permissions-20201225-150400.5.11.1 >  A c!ep9|J]o4 FX9_\ͰE9T9K 7oI%LdlQ%c͚nQF"JiM26JB) j*V}^]-[r7OCSߍUDopj.$kC,i?` ɽ:P$ƛ[FLPI &+_CYH3xE:&56`vK /&C-_\}13d58f8e87e60a559c2b19b04a48d2cb33064b1d865da7c2153eb964dcf2e3b385cb7d552c998a0cbb21aa08eb28ad97f8ed9268c!ep9|~Bym粚6l_p2舁ruXMf[7 \m@,a=ڬ;1$+J-. IG=^y,LZ0?Kj68)L9ED*_.ND#2 TFg/aH/!t zu~`&LR'![H6`;#< kv͎ 0 oD{a&p-lEHa99l2>p@A`?APd % D-NW mP t           4 a   0 t ( 8 =9 =:=><$F<,G<@ Hd?&e?+f?.l?0u?D v?hw@ x@ y@z@AAA ALCpermissions20201225150400.5.11.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.c!f{s390zp35_SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Ya`9;@큤c!fyc!fyc!fyc!fyc!fyc!fzc!fyc!fyc!fy39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331810b96e4d3750fa33e3589ef0dcfd4cde672c2f89b916abe31cf5b3cd26b20f8c9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b40bc5457f8417a01891da0234cbec07f74eec25256e49a044fb455d5f0fdeb045369a236fa76e8e4c990a83c06c9a617f00b0fb5a0639ffccfdd867945e81c679e4a24af2d637eaf497982456fea41ae91c6f641978c43bc28661c2ccf41d38c35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.11.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.11.13.0.4-14.6.0-14.0-15.2-14.14.3c pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zp35 1663133307 20201225-150400.5.11.120201225-150400.5.11.120201225-150400.5.11.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25919/SUSE_SLE-15-SP4_Update/286470edf6cf17ff8ebfa5224624d8ee-permissions.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=ebda1d2c0d48379d27f064f8f47737015d5fedac, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R R@V{qGutf-84028037a32ca6f334553d086cfdb98f84262927d0fc65c0fabad7e363fe5541a?7zXZ !t/V#] crv(vX0M79\5*@S0\=$w#AT4}{'I5 K 0'rF1d8i_Nq/C ܘ?T9c!G "MBץXA6Lt.B762Qfs|G-nx+7vE F{!G+CY *!JAoJ"cԎI2jO:̛x1 (&IlN᪄yyHWLJMtDhf-×T K,C  jyJX 8hS ԩÝGUaAISaީOo"I&Z^.!oNʉdix?ZA4VQwAa[ND/ٝTn]>}G&Vc|7~ hggR] cG[PK>Y4'bҝnc$^LSQ pCC]1SW7#|-/<֖MRuTw10fn2M7nΗ OyzcNy~RcqѫyXYϗ:@[ GDWX7x cYJCLjP%CzQھxmj>+&O_@Χ7>&m6fnD͚=M&T~e-/~=~_5a*V~VTf>ăw1tH^#K}bȇ@1l9ي ܖr}xDG|ǖT R[:m1T['zf!