑ*N(C,x>f=irems@knmtN*Y9ݠ4ea>ED mg)ŧ>tKܒT-t-e$g"\BjK1ʋ1[<V>ERd5hl>> >*3xAYGɍPŋ{TI4`—.\x*RP@ßT: ҺT aN7LMSclQGdtod>cP8,B/ɸtа($]bce耵Ӈbbj̗Ű}rT"v;~*"V.j*&~6XFyr~48*సݫlސ\voO&]z4biosg;^+ rL+X*6Gg.ǝ!e|wnX)/p&{ P$XB1P݁=5%gU;;Ɇv )RfU>EXi!%`_.p"tw@ߥcc:kA(g bȕWq'LoF ȋG 1TLBq>nUH2γ!"a)l2r Vdas1'!&p CxvD EOam*(ED4At{_R'n$2$vA=ym2fSpK2z~|x`a؜(Gt32*~gߤ#@'ʆvlZ^]ATO#d4(D9==3ՏM&8jX(z_5yk\۸BLb<~R]}fם^o C[ 1܈;CY*p 6 д7e$?(ČOp.%D)KvZ䈪䀢Y/doj$Tsxċh1vJ7rY_bFw_Ԕ-;qx%7L73mJre";i%IAᝪ -%%^!0ٝ_7+= s։ǹfc aĹ*yu,{O-@F 5˼s:K:%!PZ v]YYq +أeIH1[lC kUetbAJ-lĀ^Qd%ZR"xUt׳YDL? M'Ua_4GAJsxc?_H&*Xo3qBB;+{ x0(<081 cLzh'< :$0]*4V&R}_kčp4dJWі1y'c$,2 ,m$&)Q`Mn/lw>$xg+뫔(D~)x<"I~{\pksmw<>$1Gilv{MuJhW7~!rxy9SjQ1`W Io*gI7;6fk{Nj)1-kG1xm'D|+ʾQ:0]פ>i]>x j 2"Om"[@&|v E×T#\iiA@JG}{$Iawx}K/)F*'7Njl6gL&:H!F\ ^2*ynV,u4Z@~1%:U:V +ԕ7Bd%z1 q0m+e[Qpʒ>#lT$0X~گ@,DE^ZPzId㎌z*fLzC%74} :Ts+UGw:a3{;/znMpX%BX1F%lEdʚ쪯L:鰦%JO5@&;*/݊ZXs%>q*:yX*(O&;uz2ݞN՜?eqbiEޯ9hVpA%ffe3_0C#ǮyUuj.ۂ#s $Dxe)On{M$qE; ИWH'Xv%*EIL)H D}؜aXe=S.9ڋXV0Jb CP2I Mmm,>%@1*A;&5\9w4E lb2__jhB)S,LqѮ>~h5- _"o'Ip|ULL#"ʩ[^@uA36b i͍кnlF~-݀;1˳hڜI/Fxqïۺ$',Ę>0FűUOw)uZU[ #v'v+GӡN@jEZ9jFMWEй(ۡےz2gcސ3"?m7 tGrb dL;-zF .u}㪭8?2豜UOꓒ#*,}@^z4 za% a'WH@ #e cr!-[AFjYYC Z%HTy-YAN?<8j!&j6dJ 6+C춤$<kVnP Kqf[&E"ʇT+J.1Q@7[D }4uwW ʔ@*5C4ئ n4Z 8,%gEIvǪDUZ,?Ƒƕecf?ҵ>-pB()yDG+v+N u6ѧ(hwE]T2(k쨍] `RHr{GSH|_F\ꕁQ䬃4|/l9{+l6@.+Y ak1o;zk@[XZuw]xIZ[ȞLJ1ukOp~+&`hVr؁4 6myʹé#(iX,)24&-#8b>S{5p[l7 Blɥc1dZP+0_#Ҿ{F,fo[=ݝ21#eUTjZ} Fr֞%ni,Hg3XSA/kϤL^ &v |zM,23`jL\x׃]3~x`EMp-sB+^ 6n]gݮH ^u_%7ڭqT_D\=o~[on lm Kij{+*xd4(ݍEDu/t+YЈ<w[y2ϊWp.%DIB%2mqR> ÅSL〪R+@Ŝ[e ߼U8__+J47B:CJXS=Kjpx(iUki73-IO'[=,IΦ3;ZPmےӴJp9tv{ؽtr2̶i,\FǪ+fHFVF`#Қy0KJ\í_.&ttM^XxPRkE3h!ʠxji7utKoWk<< &v6NF$dЁGGe1ТZ౩ ("ӵ%ZԵqv-ŝt^]HQto/ HE+Nyt#(?RABiYA}ޅGdEy=Z4@~P%ϑ"}b]UyNPnDd g/2ЁXbYٞEF*Dl&]ukQ~H[]~6GB[(`u'VKvtEJBQCaHeF hFѓr ۝wx@#qY H scmrHvB.1^b~c5+ct'kV* 䎥1/Klo) EtwYñ{=h>. ̀/7h|FFgN^ J% Ѧ֜Kj-܎ -M7 w*oR%s>;Mx" \l .KJw2PȢN5"FXm+nM#~Ԣ|@:̠j%ұưT 9k<\a h!-MLW5Q>/,"@Rh|,kX-)Lmn S b4;[/wV$֬aK rE D~`䷴,^:7VYd޶>i !ҭ}a7P5?̀A Jx_)#Cr!S]cAQ@UwfUEC Ě\IAhMHh&W)J(xHX$0<2RBH.!)2* :]W3ӂy; SJYH>q"^ w qYR|^ oƌHW͹*vx,iݠRw۶.mODPQQFY LӢLuN.7Km^|:RMZ=.2$Z;^-,l֯mxRSCm^J`uJ"TD' qǭb4󲧾~,Q'A??İs꜠>;d4ݽsZ/ F'.Ɉr_TX]@jjjn{Ŗ 8I'Q.eFC۽t]CH ,fַ7ӢtV&ʤ[hU4yfÙF_F&e)Pvbxk 4osH.TΟ†[$:L%(D:{v-*NJoثup>~m".t9>JDR|i%'^qlJ@la¾ n~ё .8sM(̸n0.AE!B`cFZʉc8%^%`_Xb&Xѫ ~Ӊ%%oj98uPsẽc>T ܖ|Ӑù`޻ОN)E|Ui$pN}&ނb`L_0R8[PYc鞢3U9coFLT&oCBIv~T^k9/Q.Kkaj~ITdi _V1g =4ػ9$Z>[7!ͭv@&OmkO}F%sF7qֿ~%%Wk~;57=@u3~YDzQwE(گ1."+029T$;2_2wɈEvL`-.ҦVqzz*-z0H5 !_-YFy'}>ߠcmNȆ"#tDFq/&hA衡3,m%GW~#%z{>jbD˭3\1X%tXH⾣ͤbDxz_s *YGGL/}KORV;N;cn\w56H<2[U6ѡpXOH)UdH Bc2].=L1|/ֵH-}`'. n?~YUFZ `I(b13+H^9ŖTpLu$ |~(Y棤v6nJE{"s{kxujUđ ,>[+9Ky7w1ӇH |eXK0J\LH_K| T ]sJ֠6<$pErӷi<)'sMBDSFثO C҂o`Ф_zVoBpR /0FEt%=O 0ڳ,d#\Eu' bD1`ƶlh=ʗdt)G PԣC07[{_G%# p85SAbvcGY"wzjCx_|:naI ѿ hDvLL`Y& vRdϴ"f8FGD!#[o,wt\Jx0 1ZKS!b V b'TTWmEws7KU8BLӐcsJq(XTB@*@#%Me4Yxkd@)rI󋅘?EY9?D +G֘(l:927$ /HǙԖK=@70`cycS\* r2Mܙ©Y qi(X > ɗI>4ctHy>0=5b:”Id\/MK!sGpHGRfZph"X̣^Ay+s -u'E9'Ƚ޶ kepN0|) L}" :)N;7՞">' .ly|Ffje1(&htl@G/?50k?E~(SD@{Esr ҠmN:G#pxPɻba9Y#Z~vT6QxCOC61hzPcsqL]ly L}ۑ<0z447F6ӭ '9%Śdm #g- u,s<)7zV3Pt LX<7 "0v5Ff>/3:ł44x H')L;Vew7C)3߯1̃I茖 `|A1BqoX@zvtW ymռiZdP\~~;K2?>P2Ԃ1k4wCPd )p+U=Y`氁iZ(v{N#M1#cܨ }yc+o q2U<0q'[KL.cW|~q*_˿}&CEf/i]5p"b-,ԚP㉊4EϷ,͖ @rgȆJu`'m=k[ CWN8([_Agny~eL4ї|Ie;e򶕴±\C" ~!Q${-Q^~pgKAbNoP=-]aW~tsl]9KP0ä%3d/`#;xԪe]Dnq<T2PKEgMϭ))hF}:3j#/bQЉķkہ_s^{`k¹; w\=kzFR3xUt끠`tT[33ee@'jH|d#~X@;**IO]N0 W{@J >lu0F(=Vn7eY$k#S=.,4Q4̶suVM}TLX XeO DVR{='fri9n* 1cSY1qn/)K4S>c# sYo̫!C"Qj@u͟3.='у8F<.l^^Ju߈f\9.=BWԉ?Ӥe?/r<YCNdg4te{EK}sØc0غjp-Λn;Wd-!wgw.ʌ6VTA-7LW1ȿ a`~I~aa6ƪL(tQelWka?Ƅ;=\;80Klp[=v.!(NMd\hk}scT\QmDl6s5yY=уu|]!3FD`p߶"Ktl( B6[3'"[i;N\"1Yx бo>eUcQ,(1*5%+1=*c)ljFysy C/ߡge-54q!>_v?pQ-7Po.UJ*<^%i1˔")IxPWG[v<)А+RldSHƍ/AFl-5YICKls+,w5,^y[@+jK+[~n^, ^ptŦ sΟ{ ,ж5Yj )I+Sާw.ɇ)mub7ؙj}ᜋz||XGt,Q.|J0pƒt[aKNqX=,yBHjgJj&%]E(OtP jKuI#2iIN.3𽶅f: . #UeN?0ƞTt5<[I=rM;9n9  I?> azS ^vrK>|ch2k;/v|uҶF8l`TUx,=; 'mtuQmGZ(f 7V.=F}+Gζt7-6E 4c|L˖ٝ=!oqEf=Д9aEnPcF.$AOC 1_`a l #dKJ~CgqaV38YT'C]߷0Z9t4F*v,ȤH+-.V;&9QЙ-ʮ=IrG'f㥍+"gAH.抆H5vGo"mk]LA5Í(79z1 DQ'>ZLmx|_`S7vXU!Rb\iwzjqVmG&pDaMx;$ļͮ4HOC*I[X$CƄ%۟Vn Mx1IT4CR'A[UÅwN'zp7NC gʪ#-~ oVlwǍh[X# ɢC_tBMEh>U*c=<̰Cԕkb&Rikp>R">υ3 eF)5~~]7/{-P6dW,٫ O]$酹[Jld챛.h+PK2ށ]\s^GM mO 1UD{0qn'KMaP̵q m_ A{R\8{^iG> Eh@,;8s}+b 躦@&fGnuLE\S)[4.I|BRˍq(Jc,(<$͞,a AF  dL5"ނ;X A` h~ӲDB=~KڪaHX&˨Y]h DRB"X͵dr({xŒP(U}`qIDiOtfCCr{}L4iZLC9.1ח: 軝:ZZujLg;$@YwJw9t{=NNx:L;RoGMܸ0=#awe7m ^_"hzCє kaZXQͣ~✖AÃpkǨ(~Y <0hv 'C@*Jfxq(spix!?mܯ<3J*n1zh{^hK爄RX*w~lcvi+:Ib#{kJK ltN07;p%b3>/)\VTp"IMl0+.'P@9,B^@RF. Ft '#狔~C_vU 66UR*QifF+eV\׾8 MUTM(Th*Bֽpβ" xI0-`Fgj=x_}ii#s!/|R~Y)-xAp4~:uL4QubRlκx, 1)CQaç 2Ӯ``sd.uQ1IF#h47~с~3:=! Ե[`t8' 3 Q1m]RANՒx4M^Hb ^C J=3kdTBB,mnۙx~@<49K4PZ#=[tv""mt  Eiڪ7~%6gzI%{kBtͺT?([3n|RX!͖AzyIP7>h1sEe.V]Oe \´K..YLT 4sb, @US /on~[vjLMO]y;d&&z:aIl(Cf R%,FN*XJ@$YkԒfc~c2 \N$dBRGiz akʶX𡥼M/N;$Xd2 mZ'W:2St^Gt%M56YMp 1LPNnsƹ{0!(Y$GJ)g$r L}qɄsbb4dJ=?Jlҿ^y)=ܪo <_CU}[rf<.z`@ÓT<n ̣i`Taqf}iO?"moTbA?75T75Y \?_c!&^iAl-"avSH=ˍb',J@z[t/[Z'M Bδ{~"Cg~ѰZ.t*R< Z1{I1z37۸yjzt7Yq 8L ?Ō4Nę_0u cwpR0/?Db@I⩴^Q~|}7m!b~En+ìVBN]7e4C7)zh5w=!f57մ ,Ǔԃ95vec '4(-ʀs\׋rG!8\DFq=Sz>6wpn~.<=J㷁WF?+J-Qn519>l(fF3h{(<°`X%K|`28f U Ã>ѥl&6>'-?]JlAL)IayXYzNWl+9=T_z/zؗ$i\aH4Af VhS'I]L)#Kf܅zy:҂H6jpRrTzvސ>kҞ:/^]ggO 9_1BfmUmK yƨp3d^1fvD"3(KÔbR :٭jt68c#6`P7eLiUzSԻg : 玟ߤRumNKшP{!y#æ]) rtwa7&Vidи3Q*D{ҠZ5D "thU6ڀRIjg dOaM\F:?Є)/rom4ɒK۞=%ߍ9g0ۈ3 vɂ[N=jc3+Bg/a- 2J8 b,f<0NkӆϨҲqtUI At!-K!w|z%"]*C 62x>G~;hYrOEtC#0tc&LvNA@h)H5o-OLݧ;0|do=?K0Y$t # 2HiD W㜋-R˭W DBlUF\0{Q^b㯞`JOJ%"]^_ !}e(Qfq⩿L?G6oDأC7XD1Z5tU` -̔N:Q /FAP.LRn(>dC0y8C+%t1;BѼkh sbh۷Vd+ihe Y E^bJci &lR?F΁ST !m$`fN Okꚛم94n7 BDq㍜]`A!+woRUڷC^(K{?3& G t'Z&NUTY{h`OFȬkz4ˏ+Uu<@}DPT]EDWn3S9Z4X]r2!̕h6z (EZKS4s'qH *P d,iU-b\mP KT`Dhv]乨!~8VW&=׉rIuՠI8I`@H< m-Wfk9:{LbB\L"?~F@m Ɇ[瞠..c,0X~i@an 7̕Aa< V@7nqv'3qJ@QҢ^oF/3.S):*&uVˌ?/#𥷞@r>ٜƤ/U m 8ڗ?:cWn+||9%|Be9 Y3οtA̙GDV x8}xpA&܃_-vwmQBpaJhe}m|/UBe"5q<8tB_SM RSm6=;mg/PΡV6BŃ@jHhſG0Myd E^LDۖN2 sW+te|4E={7;[-iQ '*h,Xf[n'Ǚ%-7HTu]*-bcG[ @Z.nI3o^#0G׀̳V+Z wo*Wk\$q(vO ! =D 8ZSUstjE;2ܖRb8g/$?ӏ0Y'5=I2LN:=~$ToښʇyurmN NnEKv7 l뇴0iq\/[ LfbB4qƥ5S˶ЪrS"[+cLφ'5w[=`]ۡɊ^%(B<;^!gQ!I6&d˺QsZs1P>}LBӕ,9dSie$@vAn0/'?:.̄cZb  \NA"{,CwHA]U-KCz&L+Cj4`5`3Q,2~J˄cBKzɗfr>W8{ a Sb-&Hy^8x08Åp 6o;ة!\ Œ%-&CWuRعB5 *Ȫnz1b_ft1qIo"(nwQFyI{)HAiz>b=y8.r[6+e^dr$ #{n6s?3UAOM<ꏢ?mRNmzt'YtHhJ t6׈ wgtXAt=tzZ|Q&&҄4;eN?6"Z3ipO AdpLJI˒T o"8MA~ "YD[)OE;ktGoF֝bB[KWk?y[ )gy*e!OUcZmqN>ú65MϩM6T"Nv(%Q\?+]a $-FV*rY]&&SnI_hP9p:~qp\؀ sJ-MVڳ%@1UcÜg֞ X*n%XXڐ\up V$i];n+#뀰2n1 1p6<xmC/-{M.-ީ-"MC%l緬#̨1Z$[eCZ4YȡpygfR[xh/nkcMn 玶(i_Mٷ6X8Q4Yqc4&D,/Cx4s@ '6c)۴?Yp0T|k,6דƂ|>|Rk9ԜhFX`X,Lͥː{Q M_\/iɕ nGl*q*K f' SҼ&F ֹRC ^uFllwffG){ǥ(a'Цpn)$e(x l}?zzZO9Z G?9IK0\v,fYD+ C&XF`+dpfnl~ϙS9x:5 ]|XbHޯjޘaa;цeռ=,TXo>y7ĂSmyluZ1FLnP+`޶(Wڊc.-*C7M.lFYz9 Z NaUӂ &.-Z<آ[6GnAJAox,\Tu 4IšoE! p J2< CLކc͚9RiitITd;D Q^>6iq}Vh%Pg hd@<](GF&ݫ"e{^@IIuUu MWG")z'M 40 s$DdR(s{g*z^# -}:x'BdEgcVPz'r.Ó=A>`h[!zN^xTm5m_hJ=:,oy;LN"Fp+N *yKP9##Z63Vs~QEϝZh$,)۫AE$F7|d9l|# (]-5HZ:/76 ,!-3B5n;Gֿd:҅ql`*zW}pqI\piAn!b>?QfHÿOc<-Qv;L%D"JlWeu$.At57+?K8FB@OǬĬT#ˡn`A4Xl 닌| ufl%?.fN4'ns tִؗ<t(^Y:Infh!|r)UAH`jQ>`!~[h~>Y>Lj(|Su{/| "Ķ^jaݘZJjϹ:ÓBJLc^ܣ^XMW$qC

