permissions-20201225-150400.5.11.1 >  A c!ep9|_* rEszm37(K/aIs7K><׽ P,[ u)yHípe)]ߊ-MW?YfaGL!@R? [.' 7`G|yUQD= / VJW%;Vp_E|z+7u$uv xF^.OЀа9E#Z\ܶ`| jX[-u knc3r93921a061379b9eeb776c96587daa426fc9eba585e13d00feca476965fc29d6a48c99c03fe4b7462d4e13ec02699bea68fba53f9c!ep9|lb],x;ESo]NI/Npk@jfx;Xe3gm6t2Ѡ k"8hbR5Y [GKxm'Hr[cwւ8O, _$ONoHY#T*f|hBl1anQ/ܰZ;lqGvpNG62*͏ 6xm/j-}e 'ZU.3,IgOi$Lu#!c+Iw]/+2r]$j'\n=^$>p@A ?@d % D-NW mP t           4 a   0 h [( 8 =9 =:=>;F;G; H< I<( X<4Y@d>e>f>l>u> v?w@H x@l y@z@@@@@Cpermissions20201225150400.5.11.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.c!ewsangioveseXSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxppc64le PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Ya 9;@큤c!evc!evc!evc!evc!evc!evc!evc!evc!ev39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331810b96e4d3750fa33e3589ef0dcfd4cde672c2f89b916abe31cf5b3cd26b20f8c9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b40bc5457f8417a01891da0234cbec07f74eec25256e49a044fb455d5f0fdeb045369a236fa76e8e4c990a83c06c9a617f00b0fb5a0639ffccfdd867945e81c670072b044219024f28a045e03db2a0546b0442a76f46b7e1d53791525ad696e2b35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.11.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(ppc-64)@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.11.13.0.4-14.6.0-14.0-15.2-14.14.3c pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsangiovese 1663133047 20201225-150400.5.11.120201225-150400.5.11.120201225-150400.5.11.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25919/SUSE_SLE-15-SP4_Update/286470edf6cf17ff8ebfa5224624d8ee-permissions.SUSE_SLE-15-SP4_Updatecpioxz5ppc64le-suse-linuxASCII textELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=1c4f57d63265f8f30c4b338ff817715f0d3435e5, for GNU/Linux 3.10.