^(̀_=s- DabLKh~j5hqp&Nb!dxaL֌Iwҭ\,4>AVɕw?f| |,ZfHOlԘМR5  1T8c.Vl 7O.M @/UMs!i^.B`ņaޖR1ǟhVs4dooTi?33:UO:(G#GIx$<{V|;v15ed"J;d]U(w*+ppЅ~vXjP!?)R{{Q7|o @=&6gxmEYm;fʘfIQ̊}MZhż,|=1%9GoN 灢Ϭt\P msx%_&>=Bkf[RaӴh:G4^^<*e C/7+A'lXj|fH/X~P"\Y-UPiӁʢ*ۙϊ,VwQwiq2FP˵%^&kUc7X.^#xB y>̆2:C/R3yY""5Y;e ac -pZuZMdy@$X:/G&8P9h1JQ2R:b"*{7#MP}C9t\̀?\Zl!wL{lg覄^瞿lB:R 4c1`u~A"<xɳBb30gpDD:Z~.ߩYԧQdVNQLah hK"\ѳ*s;\:2B IEla aX/DڥKJ7];HRp.k]Pś|qD|5?5V (V^c>:F{{\Ze|&BD?TW C>rr ^/&/5;eN7jOii{&TwZZu WsUL ܙ1)~tAy4wY-'z0 D.|}; Ћᚴef|>W.휴rZlb>wd]tC,%'M,L}(UvDJ+b݂2E <>ܺm,|vac?А$.@AN/<1+xǮ0@}NtEp%`? C$nҍmA ؇(S. ~ )ȶdi՗9yW#:y|Ip7dGIn a#mZ O2rpOdrS (y緪h([w]ŽU_Zcnc|;xQ;vlu܉5Nȹegߥ>h; , iZ,eݩEF}^~&H}ZPw?[G.ٽҕ#z# (Ue v>9!M6q.|m5SA:Dua3ͺ{U@| }ۏOfN&Rή]9t->J ҭN$s4(}e@G\#99\-r%r >8Td(T(\ ejyJZDj+-w,cxM6'I@g;.(ʤ*76c33Mޖ >"|#r_Z(8Z{1BJӥ4^L͟*r{RJ x햔t}crcJsē;A^*7cWcJy* i|IpJI UQ\bP>'Q]ɔm;* OvD!HDR*0kA{ssTf N{\TCiHNuyr0rL|@Q&/i$P&PEfm2܄צ0qЫ&s%|~!)A)5*åw%q)̣~}[89 z"VZuR1A֋7p8B k!%ʛI+lYp<~[ tӯNZ^2SB}\,9Y^r$ZC|gU"U%fkvhP6 DB3'u P*ʣZHO$e¢esħh~4YnB]Pۦno%bƘrs?IdRkGyɏ}{2ɤcJKXM5 m)쬧ySF,FEF 8?,{GhK1 WC^9wlf5-YlqtQ㰅Ku1zmeq3{#v.Pպ/e._ *&uw3Q inz2405\X^x RF S3)x&\ˁ7sϿL=gU!T (MH=I{!WSd0&k^-t>]G.w(.hkãI8aR2u)]DoֹN&2;#mƐg1`o@(e ʖKa/q0~7kNm`!tO!}qɵwݚ.ESB&PAdGe#hVLU;iG.\=OX[j@*4qM܂|lSpD[r TT󪝷T9GA 蓒>ġ ľoRgexxlnt'I=Z409^ph*@1޾≾k=I/Ɠe=P!|~ba:$|;5Q>R!EjQ{2 V}{U{m[\eޚqlbv9T2o_w+QT%`4ܠayiAp Ĺ7%5Ɂ A-q4aW /OAe-Cw٢OU&!BVai \!dN:xaV\֗٬A:,85 }'[˶ۙfNQq,!7L ؿY[t|Z'ƪ~Xc#>)ݶ˳ &}26:bQV9L'5~nȦ\N@0^-3}@69zCd!hbNon~ [>P~q=v8=R!>P;BG7f75 ?S&Ao+ޣVx 3;fvC,"_@K A<27i]D 1Y L"{bst1|Fhx¨%/!