+YkF}H~Jm_ɞ_f$e*Y}mY7$ iGp%n*[o`e1u.!X2 (\0@O>պ̫#Aa_c1&J#9OL'$_ϔ5͇ձ:v4駳*+4!-3d֢5`ǬB kO!)\fXnUADf!P;G/!⅞7zt9>fR> 7EW#^6Z>ȩf+u̕%Ж` ÐXԩaa>Z}`n`f WU }82H SI:/؟#q{R([u*IaMzᙋ`R4 ш \g/_ 'mX -r1ܓwɐ7{,DSNSG&s]؛7EJ@s!!j% }ѝ\T134Ąj_:57h+{ Cy{Zobl |cM^|U^=ix޺8I7n"O~ܬi=An"6e"aّ{۳k|q&Zz^Ń調6j:tB"7là*#cW!u;D'!ލxNK Cb k+e3رJndcC&_qsCn,bIm"VC!7 3޹H]ӄQcaoF*BȦV/U,B2}u1}8; <+%˼[~8s;pDX;b *T{˸xgI9.*Bx%9'XZSTu5Pje0orP!;[I2@5ҎRj<ʃ3󒆃[q=(m ZL3PM cԼ*!AtQ&od!}Lhe; ~cT@L @,ԓ/FD)QHk՛ژN?_Uk!4Na/V{$ XA^bbt,MHtqUp{7ػ. B} [asTd$)y>3[szTͣQmB^]JM41;Kz؄}Na_2??9a{1,~ g🋙dB"X2Kx8*8!uĺZ}^xsV) :ŭ$$׼m - '4ˏ1+wԂSfaȕPms@=*sQ[_Q [J=rv_ 'zNT P]xθeOU.QqmKa=y``RrIʇSb|X˴S3+YBܴ8AFI6߮cžJ#̠".u FQ|g/?!wÆLY]k=ѩzO/O3Wث۝CFm U0ODz@j!`L`DqwWr>ޭ*UEk| 9*s%*^˾Eit(t* ,"-ڔ/'!<˿\mw3Te}"`Nʐ~I}fQkDf'q/: ­sRj&=Jjs2rޫOt@thlmx롢V4-n'wSr ly:-͊M/;Sm9)alEJ [`T>Z),scluy!0fJ ekㇴ%GΙ;O" C.9AKrrK5ߥߩ@?E|@K'P}$|鷓>˳V΀pibF0~\\TkAZ:|"YY3% T.~6aLc(&zB{g9lEG\D :Z5S2@c2o(C7:g -ٶJ~Cɝ/3,ҙaqE$c|*ZcؔG#?| )d$1Avx{:܃Ea\CXHc() ©9y8fc*I Lefݍ36>/Ԋ8T U\)\[,%G4NrM\^ƅfy߶18tY G8DЅ /KsYqU~-`v+*"wz1C$ }#Au@C~J&.J:L`fb+_ӻ =}UWe9u !#W7o\ynU z+Q5Q|h Q{??ߥڀW(rMdr?rv*UAgXӇFaOIS~S dvޜq~+sh ,gj$)l%" eH"طbE9񉃢S=V8hZWsSveesQKWX7iԡYGԑ46.JWn|h<%1U|6hR #ˏ j%l^6KΣӣ̲bw̍'`{1rz~j9@u$ÅQv:ԙxWP5..):~ފ]fO9llܳG8x)"}.ܺDFQvfJE{qymg>I$Е=eGB8N c+x!Pxҧ<}OØ>8 cWF́N UyU2yDh0Dڿm\!B(BdzmyA cu _Nl-wF+,VI 1?P,{>h-wXzIۋcu&|dr[2#v2Hߤ${0֯Tfo:qזUgafwdC1> |. ;`@S KX2] Eʰ ]aW#&x_jb y{-޷p^wMDL_2K*VlMߤepr37g>GC㞙O<$n0N -`CůO%+XTָyOn^LK9%}мyl}3O,:5.2Ѧ>>JXqciƀ*fő5=ܼ/5;Q޻ѤX}_,XdN1 kkF2;#W4xFѹ+ejEDIVQr+C0N0[.^4R AW Â`,~i+)Eي﹙MIwP`[¨TNA8`) @֟(H. BWaeB3 N &Q)iE?!QCag)GWppQ4CNʰUtX[…8y jZb?Aq"s~p {dEqMKX'xDn}kzaoڢjJ[}]fϭBZPLEfJ -J0Փ >^F|"z0$@^}/UQ)U%gϲhT-4zIeӪHDGn"/`QiQ(?Y }`"WuUx{b"dЍ@EQL1y%:6VOV=s)w'؛NY6P`g^w}̵zW"ѓshYK>Dy\s9-lZ$ MyS1@[6x,[^.DC˻CqTv] Nޣt{X>y); Ʌ˃)DO;.  qgHȔ9J [ΐK?%?ӴUO>=f}~ּ~K=>s6 ? >rʷs:.z]f5B]ÔltƔn8Al`Ϙj~v#K_;t 3rD|с>ڵY`UHr5/:ݲ=*%kn{W,峋H5ut]5\nO(^wahB7) /Zv!|'hQ-]T_ŸȀ ݕ735KN;uoxFX4esSQoܷPo!Tciv=:e|` ׽JH=2{`WA*  A3fk6Cܕr$ |(kgYR/E SEϪ%Ī닲{n?4𹒌K=@5;Q7|\9nSN̘!ȡg3o\Q%]Ohy1U rZQѸH.J9GU)Q_ЋhYVb^o] ai-`uX]kr|aq;+"3p e):àϡ^\h<+ G]Yv8ׯNH^: yPĴe}^#4w= SV^KY%:'=ImTKlYkWq!E`)| 0b Ms A{`ݾ~Ql[oe6pwaigx*u xLp.qTC=?uQȹ!|4ܥ䇶1ᰆ:!/o/V9\qB!ȉͥPV[;iS^ +V: -!Z#gha䜦x1_06fxu]mJ=XMǺ!=Y#ɽu7K05]A'Sno8`"/ "k8?6?zF5>R AؓցRg:RW3ЕQ0CEea ͎#Mld#B͡Ǘe3x@3dg'yH4ïYk3.tyYbqBWH6 >?Q"T}'S돶N DWf.aTy%]넴Dc 4T͏Rņ.?rtx+yb$ q[iމ'87r [?3ҦF"|yb"म<:P(VZCvqpIo ¦`SnĚ1飄0;+\4,X µjPZ\ SK~}40&8bHͺYmb%?+g}^HFqg%jC(;Bvë!8葈>/rp)%ozj_aj |ϐjM-@5.錌hљ|ț;gЦkJ7[c$KNm6; WLJͥc~;Rd}ZḰgt_D|ۚ;b>ST޹MڟpKECbڪڅz2fjlm wDI]q{<6gv@c7y!e%'\2Sv GݠOtD_L IyOɊL H&6W W(o9CZF]B]N\#yBƹM]C;PۥTn{Hz5NMhh6E`UZ؄7AFTx JQƒA90UDp- #l7.y;^& }k3Ҽ͏MNB߳*+$3盾~TG4uƇv4p/wi@^/ux0y?w dQ[3}V!ȯΰ!% e 0=sW#_ aWD<y Yi^DN|.|RU/7qFv/w ͨI3Sun튚ܓU=O<d}3<kNǟ,m~b-](6TLyb ׮=Sg SZHzobvGj!.+&.j'[{ VB3iFh{4~Cuu(_^囩_JQ%pC ʰIt''EltO Fa`x Y{ #Bo9IӪg$SĀ܅ng6B_$ҨDoC;QJ!|RbUF9u9&$i)wXVWlO6V N7J$2r\rS0tȹ!K}T8>ۖ~Gߏېߑ͢&^xpہ1ܞ#v322[MS]~Yq -vƑCOx(1:ğM 9]>|05t7n7[v Em՞kO,O>ۙHQSP,s@{ 1H(^mPzVyy>7EJ5ӤԳw ha.'f ;}ڇq R NP:$O֖ZЦC%KUpx;sp%.ȒS~oMDH;J UqS F`$1TbnR7dj.Mi?*ԉP9đ >qI;d&~9-Pu ,e 5x)a G#1سDJt{"wt9%<#_<`7EŃ57*pG@w>,3#vhCX1f1ʊR> Nu> aYF5=w\ַ.'UNy/P4&d8/S H'LGm%"J8ԯ|~#qI4 g?u`oaA^>lE׶_"LI+Z70"FWtdY%6kvhnl]ˡ?}YY\7 rx r {*널V)[Sy#,Yvi)@xreK݂[\z=@djn8z.SDs`y4i|,Ƃ F)c/j?L+@y^ك{d5 8+RJfefޥmvJv=)^kS=IdyO7ogmXяf )M+ ~8DSWg/cT/idg]ʅG3|/YNm౾iUNܹeX$)Τ$m<މ?{cjA"zR&f&w`]{Ґ=m^7klBǢ*KxcCجʰkr|7ԡDɂ UjN3r53"h^ _`: D,/_@И:ʷ97%#ykyntNSP^i^!_6hML[3`Qb!Rթb rOp]Kfdg5X/pHD.BRכ@4UèP@<چP=@soV([@x3qRx9ޮ=HC_үNk(ݿjRzCh[\E5t:#67CGfHdf5gflmiE4=dG>KM~٦fElt񇀺}\ a fy32a~v@.>E55wm(x]-~B9,oꒉ B֝E,=7k{Û >BonR(y ܱ;BV~@0LEۊ77^{\Tzi)X|1VY*!QoP\$+-4~Os!&˳cHli: n^hsfC,LQ*DrK*%a4RmPgln`υS 564U@[]~ zxaXoIք 9-o%ō%r(fzfC2 `Dł*t3$Hx"o ]SgB~z-x2٘`S͆+Yi{{iֱfmV3+bmޛ= f6#p4 @Y-.>qFef\'X-2-m qd2UՐyr?"2ݸUaH J3iSW%A:A4ʐh~Yz3r7Գ7m,h| _u+D5O#:$ 2\@ {XBN3<~:2 q|c ̞!gFh*Fz !{s(!|VLB 2mfy;N5bP8wu U%R$އwX㜤S7]nyp^7TZ9X+Z8,{>3Pw( ^$6"u.ŲFTH'(8.f[+\b<Lu< pYO?P3 kNcsot*oB|=X68|qhU*цZv(']&92o:0^W fi$2q i??*XJ! %#t`BAOKK*L&k9K65A'%o IxMhY~2 z[KeDF7FucVjJ7 ];~O(\i$^BSZ0a`L?=2elb$]&1"~ɨ&w=K B}i/S+{+Wh eglzÞCa)j ՘y 35{fq8-K. cF2nc(=ëNWMoG& Oy; oTM]{'":5:~ѹdyx=)zU%.Tuc1kN2/:qI^OYa^Ϲ6_[^lo`5pCZ 5^V靺"Xb_ u&r ߅v> P@?F}q3%GL< $oÒZhB'0/%#Ө9i.;NO/ %u_&G+3bT(ԀkO}4Uf_*??G⥔LmCп[CMz $#SgY$ 4纎A}:Wt~~L垮orgg+BT|~VgACԡBj5q25;3`ȅ!]¶${PUd%]&Ɉli6ꌱXp__ _(mBeeX rpKp XqF ;Uu:sLf Ye`&uhk7YA\hfzc^diXшMPSa]j6i7b`(GJPT鈤m9ܗ29^3)fw(#72꒮U]e)СtAzB組[ GڕM'3]#糰R-G$Wur1v @Չxg1cŐZ$Ga@`H6NA'`ue)Y|?k4? Pٺ{kM\jm\z1v7{>yW#?2H4P^S߲*ׂMqNѲȉz)egl4w5uQrp40YS6σ)Zg\,`>nN'~ai::vGedsII˚.q8$jц*HgK::^]2n@kݽVV PLR"QvN*>$Qz^κ 'E`6=*T `nb8 CP7:G#8}⸀v(ӌ0T_0"LK@|emoGή|\H{eZ,ȷF-[\!i_Ņj80m)/weu@E_?rQL"Yf&_!: W/2-S}\S!N).rmn N>8*txgP}N@L`N!LBѬKhЍ~ͺ''Lbێ EO|䕴~EQWjoR0l#,,x)0UkAtpMk;2\GO&K8 ~' baJQՈĠi<(67JAC8m'5ΪّU#MlU(]èX4 y]S)wj 獢IST@wEux/\5Bi,n.cG>%u/DJ^L1Y\$]P>ZՆA% <pd]?gwZdړbEp`<İZ'gЩZB% +'y&bj|?y3fA23w}DDx)C}!ц\fI_lh,>hK-+O<ݱ` Eå}Ց>n%'~ɕU,'`+fkwah5oNu E@ƎnΙb1N:C6Bx e~{1GzL{%H24Ab/'=@ ĝ8yޚ[&{+"ya"]R ӣ+9[0w5+Y_DrV'9 V;D罦I, Q6˕B,hG F?ZF>G)B{W@oNd%q׈Os9 "=Ȥb?~wݑyh& 2r՞ srFy<ѻ@2[=ېL[kiFՒc3M1X'e_4ޔwL[ {TN,x>wfR:W%Ds$Vxn';CЏoycpPd~.INxϙ4-B Z)YܜJfv+d;Plʑ%Iq}&RП5gqॊ{ٶ< hQK~;M qN\aCafHB{,Z/FRK:PWX^$;b)$ K ߗ~E Z)ټ=t5WUXI0Z%Yfye"wB$.wq_\hh^"$:j/Xng|6 _р{^By'Oyk,( F=gN-KhB=XYbkTIubi} %pm>]Gby4 cAO\ZBBI~1L~_0iR L<~1H ` Ĥ=گ'.eߖ]eW˥ywzg ,o[; [[5 l,UH̉9lAtڪ+f7Iι;F$7o @nb|( g!R'T. `_z6Rߨa 4t))Wn]6h>gPY8ݟgh֪13F;idi aEUAW @b?f`NTh3Zn^{CQ ?!D&^lY\绊 PB,=Svayg֣ld0Q'2T"uZ^a SIj- 񉂪y7 {.T81KZ bcY0bҒQ l4+x4B)A<%0;YgZ(yMoY֑?4R[N'WGr @'%ˣ!_<#jh7ɓ؆c3CO}ԍs34 ȵD%z26 #zyBъ(&rA3h>PR"??ٙyxEP_y1> Y`sbWQ1jxuKN]n[O1@8ki,E4ڐ{qKeXH^WzF>M"Sk#pV<wFJPrWADcN&g16D  />h Ayʬ_=tD_ AHC}8B'/b: ]F+NW@מUѡS}dM+#_Lb/ڵ2x*Y)б^-ׂf喇du! ٺ棭{0Ûxoo_FHhoY쉏>ElPfVgkeX"wn@b}|/3X 03{cp'd*5rS/.[Da¬D&S5d\>-zWؑlZT1"Hd~4c~v_f KLu _N 0R*Kq@|d==1Ys҅4r7" ' +U;=׺gK(]Xzͤ׌qeW|fHW_\8YW㚡]C@AT Oϸr"o`81ྲگֳBQR5M.=/UMFLptaLk/V ^ZȪI3;AP{,J,l YBu[؃/x\2МF~~Y*vM]$%ާz!j;J́`-0痵"mR{WwiGl_oQ߃QF@;JI<{D}C2;갗]bjmL\N~K"Z;x|%EEDƙS;dWn 0y6gUetfti?$d(g"?5!Jjviݗt&N,7oQ&Y( `k3Ƿ̡?QU9n-b &ѭ'b8^N#6f>TYՎ@u¿X]x7f03Zh3 9u-*ԪPXf$y^^QSJ4:$* HYd;!zE ;#{@/l~CyAh_MƉ}?"0?.=+\Q\2(}.ap=/ix31m+#H0]9Jn@Xk:?@_;CZ/cU-.KBp@ђܢ)9RC@JB1ۄc7} |m4+KI$-1Oֿ6Z]P{'D2eqjK5^C"B!pϝVo~21k\K-+@Ww7i! /R)+qãWAN {]!;/pI>3dWD%ZPr&ȳ2M֡eUW|wn_w,UD ֱKPEe;"ԩ7*zaQRv``ڣp+=C@<[V,lX zԯT1B(pp4HN.>ڔrU\n]C!ָSo=Lx%kAd{Pp#IV6,>U4i{Tzū"$싄)u50h:2G;24~'uр}e${_bJ-Kpt2Z7?FdO]l Cűa.`$rj8 HM;^AX@Fl̯h$0c;hʏH72Œ* nxªVCJ1/B' ՄmNuJ< 2=-{0pt:̣+Ӻ1w[R> #.ƾB>tɧPY2i'ӌa.g #&/-<G|{ ne\2[ =@n;j"l{s_z1:U`cy.cp1\U tNrƛ}Q 5J56ߌ [0=伲 xdI[dUYeyDfx=~C yw,a{O? FO,m[:&LUģ-s9NHk ~/襞*~`Xs+ojY9zu ,8LY!ӉvCh]e \Tb.E]`d[ 1,3z U$I'B~w8 u]dth) cWI /Ɣpr\( >;&9(@YY2%*+B/F΀QNdF|fg_XD'3Z਽ITGCv)N"ftg,_ǧ`;י?GܳG)\)J ^]-#u@VKyE޷wh| x ?6UjxEc 2m'$bZG7QРA*>öㄏ}n`J礁k]+ygm v6#4Xs8:w6[4~l.d.2gNW('|5zrۖyHW1"U& ^Ku=IQIa$aHԯm97HP_X~wݛ 秛rti2& /%? |,Ha24H8qDw ?Ŵz}ZUPE RYKa@lgsYeG UkM>xgMє=I.(@)\aR;kT]ވcGznR8R_е'0G=P){u !_U2uENg $oV J8BF_I͛* 2"vIɥ@3@Mnf3~הZވQ=('F /} t 8 W 1EyVzÉ&9"0 W4XYWI[w9_jػFG%Rӡ1t'S2)s$G20Z? d.0ӴԓXD05w6 yWO,$pwx)i0{-v>j@myD`N 6ly錀kϟ_XF9Bg-<sZ'$ $lfzcd5;(MB<*{~J$l Zx/cwCVgUJ@ї D=/ m#Nz#Pkm[h vFe{ }#1@d-V"%Fb #kL">S (M/ÈW]:ZϺ#u8ě wäĽoY~JT%hj^f۽Sx4Xh2fUixh)*XsnȰRj^`-dTtcS(p#U i.ٻŠ]pVsyXrx6-Y/GV=43 V }2hCR`5'Lu`R9)q{LRk֢DjqN $FņE(v%EY\^z!sa"T`m3a*]+ϷQ1pec.ubf^Fg$X}IH._ 1ck#Ɗj@dm'#`_Z{r7 `# !FzTQZľlFo-rP0y}6p`Ʒء'+bOoچtpPCk.RnjKD Mm.,jmyyZUn8hJ .2.] i>͊!Tv?*js; q̮p(\g;-f#uƄiXv_cIq ϬYPfkF/@䙿AtKÎKf;QPG Ol5 +F1GΡƻқOV!C"]`nMJq)AYbvN5γ2Rǽ.L=Y,#)߰DB٧tjDTؖg9ttZv$8.vڞN'G/vȋB&SX3vOdSQv@XXw\l=Z{O^AnjROk>MvQ|IERӏQFD. We|.&aD(Ě{Yfeٿ~&ְ*)>P] %Nh-YVWb$ vayR\ūmYѐ^m0B5?D|^FG˲$>ȅpKr-BxMF7c׉dS %)qhpTν#Jۨlirn]J7Grm\/^Rj3+9\l=˹S W!bglbdN@%HZJc_o *0OW#n*vGuL??x8%R!c¿aۂN= X's#No bhpЛd#I!3t %w)pf΃P)nBϞu`.!,%x*i/F^\MSUqTL8%뒒25)'i<Äzh(6tfRFfElʭM߭o'yS9˵ <`#)KYdB%feq>&N9gGt)n39y_cu_J r|_kNLI$AdS_G ~58ןN@2y:P /t>i֍_>t0SxWJ:X{ T^t[ez8ߏ V֬Y?E#RShL wfi+i Og9J .sdZ9""Q+8b=]qZ9^$SCu}ddx=U5GxţB9Y5"ϡ@V.'cW_Vmtj"@61Y󞦟LθGi0]+lj xPVKgJFSHɿU2ao6>|%3 Ei\F")&w=}O%̩Y=w 6dHPpEot-s)Z3ܰmMVR1>XYU3YJm ~*,$I1OMsiJ,9]MuL.t@ci6PeѬc G!YuVMkyZf19'?^偑`uQ_fe&TN$g\yw)B:*8˱#JAz>[waF@Pô䳴0)5̟NU'2G?Ǎ7G%RBgY20nYaF?fi~pRr:D6O~z1VT&;f]UH8\`ƚpGkh$2PH3]F}"˦q =avHjw$ Ämj#2 oaH1h-QEYbtu/vx \7(%c.\ƃbTnNcf`SLJQA%9lr v 2O&1'[ q)5س!(7if:)S0+VV|##%L9erUtFGPs{$*2|#)*fB(3~İlunƻNdH@v w[9˧'Vy4jMY+sYrIn|jPm M(9e{Ql]&=Nk%{2yXQe>O s^, $ 6,t0Oܸ1ߒff+<+`dJH\c? spx>45Rt9'ק0L3˱>+y?^-(p䢔%F:%WDͱע:BqaH=LG>ECYS^UoI]x9ات ;EE2$IqKI%v$cXi@X0K.4T0\Pc봻j}lʙd.91ܮeC<RbVQi-ߑN<0+͵?s@[Ԭ炏R^Ii#7뿚1QZyޙCWQk36s’bgʫeDr 8)n6rΛ #F#o ]> z4{wfO&v̗{6)ODZQ\y70M,IUvew'B l6X"!:i$֣m)-Pm@]sмP&q}o>kHg"0|:6)>Yho?w`ɽ  ĭMA/D4J}i;H!'߫eٿ:M5}R#4HCr;) Xrjp">(vo>GiޡFmgx,iښUxY{aBX?S!mp8C,{:m^z9&~rx1jx͆*&siq15Ѭor8Jc >".y%LH ap[DL"82DٸW St1[iN,hY-$BEbD=ZvpيKws@1kf!𼏫< w|HFj/>&? Nq d̘FUyuw\\[GF^"PF։܈T\MYt޴KiZS 8+>QRA\AT@FB;_>N!#]v;Yf!W!_:;ݛwԲU7EFErZ5>iYNDD zcV/HuCOGV5r'=(6Ac O\Te< eH&:^usIBvԪ\.aEnO|4;Ӿ*33̓+S!2iw]^Z5OR޸A(0hլ֕뱓08~3޺ ;x»H.B+(իI%(YA̝v ķEWm'\2,p!6hU !nkތ+O=Xݗ[fH>^[o:Sx)]X-ځY r fr*@Tms >EwZzY&Eϥ:uJ$U>;>t_]fmU~qВ @tޙ@0N൩ t@$3|bŵo`JUpelg '+a27PB^uUSQ)}~׾֊MʱU ԵR7@=Fi^6!b2 A$qx-ƥs9SJbe' 3Z*6TjU_zy=#odQXae]ѭG٠UU|2rԜQ.i%@X *\SCRm Q&WmI 6V $^MMJ,y.k=>Dit[} ? FMz:Q< K34n[ F/ a>,w/ʜJC$H2'ChԆ{F}眧?