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR Rwk;$j: F񹿓utf-81d41ac2f0589fa71c490a5967ac35b488131964d462a9674a9e70364fd796224?7zXZ !t/^#f] crv(vX0MH_e] R&ۊkAWEE}ptlIdOP'2K﨨.ԇdwI m>!OiB7 DAsi)V~q`>{p@p+ԲkO4 Wu%RT/[6jR O@՘/<8͜.=t:b }ҰOXQLf)3Ses ɲ>j3LP-Ԍ^Isl W'gPoBZx#lIyb_z h|-UAEvfg<٬SĆ 9s^Y#Dza(!t&vТ+T.AzJ])c”]'# AQPNlIAl73績CR#/xۺ/Py`o##d* u \45ĪOIK-Ko{v8xYmE~GGAsGX$'\?؊/+yrʡxúyTeQAjbqp<f zHpFN~VJՒ>6d*ͬX=wS`@p9J$ >UnHPx?et9a<̹)RheZ;BEN*!f0';X>n#~ZnLE{-&e/ Ԝqg0 XIe3> IpWVS/P=WC"ny1ױiK/b db_+Q *w6{f׶43CS1诰S9tI77$"^cz1=1A۾_xNZLU;T߮Au"%iY? IUX+n<9~rAY#9S)-OD1VK:K la, W[j}zץ 2S_(?FYJdddj~pa-"#h Zt1LЃ}ޒrHh&Pe5NxXc*l5 jlk\_Ad#"BG6{ Ic49U͂}]|s4^' T?bS:qOØfR(dG8oe|Z}JdiiRN^^a,#noF5GN+tdrCBT~$Ε /'xk% ~}R V Q4f(Y~HY~48M@2IS iW{dҒ]h|6 R<`p:xb@XX"pVCPΔ5]0ϖ@Pȗ jRT]&G"6D:NmǴt|DB̓o}Й}341AwmA@.AhՅos at7^ܮˊ[1Xuɶ&%9DUb"^;_Iu7[+pql,}Ms}#'h|Ch纟YJѐZ 4ũ\CJv! =XE&!mԥ<VΰDvRaQU$6ǘ*NkT`/k+f_uݹ݄ޥ&ø]&5M2H>΂fw)Lvi!-j߉I(uySttÂ4uV{vAMVHB&/`!yK+@Њ,U H3/g0nhNv/opVX)I-f9nMX]l޻(mu ԻKisV\9ZXjm] H(O}&TBOk|NAQ7dC(= (S]a RMu6V]>[exsYR7TjXtFe{tqržb8U ]6{b F"XTACrfWuRw˲1niK2 2Z? Fv[4,-j[X?e< h;w܂&SLi='uc#¼[,`{1qs;tU/fyC f/!H"-eعpA{ (ZcJBq11.ؠ*s»:MB`PrJRJ 8e|nVroMg(jE'QaÚ<аhO!Ք8w? sI~-Y1@~VL;5[?Pb2Y'-xFCbWEתD,;4A@Sα!Jm*p5y(z }"ɏ=!W{O*H 8Rc]߁:vH' CH+1mYFtzvQf4ۙX|yKnjwǟw*}拮̯GtvosZ^/9OG/WXt:pbOX]=6>hQ1J[g$[#GÅ^8x/nP/O&6oVB [/{sv&p_'RoGX{%r9XW=dMQHȦZڇӬkK!}/ "4绖N1qxLGŜ>Bm5e,ۥ"(k,!\ ;_ITM竑ѱ1fbL'29*uWYV Q*aJc{ oZ7ހ=|.JkTm(GH%t7.˘Tjܛؾ=Qϙ5+<L 3sDqۇCJҁ3t/L/ıDn'(%cCm!;$-A+%J/ LS?} rƃw Hۜ]wzB(3UUW~tiiR Hr#svm4\Ƕoh? ٙH+m Aevf;C^wcmA|ƐX j 6 Փ>d o;@j^ᳯmt/yelRA+ i3emxDOK?P'| _BwZD6݃@ CwBЈ%%ד73A)YKY91% )_8 7q c$R !zKO)C,HN+֑_ l/uR:jЈbZQhQ"O륢8OZS(b.f+7qL+o KZGPRO2bc(+:ӄ7̈7Bx !