samba-winbind-libs-4.15.8+git.527.8d0c05d313e-150400.3.14.1 >  @ cp9|ޟ&jr8*WMq~c:ľ]j[< ]j2a‡ΔP:FT筙4DC$~h zV@HⵓY(mƽ<vkB+B}J߼_r莖 rķ5ss, ЙNA- op*BwQJ!qPg%e>RbNg^TU)M_l$O;Ԙ"U_ ˱}7bad69bb2cc6471ae76de860926fe31c86ea8561835054af86dc9a85ff3e1f342741f63ce84eb3ba6978ea11053111eedf7d8196cp9|?X$d)ȲwϚy$qAǏo(K1쭉TlRh^]:1@i\bnAxS_6:܂y{\C%nXW5a9W2hha< Z힀qX7-])1B<4AN+/I#ԅ#GhBIA {4O;x޹gjQL6UC)2sJ|k\9wYDwW"iVV۱u4>p@Wt?Wdd0 > W 1HNX$$ 0$ x$ $  l$  $ $ $  $PY$Y Y(! 8!9%:6J>@$]>$^@bAcB0dBeBfBlBuB$vC`wO $xO$yP,zWWWWW`Csamba-winbind-libs4.15.8+git.527.8d0c05d313e150400.3.14.1Winbind Daemon librariesThis package contains the libraries required by the Winbind daemon.clibs-arm-4SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxaarch64xhhh r 4H+ HfAAA큤ccccccccccccccccccccccccccccccccccccd5b15ec2276a7627b5ab7657308e007cf06563f00bee48b30c5453f38cf6551daf58c864074dfc36d1494c46f5cf93ffb2b1200c6a9899c4eac14f1f4945bcb3d778f7ce23990f936e3506625d34a70888a6d4762df58eb4a23cbc2af3bcb2077ef3ae537845dd19a45c589165a0f50fd8eea10a39f779558081ed7b329fd3878d04ffcfae4148ae99f759bd437c7e2cac46c92d37b9bf24dd28949e389415d56a7907be93a391eb1f552db121d91b47f92111e0f9ad6168e7dda08a5521669bceed7ded66bde4eca93698267ff1642666d6a8cb1ef044e25318cc37d3a9f33f4946288f6b3b807ced52acc3a1f38a90fbec5425bbbe85306e34e59f808a2a04a7aa134cfa96d90a4804d94e41558b04380ef9b0fc187a57b86a6adf477d7548822fe303c950d0c18c3afe0588b6782609ac66d04b9ad6405dfffb3692d78f5c59cf6dc7715d19eeabc477f8396d4fa287847701b7fc08391ce8b5955d9872aa8ece4f5e0abb210bfb6eddb7ec799e470028716d6b1e29f36470f4e25bf7b6aa8f2613ceb9f41af8bc3a885e5f64e7ae51d10f7cd6334a51d379ce3ef96c16e36046bdff3002a6cf93512c8a44215ee6b1aaf12d7d7bbeed09002e09610ff343d08c23b3bbe064c6e3d752ee13556f090667ff9016fb23f8a27edbdc365b47c5d60e0f89aa3696066b3c1bcdd80bccd96fd0f8a3f14d6acd27a4876cbac6b6915c681c43bf493b2a358130e998926e2d558cbf24237a7a4b9d34d5abdca5a8cd98307584a262f20f54a2f8c807a77bc4f11dc60c20857d3f4ab9c88f25453b209ed2302fba55e99916a5d78ffb87800407b927d685cef62e99235e4f32aa73f7a07d1ef600025c9d7759f474b84ec7f497b3428fb2e6dc9efdbc29d92de0b1966415ca9afe43d530e3d8c3c4db00a40039dc6c072126f55b569bfb602a7aa44764807ee7d2110cb597dab2797ab64e244eb3804afbbb479d9db9adf947e37f55d3ad483ba7d3d18bd3514e4393c3eca63084115fd1e01fbf23f05c036724d5f6fc1a3123ef04d155ce414311ee22fc278e2220b743a1d486deb21aaccadb848eb0fc084858990f5d4b7845521709056592e373ad9739b0730905966b09494d102299008e48dcc2bc566c9d1958d2ced609fac725fceec2056cccfd83cdf98464ced9259b986e6be25e4304a3743282b4dfbb5c8b7df1aa226dcac0bfb15ad86b4337c6d1c5da273e567b10f44b12516e2a75a91320c89f88c4a295426fd453653e66c183b01048653e648eb31fe12faeaab0f6fb0119aa4b5dd46fbc82332ee7acd5a0c1a076a0381dcbd8952a0233f302745b02440463c248a88cd949dd7bb71336070822a51e0a4a9958276f27d3fea1bdec7c05ee10ef3b3f9e428e4755b17b12f8b80f17e42a4a71f281125ea18a26be358b3da20e85296d07f2aeb19ea31d0af0956f612703de0b6d458ea03ff868372ccae6f9824813439c7b04879374rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.527.8d0c05d313e-150400.3.14.1.src.rpmlibidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libnss_winbind.so.2()(64bit)libnss_winbind.so.2(NSS_WINBIND_2)(64bit)samba-winbind-libssamba-winbind-libs(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfig/sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libasn1util-samba4.so()(64bit)libasn1util-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libcom_err.so.2()(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldap_r-2.4.so.2()(64bit)libndr-samba4.so()(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libpam.so.0()(64bit)libpam.so.0(LIBPAM_1.0)(64bit)libpam.so.0(LIBPAM_EXTENSION_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-modules-samba4.so()(64bit)libsamba-modules-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbldap.so.2()(64bit)libsmbldap.so.2(SMBLDAP_0)(64bit)libsmbldap.so.2(SMBLDAP_1)(64bit)libsmbldaphelper-samba4.so()(64bit)libsmbldaphelper-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.12)(64bit)libwbclient.so.0(WBCLIENT_0.15)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)libwinbind-client-samba4.so()(64bit)libwinbind-client-samba4.so(SAMBA_4.15.8_GIT.527.8D0C05D313E150400.3.14.1_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-client-libs3.0.4-14.6.0-14.0-15.2-14.15.8+git.527.8d0c05d313e4.14.3cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigibs-arm-4 1662105452  !"#$4.15.8+git.527.8d0c05d313e-150400.3.14.14.15.8+git.527.8d0c05d313e-150400.3.14.1pam_winbind.solibnss_winbind.so.2idmapad.soautorid.sohash.soldap.sorfc2307.sorid.soscript.sotdb2.sokrb5async_dns_krb5_locator.sowinbind_krb5_localauth.sowinbind_krb5_locator.solibidmap-samba4.solibnss-info-samba4.sonss_infohash.sorfc2307.sosfu.sosfu20.sopam_winbind.conf.5.gzidmap_ad.8.gzidmap_autorid.8.gzidmap_hash.8.gzidmap_ldap.8.gzidmap_nss.8.gzidmap_rfc2307.8.gzidmap_rid.8.gzidmap_script.8.gzidmap_tdb.8.gzidmap_tdb2.8.gzpam_winbind.8.gzwinbind_krb5_localauth.8.gzwinbind_krb5_locator.8.gz/lib64/security//usr/lib64//usr/lib64/samba//usr/lib64/samba/idmap//usr/lib64/samba/krb5//usr/lib64/samba/nss_info//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25691/SUSE_SLE-15-SP4_Update/b518cfb68f7ddfb5e239b417674eefa1-samba.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linux  ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=528e53ad2e102dcf014a8fa714765559511e6e48, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=013fc95de39477f76316ced2b4e22c8408309742, strippeddirectoryELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=197d57e871ad98408ef1ed02fdab040d14b79ca8, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a2759b4e9e9930f505994d4ef600fd674854fca6, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ac65fa1e3e78021d1dfa495b9fe24f6d9a094bc, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a734af322380f7cfe0e4ae4f795e6fc8354500a1, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=13c1dc6655917a0182ab0b008374d169b178caff, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e008c7348bb581a47f270159587871dd9e979cf9, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3bcf97093d119a945ef9cc8c99d002f7fdce9bcc, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6659e6170d7f920fbb3cec791098f5f1e7110c52, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e10ef8a0a3166d9b24c4a5a06884cb099505b28e, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=04f70ab39b06d7fa678f9d0eec1c8994ffd5a530, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d1dc2a0876d78018837e1022ed259c08beb27e1b, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=980534c85e7b2092e5113a55d1db4a3a088ae79a, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dea6a82e3c63e9b7ddd4741374fea27f7bac4404, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2b649a756b9db215dc65eea00e25560c96acd119, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6c76808cd18a82552e9f4a3d11107c8975fb83ca, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=076d10bc47585581206855f487a4b109e8a8f567, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=42338452b38cdffa16b7b9b4f9687e329bdfe74d, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)Kk 