}G?aZnl\<ΙA9l .ͽBjkʙ{u`C'N0ٱkWt'6X!ދލl3֯jDY_1+_I-1zFL4dxFoz@6<;K x.6x#wӂc !,R+Xcx|?bzeB*gƦ)Q|Β"gݶcg7#ogmΨnˋ'AM^hg.ğ1o|}M*Q C㚳ˍҡ5YK6xIru8/ |]YSw4 ^lQ bM/U:|]ͻR;9̐⁃տupeE)c #x]"n70j SI* ĞTP͍Uoƪ lѐzH' _]:vADq Z[Y<0$E ΊXN3>y7ȱt %9G 斨lT*r${##\& ǽUN:Rxfɉfc΁=nclR-|0RةV.@UX@o#ᖽ`Q6 C/N 4AUkZ{S4ѤTȎO5ֹ L3R3T10*TJuE/tt{&Qm+yv!XkřmC!;`%1$i MSX^7ۍQ?%g`X=`@`ǡ:KHz3vO`i70t7 9h>J;~zulC b`)J0sF5ݽBeg-__U5d%/5§3{ŧyy;STSk2fbJ뉱 ڗ>3پrk+` VvP6VYy4Hht#?Cp(a[j>'k }rdaԟRq+a>'FRy2OQ۶RL.l.M gk;N=] _4ܷJ #c<;Q~b%gqz$v0I"'Xw|2īB쿡5Ɛ!I.VPOCiœ K(%̾)12hnN6m G DJ[evx֎ClO9t;㮕W;H @">)]X葥ߐ)bfwft}_3H8^6>5sZlv(Ԛh{g3ϙ4R][W=XL=v2SM_7MQn+Hl3CPח#s miai]8S_ʻ/xyCEQo &m5Qż3M/V>ӑ-l]-QSXݙV#C;9Y"`>}oMhېky;PD}ebIR#Acj. gP ]"CyXD)QJd>2 nDD/ޮAfJJxI>'XWgаZk֐j]=.cĐHI~D55y hJh<Չff`{?ʗ9B.Mɓ >]c8>_ 9V[J7V)IMg^6ޗ^ [oBV#7`7 "0[hyɛIcA;S8H)X D&doލO*56ϮMcy"Lg=æ?3#f2\BRx,H@ه9ï7FHx(wk:\l\l""098Ox9*L(͏Ȥ[akCyN?>єz/S wԶª6H>ťb9^<&>?NXr*#CɏOb?EzI)%|4tuNиIWkp\w[Jsx8DGrY'Ǵ\;3Elэ8klZʲ A'ЌC1%ѽq7N m c14)j)fd#j+L*q{rF]4CNv+|M]/_{ްmεBS5bpQ\U?ѥ"ZhpTO5 :M r->L/#%aM,`M!+;=(&؋jw, RvMy6df}:*G]1,PZQXu[H1%4 mg< HP?߮"bZf!b 3櫬:(UαeC"9r=!z n|gGg8ή.U?+) D$8H'r# ^[\9]hn5;a$;>㰶\9 ̓߿p|z)c[Q5XllM'րW< 0|^Ԟ4e4tI_ >K H4E" - oOһfExɚYDT i^yHM<j,${|_A&#W2-JҎB+%>a&<,fΏ%ȅ%)8L3ƻsߎz>MNỷҽ4AЈ1x='*9Y41+wz&)IrKe6jY`薶vᆪom]"k ~ T$>R∄)~4_59߁&SVщ:-厳u. 7`se|~PXJ3}rI<Hm%yX_3oA&`o tϭ/N7'pX1 ռrW37eŚr#,_!eUt,GHײ,}ˆY7majGx|P~:/-e-%mи }R0Sƾ,5eaf*P(B0NlB;⡀ u#',G:4f b8GOb6]q"0/@ xh/BQx H!sy,To->[Fa}W۱ O;ڄrƮwDhbq$5ߴ ci]AU$ C6}XAN_aZvU RF>tHַ{%iU2wkI;O$  T]_T lÁ* 'J̀MsI bozmg,b\H¬Xfpn9k. n(r$ڬ:{w3UnB6bߍmZ6@LwqB߱m3I_;$KX, Å}HG3x> bT?5@w/PɼYVu-+I!@]\CW;j1~Ro XPv֎b99x;UK[@ $߰zW^[/]l'q?^3_,vlXķ!)[48 lndd}+Ċ9E>0ZAvK30:Pƛߝe,r~u]$} ѳm78) ^ ʥ^.v#]N&иG'QM1!t2q>rer k;!(0Tj+-|7S Y]-\5e# Ӡ"'uF>{(Zim aZJjI͂w=[rC)hI3UUJ ;_Vb8aܠ,HgбD p{-Ym=]w-/g"|``PZ S)]ԉ EEo+Ư^J3cKRE7}5W=<a;e ~l$2AJTlb"-yckY ~盻n;%19ǑޏAf 㦨xiK)ph2m}ݟBT!s8wSZ9@_SNGm<+Ԟ# nIj#Ph̬(ژ*_Cg&U_[.; LFBP?cJO7 ZDf5WSW)n'/w0ؾ f&O;5TPﻛB>nI#Vp*i{4u7N\^G) ¼]b>0^oYT.r ΏL=QH`ͮ^V49S?UUb-v 4gh[$ѳwDב׋,u'1%_΂b)ŅjR(;o笋i7t7i#&O+VΨ2+?sYWS/!={]Jf0S{X-`+U臮sV ˝[PChf.қۜ\r83bϰpWy˖aٔf^F\6/MwߓY; בm6ej U~DUvǭE^& 6/vE17v16VZ#V~>ǽgڪ縉}lu,u-p6Ou~گPE=h1D {%@}x0smv&*‰K3aJ3]!TxyI<~{ۤ_<^pI[8.<[0\/v7E^MAW4h&Lz5ݗB 0]s`Q~^VA?)X4+!/71< Nc'-YM 7id12GSNeUux <\~1цV|qSss{ uN[NW^/I*; l% u/I=)K d~Yʸʳ$(K!;3QeJDO:{}lOB_M!:q |Vw ~IvUo~8 @_x21/([x6j9oxHvaฏIdvMּy]ƓXk8yE-+f % G ˰Xayidȼqd9.64A>et3ssu獒zgsT,ԂGvMfU9岋,7j]D!p2Rk`h6[+yRiɁq ȓ8ȨXc4br nT *3oCw%&< {*rF{VcpD2J#Ɲ*:"9/.ϴlV|auQ\5K5lѼmM9p1t#7rSZي TRg, 0|3 mEA%IlQ/f7B"n_dw;ѯd:ӌ7wTαG<;Քt6; f//|AV@(ӣɁm*ҾPTw_lחfbY(ؑ|#'soWUl؋3Zu3ZqXPS{%9+AAQM;d59eJ/"ι g>"aX4p(G5p? Nn@r (^Gll"ꌼb :~ǘr ptZJ1",piE#*;oOA&-Xr7ҪDVTH:ˏ oȥ"E> /Q瑕E͵};d7 *, "Ts} q {Йxs9i4{0ǯ֋]Ƣe[&])8VpK/H75EMq0^=8 iOO< \4_jEqvVn+?IĆk k@>ƼqDxp:ЃY뇩devo˪Moع.^dͧZ 2L<Ѐ~}jXpm<5Q^6=S7f"ihn3p1 W瞄fAj.3LER/޵[fzO6:eZxaڙ-K$w:QRnG,ʽ8I7?-M2*eŌMn m;LJr+-Cl˭EXW W; @X7= O-Bj/,,W8E˵p&6G׳!BE4GV|/OAo(N2юWPuF#@dA?bSORr 1~/V+ThOݒ<䃍yg^[qֻF%cNƞMd>7Hう L`ފIM٪K=5WtwIkKM,pӵ!<ۃ¯1`Q6C [th4&>c]\qѪљgN+[d\PRשQ8˺Dnl{D&' {R Am9Rٻl~l͇͡ޒN˲>^aJ`0F Jyw,kOG@%.weo Nv%杯 VfR??spl'xWUP;{[!Obbz/)5҅c/-{ k s""E6L[I72:@.-j:ZjT=x.=x&g&кi#ݑ*؁#+d\r)&rO#^?|!:`[5[`kW,hY6Cx ,@+b4؉wy͟+HHǔWnD7 |ШײD4R2;EQ&FIpJ/DjV!j tªZP m:':zзfjV!Cx3H,!B1yecb:C&5V[CdZ{w UK,D4&cC1][2. ҳvĂz+m#tIR4v)j}KtT\k@!|-Z~Kj]+e3  k&E0@RZgGuSJdnh/D~U~4<*pe\1isqd8jY^&:89e5Z=C)|Y/zެ,~Ȃl\c0 ͢P(Uu'AI]MK?RO`ZkK=챐 b0չW:Y shzQ4;:s>d !,EPu+~BԐ ϡ/h@/+C<;-a9zNcF%䍓i n.:=^P{9v">!a zV)fY L_ĝIEW_CD\~Dymo.70xO2NyzJ xޥ+ȦptCE Sړ[vp< /`L0C_wF0Ac5di`Y)~+.|6ŧaO\Ϣ1߸וrCTɱuE;߀ᦧrn8dђo]t/-صmw{ښpJFK,g=2^^Y%9KT<(t)m4{ƟL(>!Y?8Ϟcc>%jhi"ᢼ&lGe/`Y&~=7go]w9O!tPʈ3bi]%YV O _􍻞K[{d":mX!m7d=>T'eLR u,QղgUHQbKuRꪭЎ Ov<-2~[~i<R! َԫ_{Ӑ`oR,ɪ3_b(= 7\ќ~" G|1~`)Hv6a²)tpH'ݽ+wփ# 8KH?@5.B4IyE>lt `7t A# *6kS8p?z7\[=xxI&05(1 dHF/k(:y.a^o_rX" .݆BXǡ xD )/:&J#ªs6UsCb~1p"V l0!74'\l+:Í\$J!Xp*-T/|Vj*8) eB悦g#}Up~, p/=B* Jt=4m77YOPYwN1BPMiY1,bTxtNɪ-_ANjEÌ+`ӣ4 ;wrIP u^W+seU8+ ҋI,ܣxnyf ʆ_̊ f`I,^\Wl:O5xRL$k4s֠ȚV!GJGɠ^Pu}Fy#2'VA?c.b`ՁVS -9\nOHV0I/9^y{-Q<yIƳ:;;Emgǩ?dr+9K|P{%Lsw WX}Qoxa#![/Nj V+ c~L ǧZe6+uj,賿^GOriGxv'1Œe9Gt1ErI ޾Cng3DhU/R fSЦ1dC]*!{ETz0 il64XULCܗGh͟R)RqȉqJ~Z)ajSFoLg~ʩe,/V٭0S?Ku ?* ˂G`8Zl< *'Z]-Ïp \)LP9}g9N 9{#´LBT9K߈;.8.׆46V?bY ˣRo6ώm4g <(wh~NlQ Uj9xeoN,m rU/iS9zxzU 3WWˆNut7̮?2|dT,u|zZ 2J:h|'`BfT2wiƕ'i Kӌp_+^nFl/O=</4dcξ䘙g}{^ӷ_\֟V耐ͭ+ !=eZw_\/k[1 @Ae?.+(7_~YlR"B7eU Eg}[ׂA:u iW0n8Tk:iZpe!*5,>\Cs/2hVVrp,i,xyYL𧈵vxU.Vt;!e3X 97Gq8P%o-')v=f^SXɬ˜-,k5Gm̅k[Jʱ"x;!c~v>MHz@bfH?]ƧhqʫxUkL'Jj+< ŧS U^FL593Gƥa5c%Imsm2> ڼ+4喾ܘ6|w8rVp5t[.%#>d!8Na*~^Z`43 3J\ SxbXްN>#߱RQh]/G:X^ǡAqz4Ӫ&akcrPQ'LXh1l q)f FU&_wG[Bdq?|>0}VG,2#yjP_SM z:AQe"piHLkplT}=ት-4i_ݕE2= 1OSc &cSSgcaL8ΐWѳPmq<)\,.y`Y0|=92! F1Y$o;>)AOзi"7uϘt?~!jQ7"ꏰ駌N$dFXߵ~6!ޖ*j,HVU>`o_n'AbL*)CuLKRlEKGmAǶH> mvG\E }/>V%3Ŗ@.nV ɭ6j'>LKDGl=Clp2F(e=d Gӿli`T&0l{1!TIN\HQ!(%)LW-&6K%9H՘fPbJ hF-r%<+yf4eӱI$t,ANZ`@ܯ;uϹ> x HtG:$ɇnicuuJzb_n'Pj *PB Z}XjG%36@8ً.qu\a3.J,5 yjHpYoM2=;F ;˺-tŚi(=T*i[i:'ANS}^/pw3:@ X NTz[ޭJ3WW99ܚBԛ99F_ճE9 T!nVX)F5E!RAcǽ[,P;&hɠ@;8K(Iu) Ut)paGֶSbeGޢH ג m:jlytGB9PS~,V%ƆPT:͆i|>RI6($uZF{5HOCUq%riՏ8]J׭Y~@mШ4,lYݡG*OV\ce?rIfh!Y- h{A]4uĜ"Kg@Z ɸr;S|}z%\>d)6_$v bS=37;~ ) 1|g Z5Ăo5KA`#\ +v-o2y>d8)=Vn_z4LmJΈk:trjh pt%?_cA"PǮ. \T*.SJTJN٠&ZAAd6.S ? o|}Q+d wrд$۝Y͕Fi"psjC}kΉ?`l :7SVѦY1oLN !̳!꫉U8-z@"+SUhj_ҧE[N|p`1#KXĬT ubSnja-V1۠e~ nNV5%q7@C7>\b~H}?gW8  ڠţ?Ta->B前 ̆?Q] 'I֕꧙:G C ~o@nٔmT4 X $)EH3puf7#e5偘4 iGI2ۿN3I2}PɰIX` (&lbDoxqN8)TuͲr` F2eU=rivjڜJq`P1rbfY7kL 2kV5JmϧlC/޹Tz5rx"&ZB]ƀ\kwx^<$h$}Spݺ+&k3SӹI<E-E?R)Cҕ_4vCs$Ca|R}1ϫ‚ ڞi mGtCƾpHL3@*T!s: ӷsORulc @/8WGeJĞh ̸[c0jT1~XT!Z!~fN#h^u Tm܎qZ8x W;>$@gJ:|UKƒ%[zԨ gWsٞ;vCBG˹b8Ll]Cǒ4 Z*B҅}i9lI4gmGX,nXwUjaҖ!xV,@DN@ªުDނMk3N'̰_[&53[j.g `[DQ03t䷝EC*9'n$|3ṼTiJ6zD5"\8ץMBj{IhͰ!SLAЄ63ƾ1{24ܩFU8 ط*{3T:hݡU=xW*t>.h"@f\f>+O.+DM@QH+M#O cF7@&'_ΉOU{Y įmt"lzQȉ8^iͨ|oW7A\4c\9<#vyp~I{x;$|a=Ի=z=0WjFM]B43U;",냮z9=5 .j޹}OV6PE[w6(,0lcm=C ^D8(-?oFBrtiwXpmfz;=ՂGSᵱ=!>Œ ]keu?ХOR3beL|;Ӊ9ޏC-FYzƮg ʋrb*^W_8Xsu[[dl HСfRTfA;BƁU+b#ב?IќCx^ԃ;j3 yc4cM)W8|iE5$ҔA~}7%HO 4Agxj2@-dyX IfO^qjDeN1-!P9@׹ُ!qO1PЅ&;N"i}keY(5ΑZZ ɷs\~(!n[ X/8"  =jkcK 9Sp@rz6فŤ%8' c@5\a7*!24=kn!)hHZr#*0t(cF9)mžc3{Hn^+rFw;Na)aEGA}]˾3<\}m4}D9z3ਯN0"LI(;)A^w$V=J^[1I9{\ _r_0L%p,k9PJƙo'רG{D&cIڇOT3#S\;uώ> gE{(]66d r`ozi 5y~_[Љ+3]z܁:$b EH:GݘVIbǁ>~Hs 5G8@I5c +{dpi$yUV~XYܦ܁tqyl6k?UoҙEz0td˹+k'I+2Q%n%~r{'U{0ЮˌKqHg";PBCay(xdi[ ȟam,+^*n'ȍ%YXqT'{/1@_(^ YAvq.oFl$:K402Yq]6O"m *bsRd lP 6C -w_|4;VN,PkH;8=C|ì^q )2[$׀a2> t ֣#:qo\M deP|36R:cb1nj.J> }W8'^kKVAzFٚW q%}I-M5(4>AVco1Lxo/Ԧ?M O*tH\'Ĩoi[g^ !vXÛOQ>n\Uw:$*4Z47׾Hf ͒0!ke$=RhDrkrFkt|Y8 <@^V }|횘`B ?9I GvWQ0?t@Okwh/N2ͯ ԬIb%fP--IBhi8X,opaD}xaտklk3 y3*o o@2~ nHqNpYn ۑr6s dRm|5 zE? Ҳ TdÏ`NüfL 65Z *}a/ųU!U OEu+GթV5t>zF#>P |%+ŻWNS~x?ZG|9]1q93(,U0iupzLϺ> K9#a$`EJ`$'Mό]=Re*NKİ{ .@&fмRDb:XѰl5FiL0s*9^{DbXbƺ 6#|:A£> ] oSpF{Ye-dq= 88NJ!/.0z9+}IJoCplU.'uO̼q>tʙ( pXU p0 +cS _h'7I-LH{ 21N+c+EoU"R0aUY}ش%Y/(*w© m08jׅgFʦCo rjƱdĸW"|ς}&7ۯIn||#*A苫㶝`0-d6=[uw@׮ VdZS"(YeZ2$SoF9]&wR{hLfVB,O*s|{y/ufa4@uT oұuFGf\1ȍv"UR'r{?ZB}wm)x,'lcyҗ&Vn7g 4Kuwa*@񕈳uHTRr|w~Y7g 5bU鄭Bj=PE&/|w ;z&N>ȓ" 9[XŹn2XM1@حvm_r),-~LM4g6!f![[477hi颭tY̡eWk/"E:5?[ß+u[[R+BU)S\&Ա~CnozHwp6JM7ƾVCrŬ4*F KFIgy|ƢG6f:!ߖzUSݟ(R#ѳu>{Y{ФVuo@LڭB8(P:0W$tbДc?WJ-㉽{aĉ'RqT攘(^핾Q-{fj*|S*rա+9Gq|D DC4ix |o?. [~e\"f7[(1حLH Y?'m 'pUntW %O]B nصF"g Svf:'fxnZOYR _Bl X2ΝK0UQ.:޿ϐ?e:' xxiKQJ mRKb̉cNlĚ2z$$ᰵIgp& @ #YzpO:1kO[aC&x=#Mrvچg G^jFr*,"5l]GyzER8[ظ Q}W^b+)ƴ# ndP^mo_*lE 'n(prYKSfoqv[T('r4lOԅ_$ SG,ɳ' + 5Gh %N&^boQ{$hmp[ \ۥ?B(29e9fBs>Q8X@4ȷ MGt(P ˪wQjͿ]5xE&=t}]Y+ weFwXV384[IQ)R.Y5/aLnJ.E7%>9Wn盺ԂJ"#>UIk`>~@nD4t?)qcTxp3;ƄMI5>\LT#vn|P=- Эܚt20z7j/(!Dc$J3 \+V6T{5νo]/ "wME¢Zr9]:NfxZ͚:r~+K3ȱecD6W|1_2`2ĤI |#A6 }9PN!D2M O㗐uV#kϵRUZxPkU 4ǂgcIj^<N LLVJȦ| agq5w:5{u] T׀#)Dc]yBK-Z-`w$rDA?c+ZM7Գ<6 S փZ{Fbeľ(9RF(0_M%! y02B ܩT[S($&Ql!DɃ?Щ1]ԨmѤsLPO/S&7Jk8"T}mt,k:7!{7b?Pva&zFs 6[q 1bhoHXijF 4F6@nBv|6+Ϥfm%NF!C<ÜϬ^3eˣPE} YDφExFtn,V~V~inw+2K:½Krv5bjEUeo4-Bt\yb͚, G[.b9u," B/?%Jm+iGK_7Iu߲ 5|ob'4fR%{=]kqXAD1Et'0o,!7QA, Dc~NܷDX3@AEq- <ύbw[VhNIG 쎷ڝx{wAqGkqnY&x2{&&m c|'k| ےo≘/CkP;H$zАc&nH%5fƭJyBIMUoH sXDe`VP V1 -BD5o6h2 ` _I/#P}}8l:r#y/́b tg568ܽnbN2HJ?i #@nkgyAav=0|phPz^D+>Ro̠l&D25!^HB`otz|$a#~ #Qu#Gb(D~a~͝5qD?