+\x,U^Jn$ =xp|e ˺D*blڌVglup{(/bY =>&^XΠ K,J>Gǐx6Ntne?YPN HmYx^XCyך b|Ff3[!DL]a܃.OV)U |=>u9yع!s˘ [i ],gDS1םiA<Ў(nJ }=? &3I^*(pkN\ c=ZAϿ #;ꌑfQlVyҳԕx]TQ8w\GUwHЩ܅܂pюLWMqKo5xm]XDʹ7&S"G:V'.|@cCԇzr *a%ū`t@r=}\^Od ~Ah'7DFX; ׄaK]K[i]2h(q>,/ԡXXsx-0~Hu"`WIb|T܍NQɐQgI"hԊt"ٙfSO_ϼ*γdC{2InMkQm 3g[_bZ&hflF.ӕ9჋PWN H_D>y)įI~/('aeU'a$% >: Ξ dB(ъͻܧ TJoE5Ҳ(uie]%j` `z;Ct *\}}K;ZZSGps=8?_0!pѴo>]2zO%l wz[u{G9]Dդiu7<4vx|/TN9GBçE✯; vx& /Fw\wM<$Q nOr _ۏZ5StNr1蒫Y y|yƛZ* و|[{=9a%¦+3*È #͐(䆽;b$ 0EËR׀ޜ М\lR,%LFZZu}j /y k !IA!z:稃>H)|m̤u;`-N2A-mGDI]'c{Y^u)dđ)W|6 dU¨Ac 噶dȺEt:K+8ytKZrI ؒVYB,') %)ZX\ZRYP"[B?@Xl^(,KBMtgFAx"J7<,U7;6%@GZE%JS[7x@o19).Yl:”[Q"Y p t8DvrV9]~l" He3 [mR YmiQ?>i]udkoE"Yzi&IP"An_G+jX*_V3plA3O=UEHUCXy!LsnHwHftK_&MՖ!FC.B B\;!OB~9d7M≉m9~ lR.,G񫫵 xf ׁ7 yAw-[:ȷ V~ I ݣ;]zB]J|ph،N"Y2x\/#15QFɂF0nVI1>_%wDӅTfC ~yUQ8zV{ĘU /h0ZQ Y8784W [Z\xY DmHenQMI]) ^Y6Kw:Dsld`VՂ7n.ǏI]G(7A/Orv;a=WuZYz}R!ؒ_?8*IW?G Xkw+ԲQߍڵr-(A6>,UcsE3PH5ҝzhy A ;R+:M I?q4X[-pr>ưU>:j) tVX~ao@Ek뙡z4,h-?{U82q00 kGp_ iÑ(DqR(f,TdpèLBJmHIt~'Å2w|Vxc8-ܙUp{a`=f[ʋ35Һs"i wDȲ''=~13e\B /ٵU͕ UyJf#j[S=WFZ$F@:դEQ>#<3LO@[,e+ܶIwT"`>'iqaUT7b0,/mR||5 ޷)o˔aXǔYp,`ƩzŢ grH^vI+ksKΉtf(jao1w.J߃Yϣ`]uI1V7^F`8gZ9Ɖge ,`ku/G .5QPq Z0ϒE xIjf\H'.l`Q@Ðq-Sa)"T;#2 s36o,pAQhSOtCq+ Guy-{9{.1@5LPĉvgPSh~oU6ʹ`R( b-=f,g -ZXd@u[X~xљI ,o AqJg-͗rk|_*2|&PE&R~Ļ&O2(YUI8VmRd2<$b. kMCArCQImęIG,hjAN.q>Ӑ#\敏:сgebmL mV@yYA""ҮWFw.u"_P kw5x>K'Ȍ;eI@.w5wθ3Y3+ c ;ɜB,@N'Ռ_By60ټIn7{)PNn7 ڔ\MVs _Bo5FF)87D_#'((um|2PgxHH4D=#ÂP:l1/j<]6kpSVgwn|j܂Zcx|QCX]t7]S拶 ؃Y|K/"贮l44 ܡkF6suԕnHUVYV3Z+8oڊ TK)7ẽ9`r-CkN@nFETuJ% ʢah|qYW#]SW0~/3\\s-R3@ ܍GoR-^I!Xo ;>T?9L#Z<<N'2Ypbc2X5֛,JdO> . a!JT?;3*eT>Gd:V֡EG;Qt Z.V(ܷ#/lwQ)33,E*1 φ,Hl-=Ń : R:Ω|>2Rz@ϩ`ĀVNDl-jrq%~{^#k"tYUI:3W\Hr :; DD{R9$H;7)OSD6cea1% iF3+=9Za!O7r™5eF=T"1spfRoZ}'K\7 <+HՃ|pS 'q"`r@lF Nd")8@=A*BI?H%gUnZ޲ǪN|Λ ȵ:UMf~%`GߺxJ7yeN8!7HQfa#4RG@Tt$p=_t-U@Y6o:ů pB[0,@zjbABfvkJ QS_)w"j5<91W\1chCUb7ud=Qҿ: uByRglIi/Ms.qr>InwS#=F,T\4 _7PyVtR`%ue1X"tܮ%mƥL 78wqEg4DW>=ksᢼYp f#/f*Yrqk {Z0F0YVƀe@;!