1AYx 2    R%RRBR!R RPRQROR R$RNRRAR RPPR%RRSR RRR$R RR#R R/RRFR'R)R RRJRIRHRKRR3R1R%RRRRBR;R5RR+R RRRR0RR2RR4R$R(R:R RER&R.R*RRRRAR"RGR RRMR5R'R7R)R9RDR RR/R%RRBRR1R;R$R4RR&R.R8R(RR0R:RLR6RARCR RR7R#R;R5RBR'R)RRR1R%R R4RR&R$R(R0R:R6RAR"R RR7R;R R'R)R@RR9R1RBR>R=R5RR?RR4RR=RRRR0R!8~dž؛ O, 406Q`\:;>^zhc^̲\Th4yhT3q+Jp|^q"lӲƐ/eBp\]~ϚmQB k<+^^ *ذՁ)Ҝ1 PѢ2c$7R V͔(h*h-ܲwtSnU]yٺ,Y!EϤZDk`Dž|Ł3`p^0rs̼d5j͢| %cLT Xn fklـ**-4bB sHߞj@U׷t`6g#`I>HmiR.lnQS_B<~mԗֻc=^ClUpr7=Ц i_X:X'[DڣSj1UNsR"a}wY1b a<ߴHMւq>e8A%k eg&Pk$X}Xj_ c\ޑsQLj/~`AV5(L"M+.W֌w8 +k ]]vD3YdJ?C.v ޞZΠ_9s(!nTWZ;3"qFoz79w\{O`YצEhG]JgFT z:A;Dٽ+1tҥ퐊X-r"1>NH g}6Eu %od~~\i;e/ Ы<% )tbؠ,^ƫaZW$ xC?B uDN6A-fR֯b|Ur NX<8*m@7I>i΍) =Udn&_&OdQg RN>)[k9ʁIo [E|3왪\Z C&`7"5=V*e7i $ +WHv$W(䞅cޥ4e)BPD`_|ỉTP\&M Ci\3odQ3]| :}ߜfV3>\/XRRԸoEGJFeLv ,wdqDC^w!׊_khh'!*3YHyW1K$` .j^fa9mLu4?&L̥Lht$<2d2 m>L~.l>Z%]_,29ۂlRѻyh8Pi/rzQ g{4h1!xz[:mGL(}ةf~.+`f+hZrRiu mcN['I Ah^vGtY*Ī8MԝVdJA/R0cRC¢+zzzR(( J/Jz B0XA8*m(D\LFHGگ*f|e!q~>9U*6fc)C`%O&"mZIe݉򿌙{ aQ:,}yE)v :UT&3)tU>t"0R t)O f{ur MԑٔwLOdH#or vY7ܱ:B(̝8Ԋg_ lqUtc?,'&q\sj8A? {Z~x/ q)ȝ3E}X Ĩye)B}3emOuTm%;8&L")i3fݾS^8I.7fxѩF ʦKc DMƪFb2}POaMǢR.rھY/1lσLfu8,g#g<9ׯvapf<@?[HX S;Wl]Gc/uZ^kR{ fYiNb@Te9hDKu)Ӓ R95FnUiǖH2,RBI ӕ"ԿY".O24.T3j/p4˺ϥ/&C5 @`]9򉛠и|7bI+[frG-nf}/MZb)qO ix>=DL7"^DH|J7>+-w. B  70ڀF\э蒁ZQoLUYe'e);-2IE#$/ᡓl3xRR{#4ˣSY''BιEW Xt`eԖwAcd@S6rvR̗'7)I"ї=2E/jY.ug8 LJ蓗IIn|YzEWR^g@bIjm UK:W4Cַ\*& *M5ÎYBdB,]%b!a*pIq+6@۪іFrfS\m7R+n(;х D"evB ^W@ń3d˳Zk&NfEgg* 瘦EY6{JICWG ;`|*~]`'tl6'?sCΎC'Z)'RXuF%YmWj/?*I!O M,dA F|7 57c2;a?1MP7$tNmz Vŀz1S;034aC&LAt+P\ Aj cv pqj]~Q۰V0jT_>PحA[ٟ}k"%2j]͑)B%vP,KbW懑]L8%o>ՂC¾3=V}BHTIth$}n[ g?iX7gH<,aǧ+ud}BLNd1KE|ji|h?1-qipnyǔ$I0ӊ QVӡtv]r֩@!ns Nu]ܞ ,s!0nJ29g"!8bTFqS$bpSilq m"xy'qʓK?_JG\5'|/ј}~uj0[ XU,ʵ)"yq0m 8~tBQO3`|gj=E^UHEY7 b1 2ZIxq\fq9 ֔{!Zc/"+7 zVL ̩鯎n!=TTPΞ~jOR=_pd~{4T&Z. Hi:'NZV6gCMŁl{ _!ZNeTBe+ H(` "OJh +gP+&Yq$)Z@ Њ D˧Rre0ULNoјl.=,N&..L)DnU23]S,v@^Ύ͢x%-9DL47}c"F~V)G55#Ƨdqeԓ t!v {/L\[=C1w+X}=2~cw= |qO mөܝ=z$8ܶN{YKGϞ*#pflzWUu66#LȅLVc0 /Цk^FɾJ 訛<H[ҋMwJíHuT*RyhgwCAܝF+sV@lijFkDJQsN$wB?CáS]jF&6EcA[TB*%%v$]䅱/H>쬬TP%uRM_9rXQA8[EC7v069 G[6e>Rp@dge9h&i(ѵ˶`9g" I_JqTؘD+ZQH[GtX$T:iwKm|Xk2IIi~յowt43Xy3A>e~_3]uCl?{BEDb)H?`1x6*ѓmlS<1 ߂.}No=ٜ(Q߽z@ZY>wN8P!_4 *Z? Hv=%{_"^fs哏[ zxrKT"}# ,;8vg|Wg̾.{ſtE qq&U D&%?ׅh,Ν*0R1-v[ "c?h|8E8RV|Jg0NmH >FOűK%` 6[mc3Y'6nAU1F~Xy BicErw']UiǴwc=a"Nnn^# Uy0V ^Jdxr/I+G=OMvzHZ# 's7*aN& ;zU*WJki7՗!})`\Z|*,n5= =tX(z,VkU=*3>I$ 2j*Ѵ"\%ئ8w2۩ V_H43f Ax&U+Y!v{1jдr'dghS3peӢ= jt#,*`9ۇK@AG.dU-.LZoL bLZiZdž7L3J1!; 4^Q~,(p zbdU+cG|wԱM8O)A=0`tUsƍLݮicdXq v[6 /?moql;.NU %E.S-:7LY9#޾?*ĭPK'7o]8XsT8 E 5Ƒ BV4|ʑF \LŊ} \\l/HJ&0*Hы !́W39;"+p5duq"w^hn~\h1il J̊1Z.5wX ]jXs@5[nT;61ӼX iҵhĎ՗zj+'HK ΆO;+^i#k*T.w ڀ@J5$b/uax*dsb6TWoxo{Gr,W8^-:{%_  lmNSئ\v03&lmtu]>ك6'w8&҃pCl3P&U9?6(^:-j0k6fR9d M:9Pï&Yk#m[߇:a#3@=ɼb{VTH50' 9vյy3$X23Ф鵙)4D2PKDNhOE!C#~IW'dQ)CXΓ&ׄ u]:-`@-E^k4kAla$3k~a©́_zqCm5nrBtQ>a-z;GfڹJޔ=nlBjӲuPy*j% _2pҥzY=Lc ѫmWzi<9bãkH`-v(S(ۻi?Z{k#6>4b ,|4ΣdI`o d I@gn \ٿB>޾׺g8 iA?(5ȚLҖZc%wyv2-ɝ>@[2DNk5s<=z%nvK%;VUgPb+4;:7rtǫD{Jnɫ[ϗIФu \0Rrrp B+m9L2Fϐ%@>mϮ䃧JN!Y•kП07O6Tv/"_W3iwHY/(_@~kHΩ-!p+q~*| 3|6Uxf5XՒ׉tAڬ] T-M(1^746DL}}<Oli6i@v]hyh}0*02I,MjEmsF?轚 $}63kL8R5R7e8c٩rf狰5:R»$9B}{|)[ƤP#<u mubc8s hXuއ[}Vz 4yl}Ǻ^X{q\Yn`{=!ٵ-qϻZ#,?WFyZF Aaj8XD4/ %tyF dHÀ#$tX]I`{ Pk葷0a*vكu3,)݌P$75xXKC2:=0 񤘐aX8"O4EB~baS0 6NS.OJpQh&r,?3?q{ԬPyXܒRCHT̖8ӏ{q|K&W,[ lk-vN(i0)joh"ecAQN l֣AfdvnpRe_ꅼa^2YwnX)ů칍A~Ȅ&Vp.]˺`&v a86)Ӏ\@ݰEA2WP٫}m/ xON42tV=hu>%Z 8KF(5=pbb!a-HxݐnϱTnKL(Y) S;'{R3' boC}O8KE'+>g2fF6 zaA MfWTAgYSm^\Lמhmˈ2_Ⱥ8(N?/KC&|𷁫e\WV pw)eԝ*VPqgt60uP2Q4l0Zasiα':Ţ֧hA ^&iI(dFpY#KC_4ƒV KbCe ֋d)8^RJ,u*UΌ[m4մ$5!z9D"! It8&zK0Z 필dNx0f gR+KA?dSD$:RIj|iF\} ^_gB*HNߗjTL6fś_;>oM*bҳ\wY85TPkGoY`lL4k '%z!n!f]G,jB̹9d7o<XÊZ\)"E2^ b1\3ʹ34.jN: w^)Xgܳ{8/鬵H,'dXii]Er:u_k;WI38]I6'/HQ%HypqJC:=׶uDw]it{Vz2_YdU+ X;(G*ÆumN6׍EBޚI-Il0 [}a86"[i?m]qu=.(2;=37-NT4Mm`՜W~؂^$m&gMDHI]_td5lC?&>gFI3ZJ݀#I 檬MQQzt|c=ZLNzўiaЗ Og+~e j%GiFzw􈜄Q\v$8q&7LSN7^VsZWEǛBΣ:wz1^{Jx4i (3yNAF7Çu"-GT줊YԲt&Je@:ScQls"!6A}JЄkOc,,Dpѩ'̟'w:eYSrDehu.o`+򠠣v>n}XK/g2eةePmГ,5Lr3ݼ᥀=(])a4X Tu2z*ӠE(݈[N0z~^ҮVp ;"oq_"6 *ݨ@kE3AQփ.37{B% iI DQX똆b;.MkjQ#oʌ.^;,^??0nOn}Y,3UlwҠ Ԛ-)ա Q;zbqnDz$ATqjEuXT{ikjOV\ViFT?ΞK~0Z20gEke^ĭ#GjZd%?aa@.4'4R+hjqЏ1P}HA HdfSL5hO{;z+,q: 1|\NkUi% Ĺ_m%̌&3%w/B{qI<•^i,z𶵽5mԪqd/t^ XHwLW]#hQ8);(ZݠiuBFQ 43 P c?e5 j# FB6tPVy2<>zfN&gc Fݳ)ā֎'@5{.rK$j)L&#Ke3T*[WS6+@0}: #Fch`w8tJQk- bCm-7QR!d{ޥQ~- [$ӖLźHB8ςe?d &ao!q?QM Ƃk˵_2stNk-Wu}>LMn6liSͦ7: Q=m(1Kd<4Z¤&Q I>O㯂#6\f_PT,4rYafAzpn 䈷(qӻVݺ/uCP|FoNǜqh|ST\ڽ5a޻oljʭBH1:>w[Q]0'9|(oEYT'lL ƿ3EI,!v ;[;#[>uCc < 4vY_Bgra=^ v/hUwۖ6+ 4>|96Y@Hk*ʪUuI.:8&t|\Hh;1nka2,RV!U5ePduVA6i3(t.p7VqWr;(6%Q.UjK>qzs'$/CD[:;c4ȂR%- ZCBzV3h}v)xቤzIbgDH ⊛IW@Gw1r"W=wȸl*[?&1? ȌXCRw3{3(2Ε|ubSRE8,SR5\&s'I )P{s:J.A_L0 <.g(6 9=㪼D. w#*B%qҙlR:^;31\AW ϋG AlRuۭv`׃ <5+AYTG\Az`tytO֢opȲ&F|7 ,boRWO0jp;1NBO __`YDù`+bI6 ZcaktWx)D$?îjH$(φczZ@J`)*>S@4_>IݥGc6 Hhaַi !T|XJ,@Hfd筅_/4Ab6U2"#4;BI,p!]Dz(a}8[.۞]|ﻄF12MS8O 'KWOwibdʣy$G'P:C鯥@i*eUToWXwKT .y8z=tf\ENكx 3OV|1<4%AKt `-(g[aQ*drw' wm8*ew^Vd7ԗ*UM=R0B vcLoyWMBJ1BA-"=~~IKP 6%Էa=ƫKS(;DG+[i z(G%Ag 1n0QC@N(s=5mB$X!LQWo SSc clh| Wta+r/]92ku4(HP&)CE R]4,|?fv[ׅ_,i m޲@}sJDZȡ0$ {"|'_zAڡh k}!#p5U"lDxD@q@\Qˁη]Dٜ%A$WIovN.~M2H\w~N ^H*i@58jϏGQ͘|`̟pbj"jl0T0rbؽ[yczCk 냺$hM,Hd- :ƛ2eHsDh4M8ƝhZknڤv,I5&i ݵVVV?y@/ȘFɶ}7;읨E4kP';[y;F v_tc9^J\N7>E^V_EqH2g ]IV|<6FRx|V9.L(|#umPh6\ TZy9O.ٲ &4r.ytu߆ JaSO+sz0gK ։ӌWem{RƸSu^˵+Zܐ]r MegYN`{xXA3/P=oљen!Rt̵]!дvdJOGUBk{ZܩеlRWn{j)>gXh htCF<9.