(cP4==% &:YSBZAFuw8 t/nophf1ROW/o[ qjZ.KǩeSf 9Kd{tFqrљ2diDmT$"vY@ɦ ~C8/qG#ʣ=*A?[Iu^:<\'6zG>Ȯ/?7!0qy={]`3TT^@Z^B"Y摜¦+nѡcn;^Al*aG>_"ɝEzR$.؀c<CƏ#Qm6i͖{jFezѩY X?P0ͤ٬q?FM},@huvߪnlLe`Gl]kۺ[2`FbM&A_7n$5jN$N<ʼnCԵj$e&lAM)؝,7=KB־Bp?؄.JkpvJ = vvS9q72 C v4S5Hj@N)]FqG)=BxR1sALRg !bq/:[ٻ+Pufs(C z܅JȚ al~`Ze ^\6 9a8t4ş] hAӝl\-$uT?YH?1-ugs9oJm!RNV>+>SMߏ%&{[&DOvѓlLrߎ K.&u&oT#1{2;(`|5Uܖ 3*{B@|6|Za /.̭a| Y&^PMS]n i>N;&̛G}.Rg[(cDQd!h02;<9KJ u]?M S_nlvj2ȥ/oMѧEܚ.˽{J(BMmzv ~d(kܳ$][Iǰ~LZ* p N#o| ƪp@[ Xc`S>:҇`Fnb&DXB =Fc]TlX)(<`yW 7a;{Ejc]$VS C*z/qwsf-GO]$c\%) Ҋ.lIP߉"勞3J"j\'B^U>c$9VAb~<b E~8aZ %jrˮc}?4,3e I|}/k}-8$7Φ;뛱Qn_6bNrrtc+|Nqshm|o<lRPa8bƧ/0ŤAilqZ>H35+q|/qvD hkq vG?]J, p %?p ʲf #c 4sXnкVe9`^z:Jdr^)܂pD(; ~10p8p9z dW@~lC_ Zh&L<"k=`ZfD~6kTa#)T,.ڢBUlXSZyvo1 Ê0G:1~CAŗ^3,f%DYTuJVsa$}6;jRLu-&PIDQO/1jR`C:ޥКj(I{fB^qT[cðgq2h[4kfmh;, iT.gh6W4ŝ;7`FVTӽ1P& [P[#¼T&tIJ"r7y }?54ȥ;TH\eWY0}r`%ca9m<'.Pf"'Cl7໕x4-]1"3%aE;@`oFg|X]Rd*2(ss1n"<Â_QdpE;l7a]k>z0W]G)tYNoeUvYtÈVi2?&EtqUaYP+$WZC S^wqa.֑ ySp S"?,X}A`d5Y,l_m|qz?:[DpS=aqXWA9.+$Q۞>3%mFagθ7hohW)\5aSU}bYnYH/3x:LUq*_ƾ8VBm\Os<FiNsPi\ kc*!Z# ɤFx1 q<}[~H˓o-`4LFhl!E2^~Xbhbף[&.S-j}ƕBcδ 'YJXʔbWN fzu2+8O>g=@:u+ =C_'(٘c}jâwzLoǻ⢺UPP@ o`rP=_JV7mAthjWEf#WC)Oӵh =آⒿDX^UMJ2"~Q8b W+ 'Io׆)_!W?q0&ϛPT=>%iˇ{R:MC3 V@W,X!ZD_k{Ƭ4aܝYY\ sm\QhG:9msWE\B$l fB'#Z%D\ <#(mȝ|fᘐib\[eϧN#%,A"&RBωОjX-u<н$݉Od\1C>M5͘ uȞ{ @~?L$iᲢ*Rx_8=, Ͽm}SQmtT ` 'p@ffȠlT!n`a^Ļ9ϰ=4cVǹ d!N(1']4ٵZ1_TDkI_i5B!yPG3*n[쐕{6a:Z v3qi5$ot;k03LrwҵugU@6' suέDxҫnPfțVXFo2` ĵIml: hf OF[ MIvL)~E(VpV 69)X"F;*x{lj2$ϼa6?Y!tڔNQH};WJ1"%|gp2j0'飯AQAod`H*W#%G쏔C3Z^-\]R7"t|)Q TmyV#Eғ5Ҝ9(ƲB]_}'уV`uYd-M A-<"I"}77C؂/^J恾ziI d=Shd?`|D ;}]2Wi󗆘]@_Ĵ<*h6P$:kp#vYS |ja@1z@(O^ܹw=6#o2T*p$s\J?@a)C}3Z* AP7]c ˌ8XiPZ׈{J2vUr0ˌ1Xp?`YaxsDёGMftJmpa-(>NmH2aa0!0I1T\)ݷ=/yrnUq C~ZP~UcZh7V+(W?&Q0Hd`1R!4l,h(o.x׌Ĕ>cI^Y^J:s["Cή8CC%QPjE,$H){.;6x.L8pfn`fELTy6uӂڡ{/M՘'rRl*TN[sH8ls3gTSq/炽'op1?Z{IҔi@5isB81D͋ўd_}%ӎH pnWZHΞ:pސ%TV{)LVL`DY QbֵE*ýrϳq^V %ʕ3R5\sŢ U23[aBL ~t߫Tb Ub157鯶kg O6Š(lA% 韸* -S1VZxh0 zr?l39)!m~#2{lX0m{0R 8 #;h]yvSS|0&r1Ʈ۔JeJ2f"cKܗonO8hCUH5is@v p`2yj[pՄ SeHr)?$)ԝ:W&ٓ@l-u9a/Wsۨ'(ʻ~#n+X52Be hӊHUVӖ3u6{ô&{<}mB7YdUd]ر6u5c⿳3̶[z8@}પU2Ņ7i{=aTIJ (sCIhk)?V[u- *A|E zb:>S6 q\jJ=}p|,PtEΘMTG i&KJ2='D4βaddz?BrIƯ\" dQ$d5 Wn2͂`g?#, ZĨRdqwq!q|](5^=\AoWz=Z(` H D W?>F5SG.ilҴn卌7A7킚ǣ5x[ 2߯ۑHɆ"ۡkWd W+FΘt ESשBe'<450g]6{9|j^E`i~Vvj15e?h0+9j֯[L Ƃ8iQsz $/aqc ׫/{k*g#gi3!aWo\bwnTʳ+44/׾uWubUŵS%|om du.pJBs3x 96RKy S#w0ʆrF0@(97PE|d $u>vГzXބP V 3Y7zp;-chה,2% `!6N [pýkg8.x&&5IKT}Lv qrt>*b#Z*SLgL4~ӵRD"ݳl}OS)S&{6r.hRB zݡ)J; M=`L'N#~K4~C%ky3h|EIޓ \L7(Hl6n1L 6\9_D!Ŋ3Meq8+/{ĮQ)B} {"$L*q.':4٬?:bAĈv|(J~Rښ3"A@ ZezwTՂռlֻ^מGTE x `zN ٵVf6wkmkz}],7{oT}~Ԅ1r-? d8%pL?㛓Dp`[Ǘ0|ixI@?q҂GWΈ $)듙rtF'~!ysdbQ1uö.b¦&p_Jd.zxHJ{1fq" 0@ |;3+闧ycի 1ldQ$dRjؙ&3&#NhNk;jSտM'}=mɾP<› SRa"ߡ}eIY9׻WbEi8 >x53l^Tմ@ /*DXL7Z=@SXOM qgcg,|r1 ]Hq GRQ]12c>̺R!,*džޫ WsX@6K!T 4,F"izP7[&%PB/|s7̆8v#aD``H}r写AGP?1m?jjOH<*+#s3йZ[]csqL(4jpNu;dxz @Jqhyw ]W/' S1?>Q> 썢 lj#iC(&ZWopau㲣gہO̢&ƵwEr,*S䝧Tf>ϘT8-&X#ZoYf[!B,A<#m O+AFì}xE+WN#*>u {W3IGKKy=~]>@ďFZ>q8QqB1C%ؘ]o@EƚӁm SRft_q"`jXYv{?<\P H=Q!0 ~}SDe(Re>=Ҝq~f6uOnGa)+[Mb2H>n,j㴑a.2!OWH55 irIF񵾞F|.2"q^G+콄Ylkk^UK8(ZJ/yB5AA.ZN"HБurR&VQgZ&ZAiHN&R5s =4O1/|+m 3ѣoh[ylLtiruj㽠 ~p;cd ފ ^bdN1?:6p܃|4\ԡâ `U ة N:X'ObZ xbdn\kvaA|Oz[RǨY GzNna܋&F)ê49X,xOH^PD{W: t8IMc413,q5W<.*ض}oc] X~XO;:T=虄rmі{ޕQNJ=B(9|Uw&T#gIY(sB!PLG~kof~8D%o֐%V:VYgG6bCǎ%s"0<5K^铻۰48M4yVJ$ l5 ~a] +hw;ΡZڅA["| hW3ZNN߇};toGWue:l,zqv f`a j8J8h#m:HoS3ΝzŸ3f֓n!xگ)+-e4z|D+ss55E ~9dW˥E(@;E^_\;_-i;b3`Ku@+ y"RݰD`pFb?(}M,O8ӟ}q6 cRj" COsb]Mm ¢b–@ <&0۵-: XEBvs? ]j Uk]e%"xsb@j$2z$V8_!)*DXΖId6xV.c:6Z73 })pn)ޒPm'.WWmr|I w5xcވqs=m{h;6 _u1~KxwC7oʐ9/lS:%L jIYhTJDsVe}PAMb1dBKz^xOoXCIH%7dN#q)S=b6L_%dh)A|} f-WGO9IJʕPy>HH؟t13' bkzjSd(h(k?N;g_'nMBZTye+YE OwNjӡG_)GU&7^[ic*9BX( Bm=$tNG^JYlTṯQ&Ϛm}w:@Q~f#j`L0쿝x_}"X\i=zKG]F0'{XXuk 1 F31wl!0D;:PY' X2S-;z\㖎fFs0gh9?US(>#d2%BFO it1G-u+^;f)$Fz@]oF,Տ YN'/rww7?zȁo~!iD+άr].u5j)Z>Xj oQΓ0v6k[ge.BxTdҨHeZe*:e+)Q(7hϞE75$pA+คNOoŌE sw=up 5n1݋߮[@ %%9n3^Facg/.&[iAڨtS!H&Iګڌ9dVNřkK5] Ǿ&PY*'nnaF]c+FrQF0Em5͝Y^^B%G;Zc/Cߒ7I(ssσ6p8'ڔH0<EZߗ3 L34R!Lf=D+'"m+ |ӟwMħJq>'1Yx{}zq ¹j aR݅3^ެ`O`3i[:[S?M+^zPG0ɭdFy W֙&ɉ7)Dڔ e#1u o8'<w&w%S׽&-vO?N><ǣ5<TC>K,6ș8|͊nɼ(h>ϷuDwXnM +Q񫻪w D;8-$6)݂)7ﰫf~47t YDTH ^ٚbL"76`f˃$>&YPFmX<௒k, E b&nVɆC)- Paprp|k @B]!iL)rMKTL_a~8-GZrbI3ҤN}t93!hDC4qԗ} I7}38`vIJ"Ffd"*гb^R2yZ֣f"}bh65{OѮ31uc yNte|>GSr~i5aί ߕeV|K/Yr QЌnNeтfѰr¨1\OX!qBu,P \#$-SGEOSx6ЏV66Ȓ 56~a@1AqMq0b,n7&M6[VYQRwrvv9G'e;`8TGg"| F szذ3Bg*R@H%- -F)'Se:uss9LuhYi{HD:˶_ѣx!yf(4wuZރ=%H 0Mj 0Iv4!UM%? d WjNgn,>_t ӷa*8Nkr؛P[X4|GTmomGCk3CKѷksϹFR%f!2{.?ݾW>RԻ5$2e~f~2xZFI'ޞEw b!lIMB^|&bKl Cɞsɣ1F㜎)'iD-d/, f\~Q0艓cGr咻羪uFqSCXSp2Zqs9 AIZC(0䔌^ޫ:+B;zPZ,ͬtZTC>ˌ1(oPX5Ib w@@FE>Fn,2yY:CUxX>O<=n.QcijX)!LL?D=KtWxP|ߩ?sf`+Sv[NFd{jGՇhOMqO\EM цjG?"`p7e\PX7 :q2UٔVEjet/;RڬU. `UO3{]!UkXڪKi`v'Dl<LMvУ`YCqF` E-=Lތ|e k\wVCN2#"P,9ONLљq晨 VwQޮ҇I5za`B!fJ4G\I"/hBI}nmtETp"DPws69mL8V(-˨;հU^YhZR0 E6ԁm-%'łkf$|(j4f ^UhaP_5)~|2'3hCa+=V6%7t3-CXXO RXbfqwd~5r71uN[1b]j`rszr: Su:Y6ntI#X..,,,'ԃm]3ÊqY޶ {e ۀ.R-N~w+!!G&ܯ\v`sHeBt4ĉxU5;l#,yle6g<wF=QxF+,/d?Jӵ><|+SݛG}3JN|"DA8s.}({V!nOokbTz 0pBe)+zBu& \S z#LecI6RCv=Vp_`UU3P3RLY_HXUqkRtdi/φ*ZXWya|(Z)rR'z.ᇼQnb(X]0Cz!U,a>bPGKu7eqngć&X V5/7B34 16Ǹ/;%3*8} )F0#6 rO#|+1K:w1FxJQQ[b!:ـ-&\Xͅn+~`YHnWٜgC\J=KЃ>mtka8A P" ٩TFyKQk;א :$XPov#Fct9vkw :\g4G WvNB/TDIU擷Op˓Erݷ2]Rz)&A'L2E,t<#)tZ{^h3JcJCJ}+C}axr7VJCsᢀ Dܨ5AI<ĜVbX vq'kG~PW6H+4N^ s>}*cjnv}]UT ̏^Kq0A*e FQJg@-z&PQ; ;cQeJP$:4FnX/bÈDߪB+G:ϯ.ߡE?'\.pfTTBI7SфƟ;CgJD&i ЅB$H+Jv񜓬%z{GXPƓ℮/i_jA$Mr(Yʃtm"gᘶ{<ѸB ZGPP=UmIx6xU6{yA?Uft8I0+-X Ԩܳ{^i[4]:X0BcT |5]=3j@nn=ʔ_JiqܖZ`{A TrSzR1yR_b 1&,!K@!TOqR*i\Ձr'vE0vҴl$~/+iܨ:ĠSCסaC< / ad^7|폊`K2 uUf+}tKLQ#a89oԛ M|T~$ۦ%u3B .- y8疳?\ŭ r'PX{sl'7H&kûeFqvvB"̃_қEBM'ǘ;[~smb\?!X_IbCU.aL)vVNnkߞYk y-udi\[ShxaOl6?W}e<rRiςdթ9DǛKwG]Ӏ Xo*e̩AJ0H1ٽLZ1 \J流e&B;W\PY2m_ :aZ J6h.ef'aOxgR+ /$8 $}yկ il',o͛ozgjtx6Q_'J 7WI3X6Far]tpݴcbM5B>&enӝa|š;V:J*,>y.SF*]Efš]ڷ$-p_YE' 8܉<I|&apͭ>mA#rMfRPteҎD dRcH$KH̀Bh~šU D >C j|R w*M,-%@Ko)_x]C݅[u.P8~} +wdL1PEyH+R1BW;*SH 5sH wKt!D'uJk&"@ڞ 4I+vtsܧ[nl[Ҋ/PGڀStl{&y).xL|j29;k Za;+E\o:2O"EvۢS Ǣ$ߟ[7f#>Pnu3>8 uyH|_Rt{DZ=|<0lNчߤYEW0sRbOE#ȉ +pOݚQۼ%#ZB,hFkR%.Hy:Kq1eP:pY3V/SU836pYsve.۸mAkSwx(^_?a+,Us0)AmAp莩ף?RPa F?+V֬WЂ(!޷%%JEHVp^s󐈫und0TGHU q(ºZPzpsgz'cF1K+)H`%,)5Xq&D@?m[58UVqBz+u,:CO 1(M(ۧ*i%IKD7UǐIցk)֮i-U f^7V(,2P!L&0mVr|Йo6 d8V~?IiUq^jrdwWĈv}LV\[=s.15Tr\>D+o HWxv9⒊mSoZ'bs|vMt;WIꨦgBx~B@;\Y\l:L*ȩ]=e ~#) %)2*L'q*9~^#.yȝ5+ =M2l=BЏj׷Dܩslg P0MTcZjκ["9_T0H!uܞ@jLG+ {9~ u46Ԅ?T]M>Z[M*G܊hO>EУZ&H @Y?vVAY.9o8cC9%xs66? "{t6 )O*Gid{tLzr ||^ps^o;KpbX&nklhB01tL7\:!YU)DD&RmN Qr01֞țYӯ5g .XpOC d;V˞bWCF.53e7@5>}C7%n!"CB?fpxiaǍ^ʹOvrW=[JS{@_&6uZ!av`G1K]0(jx3,ۜ>K=VsZ3RA0yR>ţu}hbNlI"BKiVE UXqvs0{1B{kv!(zSX>yM'L>IE_EfHK/eٿפ|6˧y7-O= #29W#aEV. g2.$d ii/aeVI }*z 8(1^DeVD%,)!$d+ a)Xz`ya>#2I 5I dط}Ҋ:80Qs#w0)"&9ANu5EɍΡ/Q0ky݀5جvҋ9dcQ PDP~;&-훴k΀8HDB`K~`wZȺCk8Y%4(3f`]*l.2ܒ|V=<=h3\=|ce ׋26K0Fm ڽb!Vq]јc@JL<(t7C2(d`2,-Eղ7rRie%"Y<;YH8ois\G9gfZa=! œ^`QXH)yL,K#G37-[6I!d$ Z yHm1bCN;uH5KWs4 >L3-08Ed=zAA˕Kh]a=EEs7([ 'Wl:2|w%H `IDygTܪz, (fIj7nNTl - 燀EWu =K ˇ3\ jɠ8Y,FW58]؇-O9YŰ[恾M*XNRXSG ^:i t.xv-@[c7X l|E U/TeA$@+ʶcx$9XAG~A &k#"pשYk. XRJ$-J2u-!l%5  $syT kz'fzF.bMb,*L68uTzӣ kBmle'%̲^{}a XD= u9n⼵Cuuzgww.xr)TƪO{n&jʿ[ZHiX4sŽBO-AF"9 v;7Fq5ʹLå]p{HW$l$mWu&Gr!)#l׽u)I@Or}E@bhCn)!m(4w. _s֞*`XiQ 2IoMΉ9{<-hʾթ{.5Z~K0~68߾;\WEW-$;"¾ c$(՞sc򏟺{ Z3Կ(Z`g{-aq1OmIn~n̆R__xe;L.+Qke@GEsumM.nBVDhs/kQb K$J59ʸ(#[4xY>TE⌠ BuqnV *l>'W3F_/C@kxt{/ KՁX4B QO:BZeQ21ɣ2C#*S#K,o vH"m`,]|`7/l4\0sV{ŊgHiG"Sed+C(pcQ@jȏc"i2w0:g f}4U\AoY)/E|s Y\u=6)m6d]2kUdɃX($t "4[eZCqw7p' ȥ#@|^iĖMQ 󨹨[`8[LxBV5 HS}K9`q5)QJ-7I#Z1hd~`ɯӢ\hN'o?ܦ{>r ԉ,YqZzفR͑OPŪ,_?\+\HmҐߨՂX6NJ" L%0>WSK i<C+XՄo(کXa'5;L>7L0X/߃Rt0 ݩP`p/UP鬷K^ϊ4i*LsoFøۼlrVehSKtDqb$*AvT `9b,c@\B4H_]L={Ar)0bQkTi2aqKѦӂ n!ْS6TTnҧUBVCzʧ ޶κCGX2r6UJJu$yVL'y]7K}0< ϗxX|怐e(Yqj@WݱZfc ]ώ8 (Jd6&kSoZd.J[?+A(Zƭ ay")V@;F (6YzM뾘uHǃBѩ2lc˒L|z|c55lyRh$9 Y4_Jy$<6&8iJ8c:J$2K0w ۏB+͐)Gχ0X}Jad.1[ό v&QhLJ)M3Iz 0W#r'8i:Ǵ.YNg 񅦕 qru54NU:y9T˙7<@>oLBaJQC,EAo񝔴x 0A [,{W]a0ŭC@ 'MrҤ7=; 9>8ZQfXYb)}ʗ%9)+li8pv[4Rπa-/8$s?&,8Z} 5$׳\BD`zb:oP< 9 {դ*s 4TyP-69UI4qOI4Q@Yzw e肱Ut34ƚ.d52}^4>]7meug{{i=Fbϳ\miL,-8_thKޠnOlU"<_8iٵT;%;)WKMWn(~i !ta*8i$Z<1eK g:0uTEc%u^G 3/0oxƢ:aTǃu qN@gBq[qt1k37W ߬4Y|O3`:f˱ScVxfu(M6άEn ݙJtKmXsI}Q/}\dzT0P Wm$V?)