Ѣȷ" D<wm?sg URpUMC Ӗ%9$ RhM`=Aӟg`6^e&h:e*]f9mD`Ƶ4;KɂυA]<`UрNh y8;i8"w)=gT(SEw =Y]نS2"O >F#NeYX|z9Ekq{,,ECFAspKveYo|XUeSZ'i$>ĚG婂.:prTn*LvW"ϩ~# A+Y AuxBDJ!t!|*'ưL*W2Cv?`^~A@^ J]/ 3!*fRD~wwWYC@mi$amr sL_cz DJy3~ka? 4 Kg:yhLRSB Kl86 ΰf!oq n;~緆ߛ? Uq{or*RS]Aڼb6DHB>[wVC.|䖦;$R=Tq_f0,5/;B0 Mu[:`6Q6R++GGGbG뽂/s<D!x̞]H\ҿ-4 ;&qTʅo˰IϦԁ6F%0c?=h^&{q\p:>\XO0gatˏVM0dӰcʓO|Ã6壟\u] [M@\+HҰJ:w Ȭ[Zn W / ʕ,{:7|3 eZIS5y[ GȨo[cyF^1Zu+xMi#3!LZ_|ݳ{dS/ޝփ%* 8,AAѽu.i>:OMuIUX[p,FC*zot#;:d {1GnEDG6$ohpqt;i@7',l!!1*12 !>@Lm(ms\{4ȗhoѿ?pN=eF`o˼ B$۴6x U_d$LX{ܹ1&ëU,_SHp'fAj:>E yAϩZi>h!'lr['xNK<O&2~sGuc۳m˧OmW6A*eɤD墯9pJR7՛}Q05{5.i:Y>o3.+]" B78JArZoqYyC%0$ 7RE1/x&Kq'BfLNuǁwn+HqxiN\A aDhS\K6#J-ſ@5/>Z!t+}Oœ'kvٝs1!/|ʼ/,m_7V>K)a{0m$ցdя?1f[$Q1|$b&[l >& cCtSS\eފ2jEm%\a #A$YHOJ椏LcECkdU$u)^7)Tcŵ7"t)*{ y9^`KDN f0B7az%>N3@XC8 vT7 x(h˘ddlgX!H y4wfjtu 3;wGD; +ԨA<=rallc::'sVxHg,!Ip7e@opKnbkDUnD?SuxQV {w&R|iתs`uyHEMM,1?2C ܜl0z~r*J?u!a71xXB_f/!hb`K`8c:YUUxl!  $r{1HZm e\2M2J!j}Q2YQ5~;QjRr_`=0a mzknٜǎl 5 _ ! S> 2g֪lif0PV-u3N5XDi*CzYŒr~19~vM1\*?N,,`VU`Ly)r嚊 Ivv!8>:0)[Jzok*-Ŀ*6{[ϫ0aDOU\560m(FX-dI#R0ZJ~!}=vQ)~q|NMp;y}49͢#2.P[{U `Uc睺 KYwR7&F9,tlxeFB|Qik#ዽ 8GdSwV_S?I:W~ޭP)`/S̊52 ɝ?~HgvD4K2w@qii~*.u:3 qZu{3'{s:b.NCs$:45|-]K喨HTpR>O]e w[ p~\vup,~tqMSlպ}Gz-pX+EMZP2Yܼ)\1߂|dGd @v$EvaH˲!Y(PѥA;7G:p jqnhc[|~$}Yx6Ac~,2DvQ$я?ݛ-t4O읹`].- [8~0Ӫ[?\فr#[`$EkNtȳP kK ȗC4:3F&ܗ^Njv?NsG=b=z";ދq!)q _ՔViՄE'^҇uhG>8ݷslZȉVgMp]Lo3˱찿8ĈJs?$Ճe$-|'nPq)Xa̜qnP쐋Ō&Gp~u򌡟9eO ZP/N:wVo KY8-9`8~ P!LJdmXjToQC+߬? D2r:͑4j(z; SS sZOqB1ϏN2;'6.*?Q@8.sβYd@rR8o3Ȱlו&ɏyԎsBВMBPlޤ!IBb :Q׉ј*&5<0D 4152uL;B#e]jŽk´E!`wvтS' v7*(A"fY^$xO*,'Ij ;ͽPE"Uo8̉M +% j`[ ǘOo͜Is۟CK]'j)l8N,KۦXSZYhfJf*^O=3 HJQ3wvƂOh P y?-4Vt0U!"u!agRa Pf޲AQpL,C IzbϓZ&E^f>= O#?>?㦈