-w|pr90aqd6<:!2w023ȳn_,se*'hGBFG(@ĭIC"ɽ%כq=qhF({ xI\W}/ ~6\-U /ςiV[ 19:ܥ2mJQVHRcG*K( G+38 cXл + LQ4?r'J_gHsl7gˆ4 ;P .@C0˥$5mn"B`# &⹁]EZ> =gtE0ʷ}\+:\HaM.ϐ.!pHz,||wBKb 0Bbp6‡ (h mڲ=E;.g?KlgqHbq3GtJsJOz&NV؂+Q4^QZX2p Dٜ .]2, ^ߩ0d?Wx,߶MR%sosl!g*71IagX"6FsIUJΙCE[=2ΫQY=:nΕ3qyׁZW*M*! o]4? %Z|G3N'Y*h|XiC9/FƞnL;9 \D(F6V-4A~i"|Tbd鿨_⬆"9}PΏn#0ϒRo `Cmib9J>4[dDEGOH֡YNrM#'1]S )~N59(WV 5Lb5ƗU^sC2햏8 I(퇀7z-=G zhAn_sa'OHn|hL4E=Z>%ffdN7 fsvHeN{.ɲScjc`<3ЮGPGΓo{ a:khRڄ3H`ɚ+N)YOlj,M c z [Y@l8袔6 5Iǵbhbꠇ]st(Ysݍz%'hVNjyFrP0kr\ H//%f#b]]?љҞFY͌j*b[+ 6G>tV٨&=Ǖ+\,еr9<~ɒG>r"lLUkEE`YqZ(͊jUthJ|+RTzVnqϿH6g :W`EazٝyRS\,+#E,A(O:Ft]Lj%.5wu{ /` wkwu:g1|,s85*G7Y';Sh:ǎH@|o/ ncɾ#UPQe Nf>+=swxT +dA.=!(wiO8Eπ| !VS8b,-S `bRKgLeXV'I;i]U›`Uz ާ1Rz@Vɦ9ꊪT-VMMMod&3\EEumb $b֧c魚>b%ZARER7"!#KXmXUR8ɭlנ+&ZM(Q^?+LrB;3^jAW>yWxO6yj!hd5Η8j>tp O :lw3K*O4pKGH/fV,[ Na@@NR7Qzj΂~ 0W3un}|Eflei2=c=x^ńֱ:.(fȧ{(dj@%jPj9uG'Ng`Ԧo=Т+BE;$HEOFJk;e]÷J#z6|(nnPշm!ViG@#O$JwSd3I Hde$aƧ-3za{Ç\"]Bc6F&2p=7;RT0pajm(oM8vP9U'$ȮK'}*}< |`YGT/V/"%N1glcȭź OHRzU,FQp Hq-y*0 L TdA2lDn$,0L_'Uƌxl4>.| =Lf\T&Q11J3u1(5Fz>;X &8e9>5Œ-ĺ6Ǜcn:=93-sRfj|gRb. >-#xsDZK'tঀ˯EIGwD*p7!a`\Ko5ԔצeM:7/(9֔YȤ9KJ&=ܾ+r[zZh:!#80=2H gW*%anYlzz<ɨT]o+# eSC ۹~^ƿ8{Kk0!uJJXčNwNAMqߺu{^G` 5њ͂rdig!Vufm.Huc.ߞ)$':*!%HPe9.wϟ.'2HsnmQg+2z&GID^eT@UU ~,iFJȝm_ 7Eݣl'0>qKԛcxJ|@\$dhp9^r ":݅X4Hi$8T`MToN;Y%q<4aaXwrGA^bΏ]pEyJN" &(Ȍ؞ŝ qx6_CjJ9T]g!-< >[K(>O'-/}>IS_PnԆbIg% +Ir=)m+x|VNk yʏWq%sbsg4%Q5;֑D0ѠKɮEuMflT k+ukIy /̭+BGieCHrC %OҮ :PI2kA:)80yH@j( ^kvUU"YtiX>hWĮAUVq i(>EXa(Ԧ "}gE`]v^106;*6͇~TǾ!3w6с_2p:d1ӊe R^C#Os?Ǟ Z>}{e?8 VPC/UCv⧷NGj@`β⺄:WZYRK0Vщ/ ɍql/?dFAAUBHn/<ҷc# s"}%(nXmĸHQ6eעeY5C$C)=O5mዄVO~kPL}2}W,,;7bP{e~am0{F]'_&"m6rI P!<'Éתfnl rpc2@^3"Rüv.9Əd+n)M<4NӦĒ[z_ F)=XMv|s'Qhq7_z4JG#R5S37%yި4BDMaP'=wT7`0Mv[;z(_\- I# !vpz0HIٸcz*m)sW/5&CYR8XE ݐё1MKFj[gnu&ih"m35cVuLjWBR7 2gB'^Ń x14_p;0 ;> VI*,[D5?/ل^452.pc2h!˻\*1sIwW%Td(A}=q:I⃫i,&#Q}J+fq :(߽\ ,UphKS-$dLcwT2 1zVE e҆{kgivW-,үLLfp,ɭbI8:ic w*I:x.P4EH37p|Ld^4c xܶ78O"V_l0@Ԃ m &DTaz$Y @$JQȟ λ*#Nc\T"$vIG2UDAZ5rϤӥlW?tn%5ob+6jD3iXRZt5;!z(3 HgS}`BvB YE`uj}޶){D _A;bC6:! 3Ӱ$yNN')adP]q;*r;$y'm k&,_ȢxQ\N m^5Cs#@?L#nfBwvn᩿ҏH٢N s VvP$:[-(ó8',6lN$f~O&#տyFC *aK# gWCن8}=wV{D>?y` t4 9lFȴ階> o¤1XF3iBN|`yB ,ZiuPy̞34 2ݯFb,2wvWpsd9Yۏ'2}baOw9{:о\!mݤxEă»HJ1/ զjoyA+zD/f ]clomz*SmDiRd̯_ôoRmwW9F7EWΏUȿ~%&Ȋ&♔ ^cnw;̒2jnE)Y^O$| V+r=A:㫿 TLwQ^ctѨCK!^Wa _ջޏLyBn/Co(@$/>"d rba>,4}EHf©*\oMfRychr*->7{Af ~o)z!9|yWU|pw|,Ap(` jrxGq8ٓy{|=A9%z_ŷŖBWHjFA]BZ]ks|t -? ,Vjy\7RM/RTS D*90w$~O%ά9U${c>([阼_h& jh{=$ys'ak/Me/#) b%MK]ps/f45@sce8@oPN܉u[1 ~uB1)ї W?awL }[b/{_ndUÚo\GJW'.;jCj12$. Dol5a)26'`i_DYGsgQq=c)b%A q͓TXȹqOyڎ'˄!-0dّD=!KDe5f?⑪6.e'64uz ;ȿHhF2|Aa2&~Qp Z6m#(4f< Tlu|O;N )p&qu.ݚر|o)Uf]%l<Qoؕ]AפA3)+ iXH`<0R{Ty%wBpgLsx9|q>6bq郺tLӌ=*yWp A7 D19yo7lǘ߽'a\2iqҞ_7^c3.%pϬcN̮3ɮ{useiKȏ&n`1I#CǑW9CsQXvKϯӆcCk8$a<㎖Woj]v6?b[5Sa&/$e;[ate*oє^w{xs&UyCwqtH\N3 6cy{٣$Ʒ=9a +΄CyZd#`l#,OaMl&%< bk\$fm3Ob%A 9FȈ[s>JimyAf^3nE]Gd)kZe1˂.w?noyB+(ߓb98vL>*y?xg0ʋ@V>G#e;8#k+ 9v+͛%OvӖ"k-m0)p:8so4^D + :| KzN D|X0,r ,x8^oT5,ꁣ3mb+$PGj0xyn k$wm?,։@):*\ܟ̇-^^$wluMV#G?N_m]!}^YϮ+@wBA:B,9Hmy@Rl1GFBiyc>E9r|HD=}7|DF g^JӤV-!cWQ{g%ap_L~nd9Pc-ENJXR}]dT`Ai/(# XmQޑ()Yڃ[kŻ-H C+oROA~;]|QvJV#D5f"ElVƘ>#|7lJ_ah&t2hbCv'׋vEvo<ѠҶo-=lKU/Z|1 q}=|>|' k'f»AC͛ rJWH *=o3ν|I]YRk!}Iulܽ=9lnfIބCEDĠr-d믒[F2_\+8-D=}%,k?CK~4>r*K=E\6  {=&>x9 ĝ8ablSb6͋`s<ǹ&V˞?7&A/O@n;QLrTw!u( u8V|ieտa@=ckqu:C;w?C{~lz>U4q x@g3ǐ=@CKGcKdb.@>(eYjA{箕 ޠzSLmibʭ@eOG'?nN D<&f|9Vn\[ʼ>gs:ղrc;n;ztÙM@%sC.ESV:hڵGGtSk1&JW OȳIoއ q`2ok\8U@GidVD Cױ:xYKb%nIFsd5pWME-&e͙:?v p}!}"iVQ]u0K_嘪CtrڂԥvdUѣ P-MO-)+NggUAza&NM._36^bAôD.MPJj}](%S>Xt*^X? /*}GR۵M} ؾ0\+]׻QrzU!AJ;vUPa% JKϸq]&Cdz09h`g( ގj aC&р{Oj$,[֏rlwLL)D #W`(>'`;sBthiw]0{qn=֕ 7%ErDB prF> ۹mY53p*|tIb?ey7߽~FZ!>Z{r%H@F ꜁wxO#9əHˆد3wť1 "/r@4P#$䔱\qf,'0P=yeL/83Z᪄{Oϗsrżl 6QR/xmG鎾Y[=?U"UWn ]HXj^O2e>DbUQV41QDsM`zѕr*8 x/ŗ-/p [lܣL1.+lLz`e*2#h.lEԙ~ؐ R;lsaclଲ,HD$C3, EJGuU{3M4lrf†(#~<S,'jC1i29FٳNR(`N!485WHdZhABI!+0Ϭgz7\HO~堤{](CܽHU#50}1䰹UC̤8 i]>꒳~R2u.!`[w_eiԈ;(i& *I-(O9WC(AunϒR#^}XId g(}Cb 9Tp O~V(g5TV.>[.\NVOdshTBˌ\oV,\L:Kqunl{x+E(Wntx eK202CFpD"\q1 Y6?:pn1##?|ę<¨C219d }J0[VYbj,ӷHBz,'S$ջrb BJcg", kL8C[;9_BkŕU92f_V?^. aJn7 niUDFPx-Ewૄ@h=ۣ j\#{2De)x[I.g_Pd{ݎ+MODe[?Oi7.:iKѸ75@B[u`F %=.Rx"QBNL#mem3*;IJ>䬁SB'Lz_sʾGo7fpclbu]Eh>̉D"=~~ ` 0n`=s("2Kc8\?6t惜kSP&NMȼ!"48>,nkO˽_4|]vؿ1Nu_.$[ӔKФbïsKĒI[FGlSD81U,A .̰Wx&b8mH2"q~o piLm,4[IvCTGURl^d@x\tcgEL[`:V)"j.[3uFMn)[TMbP/O=VAZbĨV8T/\γT*E(x@\nYJpTNEQtFK8do ~ Dr,a_GL>(ɼjZy(׽g[BBࠃsc2J/'a1ŻD 'ZeGkC(*R:)E XX+,)賆 1bC qG{u,m^|d+'vLy! ν]*iQ7X,ɿH v0;bt#7N!TyHo|54˽sU\C%lT]eӴhH?9w}zw/ E&#դA/Vvi*@I:O`}g|69QUɊ%XJ QPm@YwoBϾ258<检Sn&T֤cd v%ņGj^ooah媆Sp ˒'d3~ٙ[U(ijZ|;_sgR)y6WyjD5TFQ h'L >`94 le騐DSS6ϝ(]7̾e.4PO항35uȲ%rU'!oƼ; ͤ~^S0ZLk /}q^Ƿ~^&cKr 8܇>YseRj$>^~Mw$Wx(e4K&_$?\ q9qtSvУ6m.H:%{nrBmz0(S/ 9L5#Zja[uj_f?# bp[[3B6hNע6>$rSgQzkוZkTU!/gEB,Dh% ;c~uư2-LL)C`Fb]Aj,a}LB,qLE2AwjmLɐZcޫYAy7w !#⸬#׿w=DzY3daeʪӴ{1Y؆JU:l(oXhG0+WQ_t}zBԘi`74}KØ T:3Rc1˺-Gġ+}*tciCR6PG5 !_9\*hTt"``>Ajnx!tub7¾#7±X՛Z=wP=bnN(979to+Ȅwj1Rm]ny0aMvΤfF'en,/q8aB'+[jҫuTm7J;aH[=$ӷq| Zb)jRu8TfͿpg#洟o(J0[hÀ {㆝a;&"2C"מ}qSsrY:e$n| )jb ( @))*] u[D'D́ s`3u˚4 /-ϨfM\%ܯ`?]MbJ~ v`4Nf?ŝU5Źsa{vl⎑:Qy{86Swdv7nOџ\w!q^ۤaFzҢ-XaHOc!cgNn粓jc 1*ǝdtMAf & F7)%1^nhh6OaʞzxjG0SG*D߬|\'?H˖%l7iS~&0wN=67Ep^,cmo&*RP4EExfm$lB[pᖳuTN[؈Voks@;sX q* )QGB;)Z;Gιh]k2BKh9 u=  q%|F9WhTc-d"UBkmyZSrTSl_ܑXB&F*xĨKP4 sonȧw l}@TP.ڹoc7 2`k6'T])NHX k3o~ (j]K P"QU/cH "SHa^p8H2\偹qSM0'_V1$u~+l<6=,h!I{?" %n[ < ; a溢Lk| ;j3bT):fySIw>ohC$dga?͠Yezirq?79 9J:n1>GY )Lغj| Ybjqou*Ԅd8#n\,TKabULD椁6SXS5jJa'䒷d㽶IV !QcL3; ><_g:Tt,"䑏 Z, _YU(6eQ((zi7.kK't+!u21Z{JHks+nS\GhLDl*D$XzM"DWw[Ez"H4upE+B$nA{@*w'an|h:v򒇳D]njVfĤ_;X1?(8W}Y91\@4Wh:ɻ;# ~*:g;9ˊ|-i6"`nR5`t,vtwrD/x{e|WkF.H>}PiP g\kBh<<-s8+g=Oߛ\XʮJ_Ƞ~dam[?'-uE?YNx\6 <`-с[X+ cy`F8\G MB9"N3s)_٫rIVrY|V_ SޚyIq!,q2 D7y؍ԐV' 1Hr["0i9P30CXO|#O/C7D3LBdl]^箎8Xҏ^^dgBlTC Txa;6۹t'*tF~QKA,jfI P t1α_t\S`ng\eL$p`Ὰ{\:174<@VD%E6 Yi}5+Vƛdz~Yjv!CZyhz <[P#s(DuKF 5{xsFM2p3ګ̣Rɇ~5UY ؐ\3 0c`՝;84[N6])a@:qlvk?Qj]!ĠOpR2X.Q%yq_emT%?8<Lh׉mF)LeN429uɗ*0. B}|vqm4?H7JlxoBUL@ <}RiSXfG-7Q5_ևD$Ms2~"C;T3 ``Ψ w]`uq{؉_^AK*rcQ\(b?w^΋?G((U!<%il%KV.674~EsA0F#* ¢pF`.\jL7Xy!Ι N9j|)=ݞj Ivm NOJuiE2"PJ fnPAc"l)0vv WW340k[i\}" *Lnvq7uOÇBIHgIJ (ڙ0~p(@Cxc80bk˦ـ\hQ,+xr 'pm%g df$$NCuͺ?V>w &`O.= &jJ:z; s[v=qyh, [Soz1cǖp1E߭8>r!s P'J}cxeXAހ;XVY苰XI]t e; 䔆2E%MyU,fX)$7EgVd=űKL.FjO=zf;pGd3Yb?!3j:[]nLvTX7 :'.VWtR*qʙ؁zr;>Tʱ? ]/}޽hvr:Pʹ"gVּo=XA %u4,SR`BZ%6[t)<2YIv,uaXAYdܼEb8?Z~foHlq TXZd}tY;۽XXFcW:== X%_P*'uWk.