|LpÛ\-5i(Ɇ7 /UGC$]5dhuVKqVYU ?AvZxI{&ش=pQ [L,P#k9^C/UR0==r&Zc Ԙܗ<؟~3',D`NMI.҅ W E \dY#ǵn0]K\m)FqKd\u$ jo|9ǮSzؼr^wN}rf-łБes -G@}@lGuЍ 秔d&^p]jumЄI'+#ӊ%HͲumιЫWJN5щy4,t$:hǟ#?R8?)n 3"%O!7:⢯ɵ]%I)CS_6a٩Q!o*zg9nT#0vvD:1UdCe*K3ݥ1-Y7WoŰ* ˲+OףM'YZ dmʜ ˼"| LVfArBnN9!HUPt8DhS谲[FFV1:1TV#u+sϺxz@ g 6N.aB+J+\&6_.SEK]n5խ{ݟDJdZ棑=M 9[Rجnݚ9.XW+dV=†Qٰ趎OwG]nl_,%k@?#Ni.Tw9I.FSHOX`Vš7(Eߠĝ9zj.*m<P,oeW#R[#DwZJ" ?bs[eec$%GNBzWJWJ}@>x\p’}|ǽPa 8(0!#S Ww?Uay8y2uZI`e㟳fqGAʻago6.qf ٜ5-RQAbjڦyas0L1Ctv͠HBBoxj:^k ϫ=v$j34`h*'ʁ˦\j 2_t[9oPq?'p"Weeh>ohjbY8nȡ醬q;_EZtWB..X&~ۛj0 m:H#F!݈U_n cA v/lruE/H7JІd t!JLSNrJ#rrłF˙sFډIeہx$)8,nҼCMVჀ 9#lrn +o7FzT"*Z  " Xd'U%kcirv[]H;ыNb@<̈/tJ4`?Ijq:coY݀Lc.)WB+궂tuc A#ltx!?xe:Oi&-?Ţ# !#n$"}Ш2{$u]`+ECQن#9ȹiu^gg'H ,-zVN.X7@ 2G P'cYқʘFSH]҄]'R"s@`zS7e%z݉vw()E(ӥP,]b}Vk%"4|+)$6(π-49`0.\zA6dW}_xcUM۷ar̛QBשf9]k'f~'Mhs\IVrHeaxy$ۊ.|d\JB\+ (85"Omvr`-0@QHVʉycϋp,/)cǿ.1V4aihÍQQ1Z8^ /.=0$]QSd.3>?[ 9aqJl᫅,0G8ڵv| c952>44}jΛ8VȈtF=W0Pܦv8~֝3ȫVEQ]-9s\^TǣP;[|h:ѽ1{3cZPz:QFcg(o2} N.4nɚӘ j01ЯV",=95s|- 0`f}‰W:(Xh-3 n gcG;8Bp~;妚M00 שقN®#ww-S aOLDU]Ӈoʂ2d}p9)-6g3(uQɏ-G:]S;*ѥ0V`KBS\&Nq!Š?74fp?f>l=n쥋EE%U^zq dN]5%ڜGԑdJtۙ\p6a9)gjCٳ}1п\ԃIE=9عM28A(AZf@V*L9.Hb糭1$WDUvi8nٛEs9C$*YDaC1g2g.吰gp!}($':-3%3R_AF*kq@,_wK&YF~$ m ? oqY}XG%5yqp.析cp/L$Ko 6s e޺xQԋJd^-<IdzrK=6"!3c,Ǒ=وh7mxlEKm\g%h:o4Cu?G[3~y H!MC%Y|l~9GJ7u;NUqG#rn(9;'%O*W'0PO;~Ê+0 N1e;` %h =Ɏ@Ǜ(R ( :{<2V/c/e8.jT IX[lRR]QY3\&a*2nXVT ̔,4UZ5y:m粙*|@Xcf"+dJ ~ {<(VG hٳL)M5Ov9 вZ-^gyqkrV~a! rJlY(l 'VctK%ydI%AMq ig&BB䊁Pr">ч1{~Ӎ(*>9U9F<"7kLgE몏IGq]oC)K DH<;k٠La۫nIL.Ի{KL7ɗٷ[^ O@JБ h 5,;S;wtRbǑ[[]fVrmyI~#L˟evmXlX[wvޚUK@pyrE>.