&B߿4%ՔsC "(эߍBLyib]hϴ rGVMqgű]P9XOPǣv ,‡D5<:ï ?^)#K'J [hF= y9v% ]kZ-C΍(v! qJL!J!) ̳DFep:if@u`td!5X2@(܊f{XFvTM,s4Yq4B6/zfW=-~F UN,45J(<0 'QzG[F44L]1Gv0n$^8DfJヌ5)vW_^Y{?ab +uX#eF9E]W>AY(jW xPIw .ѹGGY qs({*= }^еg$c^9#OwD ڭIt*bPV縞iWAa)N~T?Po=J.(K;+o&Ҋ۪3'lQtoZ), 6}T/~-xti0ImؾRG6rVJ"6;'\s%Bri'ud-Q^ J/KdմڣRkFMɃq66!d V9\F\K٣ JDcOΚ#4z97 *.<|)@]87dRaLΔGxGUt>`.PBt渝3uic먱H0U-+5m֍FGqWR[,1"%2m8δ>FD븫;z.rq)oE|*g>mXnϐL}=({ MrcsZ gSx P~EċVԈH=ך-RZ3ٓ 9BJ >6ސ}^܀FXx?qo%^)'};Vނn?U}r˭$H;8 lFbEXszMTA7`B-bןJuf5D#1i@88;tz.hrG2d9ҙH樘._5)XQ.M6"--\%Qr$YQ;Agp`'f11Kj=+ -:?> Snț2h(öVkc*huO~ [#y#VIe@dy,`Mv Y#V},t@}C~`#ßot$>nT){%LypM0L$FI f|:ҵ#/bND H0:%gH8覃z4Z }j2xͅ5}Z&&|į1AaiK)<l>%W5!=a04o'h Qeᅆd |j}KESt(䱭*z9(rD>A8)ͥ$=.wllVz_v{=*H1] _xRdr✎[Y#gBW!X@`D4i@FxhYX%^:Z>oEME[?z蝨uAyl'7p;=x/k 3)yVb1|D:uh6t=Oz $pH)ԁk:49%O !-ޘb XS2D&䏈Ѵf#p}YBVC!{rEdn0 -uTKa;:n=tUZ07)mCM=+d% ioV㱔UNW{U[D%!p3=>!nBM`LE^iQ6Orʩ7"`zv @ ބzLn Mpӭ'ןj.\DCNޮ+j/N\btQ`Ҧw5Av*u\ZwcZ@O=;=OJHuRr ^ƢOCnV{dJueZډuz]Hl>]'eEf!!NeGq2 ϣu[suѫ9+ug=̩ZWƒc寲c`&`į<})1} :CG!% j|mk : $2<>J ^>%8 2GXdžCCs]D@ K[;!)lZqI9ֳb_ExSwՄ)liPOuA܂Ʀ@/zQӈzDC'5ٔ7Uꄍ0B59-R؂;ՆPݖvlOLϩy`.L~L[DWMg&l u=6 2~@}0 AZ A꿱b~v5:>ílI l׸nJ*HAn-Zl|w4Uꀵ"t{7%Ҏrç _7חogxw7Mv&OBke3*UfŦӘyeaƫ@vfLYݾx/{Ol'S6& :8_} fxB^ :ᖺ~cdYv_ o4{}p3ی:ZLI ]Tww0K 84PWl FMx8l)!AK g|"(d=lavlfZ+2r8I`d2a$~~hKQ P+#JG-:C>39DU }R7)EӾCd3 w0䢂gR#k,'dQw+>?e TbDk{6_W}͍!Y3n3:g0-# X=ZrHV@6 4_ BZ vRIE=)IRDgin}UN6/fYn\kdjUC¤*4Sk{%KDxȉt(G>lX2? GDK\Za.V ֗2>+TƁЏ 5l)Epbj<݀ez^>RU=7I;HC PpӘ3Ү% ȠZmv4Wgh@(-B 7lC22as>i^c!0:CO-ĖSw+˩\;_vPt,DdBg ż|$@뤿,-w,t 7˜F5G3A\$(2Pgp y1MT7ψFqhOFovB#ԂF_vb;1:cw ?CLRM>4*H/1 < ~.tc觰6*]HD|Xx csrDWu0qW8k7q;UIU6ץ놈YG*1R$ƒ'%*y>ݫHA ^uz/+f ю {A45&c;'QZ[$HMh$M4)"ّSpڙO5XCl #t*k*tѬkJn8X]nu&U+kXǔ>qAhh HoG. KhQԑx)-4i݀љ:Z3D7sLЏI"=t B̡2XTgtPٴqaeEܨxl3aJC}yǖ888E@Tch+#{BEU&cKg3~56˟7X¿8 ׾)(9UĨx2*qkߚ>[qkJ7/,H?-xR+swXYݜ mH[y90B8HO?iϷӈ lt$`Xx9La(Ц-!bJ[Ca@C̴_A304d^[46vLۅӨr,F{ݏYcjk.;h75 -o=5u\* &Frx^۰T=QKn.0i:+xfZSF|BOƛZ`&']ߙ,AZx#d:CE\:^4Qm4ov8&V1qu)h\ Br3$)ܤ>bFw=' #fka.)FlE k=I)qwѫq}7VIKNe[ZGOHÈ۪|UQ` }vf>fR$h 7FY h6IB3ppZt`0YI T$R/8y?h6*x>bxtK> zlQT+JM,WTK!DgS0sC2m^ob'g~3pg=v+MJa!l{uai]0u늆r+"􉣬%IYVΊn-[L4)+r]XM)]zDfbDc,&$fND#=@ɺ["1<yiy|QI{݇v*: MWa#=x qÅ7ǥe%^^GX2:SK_YRTkɍgtpJd;Vq ^1 .0J)HU@uh`,CuU7mč)Ei-;]Ux VҦ-@ՋRIx*l2ATCBx2A81 6;YDb(fK bz`9=6_y,A֍7RGuSHX;Y!3 GNAt{X.ii;P%3Vf fk-Ѐ"!!,!4Aβkvk K|)yd4 sS t/UWBΣ7RB#NEdfFLop$M.F GWXDZ0#s.As't.@ʁ!-iпD`k*Ih"mZ eAMqn59*SXb]- /@6-0ۢw=󯈀8E긺27V[p_]+ųLn桹 U%R-%+~_VYJk8?zUF~T BekJZl}yE%ݳ!WD#?D,$ )\4Q=Uy;km0("_@4~*z–wBװU:E~W.&T(!#uejImNڎcMsƞ8p?vW-b5mVpkG(h'm+ߠwHNް#ȃhy$7:Dh#XyTl7o&97??Jf!i>c$6|Ja-:cx'EVkef=Wƒ$49[=!Lc>iM]18~,wuϲ==oeQϤ?lD@Efn=JHv+.2>o@dbL{ ݩ.Wg }iI3"BTNYÎ^sfs4I\xz#|WM{9^#SRn;ҏ~fs|rLDYP 0kLo$G3[@!2~vjօwfb~4s$ihg0%]6c5}#zRۥ`tGr_1(px ƟiZMvPulg Nlg, 2Ӵٱa!<Θy);%&7S3CL](?Pw1"!R-?}'35SRQOŵx$8gsqiޝ `,"6v a㙘*)͒b>PHj, byˊ$Ps=VKvh:3[K12&m[xsȐwo> C/EP}^&o5Һ_7MX<ލKm |cVESp!vʝןi%€4 /%/ŧv/Oݏ)jChݣBQme+ᘌXtI 0 fW8)Os-3RL`}te 34[3ܛg?kN[-%(Nn=i6Ŝ  $EbM'I3{?6/֋muimEg.ս:Irs"ƍ]~qZE$5t]0YhDn?.z)x7rĘ-V8=…Q⒖2kS]/{8mQ&}`K!oJ VoMWLN ']?T+NTs* 8DڢTu^sWpҭ-Uk1i:ur_@agjیGDWN6ePHT5Z=fR#saà7>6x\5B]Pej+fbv$mXw[-ۅ$)Z, q *Ρ$EH/[Ld#f9k²=F,_u -3#z/rf`<"luvAI;< w82.PeBHf]up@-:֓j22C$("QV)(i u: mނD\/9-&dXJVWxp~Yi.:.W؇a[M9!U!FRu R)%n\r?)+Vȶ7ܟah/V~5v= ٍ] `H.Kw)/9+\pG$n40 mh_tM`،R9L@by?;{i^%|{\(TM0v<:Ɯ@"qg|K7 aR [y;` ]~t%l / ^$'%!H#0k6<5F0F[_A յ'ZQ9=rZ"rߍ`un;bRZK kNz{J0Of)pǾKxS/_?/|jyrZKM1Xrtܸ[P==O߱9EeZ"ea 1&'+_2@{7_U4A xŃqI$r=W(= E\!38%C-$SM5;{NQqj n5n%EU F a-r{=i4ЄYGUBdOµ >s&jj:ԨKqd 9FSƠYqQLx~ ;FLכn0;vsM9)A^3L/XOk9Dr͈'9^!Bݡm?]]1RZglf sGCvCB-.PZ9뢉~V0ng6;,[9aUE:YM.uMҁfzN20}t/آuff@gF!n0 aXuc tahݣ~x\kWDLV4-`No$7㈟ mRUt`]c"S sF丩]!Ÿbt5c9ttyj9Cm+\=q[]3_ilW$D8W V|]+|Mg˞,1z/*v `FPN6]MC MpB˂ZWBSڀZik:DvؘǛfgdp<KŖ5J):Rlz#?>=x4/7/( bݾ!4mM4T0:ibeN~xeS~/G3zBxҬ m4vwm.ILJyh:QY`M5J_aV^0㎭e/kt 3GOBz[Q|Ģ4ަm{]H0[uұѿ4/Bu/q,p|JY)7v(x ā$A^ސ6#]=>)cI3$jvIWJ*ѼH\8z;MX^QAH\g[Si}jh.p2&np8*;tsѱ6-Z{Ӿw}IT {ԁ.ro.n3y^*[\p4E?Bs6=ȋFпk]d;%6_BՑopIV2%80hOM܎&SW/do!|Ҋf ؍|h m_ AU:s.0~FuLOQÛ 'vz=x 2Ndgo_GlILM_*CX0U>im5:\Sˤ0Qޏ:rG.-`( =9HӍ7|T*~(}{zE{6<(lVCrB#]O,H0ӼImMk@տY;k .;csa%A7Zґw`I: 1ܫ\lZSy7 ECE;r78 s c+2m 6$'>HH}R{i|+C77/,)j*_%H>6f-QBL bAR^P&myڳLh Tm3^A9g7՚ck%^y$Ij˪av֍izbW1k#I8tv,poByY!Ӄ.ېn"E%[bx.`^3Zك?l.10UԶ tŮ.J:3m (E/LG,YB"}w4Ia4a;6zox83a(/hj&6J|Wiw:瑿Xc|p!&`9KFJ(T/ԙFr*"=7|k:=ѻ&8+i'.ecjBW97{ A%ʯQ 2`}<ޑ9*p#fBpΐUwiG:K|GCԧY0w1}<{ӅJC/ܣ-,ft/wb*g;]j^K - 27fHe1˂F%=ӊǩTMa 1U;h\%[iԽuz4L^*($*cAvćx5qd/I!apn8NHd4)iX^\R!R&o?_dJ.IZLT{2"o)z~MX8glnYP5 {[PZTZ2C"KtrO_UGqeBA+﷘sz(8kW}bPZ)>S`Vd;QW|]@~Br!J06 #_!Ct`0F%Cij(.ǿHf?U #jwJ9.N9HȢ_֮D2G_Oliq:k(H:mI}Gѫ/[B ǐ,M*u; Kngi_ 2}fAm&%TC;W2lN"=a0ɅGoulRpAQzb7h qW2Gl 7e~r6\ʾnF]SJ :%y)eq ]ѿ7Cj(U^^ ̫HguE7ƚ>?д')kccԿ2!oU+?IZɛ9Ci>aZBrdP(d٧)@:gHڱt^ H]Bj2umu}e P7h2)_R⣒U99p0Ohvĉ+2Tϴ+$,]f1|#: 0oWyDŻ!l Cz|9< KND $zY[qlw@c|}"mudP Gy,OmG<-.zb^wmD܋\G*gScF﫷O7a%obhtf(LΘA}f$K &  )/<0''!?6Y+c+l=v ;d{IuJ[|=HC  ZlOuHt`WVev,7q0}q'ϊ\CN*;i:gϦmRA´5G 2q=,w/dX|E< rcOp5O0R#wyq(CV,lJH|{R_'+'S%ԤU]8Q.g Hq)gAcH=[TM|cBmv*g!qtdrkV*S&G 5%yQ'0J/|-i\` FW8~֤=?KAq9XLj,[v3^RF,M|sNp-[$Nx~īDU R/hM*uQdT^e_aERB;8E3np (տ%ϫhS3iyē7 4=1ZK=0~͖_{^&S>tR-ڬYqz1+K7Hɟ-GdۥDj F=]SW6FŃfҾ[UcRџ؜5skZK{T?:眂{۵!ļ7K{@ kjvH3 5, pRᆢ{??Хґ ~WZdgPs=8,#Y.=`Bm[Q0$M')gI & #pf`Mch:5<PQ@hB#Dikoo'Xv|-tccN0oMC:,?v% sir6"IrxW]L0?E_ӡƐ0Z1j`$r ZMv7`ĆC(LAv c,_q~,X߳Kq gQfm`Pff9QUE}~j F8zo㛻ARJs?xrlvn-;ތyGf_Ici[_A2P̈́G&dWel(SdnLL\g𛟐s KYwHYZN;؈CS Po򝡌3Yo! %̊d_WԢht^}N(flYƸ~Y eQ իni0cC0{;_T͑ ueq9D_7 jAs_ZN^P:^.Q?\aÏ䞏wޑ'"K4R3m 3,+ _1u 8i< Ow)ˍBu0\j ʹ02e/^-:p/ wL\vEӱE" BᅑM8MSV0{Y?|zXbٕbN{9:`6\-7Vd3#̾p# r\N6VůGD)a*Ю{zƔi'!hV^J9PixFxuX4dAE,#m8ΰP/ CǸ^t&@7!*'Ax0 >*"4}eU[R5b~{=RU+4חJeT0m 8AB|!*; ԁFwiĖu؂ uif"íE{Wvoo 2av~] jZ*bm6H~A11O06~'-nY!@vVb܏m ^5i=?FdWtj}rcjwJ& >?HE\EOنn[uG;;n̶OQ%iP<*$K;zf8t4r#0m?8 m**D/d<|A#1R!Fry:)5t;QM5SVɠq}ԑAjf\PY.YfAj|<-x6 cZJ}p2U!Av m2qcjW-[Aq'pGQY亳/X$u=D,X}S-x| V'*ߞޤ~p=دvoe) /h*Z{U&򠴅!5pa|%";Z X͵46Zn+m:\ϒ0%Eⴃԗ_jB90txVR759”4Jyn hZ[㱄`εPB[>*B(CpSXY+B-ॎI<5 Q>k !g^ .QR ZA:CѵX^‚~'p/re?B2$.43 5ZZ.T) m Ik[E'/e=6?Vҥ.TDG؝2췚M9"}l-Ofcffȶ({*tv7"nQߊ8n&;9kƃyȹw IӴmwd*xwR1 m_VAnK Ag-Ⱦ d3eltveD_ 43M}u HŪ$ۈF~&|Kp$Wˇ!4kG)þ_HzBnQf.LRv9{@Sn"x7rFN^6q'1 5(F[ ea:uݪ]}qt_/*كھ'1ۓ$ FKZ\Ҍa[(_2~3< ~p  ȰMMutDur!ט 9P_Y, PP)KJpt&5W:whSԃiRwP%|ʎծ?:m0nahR'yDҽBynid9p$hS)J(&J*8-7WD!\6"Aql8]u*|uQ~._5W|-~z>}+a?go ,߆BfJBiܹxy @$e&!m7JC$a% Wkw69V*!nOEq+(+,'ZUK8!48A!Uw8kq"b{Oe4|f_ЏY[9UTbb3go=U0{@7Epxr_HӸ\߫.b0\b #zӛ<*efv=x\\npy:H,IߠiW{g J жؘ$E\}ic>޳ܕ`pX.0:L~ј^뗀YCrDT\%C@q{5@ D e ,DEmthq1ʏTaɾ;S m'%$ rU&r?sד(s1/" E[Xh)# ØUZiX?XyS4S@M"h Dݜ}9y<3KOKړ!o̒Ć4!5'&seY.3k}I\޳36^*ur41->!ޤd)\uNcM ڔmڗ3T9-G0'Tfn4l (1roAJ> ^9ʒTZ>1# @2d<:篓n-ª,uX5۳;rɏ,*| fSyXUxq#eA@z(Μ,V`h<2Ū\w0 SxTlkcM6fkxڏB, YbJI%l)]IjSxPzgW͐QG|c)@K(/,VYFYub6qҝ^8=.MVA#xl#nK7hƒ]ϲTdoG'40f <[zUhF9Shr&w-秘OM P4C09^hM`!/wtpa \f9ƸE]'0EVB]mr'j{ȩM9^?by’@uV?)a`{ō^T~d|  `]`2a܀ukX9'a5$* r41FR[fG!BMݾy6 `W(BCkSW~X\P'Amٯ.|B7n8?,fk [NQrֲb+oI.V >U}fv)H#_ڽWJ)Y8= >J{t\Q' [??gN>*Zk׺s}Ay cHCħJvb FѡbȫbY_|'[!9~yqOw3<Dz,z }W_e;o'Z]:Ӣ1a_yEG]Ѱ!e'̆K=IlleO]֞qC:q",|Fhh @O2Dvt<"ڡY+K'l;U 8Gu?R{b!ذ1GO d'p}U)pCf%y`"c>ɱ:N)i`E?C.><9nm+ fjE_U;6%=9R8$ 8N4Y5Zq'Go6xqPb~/12⃿rZp^ YS_r0O |wQBf ꢅt)!$0(O4K{yO5gNXg+\r%;9Mgj2A"ꇡ4ke׃|awPWKփl/D,7L"04.٘j4sxêwXoS*vlw*g@l]kEZ SҧbP I-I:{vsB4k Pa ~9T0vq({Ytn4S5Z0R&[{kO'xMHɔPPenk*dS3LI8OEk5yoϺYkI^R>uR*tR-~  P@곙TQbg)JwbK9d@KTИ9"B)Й v3nL;F˸м0?݆R𵉅`ۻWl`!Ѧ? v_DG4E i e 5LiىvhҞ_zFX`>]{IȓVs~vZ.OLp `9 ] ]$Uk6K9 N߰a#RQѳ W9 Ɋ9@otUcPvC*~ŃR{׺d?DU۾*V .yB4ϦӋ{E UE5IQRm̉]jzi!VUea* ЏSgfU +YzgkXV|M@Hwa\ԛm94ZOW aoPVCO+:`Z}c6',Cx.-poAjdf,؃['bPs՛"*x > qcqFǁӿTBq8`duF1k(:Nn5n82ߨHfZZ>RAE:M¶T]sq_İwaB`5BoPf:=pDӌaZ03lqBLVnM ~oǜK 2-YX%ma xK>s!Ke}v^=+0̣9my?_M'YzzbFǡf n Ёw 6cSӀ %DnY3Γ@Wo4lno.m.5f+a4eYzN57 8ʑzMm# FȸuxI}׼U&焸nq7cvjlRPDwePuthW /]P-#@6{|{{9 e{u(iUpl0kVK(G 8e"V\_rOP'Ú*H'wۻe)PKrFS[Ҋ(QK6T!Utz3h*k>4@=lA 5YocRCuB2Ȑ\ۆ B+V=تL-v?[L"t ɒ AjkdxȰOoPח=Ͱv )<2"}}^q6V)ٸ(dޝdC*?|X,"6}Lf.j]cY38P;ѐ]'P.(IZPk7gauO9 + yUa͹Hpy{L(ɮ9!xzBܑkaF@4Z)Dȑ1/Buo s<pt޶ T3=cjVr2D06.-CMbBf`h*|1}$m25* F\p9U0zOd9AO[CDx)t?~ VTR:VT.-cP۰i{R)[PO) m7n%^JZU;y6eifBfønkĠGt$)C]/y=SxJ#ޞ{0[rYCR l eJ̮ $%862,`+ؚގDk-@q_1~K)4wKF?vK¢O~"#4yv?"*e#ZY6R) ,xt:"9%ZAWFa:°~$smS}ER02 @f6x]QPxUtU?-d~F8E!WqSLc1,T 4`v!