@:Bv݌#@Vِ杀9<+ɽD~KOe౮'BFp-` 8Zd(Vbbr֥Cұ T$85A'Ǥ+a=Aޮoe؂ o }ר #X>U{Us Be锊]S*8A0Nzbrr8w+&z Z㰴Qb,/.s+ M*x1cFL+ƝlX&›%)]8V˽٧?.}r@`aualB+c nInW2gO&ehNH1r?g>&SEpwۧSUsP4m}IgȜֶ.[I黧 !r5V7IL7:rJ'Avmd%Uu(^оɯgDT,& p H& LϞ;9RA~q1>H`ID8S"? !^'simiMsEII Bpʅd TN9+(mϟv^oOg r-(Ua^- /ĥPL--)-@UXiEvRiVKiS< \G S DY ՛y__LiK/{*`@[Wd$3\?=~2Nр %Rى3d/$~4!emg0َ( '>f' Zx{ioB2^cw=`7IE{f,C)KHDps$|?܎oGM3N[MbmJ熒ӓe$1M%QrHE>5 ~^o{̿jX0vh*I" $zU)zC[r+6iMyvVĖγz xUGBCi@}.A6PUԡJltxiOpbiU1!ޅAw}jx s}QX`]n4C 9 >P$Cb7Ayli{D|w^^+)hQ@!Ճ:-"Rdҧ7aop7]qʎse1(ĭ=X̜+822hɓhrY/72˛ p?N_H{f99/H"\*F#BK,$76_=%[a?vn'~\Yٙ,ž빈8&iwDbD}M i,w"H-[Xo8GBn6ǿo> JyFrtCmNns{wĪ :jbgyX9hZa_iCm=xcxzr:-"IQc6{ JwTʹۦ%!׾q>Ώlyu,Y%tT˗ٍ$vW.eG5{ֱ505pDKP~U,Q/Ɔo) >'c ۳~v\@Yp(0p ڜG"BbV_0"K0W[jQD]l1ItvSydƄWRp31H΃W{=E{+M:T @Pno`һY]F5ʞ4<fP$X9g=;ʂ6Ҝ*g`ȋ C:GE\s)a n a45/J CvX`|msUs8U,/9wF"Y$O[ԘƲSLA[$Ɉ؃Ȋ7,KB썳/BS5,ځ]b-q.bCB.H"}qDhijnQSOS޿Lp92WT \ro}!̛nSV33TA%B4]!d[hC[B (w^ݷ8?QfM,@^ o7M9EG&ۊ;M#OdIz ~Y `-Sfby {59|]18:bes:Pc &Ni"w eͫ8.2.ȁ3"fߣ7A:;gH{tn(㴚P 7>xƘzm|-u[H 2#_7#%!AW襄LCT6k."u5ރM:!N2U1@dX 1K45GԺzsɠɸ/lY_ pWAW_@_`Iuh}hj:2>RI{]bԌ~;E;~IWR[s],h@m;- /H 9Ss(]kN Ҧ_@# |lWڴs\DI_ka瀭n)ZO1&~{󁼦ÍFnxs j'X˜7Mۈ!3  0;]~6>v$ᙣ&m'`+.)TJ1K8QDl#'N%"!i)]ä \4).>@uX.7iHM׽f/$H^-+6<ҒQ`G)Hg}:5P1v+{?),4Ss"Rn[ɊO,Ԋar ǣ!U˲ = х-:A돯y/MD~7t!:bns pBw4uz61eK=&DS^Sm<U\iQ:x@J` ݡ6 V~rO$LNہv!ˢKcF;=^~ˊvoI3;lE~/ ~ſ_@~Y$*~ m4yp%j̧@ fJǜeqQC0Q+J#0>P~BGNnK8vѝMivNM{F26&RbG.Щ'3؂蕷E9s=dLh\~Btzh7y0OBo&mIa$z5M$a۷U}[TD'Ht5g1*wjaW7B#׽5׽/[Y-k &TrYP =˟:q MqǕ֪Ӧ7`OI9y[jȖ|VɆˤժ^&3l n$'ĒkZOh4k6f7N|h߳1u"nM0< {¦*=;VrwLHE{m$ FBVDp|ٔpr(k Pj&f͈[-8Teb86gQݟV3_xa%+ד+.3\2g5\j-VeCQ]H)@ PŒȎfŐ{*;c,_?b-r*Xq-=jT^> SN(4E?FΝIҲns]^3ڤpdKA-e$E@og$$#C@NtomҀk'H4o=J`Ο X<j~*s0@ BxB%0Sj]&mI[Np_L׬(ndֻAN&Ѝ_s0ݷIZo$]d_z`DOf ಮ[HFzLStaYh%Wߖ;vrunƬWԪu;j fIo Rggb->U]fe \H'8{, $|l͘$QTbj4\݆ m}~Q.9m]9UD6K$ eBǂ#Rw˘kE@iFxeF)ǼsPCV|#S^vܽ?mO6Ijާ<)PSw^8 *tp-Evc1\AKʌkAobȔv\֡c.L;eZE 0Y S5(@%#8o@7`0ijAᏠ&*Y2=YRu9wA6Y:O Ywq;m,E^Er_Oy 4Ugtv$sWB%g[nqoD d%.}gʦRO0@oFwJCCdE8>^\(u"N-*3c% -:>:'R!O\B kel$I2#Wj+Y3?N.Ev2!+ ssW nmgeI5PKuCJ3f .㕕$H_N jVO?I<`šO:o(( 8TgpdA9?,Q僢QޡX穼UaA$mEՒ*h&r)HZZo@Jҋ[`9aK3H}6Bbj w>nu훎% ӻ8χBؿ\xffJ%&H 4|V?6Sӧ,>(9ȷ*ln4: ?`W6ҲuR)*e RѺ͐Olݘ}b汋Q-|/@FfD9+$ꬊ氀<^!. (O,vM5yfa")ϴ 8DU w''ka5?~ y򠛔2=j#6 5 uPq`[MZr1:Qu& r jw 7ljfDwF [Zc=)'%^LQ1q eЧ Iʒlr8q+FN δ% Lu-`2F3qH%o#HP\mHt0hQIX5bEW[q9(rEұ"U`2@Q9s4iChArr@gƹ2Tf\b_ҚW쿓E!] }Lѹ6I}\yw8 PF4tfn mJKU:H85 iV㮄Uc˺Nbq4ː3NO=q'c#ֺ|諙TaT?]^rLxKAo$GX|{#&w¤* J` r]B g`"f/ W_RK8N֯هX z@, ]X L); U~i+ОB!=xwĭdr CsQv z^oAf hMg)ɓSIjf d(RMA$gujAO0NXh_Uw%DL<fxo>t&kY#0ڕI#G[ 65N닕FkMc '{Jˆ_ao`ZʙiRmJE}ĀP\tԑǥOd?ay 7 sa2逦j>߃k;?IhaʴWxhu*c%tp F"S`Jf0b.5jS@Tv6?cA#x XtN^~d6 1usmrx<I_y n!+,x=Pt|xtG bSTp NDƗ,[R As^?"3?BLA278Dq65\~J$׀˫.ƅR6$tZ8zN-nêrt8}+u~*|4'CR8Qz͗I˫*i(!qxVMЇ8F֧sDNT_0<$h(gt~7k2,U7H"CV;_TֵHnlw-bK|Ԙ;@MP(Kqgi.%P (AsUeW Pvo@>θ9忲 J0spBj`"⬗PUIgdxG >oku-^i,/{ }7|%y]q{-Y, A+StC|CC&YвR9sj<aNBCp/{үl n'ᖎWD/_E8>q&c3}ju\RVеU{`l4J GM *:Una_+`I/#״RԀn e?bĥYN1>iڸ5$'OKkb6³Ǻ֬]`y`\fI"cɯhW:UX*#VruU,Ÿ]{sl3o]]rwi{EWDpǤ q-0,Mpc[ARD!bV#g`;}1Uh(Pe} HZ#nՋhQ B%`}C܁z``Wr,ܡ/ i%5 N! n&թt##4D2r>L`3+9e0SjXѶ\]Zgz 01bb +×!BoӍAH# !uu*Y,ka*o}x:dĘ=Rft## Zj!NiHcw@r9h$H2Q')7w1F OFPȢIE{ Jm[~Ҏ 8Ȩdy"E{U'+J>ap tQ=z+hg{}>j.ۺ~MK9BG@dCɥs[ ٙD[SnQY}G{ԪSmODp,,*!^!%dfAW[ bbȡjrseR[]b fCg@U %kZFC-:^_ЬCEؗ,OuN1=7X[t@L[P߲˚7U`v\>3DžR/m ᚥJOx|uYzF" ƘT0W-עOHP 56#F-ZK;4]q}kQU"f[TmUKRFSHf]|1Y,B/kp&utýWüg"lb ^JKM0StvTE=2Ph iyK{/c>7'le On5 B|Clp1EZv̮u\5_~v6tS瞯~؀7B~ݎgj\ B50]ۥxTuvHsTǃ7Z~3 fCPj ھZB@ꀨB=K}ấSH T,|M̹NA.ZT76]퓯#pY_q#>!uf_lK-S:+SHj5qD6d#3g&e-KQZ\7= *(LXp&AtRV73\踔$ →ىbt)YsdOH+|[BLc( Iѫ0SO4k8k$yϢ)0 x YJM0i4#%{] #FK~䟫$mB.3@PpPΌ.=Q`mHC!(Z,deS ?P瞹HƦΔ8!%Py"X/`tUPePsan@A~hø潺kdw=ZoEnEqD}46S[QǎSm{e猉N'%'hI 8d2'TӡRrW/В! @?YЁ7-tΥ!!7|dR~<yV:&MmҬLT-Y's=kO%v;`PL},XB##[Mc?Y-2!e![:(,XKxrp&4'rX$=6U8dPS\98ON̮&l_'TmѡYkdJKA*Qn|i$ؚsD;W *%R|f]y`'Bt.@P=<܏} 2ꎘ{d:&HDž3F8#K1WL(G$ ٫ _YO<7П<Y-V[,mfu 6A oL]}}ZuLߢ}>yϰD>T:2P1Yԋw.lFA;$^+qN2m9ӕ^nG-qyޔAkn>R|Ýo8vpd|Э"&e7 K$f!rTSPW3 QQi T] gC̟Dt8HWjP@NC~U/r{eUﬞnS-Z/EmAuKB!OG_>!?ȴie&{i7tXvdS@K{Mk^#ۇ;PA~Gfa3mzbŢ|(ɸ2Xy 1#'O{8 ȬCy& \XDZ6zP*JDDztL|È%,E=Hu@0r \W#5J@sF&@A :H4uQ=8 шq[BT^{7\uIHbmsbƠ [ӿ$`$CZS+eS;9C6#5I3{% p8y.~\Al)+xtR7ň'iC$M7"W#r_41Rj%+NyIgP=Ly'lC?kSӉfbg:s 6ٹYzގ+w!^dMbE\X3ӭDΣ35K5*|+0=c+$49)ym`)R7TΈS3Y\i ιٰgBEH0_DsDI=?c]]B&7xٴ Ij_nx^GpUtėm(z7gv!"9 ;T6WVܞdTz+mnr)QƖ }$?%5=:aVC@e}{(O N@)4' ~Pt|Kwքf$萞eW-g&T\}ٹxrf˝EX_J'.NVq9ayPs2WQC{str:  'AC-ȘrҀڑ*c 4慫1#–J#6վ ?J>%"I!-EW&+Hru.'\~c*Y)ϡgc'>wS;Ɏ%g/Vzl1k 8ؚ}0ɇ_Y6ƞ+C%Ae4&#rK Gщ=:hukF)b*iKkeijsLL&*5INvƟP8Fb%e2Esf!L8L. ĺ@i|WΨ yEl%=xVQj0RR0HٟJ[WI@JrXGayw Vւ z 27NUAe7bHބ !s/*׏lQ$9G:E +jݍYICWIaU6%Ut)Z.Uf{гՁDh½iw}IGfGM_CMQѐ9ZC&xjMaN]H6=\"d@a,ScQ$iyw G9bD2%9$62xȗ[^ 7z:(Jubz>xYJt$%4g}5l`GqVw!>GѲb`97#swXq H%D.aiP3I+ Ci!BrkrQL"NfGyNu̥>-jfZ#z\Ug_aWx *aELI~K~'1~?Q>F#dE'[Xޠ^`uq||nQ) /;'WL<&t̞aG`Uȥ@|N5ޘ zP}wuDHGҕ_Im{\7= ZS.vXf'.4e҆+]e$W.ˇ[AwcM~[Lh/0|GT ,bo=&᠙1 g/w >I^qklﱲZR?Lofzq״8`&ENmz;S;k;T:"xf1k·Rj,؅W\&amHkXr̃:[7ښEױ?m0GCbK$rg1aͮ_,ԥnys*_T_d-$S fXK,⏧61R~ܼIr&[I c>s/jndzR׷Y-G,#cO;<01y} 7Y[t˪@SO'-ORi(0as܌t֜eO{l |Myo#ހoV+ЊK= mTx`xW 4^>a'0d5d'KRْ~B-ȍwd-ښœ#O]VBtcY]|#5C3|Li,4*0pð'8 G,yٻ5U)JУle(e؛-#b U3>PQ /B {O޶8;Gg6˓(JsK\ϊxی&1üBɺ]8IJuADt~&x !?Npfo0K|57_܀ dX=r[9{"E 09eEKܰ!KӁM7Vݡ+g<|[%E2B{}9@U!"v_V@^o]5%^ a'\ e_h~ұ@HG]C(TL*ՐdD{zO.64{ 7uϿd&\F&mf]ςO4<C@Tcw3Pač-N4ǨVv7䣂)WM˷RΎ.XU8jΈ+#jbSr%"2Yny!E Gkv"o6bL8`λz:iqUz{@[K? hA&u[qu9q^dc-t6ˀJv1b8!9. q>sρ9?s)9ms!#yHn,W2<|zL.ȬAׯUx0߻㯶|ʙ۝B (N;RUf( 'M%ˊz P o]ïNizqD7ZUghxty>œF[>]e4&3ߡtzEhxơᠻ*≌Nysup]s5:f %䣱Ows)!Ϊe^k#X7alo2<᳋8 /0,!i֠$Vud t#4Ap2H̞D&^x7hcD: pX5 M" l` oCsyIe]~~zx{9xFTu2Daz,Tob3 C"/wD9%0U3~s2-K \ٮ[%|`D} +3WޞWJFnؚ6dZ?HOSg`sPjec6c%7?kSn+Ww`ksj_.v: Ip4̏,'e_Λ;]B}Ĵr}W#JǏEq܅"D]OI)5k.cxFw~3/LP l@N/d @g)c.g çɡV&M)p-mA2&>O-ژ}=:+WƏr]:qb!ٸhTtA[Q*T6:& ug7wz`_W6M%b xI]79-K$:]0ܳ()UNR$(ZuB 7L!\ j㖐˗lMIhuB!|ƿS|.u}HpvԮQ.?Y<]'NҺP ·k@Xw] )&tap u>Zӝ :Çӕ1#O9D;a}ˁD 4\œfܭw{zdxW[Hq3wh7*qA|~lœKe"1 xU4n [UwT`xڿR"#,ľIPW<μsinJBEjBJ(ޣ]I^ UX_3~VD-lk{ b6~t]8Y; 0g<.;*]AO6lA$%]FF> Ԯ'2PZ|#lc|"b_VH48&0?rOXCI/ jm&|tҌgbB{h>-d@OYє*d;1<[,(nMu^R JoBƃ儧܁5|Pv78k򚯍֜k@k?, Yc9gJ")hG!UvvfN$oj1Z🕃тM4E=y j,=u1øX 4v4ąS2[Zd2 7AE.L7!yBNj+^% c-s$op SjLwKW(|NS̕6mxI6-7ӪZ<tkjg cShu{o(?#` .AtI(S3휦ǎW{ FQwb lqo&NEMITX qȢbT)|FޙFi_?-_igBX}a5 u6ٍ^xZG08Rx /x}1VqNqe/gIu$?\% Lv?5?'Q*+Xgwv8rVXj{m;? X9U~w+If!,%jr\h5є}sFn9n8Y $߯vzdPf}ґ@rlrJʰHQ Řt61c*k~n!mAO޶쌞=j%]SuQ=eDH<|ѿg;i !$Q3$&\h\(XgT.ro:d]z vbA@ ,4LSMw |3>xjk7r'fE3 \p :Wx*DN5hOxmJSlN* ^ۜj 2C Ze, pf2^5T'10b)tL #9w"u^⨬'x!1/#)_{.ҰՙF0X.