$i|mL ,es(t[HezЄpԥ}cudaU i#&軭K(MQIZt\Cj07r@^ Ӻtf2$U<uD/;d 0KxPKqeU늦apodǙ(`w dvK/639et6^)~6 @L5 í ase#WQA0 B.c<*O W7O@ <|(o{=zza6ɟ1eS!oה#PʉiK1c/;4"9bq$}&$$V^Ĥ&䠜g7 AV;#떿 wiy_aUj:p,'tIqPN z&q]ojʻo tҊ)nH*iG-p::N?|&Gku5}a'eFxыvv4bEɓB/o}lK!y*D5wbh+}jZ)=ﮮ#njw&YԜE@ Q@.H miV3)k6l-a}]{>4bݕs LD38* Ջ$,*bGe#dX76[hDH p6մt^{#M.ƥr(8g#e5n=L(H_A9_hI˸W*#'m"!ڣ\(3vq"kv!$b'w!in6;M;貾!d5ceC<$bUkqҴ5j\6aeٶ9׋8+vQVƐt'fXcKOdW?fkp[~LCJԧx[}T3%Z=g% +Ai)y& *mwB検N}(뚅:i7h¤Rk~*1ڗ5dT6 IQv_g!ZQf&&ZŦ-}BBEx`)(A [uM ʱ- t#ݩIu6ԣk<ӮMq";'"#FP Wľ-LTMZ OAr+\aDp3uþ]8͜?OLg+V9/ѤTYD_dg! g:- =`K$BQ糌qt]Ƴ5a"2q_ѽ,3Sj19sʽQ_H]%e{4c]pöS= Mtެ9 /Z:AQW;АoDVӦWS]:L9~BG!^ f$YQa3 ZL|JA ]"ld68/(> 7kO7Kjo)P~xC ^uy_cBUIDXbp;Fj$´=.-~\ } _6||+=#ZX+%z+^$^ 26h22VOқ+0W|\w;ё3W(tqa ҮȃYkFÌ87l2sj?j։iߘx0SX$NIWQ/X6W{6Ixa'g?a!^BSѴ"3Q*Ƀ>Ow 'Zn41^"c@3(O(maXBb)8}9Z:-st{Re4&ֆpS.d.9hOs37xǯFgX$ezTҿjAW `KE{t֙Sw@ ܊,\TswA?-*ftmReT;Vg3Ye˃>dr[I_bݮ Eq(%gSz ¾FղH~ +E+ d{"*nfKTP^yz:|A%:UXAΓؓ x^'!Α4qE?i,Za[b+i*znh(];_aNFCrL1{P<\7*<u[ 6b$ qvS7@i X́ɠB=ʼnC2HU?ҘJl}4}FTWtz9*ilf8RL.@qc*fX%O^5HSݗ'~AEotn}2Pl<:Ct^0n:[w( [_]ݣɎs"ˍF0J(WNn{w/򍅄[w6L# 8 $ѰV9<,(#PآXRfg8L Oj{"0jtrߩS388oאA:gp2V(Veo *F^]5_<ےȼq}北۩XNrYнa~&?6խHY<.E8,'/DaxH~%";-g+\BRhUM$={}i@?!MJ㯞16oh_~z:(~( !j>#Tc?N8Ø ^}F"jT%4\3C*ASFe BᯠIF4M>ʢ)(I"Dh Y"]"#)^M@>G U ΠD`^|{g`ڂ.vz.Oy;+&b}'#GIf|:-ii'@?'~^ŝḛ]A#E1/ӮjG*ޝniT5xM(ڪ M{&`œE.<?nM}^*8 Gt(g̜~VloHlٗ,BnEM{e~Xt$\!GJ%+]& +odޞG 罯OdVӷ'vt ]N8`oK6 pwa,QP*c|(PJxaybZ9+<S6\=ssLy^monl5Xu!偰{Kj|qizݲ#c? @gQ[oO!0M3l]s*?9*>0mGUc7H+Q$b;GG֖v1qEXVbFwƕw0"?8Crb+oʹ{l# c0Ejɟ`:E.Nhpt4$ҳO¶ن|~Q^2h\x,_W)*?L:/c.}V>]xP_BFٺ:1mbPAĥ6kR2L1ʷycSJ#_Yf.pV\0V{ ``1kKp8I~}FNG_Wy \(VVn~y^pl[ޝ}K]aqL>m`Cm9y}b,v)ὐ{CeN"O!ܕ l3tolT=8Rx l! ce[V 01m=0y_Cp7 >Fk y5%nDPI*6xegtן Ŀǩ#{ǒw%Fpj dJj(FWBlCo) ١/=]4-|sP= g+GԽ؛U9_ ?