ֺDs [~3d{.ُܧh}շn01ъ6E;[@3#i%,P۟:5ش9S[nCbݺj-}`UEXcH)[f{ޕklGŔjOTQsZuBJ*hR*•ތӌaQmdžCTX)%'P~`Xe_lV<%ɭ~dXU@:>vby6 #efe/Lu! yr dHNg!tTXs^5({i? TPފxlK2dқ qWZ;=xvQ4qmOJvhݝӺ{slBv:Ne]MQW O k9-00t ]. Aֹ&Q D~U Ձ&rs[_fwCc-k;H6xi:%x x|]J[Y?Zy@j9ťwGE0v\8^^.}*Wvs6HZyy o`;;Еg9{mXMEDٗOڹT`U=GI ҞL~9¹[εP9j+z|U'hp{`n8~O< 94&26LaGGKVG.<8t$g?VѳPRsE*o8'ahv 1|lP8\vCNܺu-ћ8)WֶrFC/I-`ݙm^ױ:3=77Sf~:~iiM} gS4^nG?MJ( ,C5gp޲\royAdn>a:\1JGyoCqrXW!*7qx:C}f6>t9!q&줋Zi1\䊯B´qUz{k#:2i1§QReĥb]'gBhU:i~ Pq9g YwB-8DǪqt0'WA<0y̱"g,}ϩR0ĂX/`^CFcAxKėZgۿ]#uh]3__Vj?xmϳW5Hf5^?v'`rŬB%`a :5jdh2abҎzr:@hg )o3%3*Mu-NEKGs#Xx^FaX ^2_?FQb5kX"w#>\ LV{Bٸ/܈{NNhaOJ t^™"uѬP4⚣)SĺTŽ'S׿5*kUy=+!Lؑg9pNէ>G8n)AN7aRTTyBpu4&D,:ؙH.&ԑ1ԅmB|ivQ%҃;aquG$#zfG+!Pot՛E@r*A{ iuW\`H0_3e%Szzغ籭† @yO}Z-ZאxQ}V/U[ 'аu3e>[]dm2xK,(O3"Kp$Wh4ùZk˩hޚjW3"!"mЍ/d.)?,xR"2oD>@ Y+kl &nkA1L~Nr,l9XOܠ $B P^8s#gpr% vN.ne^L4zHMGK@*J(R>-+si؃)5"x? ~̖LͩSQwJAEAO( M_@<zC_kJ⛁wiGߌI|*H_r`@# ?@O2pHwU@ kؿ^F5)\it3sg&Ӊ_o)ݱ:& P,f1t轫%s:Bծ=뺅4%iv\-9H寴Nwx-Pں0YR`BE>c$ aw7"ss%r)Xe=񏓨r{-W1{P{ERzk_,f>u9$pϳNC]s?o:xߞB)a]WQj?aP$ |a>]t,[l]/"yGs?&vwSYAB=I^j@(3mfSw [krBd.2KOxd 2AOQthRbmj}pDShDSYlX_s>*) idLBg+cHv mYCV UgN&Gw\JY&_M.c5zS 9^T%{?9B &=+J̇ykZsAԸJ35vU)Nu@O>?gogpe V %A%Ǎpp2cwQa*Twmbcdn,ȪĦ229Pϒ+B/w\nBz z tp׶cs ƉPAh^9CyfC KaKG0s Wۤ^)5.6P|@Y.[B|@s䛾ĉitNtX=?5eU㚩Ѣ+)TrHPWgC:>74zKW!yI[^P=8?{o34:R+D-M3JgO4 pRz̉uIяje6C':Űi34ID kY Tɚ'⑱O)~mJPj֟]_S~j>OA7h!r#[x ҄ JԺw<@;3H+ Ow*ʱ1i{ضǏI(M~ؓPTֿgը{_5pWXKkR.-߂  V>m J@BZ3xc wr`e^"gHx&n5[--b0FoΔƘӉu :Iho|;@/SX=ʷNMeՐ^p eų!̃JH.uG s׋cL.s%D~dRT%[1UaG5wZ[:LV=:(&:5F*exdtJX0\]08an_rtU w-8ZaFDw̍W͉qFVN,CRzWU{\U(S4BxNcYȭa$)=B;CQPb)W7 n#(t ɢff h<RRVʺKCwߙIJ0ޗ7)N|50I,l ekH-]/]_ãFuT5pUORǢyLǦNd_+p{2 5xBNރ @a_|$2$#x\rƋNɣF7u}>q˒z3YX[׆^O 9b0Ɖ3qG[g"),jN=Z8S@X^djmP CiJK*Ң莝alf3;u=P2lzN5iJKO­7*Z%ScAThGr}rP3 \%h3( S} 5W<ֵZ11< ̈́S1OM ,3p gJ;")P-U{:?/"<cl?n`HUP6x-?x[hD;TCK|Y@Ȕ%; 9wQx*Ѡ~v%DԳt5H(CW@n'&F{n+81hSTMT%CV.)-0?̕kl-dнl#\1F**OfIGiBr;DcY^i~-$ 1/6( 75}D%@2@fZ9JL4|' 7#) npO}6E %C jT_rF9"}ndx߫3|ǰ*WӶigSqt٫_=]syဏOwyE-6D8ZIgu/mek!r+djfs૸k):TADPְ,y&_u S y73t 1f[`Q(P9EaTpi**Pթ|S2HwRn,Eݭ֍k߼f2T /dP㹕z"U@_G_Zc]eٴ^SB>T98|RF(Y3:z:AcH.;}iTZRh? @5~a3 CktI+\xv3LP}6yIWF/ ~Bȇw@UZh9b)~I+Fc'2k۸.Wr0 iH.̱}BYa"&E;bǤkH 7x`MT/ًt|x~- @H$"?`MQ*1JA}9O%8Їs0=Ȝ DA0D$`cr:V}dh͗YfԻbNrH1Fh4 tC"N,I_ML1XGIrQCk9o4~F i:ƥ+[>Yh\gZ|\QX.6a4 WBW|cl!ݹ }[p#SŇ ]);̛a7feH]?4h,MB[gpsZ&IDdUn*.IAPǟtoZHk30nPMΈԹj-AsTDOn t̖`،('xÏDQ M=bd._QP-ig8{~kMmEiB]2o(v$夛F> Vɐ5+)FriڋlX#"2 %un6ʍOp$OfkI}.8c׸H*ttk ǹbHȞ@8C4^f{$5lQLAljƄSԒsԀ"Zi2ߎh?9#( Ca(=>ofs(#A_(+++,VH)qbz_O5yg6 w; !*pȰ?+8L9zl`mtL@zj3HQOUp5Xzkba/<ɳ&:dܻclĴGe?{VXm&6RƸO|\ܒ&(Td1cG!3arj^^"Fh~ή9ѶDt/<< D]NJ`Tj2FiDn5f͜[3v@Axs8cDѻP5݇VLN)üftU>biv J.-,QCr(Mwa v^UP\K,Go);mhykF "E1^&^EAMMɿQJ =vLdGFhUYf ,k &k%l-He&Q|גy=f EaIZ4p.)v 5HoE.dz5"SlˏDzCLӗͫ !tJwtݞ8;n{ƦZ؉TWjK ;)j+JfBӖ;5oCn*< VoOh o 0\pj|(৽~?3}#r!AAZėm~"Kl@wqD~Y?bohA!aT2".&zM9ʗp/?PT|a$K 3ҶptO&o/~r\Nᛘq<ÓB_9F 2}O11Cc|+>zM#J#}holbs߼ξ?RLt]Ǭ#^$ OD8qE33wq4*DFwm2ۚ{He8 v|MEX'' jNؑ~Jӏmrpd e& !%KX*lOqWφZD$RjΎ9T8PR7waݙ$Ǩdk&4u5gFIdw[D<]JWR\=c4x;qZ̗{X┗K80!̕o4;8@Zlj`$:n] X~"\@@SRV8ᩴ ʂfOF63v,[+mD|i]I;_=WGnEAZ׷oOP˨tf:W8t0b㹯Ҭ5[̅ъZ?_@hRy4I*D譩RO'HAA9e>(y䐂_8C'O'Y hr%&,עhb=Yi.=?שe$ w KM 1L˻i>aQo* eLOg:g!ati#zJ$=aDf$bk#{T ??=9d(F_UKTP}YP4] AW11!|o RwyXwo|pV17 S Ȝ|˅odD$Dp|sdv@󼳃&P[hv>=B uF9HszN7Q%Cd 7y",4imN\Lǒslӊ،4TYNRB@D]'C@PMY&@p#IjkRѪ`6aZ-]zgc݈u`TfH[] [PĴ*ڞb/T_lR z,:Ԭpt29:L~8!S^ZOV*˭^Az^sk4\HƖZLQmBn>\Y?Cs pYJYa⺽^s-O?4E墍5XOO"kkM4d;9/Fad4!L VXg3ew0^A@TG zyhi tzpkk+lMAV1X 7N89/JO<` )+/ >ކc\'*+&>I^"_*#/lGh(Bd* F -7 !/U]x>D[J7ׄB)Vb-JA-;a5 &ϴdl0a>0&}4IvP91rĽL]#;}MW[/` >pH6)[pڴew Cy[|뽕1<߼\`u1l\-Č*+΃^mot{PxuEwkgc#)4xKtWB,7ga)5M'26Y&2Yna*URsa ꈔ bTCwtڪpV%1>#qdkH92rBFA;}I!,1ʥ,Fe#ٓo0TW.@'Z}CfZp' [snFm,n!tSI|Myӄ)P֝ǂOhH umĩQQ8'cA,*Ygu nfUڊƟ :mYx҆b=Q6 wZai } IW^Ró0r,ȉƬt.(ʞuuӕ*yZl aY#BhWK-;;" cUtopqOH0ֱ_?QzCDXp]hXb#T HϴdΆ\նraacrI x6O^㰖7PN "M4:'M݆g("YL/7g w (ES$@=' &2@t;2j̪f;#]rIUqSV;^#K)Ŕ)1NǗ$G0a4n)c/ 6nGx,S] mnaؐb wm)>+ Ǯw鐴q9Nuc}XSD OC~d;(ʈq& M]~etf#^pi} RYq9xR ) [!dT6o\2iG`4o81H)ĵ1IM3r{|կ*ܯ2Mg,Op7X,i!tHXuL+b~ ScJv ++rbk7Ef(T,WNߵˍ[$f%LCE|!!hKK!1ėtFH"Ɉ[%~ DB&jYdmF1{#Bra|~CDzÔNDti룊UŽ:(\F{yy" zs'4x <QWCAc1o~JMWi%{b 8C`/xڬIZuB\E]Tm1: d3RYm D:La *R]WX)^$\ z iG$.ď))R{&BܝRM tdx EԨQd,%8'V BTMlGޘ49^ȸ#nr]GeQ=Bvвat͔bipM-dj~F"j3@n]4x#m v'Mꉭlr h/-_r^RjUi3Ճz@SS^L݈$&\2kDtGp/.]hE~#(j ٮ <`=N^G{m%>&CUuB-'4fT4$H/?a=CШ~q2@܉zQ>mށ%yŶ3,&"tJ7i8O|o4j.A̚ټz~Տ+' ùg2Y.㢒wbp WUKb8E;e13#AVU7TӀfH ٗ$ZXvug ET`'>ٳoizBzIz͡7RBN dqz BLn66 t~6(-%8!Ibĺ֤.,uŽV7]R3MͦhL}'j.o#䒭jwO6L#x2pJۿKKgn;'< st@cMضnfEoL`W*^mP&}:`C'%נ+$H3`b, YSQoL zKWЊF]/uN!<%?HbzQ5plT91!(uYR~ZbB/CJ0o'dLFQX ^<~/LiTȜ O9enM]P9B_C3~{2hFؿմD236tF1(!7PfFO8:9ҐILXcgB0˱ c3&n#q 2P~?" `j?ޣ@#h,'0+4""Un< mqd:4<]/IL6~iS,ɵ[.6<{XQ=-&O }c*SA ʄ ٤\2*V R2>N^5(?36wC'Aߝ0Ҵن]/0=p $?z "03\S;V&B Z [N{=yL+)Gn MKA+2`rp} =`9c**ؿwNu#qEm3nKlb*$AhUl3Y2x=Co,/tyioPY#/؂XkMmBjokщDn#P|:k[9_/6y&Ol +Ů974+7 U_>{I{X#~;Uǵ ;_<~<^piٽ{ڃoHIf ?q H{aW|;Jcl7mQwOI<Z1֓X.#IJ0id6cK6q-J]iKu鳮/A *-16ٲNo bJj#98!z)CUsALi@~Lj^ w)aͧSòȗ=wgT M6f.h=q&x@;"nmNؐ45/RC`yBx≻Ql6ϐ`HR*JZ%#SKB薏T6rA(Z9rߥ#6OE/伫$C'߆B][=yn}٩cn΂ #UXodGdlNuZq],ⵙ{mxwrU*)zL3{G]Φ-?Kc1Tx'$$C# hi:iB 41:L kqѫ6xyR~4_NsѽLaP\hc[GrX^jA>B{ZI;.8}fĊ^Mr*C9jN \bA ?l"z/4QU4 OGF#l+<y`khh@ Җ `+;6ʒYXy;ʾJVt oeXhLI9@=zÒ%| ;g9iϱ.ŽD|Ed"4Rچ.tfvO58_F7y a9J(WV!FOsHmi!UYr1~:T Ɣ oX )azᛜi'-]ϣ5pe~5?RDʘ7I|䢘 ܰp!#!VDRKt _fo;Ci3ȞsǐVMOOxOy<2 G q|)EDb,M5|ZnGmH8o(ݤ!/.f&d#`(>e[b PLM9lƘ2.6Ϭ>2NԢx ~.pT5=g`[T£b rH'fq6ϻ T1\ڵeVq#rfѦ9²_~J4g_n&LDH8b-2{ JCL_>1*v[,MDٶʝy7sJ9®U}0ԘgKtXvz{3ra?@zF /-4hx*H%F>>ԢޣVOwV^>ZV*-YIsRPRMxօ:1Iˋb,ZYѮȗ& RDݭRJ8~\.yuhCGWv4&{z ?KcP]IqVۻ\ȻenZs8.ԸFx1!!HXyш z5#CF;Z]¨+6Y ,ԙ3 r \<8_s P<$,T")xzTjnI>Bm2/7,}ֵzD]nE{gL"rX*D(DcCcH 5UseX_11PҶ^/סu< 6z !aZVS N^ .+MAoz{C4QS$;^mREf Gcesd=H( -cT+ zjۗx&8$MОN5'3p1- Z.+>.u=lkI @2њ ԇΤ[qPVX%γ&ZAHC( Ep.EV7[߽4EbMt=ˢ~0pҨRXm˱~>NHELY+d!zǵXVXm4[mV3uշU[AKE|}V2 t9G2cwe#U/H```]LV7S9u{OmC-( GD Ptdg+u::noAr3@F *d@!H5#M)%Oc|OC" x+\ć=0J̞a ET`?40x뼝l犿O>Qd NC C8e& ۝ be{PXBiBu R*)~m2̛h :yDf<Қ IvUk_lg|({mR9W$sH}#.UiM !17dLLX?gx$D1S`P-oMF֞̚&.@wOSNdoY/%3&pV67UNxhn[iIŨQEUJH-8I9yQD2?6Wwnm8# o-J@⒍8Q=*bFXf*@h+~rE@6_-gʣ'EkGIV(s:QT}U}O|'!4=So=B+!RsctW֙9f>FTplhYΧ] M 4~YwZ^>frTM&5k+of(H`}j1I3 ]ӎKoY$6VqqAzs#=j|&kil|nCrx;|ZŃbF~ڻ1]GIxdhRQTb\ ٦v .{W-6ՉщتLm|eD!po2*g %"_BnJkcnP,&4GiL>jO$O d\+0Шg1pSUd%l&^3m3ĭ39M09wl_A|ʦ6{UnצF$#9{[}q$-;+iqk^^xMyKQNTy08ELD,_Y)fƂ Sƺ B*mLO wCna| %@EL ؋v,%ix*IAT#Iku4YԎl&!?rg([`-~7Oޫy@o "WxgK*yU- A5L9 GwzS@A!ڿ&r!R1OQH#G# uslJ{th IkٗӈVoI*RMķxED"Cv3 vv=j_ ['d1#ږM6% b:"<1zngbdh')!7";("0 *uGh񪙦wgfxmˮǠ>3T72Sެ]:tg@^0f/ߩiC^EaT}:7C*6" C9V{y"VcXI $}84^6`o*\[N_9;N|ɧ˜1E;uuQ3 4xJk\D{] }yֱZeF 蕽jFh8Ce-;ni̼W0\+o[FA$A\G]jX/^2dS9/,1(DAY=;Mw8EF\y$H6`B _mhҶԎHvZmVs; }᪠;lhVzoN@"zHnmZ~{{һU D]0x/LJO :ZyPt3V!DȰŸ>}鈚Tʼn>JZ3F4~U 3"&υ3ٷig/BҦݑYV9Kl;?w2h+[i"n6[Yʰe*ε@(WELyLPav$u?{_irU$ @=۶'ߟ* HV:]ۨGq?-Yc6Xm.49߂Iid'ԌUI(,7' Um5 ֨!by9-~L! "AӉBj뼹l(5w֕}gԒrp ;\Nΐďgܼ)*+/Σm=}OAtlh[\h9a= r# *p.svStKW^~UgިL64SD/sZȫV/ /=ȓ͍#jyRiS֞ݧDOOg00+RJ V CTō dqe2M#wAK[!eXOQ),j$a195T#V}KUص"=3vcm&2-W'* A-;Se_JLVGk7dwB Kzks qAhH]jl& zI^й< $T"`ztNZ|1N /U6Sh[VmQ&C \nk,ޱ#,abgu3ͫnN'9ۼ(Wv!sέf#^bdML !." L(o.X$\AN9HP~8N;zR2HC}&9&;>n#BLŷCwfˋ5=_y"~Pi+k\|U% 1Z)*]r?>b.ohDdB2O䱖i}f7ZYw1tp=6g.۔_e7qxTO>^ܵzrεL*8O&P yFŀ|Gi3L:!# tw381n˸Ns'Abķ/ü#Bu^u J=[!z{ϖI2gb%;oG@}_w—q^B391#FVGYqc>p?q"Wڦw]V۽e';2ny!i8ooS7{Z77G2U]O?м7PU5*E߭pl}>8CqK+̊ȈQ^|EkÐ}w ,P0W-~  $D6X]s (DD ^$ڷNHed?u6K5*XQĂ,F=T)Sf QIUb =pAn)~,cOHT_" cE[0砹o"{yx@}(JlU5 KޅߌJ%*F[:-G՝ƻ-HHB.(> B?ZL)R^{1J*îR:,-⊶z<7 ҕr͠bpBR$Jk!g 쯃c$ ݇O[i~?jiȿGZmY^>mGZN8itR~4ky#yEGRFVzvі/j~:˽>761FJ s9-2/ADɼ41c?KTdo1tև |~K(`tbĩY$qln8lƲ.SSV2TzPxÀ13_zx#NGaEQ_uö[)(`\x%z c=_ZrkDω1Gr{|qGP804:UX  DH z*Ci;6 1OƥZH v8ĉI`@_8oGn0Yuxxh}巁cH\E N0;*l)JIw/})K E'zvqg.QPCjoa+}kk,/T#%~|E_g|a*[)t2@L@6+F]CXg5ŜУ[4yev®A} {Q-z-X.ϘPɽ4[,I!HK8Ѱ`Es%u׹鎚MԬ\EɠQuJ.b3Y%Zn7*8 +Ă[> '^W,cͲ;Ic2p0!:*f'^ѥs+2@;=QеB}ۯKPsϤ >!>V0p U PH[w K42{mͣ)v3)Tkgְc`@=?SeiZ+E`E8XO &h9&pr7x]U?(F4%"ٓ(!x _䘺ɩvFP:m!b XRBS !la<wzqܿlB%g/WBdE nyPsw Y0c%&qg&p58䐆 ꬆ"{q^Dl$8CPL&:%$h2^tOuCPss`/OSߠ/QPF(I/ڨu,_8#X KӺ{ }ӆa_UTS/3\h9 i)owGDtzf+E__қ(vbH.csDLȬSxLf<$"k@U ,9l[E+%@#qdYC6|K>VbNDɪB`M녘jZnj)r:= zlë8bqdV%kQBUEΕHʹz@,G% )}B^n8%+nӰgZLJ̯BR2$)~Б`Tn8u$mij:01c&h<4!L% -ehS!!䫠{}9)Oq\Hc3tb@*5xS 3-5!16a^ȳ~d Ю^|hinJV :9/cWqJl !