\Nb1 nx)TuPwxz,#዁\ c"op,B٘ ??f'hHz%g8 U&- }@TfWLIJ#Mv) d$od\oQi7]8_)0 ly^MiqUfB+ۊ|#9_ SmdO=eXk/~%ݵO/sy,+\1dh.Z~J?GSybN] cUi;hSƾ~6كD>jUVhn#1Zl Q'6GƵ4-{âcA 4P[Os7:E#?5oCuPWZ$`^1|A deaJLgB{/wܡ,._Y"6W $D=2D^$tQ$ Gґ#=$vSh8„E jf2b 3l&hpg )/Т d志K5R0b >Gle`/Qa7s%0Po4V.ciOk;S8aNe Y& AuZ]hIc_dǾWnF? hAch;Id!~^h =!%M3 SExfO׮ z5Er˝#dx!*T=0/jݒ"}}$5Jw*Tv\`jϮ)è H;c* AFJ( XEV=5U .zURrtb[tAbE +dt"8g׌#2Odn|+AZ_0ϧкN)U9*ȳJ@wg2;r銬@S mv&]1dX訙Fd: z0$Y0܅IS3]ݚdzp*IUUÒ2+ b.x<'cnw^qp{`&F3md3^Nl"m 8 HDgD2D<SػkVbSپRN%(.M{F#9@ӴW,&G@﹫0A/)ٺ<(^RB;04R6=0цftG}URۅ'/3,U2mz`YvҸ~ I(&Lw| 1R)24i/rtgP_>o8xxtBp"Xw(xO@iٞmh$ 2(DnhQ"bL,l.䮃l2u􁮬lӧdzcrK8t vN/ATlę3kZhBjƻ%XOß ټ)C7:(_3B˶'j;eg"~zm[lNYZwpr| 'xVH$6*ogMl8]^$j^+BK0g&# [`4 (-kFS c)x|+'~sWn.1.+oq~|ٙ7)U5 綼$"V%?)#EkJj/Ъ7]#/0L+/wo I1ugbyL5%a},;# 8o\`5ٜp4 Ja&m_@Zw :?@kr4gEOH|,>${ΒSw?-P-ڬ${uujGYNҨͶrtqz'DI`אhTF J#73K.g/('I>|&s]">hU` KYF8N>V)~PLryV"ֵ)h.Yj.4t(*=!50Qg#1ta=jU!pW4ǓV|}>s>s+^i3't3NL\L" _4DA5kutΛH)L-j4}b6V46A 9O/ BD0pidbzB%CBDz>c63&:AK˫6Ƚ~ZPHg֠jOIBw8q3/k h"Ve`E[*6 x[+iY%~ pQjq Q_vS./:tW[L"+Zh{@a!e)\{lۂN7X*y^ד̩/@#"xzJa),SCX d%[-OS(0 Ҭ5VE?[HaE.<Nu4u" B*nKg}g0u$2O1>-NSbQr0f7}JĐ:޾@$Y#8& slM6 bbӰgL2tOBTLn#1*WZGB761=g +q[ ectFMV|0*w<vV3iVc?Oe;)1^||Ri3,}j ֩e)ž_J}K$k$uZ1P",xȯ޳0Zz "i$ VD%7*nu'LJF|v.=Ѵr =#-yGnQs88;ҖyH~Zw葃 rT̀iq0/+fLl7߄Z iPȢÎiqݪ%/b[,U`/vE:xf#xQD}'P+"YP%^# km>ĚQ)<<)ɼ $ m(,WaCoZVAc&3=l Wy]=Df Nsgr:{4 D(j h'ddseOyϮkfn[:pEv#BheO_x=<>kBvB_[f;&K1 ŤC.jH'X!ϱ<-.`yH0]c]䙽!S{=HdD7E`%ma)cс[0P\~XiCa\M٠'"&Fc4ڕ" Dk-vZ2ZYk>DΙ! 'ЍbrAƐ*5h,q Qvܵ:י(###9_A;, lvٕ.6i"D +N-%)*{mH}M_Hw÷O%ӂJܴ r:wcܢ`T%bq}:n˘"Iŝ!Pme]Jezhi{cg,v̏C/AyU,yROLtfI0y L36yw V Pl:T,ģx?X n !Ms7C3kT "⣗i5(M!S rLP U{m ,)82yL!dʪʔ0ej[W8jS f9~iIWU2w(w9zWRs-AgcA椕a{'tN VJ.Fo.'i78'ewށ3?"?GOsO|k2߾}zSTnu~ 6 X-Lx#\S_i:8,ЇfWTi֭x&xuZ ו!kNkəNXi[}w(tl 8"p RglL"ׅ`m# k9DFN9aJG]òqSy8Jǯ6Fo9 '5*6ȐNۙN[o2;Y=ObwW^_ $b5▬L~Bz"H>y6(pUr1.-3 t8+E, @@WuO,R@ zIwIHG4߉MSF`T&o2–Ҋ:^XD`|OC]0yq..^S_xBPfʈ]Ԗ#nOt{ۣMr]A6JL#=D&R)%ctMENr=IF 9?/*qFbAcpwz*I65*O cX\#WfBTZPz"jc`oxzfmJq\½aekS'q<|F}|>!Cc1LEj1Ξ$4t` xkWN9s)0 [5-yUӳy,o1xЀqJ{ 1ʪCګ ,lIyY S OBPX nC,Ӟe8Dv1z:futY=[3vi?`H1ާ۷耏X`Jt͏)0U˂^rj9j[H z/@s!5=@w{„3 $ڪ؟ز-V:dM{56Y%qWv B6: tmt7_ۈ]p iԨb%VtމYŭiQ;2ⴔFOTycM^Qzۏ^mXa5OBԃҙv& ZIj{u % AL(I"^*i:&K X{W9n&; v)WY øi7J7'fR:j`$u@TZ58/$ڋ]:h* V;*s 'J C,R-4)) aY]3J͙Sӆ]~Fz0}s(+e93g l7=غI6d 'Tq{b# WAȏ^DN R G3FJSyUd`#CS,5d _k/ԇ:> Ei0 t)ieR4N~ <G;;$.̽/s)񏕯i>?[ڮ2.#ŲgELY( |Aؘ4kN49JZNPZӓC%64]H9Klt2%(9YcD]p*ahVl>'}NVj @wEbvq;K1̯_I Oc'/Vi `$U|6J([G Q/vj. 7~0j Sr'1A^{3}퍧:fZ"L55 9ctlM>7lk((W>xf@ّ&릛1a ؆by!itFDt3 00 7p~ >竖 UAB+X+9A!۽ȠYpTsJX׼x(Ã(^i&@Ֆfp%Lm8L{ݻ+ >/ԕd 0rymy/V@BGCTGYQ&$Kžwj1zGkO]M nUz2}c7 Q;i4J8C UvlLa $_a.z`Wן-lSZqht*|gas^ ҐUR5f{'°QPL*Oj +2 zj!qp,RYW˔T'ޚqr3H 'F+7;L$~[|HY"9wKOr3/|GEeDyDRH||M7{#U'[Rp]|e1kV|\*}M?hY8^c<؉hg8˄Hxc9 Dj/mZ g`ۜ.&L`'i8jS|$4`6^6}@?n|,Sm(`ghlMvYR5MZ9ҫl~#ur#^ cx~W20iîOiL!܎ x^yMBcgכF/Lxzv6 ,ҙgȵv%QIz~1 u a2UOPA %'qZƊν%n ڛ;A٥PW67NVхG4)MŶVףoSH#ZΜcGHC`fC_Yܛ դ4@E=@Ot"Γf&^X`&F!Ϲ#.zsiauq=QtcUlKDDD!3AC*B{I(=9db&b׭n?sC:+ {3!="J7hL?6ٞn6A1CCiէQO}v<:g^͕8? {LjDKE¨Hp؋$ ʍuUrrECɏ~2c[n*\mۥV 1WxT!d @&gfe2 *d2m ^MSE텲U@ >(͒op۠O&qO0f\iq[˙+[>dKR9:qu!aw 4bm-U-`;Zfs UΏ_37(f^]y@*\,mcߩVgkj}qH>OCd5KqO}`;ue:gݞڸ:֗]mntf.uLbI <8fmq¸_O=}_z/0** '7Wz28_@PBg,VjDxy3|J`vpIHQN, |PXs _FW/T nɕI='1ZH?,ٻJED\'Lv*FDvNߙ4AaaeHY% _pDdEZ̯HbU,"GHAcSj|vHL )_9 VV;f ƿLqsQ橐uN%txJ:5sZVIUrHp3W4g20B%R2DY7|L(sXZYq_t|[U8!+FaM+h9hKpsbA%kBZQ=S4YpsjWb62 &NJ%4444@ihyVzIJڈ^O`>F-} R#c򗬋nSߙ5B(pECP+q&y׮G*8iPDM`ewԖtLJi6s{bir ┝ә N^ڳpVanDlsfj+J (jM_x6[t+3rԗ)se5vlZetbHvB)@ k6$7))eŽd|=sCd{r]\Ĕ5b`B>%?aJ UT7jЪȡ>t1&'AVOe& <ѪA2sDVq .ِ ".h \=tTrȱE=CF1pl=!%@p9~j$hD k1~Wmn )D{yOmщt4WE9.%;fvF攠r]"fҰ8Iw͹G,[>h"DjO>D -!.QUI$[QƁg?0`*z+d oD94̞i9H.K+`S,p8kZ5IA9XԶH4 -!̶#?(f+Y<)LlJ]LKhL-@!K8N}Z&騙w<嶈Ѩ3C`GnƄ l&s?̬"%#xD9[|$mwh/Iw/_E?4#x_*Ċ0%2$gD 7^@[J>ߛ5nOL:wZ|聓g+?C숈KұUt-UaTŊ?hfL'Sv¬߅ƽmGn0n\ GT&`P*/:])-RC#E|{*ԇJjXC\^^X="d~0LCC h]J&$.S fj4v^b'S"5=?'<Wg; :Q;175Wa7w`-6蘞?[*"׸I a6`@iJ˿48`m>{FSȔULf?!A>Am9頇3zybmK?[;w7<"}X)}o!/Fixetk%Ң4. >󩹔fOw^JgNFzŵꓣ2SWaP2ӧ$vT XO|gۘLnE=_ZE[ `Zkodw4IG/ֳNf'xRi i=lO&718%GQ(hn]$~(m/#<0XݼUe_ 1p]1mC:oX20%/71)mlF>I9&KA}!AnWVN8'd#5%O٘I.ԩbjIs{RݬrZ;ځloI+2ǍDi]*bwGI0~ NoإP .ERN([Xۅ-i.6~^2Q]/Ƨ_BGmj_'?#u6{ƀώir=MIw.0笃OGT~%:kxϽ(w#0PP_p*gf#:Xe.δsG*)PRGvNм96N>s?'w,F%H(!EHO;̲a7i}(@$LT`X>3pBpB-* xiu'/JaΰA.8ƶengeY>QT/nǛTl_x4$E" sWkأٶj-E"uvPZoce?B(0'Ǔ]<!2va(0\8%=̖o z[IaXڣ] Tgioznㆤ0o\SO{A񬀘u SL\C;iUzj_Ә^WYV$OF?oewR)ۻ NL{⬪X׏wa `V:+>xw_5Uc|@0;q ɯ,/4XڿթArmN5%3o Bb=cpvvf'-sSo H4:m~/Gу'?CQ䦵G)VkdFZvw 7 i @wZey/._ģnq^S_Cma,X 4 Jm!ܙߒ3Y)G^ǔ" 1þ\}ǔ?zWP1zQuCw_&ȺDأ+Z:q#;ȗpk*9בGD)xVbvHʫ79̷\;c[&2P1h;лA @*~ #l^P.euӾ7%gnOє^9lDZxf^E969pPfOCTsr!^),ȫ|~|{(N槬 P!l%_uլռK@}AGTlmٍD@^%8~{c%-%%"+I &Kley2  v:(XZɗ)䈦C–tv|ڡ74#Ƶ`XAIDYRQJeo,^qrl Ksi*$3 @tɥ87f^OkiMAk=MNHmBVJ)3#Oo83=/t2aӠfnnz)HٟvuRX\ R0/oSHZ~zcoy煉# , ]GGU֑D޼al=Wj//QYL&ʍ LEzem, :k FgfltJpi /2_qA۔\%EH%O%, 7xqZփ"7yw\" :U!e@,1F;8 ,;8yNj 1S 0Y%#*,.h6og&Lޤ+xS|@ؽjU"Uu qupZYpr x{%ĥo6xnGf+X7 <rK@3|8C\ [5qEo[/Bw0v#V:&T<Qh}{+O:4-jɪE`C angfO}+]ig`nWQ؋- EPI)3l IKayua܈0$7805tWe)EHU}_B9Oǡ!zlr.9Yi4ـ[)V!\^МS'Z@c"d&{U)aTBS|Mʖ,as#;gR6Ƚ|<Ѕ);}8=bAk׀Ńm$׊ >$3VQ#I ,LԔ9wǁ_C"ߚy!Ax7U,H<0OV)%H9O2]'_>g[<~BoV'S4{~THNmL&ߑgzQ#I݁EL&TzSL]=AUny-u>2%: Mp{Z]9[iO;BxZ?IrgAl KEa-ZFfX7wQl^Ej B%BAʱ:7s`Ip8 ^BpHՂHdu:e)z'L.;UnF8/o恸ؔ U#}7~L8g|b!,W\{;2qW_eD`Xపm!a}@dȸlOkO=UUT BP ]R"@b@(N 7wLa~8" گ۟8&:}$P*-N6d75eltZ y1R-<%X52*C/@: lHJe!j ATBcũIg6{1%)hiO+KƕiY U?ߎ ]p0{>{zuŞ8橖1Ӫ2.|gL]8Z5HWa^m9h=?6JFSQ2q显# Y,$U7^\u-^r(N\;$n}3~; +WA&%i6m[s&z LݿH9T J/ug J7 ᱪ0:%NT+,i]C`,cwK9&S\m.3:xo."3_A/s$-/$eG& 4ř=4ܚ&I쐌'󾲨: BzypV;>hGԻ:ruJ]E b 8܉r=&BS(.v qyPh<0R׃IDNѣbU)z(,`1f-{ ]A[O[ qWIA߯׀-7ʣ.bE=z0-5 l`Rn7Fe\=A#n'ܣ zͤa3qɜz.4~ŤLox ]|fp˙A&OSdc@ nxx:$0Ҡ0 A }s/09Rl6V 6.0A|/EbB:.asąSFV&>ƺpĵ9 _~crۓOTiRkTU+elazXy/ͪ](Y) cχ23 |t ϐV ؍p@ xX^}u)8g1 +K?ʕ& sIOm Cѵ\2[%:iD;S.fpzi)nOX+rdR |#O=ٽx0,JIIQCrOLw*mb-+OIZ(r) #SgYHo)4>grSrhoscA,ڿs*][8+vS5IJϜ7 H&,n0 :k&>gڽFgBp5Ҹ-{HSDR2ssI"ﲄ?TCa!A=wS7(Lk=h:8X>Vs|$cEm߇2U޻=)ho9J gUSƯLy= 3&qEMғ]>&[O01ڻ|#r1>uvjz\ I0kRcScb@˃*;MQ]Og+P'C/ /Bzf8x60M^~%e$ 1^QTVLov~ p>k}|Ui3gs[R9RqϘ '6 kʬ,; /b&3W5TIH+UoVZ[,4"]5c*Ȯ ܘR["W `1-o?]/㺂  ӣtZ_LS f1Ui" dG)؋X\(Ac/I.iO#,@d8sѪy]DPT6Aop}3%vTZ-qXE8tuXyk<kib < NPѹ+:Mmg>#/TNʐ7{,=ga~M0Dn=t}iF4ndS{uд ؞3/]mӷCSجmUb|٫_ `:W:7$V1ZUmI_BL(G w`m+vRGfԑVg&e WN[ 9#ߞC5ѢYz%3K 6G< :BXU 8~~ vv(̈́>_Gv'h5\o+}͂ػ Ht} `{sUy8%РC5 #ay}~ ' 2TUTMrw>2fthi>WTY׶na7?7 `16Ԇ"kɜ͚iK^9|eA5ݜŤV;\|yF<j4v33UoFGjz/VH=$@[_͂h(VwNn)96oH0B$-q_k˖M%QBkJYsD-QcJ2Th^_r 1~˚'>gّ˰@{K46b)weG6ƿ3jV$fO=>e>9N(k %KN㾴ê\ <[@d_ Ny4.