@ka^ MQ0UyA,ގL+s,-%)OBM;C<4yUt_ٰ8; 9f_ФhͰDu Qb:oM q2-) 5b-XXIGQ|IG[ߘW>S oXn0(GQ._9Uxox@&ۜȜ:@:OyK ʝ7= "PIa_{޶jHg] n37DI1G Mۗ*9fruط+w<ʅ4&g ivs}]Űۘգ:0[h (YB ^ u7$ Im&>uOxs^GkY5r2a9Y.o7=`6|ކA{ҍ0B-FP3[49VV~D6Ȉ˼1:w)"dΗG{dfAQVB,)hl4Zp(&ef>'KC]6+PΒ%q'̨z.27ze G ps)WֻEM,:E'^Ee+ AıI(/TWk/Qw@h4DPOÎp l6.o[dd|6! <'3s*Fڠc%)KnR]&`K h%;P_=`M#|#!؅U2?>=6zM[C_Vjuϋy ڐl_ɜI'ret8jz3D˳Ow|}@ciG<=lkz/}DvYwN0\@{Y}Ȣw8|a#r^M+v=Sh9vgF)3nm)EAqpq<YxΆcICPATׅ<~0Na(AY;jTU@K$ ʼ4F(TB5=W[Ia"jn;.Э]$hRNrb[gi4`sN?MaBo1bs+t퀃d;R^ˣ:l \g6lGUr"_Y- }8# EZeQ7]`XAuy=D%UӤ38 "@^Zp͉A\mhb VnB^d phl]ũ/0suaVR |}sOm)Q^ 뭱-@bm\}Ro7A|e{yH.5St3dot!(#eY]όV7{ Rn&/Hһ9¨˶:%J wx!㹨fuJLDā3:z-.HR;=$zھ 't+jwS7+Sm|/ҳpvU\)/rVe }5W'UQ&Z`}ǧHhV52=p ^ 4-FwV8ܦ}r4g~gJUk/~? %P*`j4SVzkJ &E)-z_}Ǒm^$=ॢGp|h9┿ )h7! m¯~tDo}xh[Q@2D_n406Pz}Rɴ* ~̊֡("gQ—f耏bTsv`xpi6J$]8Y<nRp1cȧ.|#YUt'}g闷t|!NBpJTvS8y|h<dbK; >W  8tB{+]=W1)ɜwm1x[V/0AyT= N߃fqЃ&?ܘNSD?x~d`>/an]jSޓ}@ntV6m$if'lW.K՘C8RCڧX5?iiBܦo Q8m.yj7˃2tYU‰=K\cިW;M '"y N {&95l 苟7A.2zyω,{:Zx^h]Ȧ%$ȓ Ske@rR'̧g)0X\wÍ,o?M>(| OѯƌE$PZ. tLJdtF@l7GnӋ iHwڏF㓵1!91!ޤkbIQ(tiJ'NxGqHMuW%&'f_ db4Fxf ׸s^X(^AGrKn)4Bȁr6;jsf=z@_U\!F2IF>cc=&;Jq';} pU:~Q;J[m T,Tgmn[Gvbԋ"cTI36%Mswjeةyɥ!\m }gխH6(5{8Cտe+,xz;g X_E+)Jj{݁ W]Wa\f@Fmn ,>`-%1 `ZQwy35SFnlLe$, ~~8:|03k6b)&s$ksKbPtqL B}OB߫ȓ5= 8'`Dߞ?<0Y0T6+ !s?]D[ )*cƯ&E;UZ'/g 0Xc])8 4H|7hco(wиܡaqAJYUvΌ.?[ҵI#ҡN n< &RK7C>q?brKA.'NV2P 7Z_k*Du\D7m5Tk뿥4|H1DHSuIK7Ԭ_2YaVe,LP=A/sMG3G{mf4$ r\R׃:WQMcgfAuBrnQ+蕏J)zdn-Yvde_>2gO?4".Koy'*I']gޘ9{*j86#}<,8AqUZ)trO784j s߼TTBmd'VЏG#k?uZuU4o fq}0!k#Q t?k\8(L_BX˰u<(=ZXI($^ZQu-23=G`iC[ +Z;ٍ\y֜UV.\NDai:)zd(-NFa .gjyMSE؟M>UuzQaVH-#g؆T+!F|`',B!T+N!juzCܬj+04uR-]a;iboU&-V1 ԠA[_5ahMAVޖDi_ +'e`v[ IA^#`ipͫ 6n?`*M5O8fڹ0i(f*ְ#M "±~.egԾҖצ-EF'ؽKx>\ M3ah öz7GIml,<D4Uh.푣D՛v'gVj`m5 (.