'"S;8f=2n~Ŝj@$՛{i.dPQr9:D[~ ʚs;tDҖmIƄUUl>6O#{2:&^YcD0ھ6j8^B>n뺁^lx%YȂm& 0l\>pܨ袷jt6똠DyCG[_JLFV? |Xa ð'x;8H{L+A#W(LtlcbռP$ b5Ik}+1{ pes&ok&챯_8rH-/}mEWmDef2W̠,ڨ;26H{x&:RgJІ<.('b3xA{aM`ёi[Pldҭ{@w[31\^>|29P-DSx.ǁ=r{@ࡰtv~gӑȡK:fy̠]2wg= +6]wcQx18\#\/7n(`|XڻWDea[줻.QAa.C.*3$Ny/9u{5_\\nxSÏ M%s{OToL)8DB(._ ;&v?RkhQ BSYH<6XE"c8mN֦,F@H;)nmb%ܻ9pR%ɦ坝~MbWR*Wk;|E[RU-:)&t((7mURkzèNV׀vάyΧD8a,\vt i]k ~ nU_hu.prHԴ7,#!-ռ^'M׷zk@Y0?ܞ #[[IkXf&mxb$ p-|k`Siݰ=[u{ѣgzCQ CmN3bLSL*V2Xu|,לHL= EYZ:k!SL^mt:19"M__"C4IzѕAL1pMnĬ ijt՗fܬ>ߴA'e@URjov |i#xWF.4 HQk=yzXB"O|'W"i,brRmO[%,ѵ{ 6xYس hwOfRlЄLEEXY[/u1v% e=m3)+S?-aYd|¢\uf;dzWwXf(<-?$)޾,A4DG-*٢tu3VDW 2ypD2 ka5%QKÀ'6rWAvx9& 3-hHadyIH)XKXX ;] io#d[?t!* L%foz+gxdK0KB@T2G{&8Xb❅vҡp9pS=mM䶄 4qA6jv1_ljo?>WI% c|kVHs7AyG&$XqgKclI3MT2m&UW2^Vhi9,.I'ysK}k4ƧO /V+gg斵Ԟ-K9,#HN J.J{i>*6*%v:2=,K EVmᄠpcv8ri ]h\mp$3,z!"Ͽ#r-!T'OhFsU=FsM(zj8OɁ';ip~_"Z1zt :VUS|\'|ޑC] GD(CEo5nIsk\|U6hI7%1,P0 IeEwJTW+χg[y0#0C%b'eԣ-Aֱh#qb-G1+GoN|qB\zDcEԈ.-x!Ì0@B|_| ?i6k$h8vQGHCq3 9=&,D`ة(]+#ЃRYrR$~ie3|TJB3 jm&{]k:Æ|1&Vȏ<5l#խXz=| xs/Ǩ2\K0͝0Ss #!2C K 'I;b-Gr}C: NlomN!l›82-m_ pC]D96狲FVhv$(x==8ã"i PK% )3ez#-/'s"_!-+`6Fw}"m6,}ivD%BOمax~,=c`c6ou ?XH=pJ ؿܜc|_JE%f W:[L!+-DbV#|KhJ[_av!C)HwEhM܃O?gw_}<@o~,9b@So>L-ZW̎ŢGj6~Sx(qQIާay˚? V*ȃj?OSHYsr{ލ8wtsrwU r+ i͈9YW{7Y*s*ӣv9|вP/߅ͮfثr$f eWdyvpe 4'P_ӷY Ar(SéV~ zuz8_[3uOYh̏lh6Q&ꁠb='gw#SEn(6I\y2lR_LsQm1`0[h&֐r"? xdZVy;Ȅ}mzB:E;zm$&%$7&4ҽqgy9pm8we!='`5""+nm&WZZs뵩AՊc$k p9IyhuF`ZM]8FI%Ty&G@ڠ3ׁEoúz3zg!0t\yC{/v7xt,$MW?4^ѯڔ8)h#^>AGԆXmnh^qGGdA{޵NS6&Y(L7mϽ0 H&Y.M@ ƓNOdkNxKe9 K; LÉ'2= Ayeӥ;A ΣD1aBMܞ2'/р3Y}Ά;)iH-EXORmJկ[FL| NX `nrW+z9KGJGZt̂Z;ӕ;X]sdAYשFھ״z^ =Dhy<|$f=T3Gdڍz-ܚ@ֈZx~\LОXva~Q~Ȣ5H~&hv} $5 WG&+t% "VLɢ'HKƞ^ FPH\U0`,X0s0.1)c#ETK jLG0JC7=zE͌1i0>W4>us ð&J#2ݼwa~y"~)2|icƂ٤6d8 SҩhcF f1+nu?Ga|Pj R?leĶEUH)4SݚͰYtꡤü$*i{˧ie&2US|F@[ɝy)^K(Cd_'X %t͢1%=׬ԻҶ YZ