$x\IF<w?OUqwzD]Dƭʚ9nj|g#"q̓fLƲ Ur̬du@HX3H` 4[K'=e*nc>vp4@à!ţ"HjiRI->UAe^,R̃P.H :>86"őK!Xㅷl,苔VQGVo[:3=dZznDwo7Qwm*(R7YW-UEKlsU۩u(I`cS Z{6FUMlB%-(N™,fV[#fgĻ.G0&`L^Ǿ58IHC}ڽ20"*SZ I߸h7 #'g~ct)=r]dڠ 6⍂u k`!Isdk';],bWtKnZvFxqE,k]5+cғLvNK`V^*rʁjh6:;(K殧Bvh Ѩ.MʔPZL6lrirQ.-xf̷~^֯_b>NII[KQF+M]htY}y#b=J6S֌܇u~h,O6]SQG0cEqx ~&eC#^CGga'!yu4i[6a|qU Fմz`Alq?;ϕ!@]Q7pŨ RfvėHEgffRC|u['ʐ:8it*]yeXW5 8Ǘ EjVR@N:Rx}ũusdv0b,-H/QWynԫ<:5o<ƋK1~~AΡyJvdU;o!?r y?[MLo諟ac%;K ]8G)]R8)f kCѥnK Eʀ>r7A#;Ej<¯$tf{u2a0?I=T>QĿ{9߶z *4if >9}-kC=^fئ'煪$ZP`8PI_( {pL^2 nziH+.  f=ظr@7zDhD0k",_כȲ%?(NŸAu^E :TVHPTJR/۶tixx~Dp[F_sJXx)D"9c#|>Ys5m~w)!^XjeE'G 0HcHH.aa=6# @W 9HI~Ab=ֆe<2&vJ{:Y@)Ec320z\Sb[7Rj#J }uepAKte7`B䡪-`~b!O.|bC^:^N=tsꉥ "^$xLk a('$'?lR>V&f.SLkSvQ bKkkCQ(,"sڸ\5ҧ<!{~!x̠zxvq:ֲVg3 w"#mLn+ӿs\c6.k5d൝^˟ Q4Z3r]Y _h똆 Ja:p^q3s*8$ۇWPBlMHugk̓ISW_ KOQ2:u(NØ1Q\aN 0>A!_V?Q|1ӭ}g%4WDr$]"L&.&Wg6Q͝˙n1Z;?D5~K\>o7QϫÊcyP"+)tTvcvF_a\?>~>`zB12N  񥺂vHމ"HfYYG!hxLlP;C8g}RKB8"h k'r34q<ƹmdݾD3U yH;4gVo}բ69" kU/7;.|hY b7)ĸVLk+Fi折ԌrL<)@rX @ҧR9J;HnҤűzjTks;muNKqvΈ}Gn bĕ0&pR?&kU_G"?ae;?kQNPGd ;F!VaDFD.PnΔ%_{odLդ a &8y7fG+6Ȏ&^t$ɵ5+v/:jboNǟe1Kq4ŇUy-oܺ=#_B|Wtv/9&I7OŐv#|c&l"aWBO91oL>jeKnAɿL:idCslٯN5bė^"x+H /"ғw^HT]XbE:I@\O۱Zw"f/aTn@L2XKO&g#~|@HfZ'yZDjpFW}9ENda(U 9] ??d]^I7.)!ܶD˨8!K !e}.hbʅCgēk y.!,)s+&v%bD]"U g*QOtZ|_阸Ea b*n02QZt dȴo'?ܙi.@h֪>w,:E @ߊ(wWWap7w 0S7-:y5 r9؉cHeIQ"IG?ϧM`2Q_^Dc"w;UWa*_Xzx~2=$?\SMX߀9%]aB/R=<@bHr׫5kG=jzF-DPcSHOO lu=zUI\, x 2 ~=#mh r^MaN/A̫֌$sy-g| CHKb"N܇TȒtﳾChb݀u$IJ)DӵBuVT "u*F @8&Iy`Vem ˵bJbO4ϕݭ*bP @U'x꘥ֺSa@GrЩ{5*{RC*A)\\4t̛g>jbZ]mk.>DӹX;|&.~6;Ds+£9g/.`D'&g>=$A}q2\ܑP10}sʇ_רtNMvm R] TR>eJBqa炮)n30ޘ] IE|_ o>N1tqqe <<0ߊ1kaïˢZu=|Vw"pΤVg[Z'y]ƪ#e4z5G6&0xf,;ǝ()?.vCA>➪PȝpôȞ lBetyVrTK|Ā5h(eDyrA #+&h;TkxPu ϓE4֤؜։u#46 w a}"`"oP=%'x=̊U7;{6K)ɦ}رF8&ކv7y [iI/~' X},|˪_ mH4,) ]ʸyڒs˙|{~85QM` yHw]-q0+ gb8Xvv^t d45B*hg}Wg%.<<ӀgˌD݉tye00ث<78zzo^&CxS8PE .x4,nŵ!I+‡1|['Wo>3ߋfriþwģ/ Z D( -\;e оAzXWn`/}罩  ĬY@]C1@LR"4>6j.iS+Vr~n5XV0PC#a9_lkkK j90/DW74_]Ut U%@Tȫ=q:d / pe4L8Qw2Be$3hGF0u+":K$‚v,i?'jo+j3=~rcM#'Q=C6R#DXb.${]3%71jTp-z%>R;Cɩ .:T']k}v 4hFR H/QjUԹ˫#M?:fi7D*.Z6+ETS ]m 'DE x1=+򴐀]j21bMS[OPidzLDI`d#)Si](äT8`;V=3X}4fL,}P4m(TS) A&n Б]AcjQN3[$A֡*F&)NMh|2"quVA~4m)qn'".4drmdƅs`،F껝jNwr1a+Xof,,F;lM<߹ȩWmzGnJוr1'ߡ0PMlnU)?XgN)!Z1 |;2F6cZxڃxyciC] ,eR|$Թ'R3iGm }&ԁyYmː0 :+ץ S^dPe!}N:"ūi=e,lso} yUR8۞(8ٻn‡; MPqT ^,p7QAg*RzLm[.Ƃ}{N3xԴJN?qYTΑS=q 0q1ŁWe}icBܒS ihq] 6\1{Ga@ G:hΞ7"\w=~ZP _wiVQ"?ՖM+q޿&>\rMhq>G.̇x7,yYuo4ڶC6[@4Vi/%y&krO0`ibӿ7}gcXһ6nO|AenChm k(EV>OFɟA/ 7%ԅVɁ_dNSlLE4Nyca@99BTånfGuZ5RJǡڙ#k{ҿybb:;{A C㙆V`O#ݪ/Rj۟G5heS3sԝ\{Y:bBDG;5.m(hSط|qc:*(g .hZX"T=oNiyw6/ѷ}R]S0;H9}kl̮ VTpCҠ<ۃ' {v Y 'M~)Sw0F0Mk?q}3 m4  nԽIh3fyh 4פ󓇪H~ p*+|z82 ?:J3w@j £Q-FB !"!]m#pH-iCV7 q~P ⪽?˥@ܠF+F*|*E)!4w[s{2X^L<_TT(Uø]Ӷ&aI~ Z~S(xDuD!o*EE+GrV3;_|Kl%i,!^@X,"LՐC^HЁ65IDj^r ez_#"b]c(_f1@o+th~ִ6uNGt#˰)Nh(a\;x6D PЌ^#DhbOd,8sfLRǣ|ݘ,@ W2WiVx2⡚Jfۖ5x J!*~ȐfۮYx*ʼ}}7TTVGr?9 ˗6Ae7#>̖+e8hDr$ U0iO-~ɁB"ݑ"{v5{w#,3G}]QU\m+-zV?Ԭ >kJ5t2@둱Q=7ɠD S,/@uF>9[xpg%W=cUu5+dʔpi.I>44qa?eޜJ%9*S׿F9j!˜O8lrW.*kdTK[88mOJꃈ뽟ܶnNan-[0bI9{2.!:eMXQol/44C3'ge {qR,(5m]W3XMXJ jqBh7+;'_g6D+ʳzbM.3Ym}YX9L/k׬ !nfǞh<@զ4|Be_vmKDX聯؁ QۿGJTxk'aPBbn_Wyw,ڬ7- Jwf _Qs˼} NxC TC~;=Pc4mrNqLuUG]2f͝O% RK=IwG,璓xLi_n!B`d{cG DKG%N߇].h(\)26)\JQm0^6klbgVGH>fxX9}xL j.NJkHނf⋴j R~['kQJ EXzf |-Ȕ8wkNg!vh49 䴀*oR?{b39h>Khyq",-,S`ض:({6TƩV D7oϾ Pڏ!Sn|Tפ >[Dtw >m#2c;*+E}E|N?M0 (x|: o C mSaxvp&}3A/Y<7_l:@"󦘧'`A`gJ /X芫s)\iS"$ӯx5DxRi Z ]J6 sJ (xG0_WCUVxqזн8 uSw˾yMk g9ρ0hbPJoY+JcjiIXc.KfQXLEK)H|.=߭PK5>uda$,^GHnkH:ff2$!ȌqyCա)3O&^*/I_;Fo|mI&$8W`@q\xamn?0VD,93D.ٳ˥n̏+S_k5fpZ…φˀ8Wwty_+whSrXM0Q.R9ƢuɐXeS/ۡyH^4LA4ݠe9 wP y5ˁ&9mmq顓A;lƿ]?Xs鵬`E= =˂4acwK7kgVagBB0_&|u TP GŞIY'|Itߴ/DYҶ) *TҞ? qYK9z$z,LIXͧg߭_ߌsNwp\{D'vP>HkAs ^ےNL\,Q?F=0K}>DNQ/:?jЀ j3iKTm;oܸO݄ou4gU>|cl"ɀVY R%@ڸJۄ P|lϔ56#43#o;(um`s!q]CsY,)~'8bSN`ѩ2٠Pg֙.$|o}r(*h~^eq|X坿L3Ɵvdilk^n>a~<-0Cj#j8ޡAZjf3F-05A{U) ʍ1&w9[s~}X, 4#*PȈFXY <47&?`ep ZFWoLglu%?LX\[%<\ ^]J~&!8f{JRV#jւ$ј ՁMۏ.Jy \U*s/ě[Kd`Y8"odyKdr>XPzaEux+#82 Q/tF~ k;(""/`.7Vq>s"4#^4#|[n{_Bb]>H(r Uƚ#گ=xO0S$ ~Z]s16f+u^^2$00G9zB,JW[/ۣ{t(e_ jY׿0eh|j_%Б) ێz'cN| ;l귬JNXP r8vid+UHu5v|rգRR25)gօ\7J<_}鲫I@l|G=NV&7qr8b^9Mz2I}fLb9 i=UЍ0 -ASh\%Z>vniʫg3}N/R[ 2 b7#EA/QRت䞓a$7e`]" 3"ie0gȀc(vycnP /Ah5'^FRӽ*cvKS댟ɞP|**^9"BDrAMo{W߮^ц5*/醝pM8#UWr+ꐕ"S<:> B\`QT)]]_m¼{;N*qu,Z&>-Sa/؏z-';+I$~GT.%pDxjT$"5M1aBB.u.M7Gox2 Rڿ(6Ce`)T;"=YJRbXLnM=yTMG o{ydrѿ ??.VeT1h@'upQH9s{7)F$҈gCZCx~EqY-: ڬc? >&e T yЛ/WDݖ W,|6ʹλ^U f vyB| U9~<v+\RAvh:PPhٱ "(Cy:TjԢ-P0um s7 mH yYXa=isnoT|V;j-0tLX%HX$_݅}M zFNѿޘ-8hr-/< Dz^*}p4M=ZӬ8^D2{RwPxY*LU3峟mUhQ'5XlZKw6*uw@+{٠iruiK@BOw0xN 3lzvP ybA[>=IO ^&y ٵ )}J>DjKv\.l66F|˴SUfщU[ȼB4w p <FqH\}9T'u2e靕?5l# >l&/mSqQK6! 7&=LV&I22k0B5u8 |Ol7وx*kZW t\3F&!Œ}mmMّM]'i 5P2! lW1IOYPkLo˛4lJ`IH~Q4Dl2yzq\i1ufsV9)64{nj{v~Q\k-&qz_` |:5*m Ax)*gAќX"jbMl>q^&G R`K(\oƿ?5atk2< kRUi{XzC`_3 ?,zmP}G)yU& RTr)EZ(L@H4FtK{ʇ&B 8Ͼ_9@\^;65GD$^!=)hr)bg~GdN%>4F3}t>0@0o2 1a*VUɍ&Xii39 2Xb<hFD~1{v-g=(h$ѿynE1$w>), MqKz{]L9u],[s{c>+BzzQ~ȝgmw**&kowKB.ٔ˻ i}kh~Gۦ՞Y4e@Rb:)u]#@ꋃ<CZR{AY8&˶ ]SPl fh:Ď^.$Qa*ZR*0Uؙ"fɼ[C9-hRe7hC|'~5Δ-?B?#tϜ`Aab 3f}6ၑtI0Q]2͙!v,NeӮ?DmXQRޏT'[mȝcPl魁P < O kn…0+ $d0$fy5w6`3$:C$r= Cw1}=jK\gCnmBƶ:1nCxoT:Ljn?cWnUѿk\Vq\1+xfh p,z#ݾ@( RD^: V. *p[57 `7OW֝aߩ1=[m= Z"P۽R|pSdž41RGy94\\+&qeyDmGfxuXɼO@3NHѕ?Q|zSО%η.8)\ޜ=a:.=Nޑ}re-Q3CtM kiS3wd"t`{FxRMɮ!}Td~gTR[4Jb+3 `y!y -a痺B-?')# QCk/XmʿO1H[Z'1]!(b/_zv90!LH-K<5RBi躭1m\"f4X KnKNʽqٍnMAlDY`,/@`c|HZUx6cM]hy9ՇNfk/8Q4Lo #ԟ*E לx؋1򩟥M }SᐛgSB^ V\at!Jw *hke POr(q^+1"|.; :'x` :y -G,W %K~pq μ{Y^Z)@Gz!eAä{2 foun-`a&-sDW\h&1^(:'(/\% 4W4 b2Tb8qb> 3o kFF8|iH S uzJ"8A:ʱZ)r߄|BNg BGفI nK+VmPT9|#CCwipR gT6 4\ ު4d>LepE->w*9+8:D` ShrOǟꅟjAz5jB(ۆu+xVE#Wvnݘ47,r-i;Ք1$PcR'0mg抇n⁏uZM#)K(٭b޿?ժ Q= %\J+Vtvj^N kczB0F9CKpՓ(rB#n {R/3(pL6cw\EqZ. * SwW|*A:klU 5@:fS1q/÷M]]⩃s:ǜ@" cr q]qUd]1rbbm?$iFkВ E-'K5C]@.<4$vL?j|XQUg&*aԲ_s!D͡rlmz'OCg_~>qDAQBo3G=WOU/(L + kӗ(@bSGONMY]Yftpzsa}c m&tW苊Q T,-r0dSi#pP 3?yfGI3k?{F+vT=<D`2h^' O5!GXvnYG-Lw*=3:PYEgS=`qy.ZjVw?jhz{A"{XxZL,>${GmAw| tl2N˸PQ馥h:+2aQ7| ?ձcn;( Lٙ ӆzU0+~$8'r 9DȚ|b2y:Gжu­O+7k yM4R_;,mw-LJ|n'|#F< Fs0E_V3 h&2$ GaNK˦Fd0q|cഝ2c)Cph%hTR9$oR]#$XH&T#))Lv8JGE}? 'x0<{.YՉctF ‘%MeF! a%`8fzՃr{<Ը^  %607U;)DxK#xS %\WkhˢeSnp~D+}9? ?mOs,|Q~g.2e+I~n7GIҨ4t> h~>HxZ s@M4h[h źa2fy yYe& cVT}b3Ьk *}UI6P/QhwjJ 9Gc,;> 071a0R;A%XVbn-D9.K6CKw2BZc.'s#|pMM V(˗Z[(*'a׺?שh5|au-Se]{ 6{!ύctl &K YQv)pA4_79o%BٽICD[Jfqs3he:-A}'Pk֝@pF\X^,C4hc'ESXړ ?^e=V5J*kmQdYsxAdLJK)IA8>@tKQ}Rl}Wt1XPhN/!YϊKD-YP j|\~X0tDk|SDw[e\=f.X]}oҌ5`6Zgf ð"P`--cjnBX#vjȹ ]b0Nl<ӠF W,7G*V)\ #!M%Y8~i2rlK>ؕ1Mo Ο~0bPX.\tggO'.t 4Jߗ-p/s72i=+Jۢ6=ˆq_! ؓ̕K__Ռ)ddVCo{_tCjscWMu5u#+y/IYP3źu%\>{PEyjG0@o] }0%)1 .;\巆 úu*,& ?-ы2:i֊O`_g F\>aKNQ$;8jzaCCpye"4":TN"(o&6{`ɧ/V,8e\B‡DHΡE3{NEе#28]\~"7ݭ37HzQo~ wa}fP'{@>| X Ç A{2 @w~ pRq>X5MPxC+syRp z%[)Gl|do.`=#~Eq,Y 0ꛌs6`ř" 1 Fio+1sõF 赼\άH-:Q;>u۩2SYϘ 0'Ppziett6C ךF` ٶ%L # IZ bue'Eۋ, RZ ЇD/pNn< BnP)Mtu;adh]Rd%t<%RʐMJ}^>|ʢ=}uSHi!P MCñ`J;of1Gi#-¡41cm_i7*;SZ:bs oڻQDyw.2݇s93C߫I^Z&%$IlϿߡ3J;ő6,sE _}w ffroӞk`%xeGP|Z4밢sMRʶv7e9L+&QSOo& Fa96]z߁2^ePփW`'ܻR{Fvt("i\4<!E^eDžSJ a٧pCά+Ax Dw)a.eCckti}h5?2%ӵ,1@doOL:wk(ݳh8.F%~ǮY~3]D\?g؇4\kN"@2%v.lkqL }:.?7e:4BvcpZ;-ﲇ4=e3='K]+4?(י\AX4S&Fq CuI=ү@F>#o$g232E2ӥIQRN#:,`+dž%(I!Dc| !.@x⫑| \UЗHOQs"4>Zo "i6ꂆ7+&t$a( 7F_PD֟}7H`pBc%Y"g9:62²/ o-6Nzؗl[] "_$|6MNGWU2L=ֆH0.X!N{xgjP fexmޝ_i;Am+HՊZIӊ|w5D3(Ѫ7fsk_`@g[=m(b,l7I6ZB[{P+rv%~ L>Ȣlr}m 3h8A}v%vՒXaůjFBJk3hC0SLgR&/gs/)]y,M 3M R2_?(6O`os-{ĦL|争m71WЧG6pʑTM#Ĵ hTϣye 3N{ vX`;!TI9ty5+.8mZsPs") m]NHe_~yg^EJUz+%Ԗ[wMpLP}vHIBjEw(`79s[iP{`mq;\k5la3 w;ta֫'FRX2X{cZ`'$Ɩ^1pOl<,U^m(צϛs#Wl'X1\ބokr}1YX*i]&:+ `xTHG;mj:"\E0_cgdhf?pO2Tb:_q'0>"s l'fC_߯f* *]Ôe׵ FѪ=}x(N%"RH#5Е/JGGh"lm=Ѩ/,>C 10yXm4<"N!|J}8agbȦ+9'E/Q:5?XXN*̱pYAH2T> (=fDLGo/pvyDKu2~y1έ%D_@>{"HoUG}٨0# X/~*{:ڳBƎυ ͺ0"Qj*{!Li+y"GĖp; @#8Bwn) W-b=+=~,$*% ZKm6[N(ֲ<J2Mt)77@9Gz~4ZSN~5iuV[C_@k_! >/6ܘ4;U`[H ])+Ęcd}fȲ?3b_yU`2/8W JcX*\+8ֶfP#_2R] LɓfhjVv+(HRnoոmtZm .TMYex,++~z6Ӈ3y\s{a"n]Jw:;YB72e<Zgf6+RYe“;#,F|PTǃ^Y>Fj܁ '}$Fy_'PӇ> gI q~λ(>$pfXchr7@UNN=g\xQn0IXTgYT;G)T"^5.;Ý*XueiflVھޢa:KWc!Aծ`e>qYAM`B( LeLjAejzGV["UCrru7'lL@6 @c3rk린Q/,XL(؆9L8i !RR CWb/HKz`K#Dt:/'?Y+*v 35bO,4T>tdjEi<乼! tWz 0 nΡ_bOH L8VO"!HƅĎwwó<~c8[X(@`“x.