~FfDD M6}8U\.j[?<BfޡK1r:hoW#Y]̈́g?uAI#0S }"|e߶\w {t byЬ)/سz`n(X^2hd8a. `| N]<;h" +Ӓ ==٬!M |82Cb%/JE=Ų0FnSaN)Y)DmeTb;J+>px5C|?(#wW֑JrQ kCo<"i#v5w4Jk{YGEumRb]ߔ} C{cuBk !l+3 S,kMq`$rbCK_,7e{^,C `yA/#x#vw*PkM_i84;^+hMHoeV'MCKcyI c X)K~v)TmHX5z93U\AX_yR:LsM1-U !ob:&43$AVr8cO䈵fj?I`yO8P|633iӳU4 n~\@0i!wxZHB7]2@} Lp/'`)3lIeW|e{/eSs .RrHD;Tf=<.VEHck<3~g?/\u=FK O SGB)j2䷑bOC-KwmUow,)$J}US+U-qXh~ڃoÝh$tMnվbjUdoj m>*JM#|M˹q#=;^OvOJ*q`|gǬqNuF_PBfА<:jVI&ͤQNʨD].+S)zxrkד}jW N@'5ndg \Cq`XQ_UBW=7]33u tlVF' (K^,NN86iBsz>Q-5v$b~ƃ5q0 }1Pvz- 3zjowdM #~C?R4s|5eF>VM: 9h3j,5S4E` v7$D7`v-&ZGJ鵼篢lX)R-.GWQzTb$JWd=|qlhk CW*6MBrI^{$ (嘜VoDyJYR/[ ""q Į7;u'z1i4O_<#)RuJ] }<6CG\C],vиd}dGV,{GfTH8.y~3R;u]CeC&jFa{pj!nZDqoG?2I σ| DjU?{SRUA =;K^cȍFsbqjPPE,C([Uqe,Q <B!iꤒMvI^"aLs5"=>}IGXԫQ@oYK뷪].nk4OVϡR#ڡzG243äjUt,Ɠ uC=cDza36Å]ŭbHs]Tr+9>чqMC3TeQS&zP<@B؃IO ԡ6"%bT+lLoD S9jչ}B5Iʱr O2aM*UׯX:c#=0^f[ yKdA< 1>L&;<5֛rC6g\F{ˢ7w/6-S6 [`pAիnݻg&e|fm_U=>3Ædo7>.a~ZT" f;oVRɛc4ldD%}m) qZGHBt羝L^jJVB-Y]g Q<-D+OZzdt^"4@ :% R@r*>ѽmb¡~y$oGϧE@(W͟=ep[_9uLŭFuV9Q&fO\j[|~"%bF^`d@Hg"o<&(w"`MS"ԣ\#{k\ R~r*jLgZ`arnz@(t* $5)>3S{zU]Zt-}:394KipnJDlo2娭/G&62(:T_9uHwiEׂyXX,ի%Րll ,?ueZ~W[D^ޮl =YmAxð_U; "գgd͝VXP/.dOx.cᄴ;hܽ| ʪ#Gq#ZwR֛]aA5tx0wt$$s!} r |kTMڄt}/^nGZW I2n wY7RW`P myزPT86:q_7زp@م@3P<fJ=1-H:/ 5CS/vh7!&{Kf½۱x4)-^Dܠk8q_)TfO[FJ膆|+HXZ\ QWsםՔ@FuE}hM!2(6 i\P"?s06o"sF%uIe (p|v~a6^K-Ϊ\ `8GD091U 8'H8o eݲ[NϽ3z_u7F*5YX7^\ "NL=Mf(TRAؚ~Y`y׀M7K$D#Eag.!HQ`lv4u*YF|U[NlQx8U לɚHl땹_M[2lkY ==9X yju'5љ$!yK_=EѾ\"ĵGHr% yZ5}֭{NH~Gt璱> B{;jr.c߾WGl[*/*]t5DAVc?6hPC5y"l'cԣ"bm_gfLlSUk--Sŵ_(. ^Q{8F 6j#:TzE2,s3')W _߽IpiiS~â?Ad}{f5hɓF;0J?r)ga濁]dMUP|}Yyì8H2< yL{';l˄ko2D; sjH &jnPo"iT+Q"ѸSϹC9~L-aa|Ҷt]"Ԉ*[+pIliUJ%'`~qgz!fG{NPX@zRߞ)DeJ!mC{i-*ܒn;b\hGxۼ"3Ue:M}CfW'\_b|o;=R{:6hο$B;j\R+{&"m~G8)-4e:bK2ViJ/l5SxIYO/'-ɧT(Ld\P&9hOm*ʲdT݉^Cş򔆘6x]r{UtnwB[x0*n0helb G_xM>-,"۴yՖ}..U,>(bICMNJܹpovLΆ?ЃY%l5|'Һ 1շMhXyxevFu!!Ww#SeH~?(¥,_mc*(ӗtlo] mvL&CNiyơQRvr ͹בj[׹ɒ1Zĥx8Oo=qTWBfw=л3Ѯ#0tRvG >M'SDXK&.Rm&_F'Q B`wl!,'0 Zx+*91r\V}-2JκbjKu|bA:`GP$_ī`~M$V߉g7HϷpRz$q;m0wq:dBh6EvÆOMb6 h3}dٚ3\K>P7$ ~PͼuٲzX9NVph[Ruh3"%tqyG7?rx='% )&]oarQVxζ yMZSџ< `ob+KP-4FX"[ QFCxlԯ %M{f=ҟBi/M^Ȟ݊aj/TxΤ$/&],L A*e@cacŔ[@Cj7ߐ|fl bֳ/'(X_wd@e cr9,~`7{:S"JxQ!iUt%z͎ PuCyp "[Ƨ.Q0Vgofvg0f-s \APN?z+# E(i8:AsutM]]&~Habin.rVXxd`IVrU+"z#݆ iYsu5W]K>Lu% ڴTJ`q ZD=i -Nx53јkwh%<.fr iΏ"\HjQi;|! L+M؄J{7c96$MtI0P #laaN&E* zrWG UJk%`bzݥe.|VƔvDѨ)B9 e 8j+% lq[^Z/7ߨd.Zi?V;,by"JXcʄwE/xGaD@O@ifãK"K-];4`e`JGP rU1x,;h]D=|D|[04C tv: ^z/˩N0H]$BNVTĺ. {~s~00SwԂtjSmj`aX@JƨV +yb}{аЕO[;4Q9.ͨ4J]7b \cn/́1Lʦut|An>)iIqh R 6Ot\5IBw. 2>vaۦw+뼃(2&7$ ~t-$ ݊n(ŽZrLkoTL'\@څ917o/:wl ۳ND,ʂc_c9ٮF`I+lhqw[ѹ`>Q E$ux.koLfȓ5IǜbֆO!,Zz.dxdT@eda7_RWBɎnr!O7FB {9TDrvKkB-pap#}>`o?:7VՖErZc`a?1k3c%҆èyAzrlv/3EASomz-j/TNSw̝C+,gAPwqRz<*j91Nlg[ahhNTU|h6ݪ P7gffFgpQgyQz쎒õM%:<_t fP9+M5ڸsĺJ)-Dnd Sؼ;:q*˥ ryJX&(\+=4ŸBjTQ:v)Hbjf*Jw!g+1 ]+yct>8UC䕗l+<UĴv<:|kjBi!E3 nk&fE~H?1SL gY<39Wr5]IOiQ}֜tz*r n|[Y:yI3dr_Uo_EF1\YŴZF+eǮOYɩct5uʞ35Ol#xݤ+}@Ua05R ;+C[Ku͗W *t1^ﯿX.{ =Ry t<^􌷵KW1Ctc3VM4L+- *G$s!wͼάޖ8[14Xg%eIf0(9[3U`TZ$ WCAɚAd=jy0XxO(;/2QGSMgcn(X1[)L9ZtpW+y2tils:/7b~[gźظIpʁCxHBgBJrFϙn˩Z Dvq9ΤBG=+>1Vi鶥~4qhڊE͛N Ŭ@_9b^*e&hZgGOA(wV٧؋]du'ERۊjP$K4}bC:NN3P]/ D:=N B<*UROwۤ7}$! S3斦*kޝ0$ 4NOcZco4p8k&J4$Q+n;O-oTj<pͧ~y8-:t)?:>€2@]T8*IL]ư3*0nK.x_8=šX/ĸ []@pu|~<%ޅ'{'W=SeG;j8F trt4'EB z_`ICe|: Np4%opS FozW, K9{ʴ阡 J~`T,$AqMzr` L=V=Ɂ6{S(P$TD{$,ȱj Ofq]gxmȗX% }Ȍ?d͙G#.$A]jt`PXMFB$ޱ۠p;UVR1?3O@j1Ēbf#n 0Sǿ,B3p^V~UI(Yj*ϫH#?v\ՌLWXv6_=_>(CZ{0$PرyYؠ9UG=e<@Ef{IޝLJ/lnaxG>%:sзQc1FҬ-cY5 6sI-) ć_nM{ 2kEw'H tKFQ화AE '^jy"K6_*;JׅIة|{-%tgzV6&*`ZJ?ӻa"iɕ[B0{9h'k>o憯͉=\'v=M6!_fgdE͔;{Y:BѰQ(W(7580>)!ELͱqACC{XɎ +tp/C&#diUq`4 zza eЧȑXXS漙0D#H V q85ufsz(,Tk2>pZ lYwJi& ~>zY#Qy [/h(F~bKkD~?mm YX ׯ$ǎ~C!Z9)Z_nZΫb@cܺ\rZhMOJLbLco0Yna㌽L}:"u>j1,gvS?K k瀪Py,tr |Vyt'vb]c8wLLc| 8.g&l)xZkw:L?l7_uF# t T'VZ EuqB B"lSVWtf#3'*6pCQhMtҨ 6!𮡨52ikw##HVGŠp (N_rI+,}c]-,_HxݣSk"x_NR5dE0FveT`:-')v1Mfsᣴ%0zo(KaW(n Zo`sꪠU'cKRX_O ɱ  n]4ޥBx;Z> tB*\p<ٞ/s0YU /\ յ`)e mO:): u.ȵ@nE8 l'# +M')C0B+Τe#_OpJ#t@6۹[.`rVxu ؤ8 l[jf~.qqeO?&o j]-T։ya{^fHSqwZW w뤊Ku,A*U#tinΈ,^fR׬C]J;q+mַ47oJ;$, 9Xܬ"DÝOI۰Si9@%IbL ~9:\\R|P~AA“w%!.Np <7Z/-:@ZvSdcu^?Py bvwp BnvкYfz&(_}ޖ"X7ĈYnV!uIGᤛ+?]B5 SB{6‡d}#,.P}KBLXYӶpG!]]N1Z_BE̊ҡ676%AozX-剘A*t#Rdlؤ:i_kښF)  j||IƸSi'kmq TPWz)^R%(CƯ^5R *,.d(ϺnwciGJ׭,Uy}<˯ 9sguL׵ק7aOсbCLL^ƞė;Fnm'/?Oz{!PWA/t zzch!\K[c`rr$KJ NF3v5PЎ|f j;gd$(_.#Pc&vWUM[ R7I/͝s%( $/Î8 I5@vHtQp$v29 }^J/pɽU 3̏(|O&srFqW(>K&hR*O̴,83 _ HM Ym RK5TL^jd7m惃6^yB$FuzThiJqxpG]&l"tgluDCH4#D$ У#\3OS=Vv`P*I˚^`g^3)(6""7QLBS՜c(5 (D34;P]i?+扱kJ EAd{]2ix\._7M0c2x94[H_ >Lz8zit%k БuQk@i/40fin{Xp4q'*$'$ eczvPHk 0}~gk8@ 2i?^: >"^54Zo,_N$-y+OOc}ypҪ.{ ~jDik|y_zz'>˼ 'l8UB@+7s>eJ(xhKkVӔϩ["`7p>G# b>\h5t4 ^\v dVZuy֭<b5i5Wy[ojF%${٧J-煲#3S75jc|-٦ . ľ|&Bnk֑ wJEOKȶ<,{xUgZѡyDŽD*X­|Iɭ6+uCK~Kj*#ǧj#xkAAl GGevT N j*•l(2w98dMDdx"). 9 _8צ@YW\}&0+rG](yR EhÜ /> ՕAάe=gd}%if)`Թկ\ SEH1(1,?$nl[d7#S@ػqA?{YIj9T+>%{_)#$BcE̬|)D(DH]Hs#{-cyr`O3osg^_0`mz<뎢eoQAL yny}cH&o I޻Hg*q/<^=I7gϺ?-̀ܫ@a+U@d0E"'w|I049G}+*чiɵXaE t1 ݽ]E{kD-6'!2ߖ '"@ʜq5:לUD ሌ!98\:a<"3{ZF!,p#6 X َUm27w&r{A-qO`Xh};j T~{@=^!7*jZlL{]9 \B=\^*n#RgPpfchyWooHpcD*jx83Vvvw^D`:<%\ b0GPayhs)cOniᩍȐR;ii3UPP49^E🬞Z8 `{*uG\JkCJ\; x 6N k IȬNH3~iva;~kd"G[Yh(*+DЄ').8a5.?&JbtVDֆS]6^o7zr@SY_2,M fRix oe~\rMc 5QAXum]s.$3n \. +dDo\j1R U#%h_Л[5]"H*zhP+tЍ:TiYne):ys ,HHu\!VÉ_^up3s8H/(q:b)/@h*1CݕlJ:_>q>>#.xx@J)*L ,v3ӍD뻣BUdsY@="鈕i7x)JTSk>EQWмY²Ӯk'Ks a {z>E0EN=%"[׭;"#93cDΘTشCAk,d/n vlF~y4ql.*Y鮿ٟ5UT>mEic^3 1p*1ndY2: ſT { E/jvG;NH~TQ@ڞk ˶hlF9+nA`8e zjtkT纥$ɗ kQKm?JCIvC5( X0O0y[ 2I]#cD VGnRd}qY"ic}9&_m i%*)zg %U G.dIkE+7evdJ|Ok9 48|Wy&c0'f9%4''`&QSq{۸ziYMaweȂhn!#% Q,d0<$~ {Mk $̐W`W .I9btZ(z~Cr U6HRқ:mk $m9 tDTCdJA.w[^ߣyu5m)gQ,|"yIN"Rts KKFuل#Fȶu&  >~b)RN4ұh:;PC ]v)]Aր1I!`%.)BЉ֝38Η x82ElH+V|JD6lp_b] qH\G޺,2ハ{{+Y8 7=e`ކ^IXt=nBUm.ӊVVEsRR v#f[#l~33p!+6vXAAսn2]bJShWOEQ0_n.@Tc0xV|/\8D .ju]֟I©1Nv_QKp3)MdD MA/B㏘4^S ,"GA9;3-?^ xX!7c饄Q`67娛 ˈ /] _LIz l4c %8ȋ\m讯2b1wDXEL衱 h._3}TFk hM>u(k;I\ )74tA:Xq#gɦ".on6klAR^"/3w:PZx6[!W6=Y1T_I-0 hNu\lTCzKmRZ]͘T|/=شTbZ+W]ӝC׊,)'WV|gxg8҅=s`ш~GC`YҴE\&VEU84o6-E5=x 9lV3B<'lC~M(Q+eB/,:-{1ZCbϝHE~w3<}@+%_]l|lߩUܸly$!7K/I$1iw 8J,Mw1;2MP=7Ajd <.z,X8L2"JQtp+C{[-0!&SR[5(ReP2BUz­wg!#UPT&8Ǫ uڜ2~55ཆ(z0q:5җL rJr~EH; I$Il|P,TA oWz-5xkWaIU#LTp,N6?FXM]Fxrv/ dZP H!Z $}LʳvC$io!>9sSw.뚖v~2w_Y&x'}']?Vo2v̐Pw!x-qpȹ!׺cIzUUkx`!8~xɒausTz%?