~_Ԣѩɺ}LЗ۔䚏%-fyvT]rMi%]zq1eFϥ* !4|v*y{wa,`y7ӟ^nU> |"W%uR c&ݮگd7R@5 ]7Qdm-`#;j*g9جeeDH*QZG8&zŕcET(>R kWx#0eM2f d7%dܥvQsׯʤ?o qCv%p_(w#Vjhء^-P,FSnpPTECCWnѳ ;.Ϩܴ{&}]I!?HːFڮێ_\6k LǓU14$lNH_'PĎ4R"']h\5WۢtTyPo .,{P id|BjnSCv11Z~|]/^qWJ 5 /"PaxD5}TU8)LekK7O}qtMU:Gmd=Sr/GR,ʺgNedD>4H% :T2ǁ3}*Q!8Q)J& bє%۹V>!i8,`?)axYw(9qǤIeO#rv;iF=.bG8!WX}6^7~LapO\%2[2–q+]72ʠX%d 1Bh%xM3hrW}\{gYGr2AƳ<`{2s.÷J_NH̳c's<\?C!gABWFcOfV-Dyn01 _1L+>gŵiḏ$" E͠ °6\#:2A=g}]V$jӐ :!9|#5wHC+x˺#p+%=0i{2fVC֘ \P"#A(mSCHչqL{i/M7PqN"zH ʓ,C"Pj HݸRJ3cDWQQ w wN6O JACiG6yQ a$ɗB-%^Uy{?K>V$l_Y&tL #oEB(R8P*0ҵ F ]jq3e)u"$6TɔM*>Q~SSy{]S*LS4rL#i&05:Ͼz$9=B)Z*#^W@dEl%=?c4p—uש?o=U_'"O=RtEjIiW,Bx F X @(0(5صBcEXm=FcVx2'xKݤ p/eXND\]>j(&nTyadsZ:9G Ɋfp,kQ[fqJv$`j{ߣ:!=ޤ8uר9@nx7*7Ulb.\g=m_Icgc\Uء FRh~y&16lk6{a32FqmouiېeU@Z/F-11Dn0KS}dT#7rXlRe_$9RiMrlF0ͩhq?+çtft.u9Sse&ޯ3B!HCӐ Z;tȻWjbșo߻ LCR8dH?(u yeqp׳d+x|4޳ӵplݥ#,JK5wWTF\:◛Fd-w gRxj*,6'8҃/ qFozӚ:p-8G>ǵP T\㚭SK`oN*趶]YLOM ?oB2ԟQƺM0XZb{-iby-`5VkۖgJHҐ'RjwePbJ("U(H :*ը Tq6,O;g38ޘ>/v#Тer[`ߏ‘}i:Rp[0lIȩ>C2nױ&h-ӤKӤ% X"lo趻˭Yqu _.ݛk{3"F.cKԟY_jڤnEmy1n8ѲLPAtƌOI0T9XZ\qJ RB?[iG>fQ>̪;Z[(3;FSUG+vA~<$o^#W m5K=Y!j=&o ײ $Qd[qXs7:oqӓV{'c\b YO _>T:B0'38NM5r`>`v}w Yne^B]:jE=IE%%z_<ăF6n1 z)MQi捬$ڦ|*'msE ` 5-A3W:q"cК%iKB>[ %P0} Q)c8{mT*j7I j8#?QlK{[$@*Y3b,zCW̏+X'O-N1YK\ťF[?(&>c3&uH\3A`sbkmF_-tЯ%Fn9mӈ6>ۢq+ԂrRy.݃}m~L+zzIx}uP[c-WvZD ˓^ K牶5תżV)Z x;FA"ovY_|}7bʳm&)IwD 1&!qNϤ.W=!cy!Q,MW?] #/`Ab7ϝh:t;Lbm߫.~YHqNERZ\sF!^w S"nmJ{@$6-j}YvۖS|kh#KRKJsX'eH7H( :T U,9 0~-k#*=^OAgR{JS9mՎSצ_sV񃄒b#P 6#) (z? W*-vbZŤ[cŷnfa_2[Ⱥ8* P) IUڋ-.'ۼS>f~jD)w\}Py+QƷPa{~wؔVv`i/s= #^T0W- j[eQZ~x]:Ϊ|IyutbA^ Nw Wg߄ڈ < &t^1WP$v -թ_'l#зbeH=3z(eO2~H:G|HXR,VWMՈ0̕v,B\8~63-aAFgf&=;;F pWzi ]uA0 \Y&1_>*G18QsKÒg0#?C.Vi" '<-WpuB_~'+ ö YZ