ٷ;zbڥA=Clj`s98n+(@tS&B0>Sl!QXrdU5%qHl`i2$yE3Z,M9զM '߱0x%4:QLZ89FAh R5 _Y@WFEbB ޔc:3Ȑz_=>'htQy*ёJig׌d3PJdNRȏ6xC t.GdĻ$D~SbXzI,U+x4|L3^!YsU _)^" !kO3V|~չ[$ɥzbvҷ`1I`b*9s-T՟ݺA9}L4(kƮ.{Ğ~٥WF[%@HYF?muz[l0Vؐo*1Dp#),BC-Vfyedg0mf&S=KAӪzU,kryw"k -aVm<7U崕֝RRi\cL5"ݔ;@71,Q=SM;LLXR%$B0tOKUoB \hׄhSIPLs *1*1bsWYC~%6vA{bNſ4 `we!rpJiTgQ̴Y $Z%$V}aExff'xYJs)`sbZSffa9;uʎhGHE,訕wem.s>œZ.qӝ bx쉺O Gj 1?v<.-ܤ&4Pd|)WnS5&r-m~="Ta/Yaeq%SyEc2=7 xbHMH؇<Ѷsv XZ,FW7 TS}A!ӚZSi[vaO؍ص-7A ;~5Z@z~Y4eddki@#R۫I{qߵP_H:Lu*{J&PKM{yP(Im'&*9: KRaF1-7tyZE+l1;2򶐬I'A}C&?DGsؠq"*:oh/$Rotjջl4eվl, ѐxzo%~ՙIF=.^r7{M@;ONwHMXJ*o5އR bAa{4."r4k4φ8)o`$í0o.lm.Tס#%*_ca,]̖k#9EL? b_7#u qٯz;3Sϑ0 \~n.D >=ydެnXu#:$؏exK#Ѐ=٠BXL s܋+fnZh@W*3~+ԪBd:&6^S:N|s6wUzJ}$1+K};&DvXA30KRXBS#Tm6qYsL#/X+(sEĈ^;wI3MOm84G06D˳*Az,rY $#^N֎IzoktQ'ȇ,9?lke[A/ܶ;/ id&B[b|*?ٴ&Y!튳 ܱ\S(P_,?}q \ԼAx_ES_dZa;"*S[ rנ;bɬؖ SPWMi߹gb@uhV][s'/>صKt=`C-@e} o"THb_W>NB_R^rq&Q\?9ÀRo,,d' 'X$m&c:J]uaCA,DjA]cG_,}A9X8~Ǽ@MB,`;zLqxj9MvJZn>eV(2Y;P Bcgi…;`f6˲!l7LW/s#b T3@r}`/›!]QjɴhDT.Pk=h]_N~ l"hkPsϖ2.j ͗r[O("l*\R:AQ.1 TUL۲_ Z›J vpA>CH`i("a캋၌_hbHAV,9xBv61Oߐ5) INi2wte%Ww5 XuuG~w)Dc/x"G\k@8vI 懻C\w~(cYLNω&\Nw+H!o{xlY:MtrēIoTy-C*o Ě,ؘUV*:_) 8F/?3pC5*d=ctxtlby2Td[ OLMWLw^2R3ɯb2sPJ·b6'HcیOL+rE#W!qp>28lOO`tNyof(47EaC\>_G8R NH2"Wt 13[iϧ \[oU򘃨42f92ڗxi[F+`_ yR"M_iH}ʋixn%Ne=A=Rn#M&(:3 7AkXt[@i+͋Dd<7'v8[8ì_0aIBIC<+ c 1ANes;gtAq]C !\V*"KDZc3/iMxcYXwQp:i ?MJ6r$8=)k?A@WR/杴%W/Q\4YwM7pڢ{PqVUhJd~:U~5Dq;gJ%}G9yũŦlwwDZ 39ɄQF%T{ÁoXi-}vH*WMfɃ1}wʠ1d%(dh8  fk I [g)P5=狦'=G`jk!܂{}MaӖs`[`kSvY!&$Ø|2_ºLL K~Ɣy;K:@^#kg".tt 1|<|hƤNr]'b8ӝ _WTM+uYϲ[j^`m|!b0u֡nΜ^!Mr]Rt&g?qCVUXBȵڟ\'sa>ieq\! x؈.?ъ{ *նZĢ=HZmK[wOQ&E>wsW~QMm: r~^qMrJr#|:Oggy'ȻQr'dS A5ZderD/|p\S(x7XPSvSȼ%C)~P.H#n5779cMnQ ,Xv-wuƼdnl;sیRTz~BX :I*O5硤1ڥ)~ii&`z]%ˏ|p e3ݒ+vV.u@ T1') n٬fD=OmW G*V"l5J*aTpOʻ_kIu7pHDIKU: Vwa-"bcȉ4Qljs a ( W; :>'^?xѺ~qQ/FH^cƓ;hb#>;A -.I焅(pBʋ'p=BNWֶpjI8*AXV0DlHUuրd[ԮG]YkVa1JA\KБbM|=[dg9P1;QPN3]5ywI7K͍\tK0mNk!=ᝮո %J>fg|bqjOv\Rtgj}_>2ȣ܍3Z"q%;`@= G:3kWrWa{Z[3vlCy &&h1mvɃTގY=J#d 4}U.ZL,X]~-[ZqSHIWgɿЭ\`Fj2-nZFi`MAuIG+!NzC-寂aiKk"c7RjW ] 2i*D G5Qakd cJEC;l{$TCi 3;3(,(W[I)'0%!/I2I1ҳS z}oGag01IKzRQo, g"*֑Ar."J[؇[^GpN+ؒ+xpɟj IP$;ui(`83W6cc G^ҁ{r!1OL\9#Jnazz4S8ԝダ$Cׁ#޲1.%&|h=nAa@n0ZepH)p]#2!-&ws-t:xq>:w LVy ,du?#,${ya)8}n-0&H~#d@av`yWMQw.2sr+Hly#=(~aD Tb82fs7\3.D)$^#|r974xM_K#~ zh|x- 4xU[@+mặ քm!9VO%gh躰f. m㽭ڇA~}?9gGbtJb?TfAm7?vCP1^G~`P7u !3$/"ݺgsi|*c:[̂We0r)Pa w]&[~(̯- G,8<~ 8N-|i@ MNff9 Pr ?i[жxBqyxOQԥ@*9̰u,D+,gYѫ!`TnLb8\ ]$3 P…/{G&$҄f@@g;4Cj5;2>-Y 0tTb&bvvmlu~?ãQõlP̘)@ 5 ơPwϲXXp }m֮yCD-x鈔ϛz=z_Fխ]lA"@G*&׌[S]JȋϺM<#f`H`xOshLH\"oKC6Z떗d>68/MtM4Ë 0> àsn ^ /2vi& c>C'PsRu>#ʑu{^l%e?B|y r7cU!5&a_V7D_ f4gBReT&~m"Mżu;[N}uʻ"Zu7}~PYv[B`4V,"ZR V-Ÿ#+ A+!0s̈́fɍ t8dGn߶2Q=EyC>3waED @u%6*wGS9=CSID!!=E&n,O@a7GiT;6: S{uumQ| jg('6,I}5ܪp~^3#Qjaelq im|@#NC`^`$^\<٢hQ!v0Q8_Γ.PM0BNf@ | Zs@L= LjǍ?8,uƯiln2 xC ˒./M2L2I{īV,n?S%/"yJ&zv%.PL/zfzC̱~:[du'O%ނ.sVrƱ0ZF M4 0n} tV%}l tKOX2:oke.2v3m67+1`Tp>Nnv:9_yߚ~ڸenÖwY$toB,:<GB"]n;P~f~FY'^hW~VWfCWPhd;AAl<~ٲk)mWg£ZTԆrfG2MaeE!dM`k4>j}{Ƣ\d:cI$)$!Z?eOb~wS7TPN}clIi#;JSZ]^Q5mSvm|Zg%h7*eaZn7LZ:FSy@"됚2P'% ȿ`JHv+װ0j:O'2hHЙ~ ^)K=*)c?K ëo\u=tӘ|oj /or,ljJ*?X><7;dwW֣2 2yn6< b*ݓ8/"P!Y%%0]^G]#2$2^X f%jB'33is{)\k QZ\xk{GCpD,e;j"m`15%Xt=0::}@Ql]Ro=cܨ-ܴ){Ls^Nǿ-h˓}KL22&m-qm5vGV5f3y(Tn A> 0m<Uh #G8;Oqgj=wҚgev;J \PuFw#EkN&jsļ'j斘67y]vj})1If4jsذ_\8fK ;U [[i99 nf/)m:s'( -ga{* :7pgjMPiZ=POn Ut!_oJUv~`Ns|?+fͦ>mnhvCS>t!3^P 7Ө%}Y [#7޾Ri$ԏjR䮀/#gƜ! !ZnL2CtkH@ UbO0{,fOO/T q69l\6m $K.MB_g;g9eL"D9d3av/N*> ڙ+OȫeAcΟay oz'LH⢀ED8Džt>QkӍ+2&30;63+BDX"4\բdTN1ZC_3 "EaP`AoF}`MRh(6X.Ʊ(/_ū­& EK6#dq}ikґ716>lE¾I*++2Pl|Vh!cd4vRB6Jů;<o-8aN]d(#YԐ1J=I9(84a,i,2fY9?Z /;>L@[ +Ōǯ&)Î軽NopWу0im-99\΍$$fpbd +7 @$ t%ܗAtVC쵆b*,]] :N,nɺ212Yg[)<}/WA;0T[}z(]rhw焩h]*K 4N䇶q.K'}E>fyh.\6*@t )ˌc5yĢUډyb!Ӂ;Xl4 Iw}2}p n}i [ OCOaiNp /cM.lhkObGX)ׄټ 4${Bͭ#']_78z+`6@EoYx)dݼm0<uY4 B\,N*>.ӾX 振`܏C5$Wx\*La_< <O3gl y:Yڹ \$m}l (@^/) WۻR#|~Xv͟k~KɏP'p]rGSkUtϞeۚpHfbVE/Ȉgax,k-q]GYX^`wob Pb'4JCf+'}y(k8(:`uRgoZG5fnQF"6&Aih#MlZMiԆe<KamrAqK(H>fARl`HdE(Լus5uaa<ÿ&v-h67TY?tۧđD/$J fOCR&CU6z: 8vX'R-9^K_f9;fYerCKZݛ&#:usA{wOl°ODj M^.#3t$|^mVA4Pr:"BAp]YҌZBY @o'MJ'%B~ns?ٖ|ഄo bd vW"Y憋gbO cf9mZl~t_ gWhn{E5+/@iej @¬rvo [D['W0izRTiFa lV5m% :_˴s`}8!I1AM$_o'>l/` nB;pX/ /  o`D@ƵhQFӁY%r ٠-^cAScQ\8a$gqLmxq;=ۀ{b'XW>V^bK/ ?"܊Ji@zVXJ<"3/L_ИLܗ'[ɪz5J%@x؇hmͽM++%À#d4>z7 /< 4UZi:RB'X|nFyiv6_W 8rIT[^ɢ;؛G`WI@!;cH$"_;!-4iI˩cAwQsR6٥[ezQ[QDNCݜhq ?yG؈{0U011LWu;8@:}2` Ց=|H|2F a@"~|}a#wOl8B $U(te Y;7lK[bG;'҅k^}_,ޭUCB&)̡ =*e2)qthS~ W? rĻ!43~9F:=$|3# b;;SUي8mIZwͯl/oQVQܐ y`NZ%_HF5#2?،x8F]kŹ}A؉4 Rw4 \}I$f 5lxЭv6r  '䙵?NuJoDJÔww3Ɖ]{*{W ;1U3 lD>} ܀L%a_i*’gDkj/eAPwRg},Kv(̍ax^j;anB7?11xpuSODؖܲ&Zi+dGȹdeʚeZkOCfxY prs&K|Ïdg2g@ZޠKN Dvx*K^~]qwҙ.ZnG*sKuxݞki/7rYk j,s4B8o`·xs Ty>f[C uؿ|H+Y/$ڝ00f67~<}Pj[j? %0j,Y۰W hGRjG:'_z+ 8S$f`(yZ⾫Gqzuz[[a2"1u I€0Rp":\B[I]=֧66dES"nɯםz+II d6-LÀLUкdRLů}ua2H\)ƟzgY!!(y 袇ڟ۰^ qE*&``Rl /R 0Ḍ.yh$Xxh8n^T^=h` \ndDslbQ/{bcT>iPUՙ\n>>U1%Z2j9 Ig-Pzkr!n  z{À*1dfq62D6G9y |m+9 '{J=b?9 GL7 Kw z39PP % BoZ\r]EZ h@u,*>LBs1~mx dMs9!4EOnr{dSO_d ;?%,wH3oMQn_s <$O;OGW-i|(CǛ%W+J97?JtUN҇{>wyf|^pQ}g(21ycesyX[gc=2J\|x(7޿NGoŐ% s?m.c(悶v8,Կ9`@\';3w8#[&f7tg~(t_UODq;}:ouH\[ hMz$땃JBNJ.y%񴏥DsB w0\f*yzՃ rR;NuykqXnLd`C"-g"PZV8<P hXPEE`G+4vZ#t8)B; C5&#C:32yt߫z?Ɓwp֌׮ 733;'۴FbO)F;pQ͗pfB1OǮGĵñp7faN?b۶!J~tX5*up>E<>lyS%PDs+dtڣ{u@2>U&ֶSwu_I??^ٌϦTS4B//3~]` eMh[k9V|CTOO ͪ21V=.qmBã_R;Hr49L~w.G[& Pkyیkf T_Z`1 !1eV ٻO w*RbP2:lz$@P,(r7*gF ziC_deFA2S }}B?IU˗WC`C=I<w y8c| s0)6X1-R"6_A:Sx4mᴩo IbItgԪ_c@bw$ѝ!Ov* "6rRN5Leq!!=0 u3yt/6Qw$C^prPLoB@k '(C0eЙ;Τj]+q2S%|YA(;'pAz{QøN>A/fSי1bj]?f\=etT0MrX/l=Tmuݲ_xABQ7h')\E|xt]&b [k(vr> V?rV{aĭbS̗p֯N2.; } ;y3zB:H p^a k1:,Dw1ђ:]P|Km$M^nt(} r)Tଞp^RF5aE>D=\>M -1W \Y8 Y.>Y@=R/VLׅvТ(6J̉Y !"!<U!nc>ӮyJfQy苧n`KQFԚbrQ%!F6/a6jG03͈~naUyP .9`5 OwfM>ڲ#pE'fVT?63Qu脎.8P Q*pˏV0Npg(=Xu+ i2_xGO2kT,U0֧:顪q`sWXKj`L }"DU=^0Ӷ#lwÇ,1m^Fqi6.6r- D6dX\8$Iɭv/VȐ,>8k^hvĸ!E a.l)3gf9foO9 l@MRjV4Ueॱ}9ɾ/Bª' $气- E%c"{.HS~-\<(fpq4R8^`g1<AND8ɭU3.Fi1?)HaZΦ~3';HGxXAk tb+oP 54;Dbtp!{:L\(50pP!E`B9m5\*U 6JJLk})J2Lxm*i*À٥~q\¾ވo>u3U\9Ѕ6Ѡ<|3셳ž"1LK`*)8qtĮ~lTFS ܓ^Ν_ }jaݱ܇D(+SI])Uz"GD:5>ɯnO6bK|rYGߔ—>J1A1|-d3^_$M DĠ3;R[!ͳ^kIb^S%Yh.HǷ[UiC`v3uxA2Arֈ W.r4KM捗|0_`< s˶QvR=CU֋!C3Ǡ?Y["оO%aI!4w*qzgAY\f2Uhl]㌌Cs)X$&<0jmՔQ=QN%B""_捲`{ڛ.7oBOqpr!PG[yp_qԲTVCNP +l:涶, ]CI |3KD%ǰHr;EpDƏ\L#w Ł9v|ݎi"FDzdsjRދضƤpPn܏RvV_Ȕ(J9*gGgVdy}1z' t;m3pBL`{BzFP^"'9a⛪wꞿz[cb-j*R{˅'n߫/: lt7v\ ™nx&@3l4 ;Fܭ7+-w 58s P *!8Sc_ለR׸rx[qnL%1e -B y0-ZĹ;!Ez)x>ܕQ{.Z1ª`q rrNw6ã#4q3D]' V{ޥmAGE, eN d¾{k1~UBޖWԂZOM..Ї Q](wFDr$DS>Ls!9l,4H_mChL'2\;jE.P  Έ8AV5 kHdӕG{0&kzv9PA,:vh;fi=_T%E gwg)M(e\i"S}_A9-d,"3YۤN~Vw87M 074?'aJZP_d;Hj'ppGpt()QD)0lWTRiUr ҞS kMcIB m#h-$I_Lz3_4oHF 1%AxըqoAyx\,:k7Q_H==S~op'iSjm>O綸w%b>&#<}3Yg:+?N=!3.-h+S[(hO_A {Q::RƁ=MrPY6w)U ozȳ?'".dFb-oHAI}c[oJӅ@vԶu{W k xI?,z+/,/92&czNoC)dڡ_?D&+RxW_dn+ᬈJA}qǙi-'ٟ,t;h8ώ#1Fă`Hf2 }[%`gnz`ǽ6z)^ }ї>ߓ3|DOSp70HVhBh%8jϑy%\;fp%~Ns/˂4wcTzd2Rd +g<.df:JD==pc*/[أZ^Uh'[{16X~*zW=(?z"h['GEdGg\׸C5[JdK62o[oq~K>#9}V=A:J  ʠMP([l9lFKWpyx=4"\-8F`>d;jdw_6|Lf{TûIzG8r_^`PBf1`Lcdip"s$:Prr gqW>ipJmã3}d%5e"kԳaHYM"u‚*IzWWؖo۟ߔ9.yJ'yqSLA'dЌ;WAD,' i? s[Kqf1Lm"HΞEV h-rbO>sf ]EqWT>$ӹ5ϛg3^3xM[J4WݰO.1Ŵ!HfXd\Z`t=cC?k+`iZ'ޙ> d1.򄧦ɜ#2{S-Zs4pV wirkP,U@_Mg&2Gm'!/&"/Ou#{s ͮğ5tDŻ"dzWO DIz9 RXX}\ŲFf-mqU j]ajG IimsRd^OVqUs7ęqgI/ȯ*f8kP]8A$va]&fǛ8tv!~J4[C9rOe:D %&kSQ$0Kqced^k 6g&w'׷K:orBa 6ICP&6.b1dDZ Q%)qy9B`LD]ed-bv{o0A8/W'/YP JkTOD2/Bs]MkW:(k u}puND_:?8z5[l7Nz?H,h۴HrdFAUtdzIȪgY\:S.l6a8lKK^ TP7suQ{j"DBM,̄ &PD2]4M hOߕ GpWv'Oqu8:5ѪvW a!҉}"Y6ckRHBO?ӗ=QX55M3C0=#,Ɏ4WNрZf#KW]{@H|?׳Cs-by+ nZp!(ERKd-:j@Ä}:IhB5L ;68WQ]ZB `!|W.n{TSkJh7)ߠ&!6 #L"nsw,%ÛD/_C)/߶1w&Cу1d> >N{9 L0!K:: VX?Aj6}5$\0OӞ*|߰2.J$nW> J[,rf~7 mu%ϵV}$Dda+۾{Tګk߄H׺G<#OTA>3jX%Û9 { m}UACZ 1K%wdjae;vD:䌍'qCd# Z,שּׂGgqOUM=ۻ8%xAIw7pNddxOc"̒^SeYpahvVX96쑔5{Ӝ p d݋BW=-I oF7ms$x 48Z'MǃbǕ_wJP"kRPNl%J6ߋd FokomIMzò&FiF,?reP(wlkӐ ?Yf6Y `eOxq,6}\6-q%8uII ϴ?9ykFBTSG9XG1Qk2tΩ W n1CiЄJ:okI-We5-?-PKrŒbk&tY=_y_{1В==ӤFCˆF,|WhrDpC'ڛpA1 2tn^YDG#6EV?I1Bkb|ĔZD9Qg;Chk+Jzѩ{Hbޤ&?*cާrܳ$* g%sX$?97qM pFYdw=) Cc#Ui@ އzTeO1K0k}=Es,Nz! j2#K &.jUטDPߓZ%ܼK}5%rwA/dT %ґ°<3'+pW\3[I~+So|d쳣 J'_z}ntI]4I2EiN? {7mkZi@+x0[$}\6@j-C~@6{4 ,5H)m}1a-x?U\~U# ,*1mV`yAz}&92φ_cyyƯGbvy"^PDVE-ڄ::乵Cx03ķ)f3Mf` }+9DD5m3:]zuH`:yeRF &G>O(F;\fB͜~HAh$\d v]w6͛t%znCoU'S: YZ