|">O{0tP= nYCYUJٵGϴ_BTr 7B3{dM2ߜ7}RbuZr1~I YđƇH *?L"Q=D>uҚ >>5e^| ]\a?8_}OJOjU*YY̪0-l;V>˰`'$3zBD%ESE GΤdYcf&bפ'4q]\ӈ: ֈ-FV÷}A@%F8sQf"2>Y`5Gn.Mn, mFڡfݻi%tX}C>fĨϷ`qypvgY\SO 4'ؘ <ڈsn0ͤ􎘀.=W({k;DB]<`\G9'<ފO*\q;B}[FGFjnۻF<1'~P鍩1MZK t9$'\< Ō:69J,Z‚dX5#=ߏ߆ ~ fKSSaAź4A1}x\)NV_BZ3XLZ h<ht}!;́;%,n@bp13,^`$ג>6 Yyt~$@OЈMdO@P$[`hoh*PnJc͓#Y $ |1[`~h޲ A)G84a(4U㲝c_\F03aaJ@+aԴ[ xսŅ&MտP,gB8z;yMz(9 ՘<]FJ|"CœրڸQCH~cB-uٗ Q!QЖfe sC*̿mW#BΈ,w,wĜdouyF;B\MYlk |ۦQC3f|L+z>Nk^W<LaS+[8SSHUH=zS$fƙP ^[ ɘ?|B3=`ӷ !9,]( } uM-.%ZٲQ}8My7i/CV &k@MLo@diQ[S64Ϸ[_qw9IRl1l;!LW4re_by`6Ոte'Oy5xaUU:Vsl"^{aq.>AV(ѦVn(ݶ+ ){@-bZe/@D}.e,ל*Rg$rvO),U#v x13O+S;ٌ-%p3UрIn%vqí'h/Vn/YHy#pu oQi ^G+F'%ЁD\И bfM(o)4.ǐ$Yuzk"bo8c*Ht%W AQ/9X^)Ѐ橐~B G*{b?A^Uf1c-DFOkbމҪHp^a0]^uI[()LX::95 2/v6 ^0=9 «}s=iCy4a~' N(UAVA<5K8V&zBQ$5 F&eYKSRI$4ҿ^ 8Xr4IpUz_%9OBpuYevG Kߠ(y[wy-1/K1^S}Hz\@0$D;KPr6,!E[)Zjk?}9%Mƫ^=tƍ&TMdZF%i\(Metci( J#-5oSk g- Л KYX Z9hŏa*Th+Hl3k9;ƓqCJ? ,m3TPEF~|*ΧSbP߽.ҖI 8mIڤ'eVsXq#\/a-P /qBެ18|G8k=ÚWrmwdf}0Pp)(rG;16#CZ4 QZE|f|O vX\Ԓi ^P9IB58U3a4?jA9rts፛SC bSfݸ4 v=Mtvd߫canfjҝI?cZio WhQ`; 6 0il=BA5DJ%M8{p^ew'DU^?sXm=,0|+w)$ bQR|5PKu` x3۔.`,`t],߲U;R s=\vG˲vwݵdUE8jX6Pf07*{63/؝QRP(Q NVON(`+Fdp}l@x&Ԅ=;ZSOkDbm3ܼkH8,B4 6U7,A޹}ڜZMiNXF]FވCklCcIl B \ݬ>G}WW X?ZdΩ3* TA{`8^5o9,]vHTS3gv*\;:UĮ@sIa7RKcJ h2*Ɲ 圎K*[d cabO(}l.3 2d[ JiiR]ou<-`mi`?EcpQ_]8bֳEH]U^n `L%_CY Zk0ʓ`nOӆxDleVԫ3i6 My;u%Fl@CD\ 4ͯ-(6phYs8vC^מNG%TKf!`^XZLih\N1b a- <ڳ#[ _a4zիP'#a</tURuxG.yWv$~Fs27^.aB8Go$Ҏ-Yv2 Aץ`Xz.ݼ0hH!yK."UܳSv7@R ^UWg8<4K47uq(F{a7k褝-Nck8a J4UZI84]pp?qЩՓ=&A l@=jakb(n D5i)$2 *,ǎq[i{uS^;*5Ͷ#&i Ga +ԏZ'҂G2fZ;%9`hMC,ChyHϢG!ފK}U [# LB}ID 'Cav!D!)!xD(GE"*phM fpF99X>rвIAZisaKhS7^m mtm]kYgb 99vam/c0BFk<QKRB!L2Z E&fo7꽨쳁߆TaF{Z5\-?(8Y@ +ּdT W^M+Reo5Enkڄ ``_1>m@|r!ցzLnth(zQ$qXb0}a6`G^+>3 [v~@pU0U -F_;Wq]`,sNcFMD6y#@H2@QU CN!0EQٔvzv\{@`6kLD@9+˝q 1q֎ ܣطgL+%.cy|i^$CR^ x>fvGW:2(63tΆ^'pJem:نO`~ ċ[D tUi&_t 8HQQtI(? K7YZd44Zx;}?^f@#{gav-R+ϕps U |7.ۣz޾zq|BPU'W~ >y"HU1愬"ނب' FԘ90UGl,n+TWb;٥;hPOed D i}Z,֖\֢/4#u3Pt +5/[;%  h}[tXc}-wIO21sjh*tooUR܂7C91K2Ψj+[NviDʠ71'yT{C]8j ,v0WS=QmSL+`uxppADKH̠4 &T|FqW3&nޡ _~ ~6=_K U^X\Q:lzU E)elW NuBYXK\sDB{]^?⨅r,ZК u`xgNV0(X5?qt4͋ j3N.TV*1ƹoY휼1w0P;@ 'Օ28\&8X_nj^ 67`l#0X݈ ` q0 *?c!ZY~.=pBN+] v3]xXj\(F%vw *Ϩdžp/P 9۸)(ˈ{gp%F*r"w''g-!>^%j~gZRCxag15\5?vFf ~u>S΅uX]3)3y7~DD gѯҢ H{.#,xOwoQqâKʇ(1;b/(9jD;TqE ȍ5dpMIR} OJAX(tg;\ ,"3+2r=IѸ%4?3-[[8i@GV37_3FG3-VKa0a6./ 7dd_\Ԃ 9`8)f;[j#.?C:#\%++)|ʟe=/"h"6Mᰄ&TZiP+GqGգdrv'SNDCY!ՙ8Sc1&Çwlúp -^e7Eռt$ : e.2i'H?Q9;g+7vAªZɷj6~7n}Y:1XdQ.x! gUvlG#vX"q+pY:|ϑ1b#4#?~Q ̼.lG0Ԭ0a\XwWn*_cj:ʾ#5_ǣ -!D*`ECߖWȺ/_p/;l0^Gćo#!U4/Mꡋ rAnha[755>,Wm #[4i*)8٪ V5*xa^ ѥmn ~[Hzz|TA$wSBWkNag,ot|͵^DK37;^A"MM@ ْmg( V<\cJ-ECU6˂%Ҟ I;)}UM5N$@MQԯgoդp{?ڙ8@2˜.5\"~@)v%92L-=Sd ^iv?%)i0Y-t鹂?ܭ&E BSJk9-@1rrt\ a*f9G?oVm; 62Z-]+q&-d|aډ؁-Ep櫮U! 17_Z&V}0>- ߢw$ @4\M ɈC G]U(*\AqSk8Z+:Vu\L`JR>o|;.IvҊ}%GQŒJT'7FYJD:_Nxg- fr4 SئypΛLMF^!hn.#豃Oz\͔03d.ENnbvˣ˶)tMd5XO}ǿ[Ή[x" Z[a-}*ft[a`p?lJ+$>6h⍂wO'*F[9Ne VGkG x:ier> ,,@)KUAHY M4ƭZeRgH^ .8Lrf Ջ7'wwjfCo)pS.~rt9C-bFC5cBuׅX|hДyc$IKQ'`ɻw< (n!R606paATA>!7KE=erux_4f7 A!;#jлbԃo5Xw hvߎ 5IskԁRc.5潎_C -{`iqsER )O!`sHچwuf/È![b[$ΦSc<Ʉ}|_G`INS'bIVĞd^]+ rdƫXnJD{$ O#_w5oּ/e0p<K͙*z%&%abe}sgd \gy2eIyw 2puyՐMym#]ڐdx^OK4mm$ SkFn.vGU o8<&ZbN9JZDOO(ziH|W/P-\F2lS.\8h~_:K( C ]y6K/{ju􃝧iծhm\G+8o*I|Cez=<܉&"UD|X@c3BP[X^NgdqF}0"Kn G͏zfG+@ ߥ/G'=̦Mł_tW&<}Տu4ۄpE~M2 iB,32XRt)= H5kPwIͶ_skƭIU{.(,2YNb3鍆]a-aŰW'LtrhS vCg{(,3;^Y hUŤ=ߧ'f:bͷǐt{j` &ΔZ9Ox?9`MhuߢEM]{,rk: h1TḥLҁ5fDOlɍQS|V`1wRR*󸾳'2. ,MQdp'r{@3,8-ޅg|LlOė| ^ʥd Z9sk!fԛLFHډH_ Ȭ|RÚy@Qj,5[^fiBsL-bܣ BGcQT y?MҐ8u?v;|cЍ, )7Re|rΔn:{>h6 6׃JIu 1LZPx$6ma,8 = r@^r28 %e$kED=V; /G77[؎K o޿uvw|}~ʍsӞUDWYMIW #BAwpA s{^lY^lj͙=DyCSeXgrfuHW܌J|+Uk{&Z>X[/ dN䌚`=&)1mXsCUߒIeJƛvVBU0_ D&`u)XNX,`ɭ%笩i0~]FDt ĵO/FwhdR$k}IFsLO?(@"py򉈔zZ*oVo:l ^tx}~&]uZU;ۀe-JG?>t2V^T9hLP25B-G"Q~;Uq l܆oN,:)Bs5DgaY {9^`lHc4XNR6$KdY]hFK{w#h1pzd${)&(( B=Ü4QjC3|K <^ _ B)2Սh{ve%Vڕa;C^VHX?Ml?o/<+?ufx3f) = \%cZ? G3bCz$0 F?i+Tn09@z%J - zM{6>Kr6H|k j N#̀aH%U* Bre>Qk gBp`4Y q"6f|p3nFÐ<>⽵5XC_\`N@w+ ϊP~p-_#=( jJ"d"ڬ&DQKEF&E znYc-NN?;j$*`*;PK=J !tl0g~qWHT+}ɑd BA>VL7 k&?[RPL.F,Ya: dmzwfvr4A+K wpW*Дo=G\O2f9쎮tu i`>d&~QW:O{׋߿C_ ״[E+ZyLJ E0KW)r@x?3X7\/ ~6\D? Y}{?%z{ 3:/RWN@C8MꥪO nXҖ֛5ڐ 5=E0;" lRuM$)@=2(gUh牱N trH tvQ긕Wn0eq^R8|t$FZLnaH0תX1`!St@F1>b^T7nbDzJ_6اe3[F{B#7RPh?!Ӆ4Cv6f${9ӂvkĿ_TYWx d%K"ڠ*ҨK4 'Mm1{`?g8om˳9E[$H]K?rV1}yaq.N;슾v,QE̠6<5D$+ g2 hxi@Zhe;@e(u؏Ϲ*gYF aV`9?67. j(of7AW2|d+2 ʲ@.8>Qhf//O/U\u-寠qKɠB`!Gj^'`YZ$$NAV$8D:&cQ΁"Mf"8p~n:HFF$P8vَۛ7۪_6 ӟa"9 "\<Vb\#xR^9 x?&+z13&s Nw:@h)zNC}H;Oryyenc?}=`٩[fW'TeSRyl>2;eA22x 14~}+:yKD1i^MrvkdS%{ W;"B5H {%[uj/f.2u |-Nհj@z+ !cºk}u D_{΄拤HHQcCVuO}N7 +mIÔyAxrKsP2:ܳ|\potW6J=80R*>; R>Br^x޻T5%d}iǺ(Aם^+"T U= {= }4SeEn֏&ۤ5yc C$r%:^KL#l ty( .>Ft}åPL8,Rx^gl;oO;*< -HY'ǧ%no34S![^I>Ζp8a*(r+,DMẦ(2 u FcJF̗cH&V+L6xB[y;iϴ8xwR)Nt֤#!= qm14t?Hws?JJ5P@V5/yy&㟹Lȗ-{ݗrHfCDHKx' mKwbӟ!qr ,<=غK^wQH=MǰC^hSd c ,Ē_=Q9G*˙n5F%PUy^Lٹ*c{R*H31L- -L,3+KXq#uMx|=7|iML&uc#]Dh]. o\L0"{bmQ "KKe7 O0Ɨk+5ǃ@Er 98!a5wK)PK}Ō0 W ³Kva AM #UMs0PVP~gS.5gBИ 4%1be6C6;:6_<&.O@i8`b hDw)HKA?z^i a<BxmfO=ɲo>_(feڞC:[1D2]ߧsSY QOBʖH%JXryh':Jv%@͋ nropsJit "\ C]e޼ @er.Ò0\omM\Vu8$;Fﵢe]DBtock*8djњgQ;U0C6ՅzL҈W 1~wcѡlo1KM=;=ww nfvʡ_pY kӡ K> 7SZ| cGmM(-FSqMFM1f׾.byop *k Gz7߻$&SwINxNsLVtJu )VhԞ86#Lj,! D^b#tT ղh'=A.BGƽaN`|v=2~fuqLmt(NI'ptt`.j`ϼn>|5;ˢQrܿdBDQXW8]?AT"Kj:6pדPi}UsFόdQo(z .4jdr9`q)^Yy.xfcW\3aJ7%=*ZQ6J='vKXe qd@J eWO.̖(mvNws$w>DWx]Ћ\RqwHҖ q8oy+"9+hGOb?Ř#b0R\(ǭ77:&yՌ%=\zY ׀*-yS] -3Q(8eX;Gռ+ƦytM K# pӡ(ryYvѻe os].7?}1/ir[uV= mb&V"U!WID]\:ꄧ~?" GMR*e zZO8k( ;X`5~x^Y {#O W K*ՖI@(W%Gd'|.`R)e|L{] @ٌ{(Eoj4ahY-UH>T_K_2l%dg9q`G>[h˜vMKOg2X'׆[. ng*׎N/>lag[TL0nyS96N1h|do4F_3̦?UȆ% ]~е,ȥw*׹C0`K Xfk*Y‰?< FMAƌ? ݮb9ن! 1]ۊiŰzcJX6= 6}W-~tNΕN^5k –nK` :f'<-uOaz VQ|T4c?JܴGy$2|PeMYso\V`D]mnwwxBs.ac3ƹ)r|{,s˴hakL{NMym]k_YHv^熕y* :) X ֱ~0{wۥ+ٕI0ώP=({F@NDğ3ߠȈM?ͅcـ7c"#3z_Z!/z@,;]$qmw/uZw3q"~G{;)ina~95rܡ4Sߨٴ$ꬼOlc.mՋ#st="n\ӽۼ7s6㐼)ǖ36]PMap`t8\Qٺ]s? !BEUY`>5R oNYl}|rA/.˸R[0Q=8e7 z`_7^4tq?BhgeT,|Jv|惄 /WTDѵk~0BV% 3|(1:h,1ו }k}x?[uI͔=]sCҎKƹ#!.Ck㖈@BS4rGO*9CSAlڼxPTkUnK9õu7T rdBk-4"ivH;/%;=֨sLN蓟acDp;w#\"~J/mV깔7":& aoK9#Vgn qJo1rј>vOnHjD!l ;&t=މ#OqP0 mXgcDOCm%f"Usqz~'o}nWIp(9عr}וn hKv(@P! zŜ4aXtZhEYfaMA<>gOgmcJ`nL}>L)/7h!֍ـv;SALPie*нBh 5 RE c_ǠGRj^F@? UKOI!Cp m1,+Y0$RhϔhߗX#6mo҂F`ndi 45"ӛ9<ߩ/] [W]À7C*`y-2O(gnjݧKUH!~r[`uS ^zAeĨA 1mhQ!:aGyZ.5Qxf \wrq 'WLy;@U%#Ԓ6$F0t VS@4(v #r|X\"DvviOs#fbui F1 v;X$X ^3Glp_I8 wK5=C8Joj~+ Z06ZJ'5v!/BQZ:f E*h9(tA| y6DuFf3Rj17 fs\Rq6Mj uX,k%˰m9ыx=6^5,V'vs Zn6F\ %KzJ.6/WQIaI=aRla4 E?!ն 3?eft G/bU|Id=VsDl8t_^2>4S3k @eqvMȤ&.|+Wn:a:{f}i2/GOEe]b rȇ=1Bx>N ŌbX S{]r @ r]pZ? J4V0S \Uj0id)A+fRq.q.AN儮t'H%w1$:a4mXqz{Wj$/O܇I㘃6>Ow"yoP?C={##-_-qM]x>>6\s.Ċ@PdLZ5dTAR|Z1!ϙ;+y##qfkYq8Hm-.*@?yOft~2tq-L!];QU+IPDܓU߆6T6)QfjH8 ǣoa~?R>vDz~0#Fȣ^hʵ:c}#)IF]tRuu_6hG2ڎ{e_pHlY/X:R %h 8G׺-qMӎ[&8d}.8ߴpC|> /։ZV@ b}ڞHb^-HBO2c/.\;:PO w `KJ64ƙKz'I]ՏۅxrTj+dqF`1D )7ͽSӼ~y(fNU6@_\uQhpJ);J=N˲RޯQϰsvg)9K,e_ȏ˥Θn jn.[$@ d#6t%tF4W}F`tv6PfOmo8N'ND݂4b*9B=NI ͓c匉Cxr ]8%ER)^st׾X&hI(1 ;dͬZAj^D钶 )6}&%$=>6j k ;"2hKX,j |*OZ F"qz,yzOApΣx_'Wv @ͷ;Η[%uz8.h.t3!e(O f܃ATǿYSNxS|m۾5dlnwWrn^n 3:NT3"/An_߂nU XVh ?YD4Do4ݝ?l8cP0oQ`lIhDuA<h9f9aLc`*!*/_+?_RЌ/y맃 Сr {goǦzϳɲI{mD Pnz{7kr(@LN%ɇuQ,n89z y1*Lۇl]6)fu [a0Xߺfr=]z(5SFʸr PS0u]D3rkl[th*LUb~L?бIRݕ{Ҿ=OZ+u)Iuk>auUך0"qsk<ιt@T1U-?+Wl9A&8{{p_fYfL(˙ckU\H@I !vr7XVE [Bae !p-u{-2H:f=N آ5\U_`,\9*r1o e 0*?ޓrg 'dzrX- @x-ڽ㺷TlqHh+W§ݷ{ 1nxRUH@ք]8! ܒH7jH!vK4Ŝ)G%xo=)ĚZMFrwVn[w~:N @7A&N7PSqy^֌֎B]iqVxHNJ,sO1y tL/A]Zk ]en4}1Wto_"\C?]j=PCuq^\3^2rS}ts8Q%-cW3t8/z~]\ m)03zI z#zq Fi8FSi KV|8 |*Pm]V8 "BYv,Q{޽OXݬJ4s$blZUr/`v|)U-pLNs2A:!+9̹Pw@]_+b(F9۽(4+|t@Oj+=tQ;fߖ*l{n4?=ܠ=eF]S͠3˜ x?kpBjh`G'XlPLq-ե~jdNJ:Zao ˘f&-뜒T]Ϋ쾶8$Ao&bĽIx50 Y_Ƽ:bb%12(pAWGs;GZ}x"g/@ BR eF?jR;#"y\}XHj[0WDݖd!e  {YܮMz-]ACޫ}uV8}2%eBŏ*K(w %]Z_H0Iߪ^ϡ|_9ֲM?S|# 킱((݀]*~F 4 ,c z߮AuйTh/0`u˕ MeswbװSo"7ؕ4!,  Iwvhs|=r#-t4d2sGBD5fʠZ[=]=RPzp2̦/؊?p E0*W &)+xT ι։m=i^5yӍ4-ً4:,{AԬhJ9m*Lqe* h3 >.79'$H֌SRe粝] vFn_L^k ,[Pu$~wu튔R]WvʣX+vo.yߙKxqB+5e1I3g3ك:aKb.C1Z#Z }`J?11\#6Ms̏-CAnScH>!봃ѕⵎaXzڨ $7?];< +Z]Wr m ud=gO"]E`!L2Kn/`n8ƣy.C {Tt#&SV-2goBQ3lGi3@ҁ*xeuH!Hͳ\lﻹthAM`pBלp}sa Թ?2CYp: ,AzauB!ꇲӷ sy>nЅ)uF@k9ZDI:m-5 b%_H Fh \a:vF<dan鯸]wz}܌=%A>H26!qUM"?i6 Tk Yb"YJf|g櫦0 89]s3O/={zu_OX W& xiang77 \oaQxve@>[* 9:H^ 1ŜeX.~Y,h'&bn|i !ymAamƢV2l -+sscdކ_ڎ WWjF1#2l P$ɫ惨r@ia@MǮKhQe!0ޔЄht YTRgm\ ( X:fg+|ɗ&g,wd 6 -ܽ.YKنtcrI,4]Q!{öh!4u}Mj0sRdչq'eyMEe,ǰ?Ι74']Q+R7ۯq8"&FD}ֱl q׿n\v:RSn;yC:,\j0`)Q:Į]48RG\PUg#g2{=f 6v).IiTHfFE]r s5< a`[tWZGp$-C{3iGTA ȅE/ @IAB'׹0M^yȞ*:Ż(o#̅)@ ir^bղALX.a1pQO:H u X0L=!9^ǃH khCbvJ@.%4zuN]=DNR't/y"rwA;6)a|^.8.b:>!l!x~gk#0Vw@anG [@ kw)-X^ ~Ї7fJm@Z;tJ?R 3,d$P-kRcDi*}|)'h xTQ \t!! C@r"7O7c)@A(9P LWl? e/+/|`9G{H\_M W{ew ~߹\|wL F^wJc{9:Q~:H^ 9*(ͬϩy7:iAjW~Zl}jSk Q!%!Rl]/lf/"*=&x\*}v,C,j㑪iY]AwA$h7)ob]^b^֐0bXM|Pu[xZg|m\7YE4zK{H %ﷱm&A+d֋L?p0AlPV*HPy")EhSK8J%SD|ƊpHpO"EDA<_woZ:PV/ h:~">fŷB81YڹV[2'P+gvh ޖ2f yISζ(r.f썺LfW5{y4Rή@tLgp{,&|6^qŠܯ6)>bKL*t8X!% Γmq~$ͫ k11YU{u@}?MW!ld97^cuJ9_Q}qmxO;&!bPE!$Jeh#A;z(7:{nN j4&%#rA%? G2~G|>dd&?seF~R56Yn`  5 Հ Ղ(rw O^;H[:ћ?iVb%&a Х)xaqMsjp}V,SuKdb&vnW/XmēUV<_3!Klb:M [U$O8IOmĪ݌o}atם6)nzD S>p>vAs4N!p"ZY+SޑZ<{>^iab('&p!*\mg]x7D䭟\>^ř|p3;Rzy]-~x*^' RhHgge9oa1;Pcm59d'F*Yr,1~C1B.*m*~SQ>gCGwV&YB̯'UL$4TuĜ:{HwW}|R)po8PgU5m 3FڀrjMj} na]iѝAvwVls63q] X+R2->  B8Yhq"ljXdا+F }~l1yVMRޖYk T39|`ZS ! ^6Vj \6Wmwt,j>(dd*S{F àue6(}JR+Dx)KG9[Rp#]>/DgȖp j{gUυ/vi|*^OLZJlf6\}&0.Moidpֻ\-!o*f;URGs˂>ʹOZ2g46r.OvIсj1X8@)YDz|,`.9(7cK??wIOFI%к\}qXl9%4߰AIq Gy!sed"Wdn뇶=o~Hfl2^۸~Jn7gbͩl JIU F̬TBWYۇr+OO QkM z\Ut<2pZWF1KJOhRy3ǼQ1锌a\eXvO(7>#تи0G&p؜q;eq ,eW챙F%GԐ2IG?M. )BWsN %՛1! eg$yԭLoQʾGIeC/njHp짨v8tu'ޟ_|%%"bDM㸂TZHw%2ߊ?Ѿ%_cE0B/q@+e[0,\E ċz׌jEQ e \wKu-[D4/;c}&{$R5Ix.p;X ;hYv-%M2&5ݞ&K+hptG==_%Ϣn/^yE//6 ڬ4jUc=:?/!Ϧ団aoP~,nI&I1<_8Wjo?̀#;[c94#PILS) d4r]A2+,d^UE;+Hΰ?@zeV!<D$zSua#))甤C2;sN轆}{$u{Oj L|e$#"K.&6;ކHI#B&fjȸ[0N!BLLo.-10ZQsƖRymYrKA4$(̌δQC?ƥ`w<Ϊ:IA|R>^U9ΟM}+6xk4ԑWmog;SpD<Wk)-+|gW`ay U"8O/_tC^E^kt cn:l@nuo {KRlh£R"Y6o_鰩m`q>dE<&׏2ޑN0r * n4zJWI>R"luߜ&G NウMoV#JT${N/6gS/R(׸jER6PVG!.2%𖏌(.F:S`OR׏qq3,CsW#:.fƬKѫнU?aqJ3:cyW?2YW(AMShҨv%Vi tRTp7Ri$"BoLTbOWPU޵zFȆWi]A#88A2;j1ALѻQoK:R ݷSw\pm+,NyZ\A/o*D>p)lxa;rZ]rC #a!ݳZ CIGѫuksTbua&ōy-?t2 veZ͞pw<"1Q;ZHu4tR RnE%I"<槍BռSkeg@W[i ){q I̥Rt~u(_oaͽraTy͘SY }+l"ra!}]HO%nnH$ӷ`H,$g$~tsr0%߇}zZzzy~Wbjkc+b}ib2x8lIsϵ;C 4Ɯ8y|7&QVIzS#W1' U0H\䔑"7A 7g7Q^ۥ{Z&Bk8KClv#v1%h<%[ia(LyͿxF迄+8\KGh14ΰ:p{zf E^Jb5s';~47=V i:9‘(|vNGѶ.+_,d헻e7ʖۢWŰAm0/Ix !n+h.5pǺEGxи\l;}E'Κ~:/˪UL f9D^S$wm-oq䠙ǿK)3 &ՋFA<Ӫ{d܅3z5!x廂T=!.a$@QYJ (dpM 鵚` ]?'ߛ6"ܓHŚɻ/Q00 +V' .: dDƙ٬@ˎ[GVXH{t6Mn,JME30Z>^q&`j "*?n+{u"6pfU(5~TgJR6dbv\s+׿僴.W׫udpZ 1_y :6&q R:Pֈ{ήGبLܳ꘺VuَZxX}ޑ܉w赶KOT5`N1Gm~a4)"HkUm|YB\X=B3þ-؊#>E~)S_=_C:9Y}`%yo^IH`1Υ%V.;Ě4cN>/oIJ`^m,%7&21p#whiJzM8Π,49[pVic(9-F2-0O.*;yJ#|A?m̾{W޲HR %HwQF}hX%1)y*mN4D^<5_O 2Bˣ"k2~<*IѤUZPT6#J=nP 2˅ji[&3`$]4Z*imSzLwg9ҊV /D知q;ƕYE*qGe! o`C>~aN:Wŀzc4m'i-ft$MTkA:קvwWi Qw.l0'D%gW\,ٕ}f+q3JZLzA]YTL[l:VM'X*4Z$rʚf)zw%Tw(upO}oIk̜1y%̼,=x}Q:0,y3/=~"!!:H2##ּw8&0dpf-v ս($KTT_C*(P<>x\|\Y֡e71|ԉm~}Zt䊱6p%(cv !=-KKs%=8}[LE \Ec=R >`Nvurp$:`ԗo,lBCjLߞWN*ݺUJOv9ɗ P~-,m/5!KC#dsp0,hGZf'c\,ihFVOlhB!j>ܜn&)1,ݱ`o`Ǽsud EO_OW*XϋSI7B'Ok#M K3*V\ݺ/*71H%A|Uo4RZ!7BNY{[,(P WK&9 ђM1>sK'; SX}b>1 Q>W~p}00ӛ|ՅBefje^%E , -lTDZ6pԻ< jd/^$\ܢ;Z zaۢHGt/?N,!gciBfg\Cd(v|{\lOm#ZI hiul#V2qtXIyx^aUr"xڲnڏYBUz&f$.}If/&-؄[d؄n%ZB 6Y6uwn`vL~}G_=vEݽ 뱯!*ۺԦPg@t੕NF[zS؛lŇ,a֙i$=\\IdJ7fV^$@?ު+2Hٔ3Y͜i$Ni :~a,U检 DXq $$gd%Ta-YU#%EgfdEٗs58"пyLW\plI捇B`O qw} mi9Ø[&gq(8. HrH]|BUc32e~Og_R*RJtw D^51L^d-1g~G_, A<.>[_車<,9:Kt sYc{ذ'q|>`i ŔPEoO _(k0T܉6FP=3V6[j?ID'jb ~He3y==I<2~sf)Ok(obh~V@@X1s:~T4L1()+%bm<܆AqVd>AIʲ\;V\]@KVXl[A8NlLzěI~IFKnا] K-fP7F7γa.URȵs? -Ch~Epy,ͣ~6(vfL=Tsd^/< >ЋO  r|]|d,xv 8C&Ƞ i8.UZɼ=Î HVZ=.7^ry8Bcsj\5ʮ ҫm׶!mOYpJb[e";{2G8 K)5M:EMUȀ!S0,r-uXFZ&|d{Ij0kXtkAe1hS 4xs,g?p{a`I្ȂR%> VudKp,KyBs.:?*Vs 1ǠX Q[te^Z-v3}x>D.-)-K#n}0W+=q9E G cJ`E-CBδijB3쏳{i1Q]+i3- _K{ G7yu6t`W.˿]ohWcDVCff=J 2cYe&쇠o 0)pJOg/^-׸Jb kZ9D" $au 3 Q Z2 t(w4V2]A+jԹd I!]vz[PZք<T`>Q,9DKTKqjLX(A]ڛ1%VN MӲ--X;:$ԤdG$r crB^d˅7ʤ`n{+d18OT`&X]S#5=9&“bJTN[Os4zģMȥ,M\sY$ pRCd!RNhа Nru0Ƣ!֐daQԆ Qȵt`o0c =Yh+~/%Ζo>ܕb'oʥ盷$򛳁+ȵ ojK4Qۙ 7@w O;="\T5A?[ڭFca; wPJ 2J! zH/cj]-7}GŏLf:.Zh#&,8Yq0EbNTk&G97=61Eqpr0L>d"B~"C~4]8T- S. 0m3O) *O"{ |STD(!?I;zC?*'sAHe+>H/엔,3`}H&kgYUGt JP2wQBpOO VeCw" lLbZ ghWT4%t0ulRc>¹-Hb3Ξ"BhSAZT0J6#yE\gj[ϵ%a lF2 (̿7#Gɾ.q@aiyd>vHFEK9 j%rq46tA2]a)س$S]6\ Y`Tof~[߸7# a 11x] |W7I*@rh$eT1oΕa"j\ŵj*quPUsxF@aվpO%ƌ4.i5^X{ё# e8:)Ow{SV`Xh}H l&B&awH (Pϰᨎ$ S{7'IWbenϧnyȌ?bbF~I!got€etCTe 퓳MJ3*~BzR$x$춇k~=DsY\KbCv_R܊I"tg‡ͩ'\aVՔD fRDuԱwAqCUt0=~0t5٠Eǩd.Q?/3cSym.5PGϑfPD3 #?lظԓjYyY=|WǤOH15iIx=&%E-iE἞|f%o]e1=q.#5q%K@>pnzF:k씰1y:4lxfb<9N^;05]ꊶ~W B\}NQ­^wjn$JKĩV;4zgj"q\XRnC,lOȖ.)A-pys{NWOH:z\.HE9JC5B WQ^,fJӂٽj)gT)42+_NwE Ik5y_:8mp;g"tO]GY  /gauG-[N> ȶQMs*M,}ܣRxD_$y'H}#GD1I;|aY{ȋ% .~J@&s4Aj #H.Rh{~= >F?q^{u'?m'eUFç5 &S!Sx85 AVe Vw3u+,unmb2 ^7Yl aXBb On"Lݣ\;3Ɍ4Dk. WH~dW0>Mm)}rEyrqY 7t)2 FݣfјXe3]LMi+ VDpg-vU*z *h)™)kucՎ۸p1rK[ߐ2C8FɎa#|;m  5X~^D (; F= <v=ΐ?(T&,6PԷ?U:BFUzVC^yr`b61}Ht +\?!h33H&e(İƻᾴ