permissions-20201225-150400.5.16.1 >  A cQp9|UpMcl7@o.bk %}Qs߯u5iz&!%nt:<`1iM M{|g@;Tc[=+IlzY%|w&xşvb,KLQR.ywEܪYn%$ߊ0rc1@ 7hQ #7"{[,  *=XMxlp8u3 !j<̈́6I=Mè#ȉƆQdS55840fb83d94fd11bedfd08cae0260da350fd7c437ebd4e19d679ab26f3e4ed5e620ce92e19a4c3cc79aa83bed4647da5b32cf8eĉcQp9|S}m4м-7sn~ǁəQCE٩T~O&5~ mMl ܒaV>4{.-{-}\aX:i"˧ìcF@yK>M2ȘƥQL{ #'c*0e\&,8ڰ9ƕ[fh%LЦ+zy|阂_eUG3ɻ6e>4^.m Os@ݹsN-Uެ>p@Bl?B\d % D-NW mP t           4 a   0 t ( 8 ?9 ?:#?>=-F=5G=L H=p I= X=Y=\= ]> ^>b?c?d@2e@7f@:l@<u@P v@twA xA yAzAB BBBXCpermissions20201225150400.5.16.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.cQls390zl387SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Yaa^`9;@큤cQkcQkcQkcQkcQkcQkcQkcQkcQk39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331817c692a2856a44b8362c9ae147b60e9ccf721f11b0defa87f54fc73c45b17559c254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b98674682d88472ea9f036494f6f08168c78423b08ad28403dc59ab26e8a830b5849517a933145414faf8627f1a237ad603f9ee09b67e3affd02c6ae983aefea8439233de0d1a940f4484a10233c28371ce072474bef90cb175109b84e85c026935eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.16.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.16.13.0.4-14.6.0-14.0-15.2-14.14.3cOcEZc pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * permissions for enlightenment helper on 32bit arches (bsc#1194047)- Update to version 20201225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zl38 1666258796 20201225-150400.5.16.120201225-150400.5.16.120201225-150400.5.16.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26482/SUSE_SLE-15-SP4_Update/cc249308f61e00752d1b1c0114b2fc64-permissions.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=01c359a4698cff95aaec5aa9daa3f5b47b575eea, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R Rx<3Acutf-8b84bfb72b86799131a3780c439661995aa831e2aa34d97cc564a192f0fc7c479?7zXZ !t/ޫU] crv(vX0R%,tsḤi+RoDղƯb7#+"CkMd2`FY90U22]ak_g2J Z);1iךSp)TvV=Xiy`Q.;iw(6p5# jڐ?h=ݤ> ~γ2:%RhEYwyMҚKeAn#dbyLoNVJ*"AǏ6 `!f@~Nps!Q!yKHl[| Oݾҋ9'0G\^&) pTFPnH8!I}# <%B"1o! 9Q/^Bf4a,UۅSL+Bl?GsCIpS~Ŭܞ׺[B5>ś1Ԛ7LbS+JR>vv_LM{T(-h{4 ɏS\+W]ЀrUdȣs=#TNѽ\IzV2z4V]PR~m79vYc`4m%wwru'Kn07I;AO~ iZ4=/Y^00U鵾1Qf `XLWFgN:FYѓ@k"7iQ# XkS)T+xv`hIZRcƷtI<ehgJScH+"vn{sGFxר p6Y';@ЅK$&Vu9PSPM$ؽdRMIA幋:q "MVbZۆǸO !:a# 4 Q-U2]qSZQh>r+ ==NWȤn?x}[a~9;]A8/T$l[}XM^31bk]/='_ȫ^i{ WBj^ι;Jz3DwyPB۟{D@[$F^eiPIPUVX3#"Xt 컒; 6s5RKbS!JiHc( #蝨h > Ez&heNDk%:5ޠّã:`OW1Tj#;΁QKw@71[ϜtyfVl֮nIzSu=}[ L`,zXŠevjmEjtѪظE>^”R2o&k] N:g[:LѬo[agdȖѰ?oHkzwZ8]o4RNyE/9n&c9y!X* CZbzm(.-L ~WqM_6C.u =P@^mT]ϭh p !5#+oR! dg.++{B,qtup9J= U~"" O̫ݞTB$gz80?=<Cr=1ԸF,ޒb0/#rᜱw@B O?AR=b.LRm5PՒNWPx-ᘽjx1D=m4 }չ:Љx#ti^hVG2b0IdHܑ>βф81.+)cEc$m\uTP= \AMɮ(-ܘ-Ózs.EQiѺxr6>i6ٿE\Z ʣ|Ð#uQU_j0Zqմ(CMX=xvGsYe⍾|OF?eϿ0.;C2*W-2ׇWP=B4PTYIK0~0ܳd]gh m&H$|dt.B҈.9@]\I~#;n}5@#Ƙnp.4k*4.["DRȆFEpq ?N8mM9DVPfuDFT)ߋj~bjX\eNs­lJ#1sDD ^;_V=W+]/ jnS L~y7TA FcgPB 5DwB? ^Uk"Ͱމm/ح*n#`xϠZ4ⰃAM)9cK[U=AnƔ\&?鷭䊏d߇;$?UYO&J!SFyډܻ)Y!/r_umU#( Bf"Mj @q䞈SLlNQһufN'tk~%e+F}%Ge:ceP]yT&uV{--;?6;R8&['osZFz}p(#K4o4jW)as .g>gWĻ\ ᅋWYtTXT^7k{|b <)鴬G̽wzqh~e~y(T=J|LE[]N֜nA돠Cݐ1CٞZEZU:@/I&'.vPY2ԬOb wk8Z(+ג, >S=uӱHH&;sIʭRć:RQ/ɮixZ☥ "eB&n;tFg[EtnvJ0^F<+;,7ӓjP?Uhgo %L+bعf|߮pٵkc[ ^ͽSX\~DDMp {8[4M){n!DJd MpOAxaO T.ػ탪:fId+<^a,(+˘3 fVK&1aPi[m%<ՒNQ ;TvRf Q>!f`K<^'b^Qp",mlV[!)_c /70973Q]A bȮmc Fȇ1+ w[t_טWܞqO}9/.mPE?d(:Νu5ŚEd_bz [+-3C^n'ൃf^#id!?\LOKbDۗu)~گ8؆И6 v%Y̓cm_n}>zS%H-6'׌ (,B#O"Cwg h<-M.3\1`SVgBۑ/~O%Q<ɤ6cV^;?)eEڒ5Hhz+1|M۴;u;1#a.nUo4*r^B,㉏_k%g~Ilu3a=pбUqfbz>*OEMwj Ax~L#1v'E.⎵1d}#3睩eg.B@YU(+Tn`|FDM;&s'{g.148HAN  * hЭ'/S/ń|<66Z( <ClZ.a‰NN*G}54y#DR;qEBy 7LKA0lRVv1]QVt߽gj2l1uNxtP'5v& lF!Y2:Y{v;3^C>qͣlDdr^*oIDjR.A!bftjYp<g`k`y,ș gcB^v CPYtgcX\WEZUW|Q:1Y'hȢqӅY8hؒ!UHxo4kb`G {\CKWQ9`u2 21_q{{Vj J l/iTgc1 jj|_ex@BiA {GN/IH B+6?K)c5)X|VT#oJ:V[~6jXÚ];T`QqzwngBK`+ ""FcNN~I[|Ф%z!2 jP0i/ZC- %ϫ>&$>-np[Q>Saiut_m?{b/j*ȳE[,2N|&roz^pJxc`c׭a uå [9>S-&.(f1\-?x XQ76MRxd$rIU7o|vI"?Qy1MYɑ}ڭВ-d@ XTd C۹S%P{ X0fF=+bSVҏo $H`A`GͰ{leJYA^Pd^E3Mta5"8| 8A#Z`融7[W#믓-Q1j8 DZþ4ʸVJsb{ BƘ뚓UtI4BteYiq.] SMScV6Yy9$6Y1d-@ Xںc3{M0{:_@#%LG sE{DtG , %hq96ӲS̠:F+.)K*fIyVenQӣA:ԝQn9kޱ(I?&[QC528i"W,DI'\c+X䧸`g)z<B3`Fk7h). .鶪S'@MWl6~.X ADCexR:rK3hf&]bGDp>Zj9/[9VKhhݠ P%:l-R 2kC T91ۼ  3U^ļdWw|7z,34ّ*>?~ˌFSr$/-,W;#/$ $]@Kd32dr꼌30a˩XzV@񊹕`3Җzqߊk V,@>:RLK q ')"- D \8mLk ui,Ms=!#-lߥ>K |iTF(-E8,+)'͏ζ-*FuMiWSzY+!S?JKmͽ$Gl(tKsZ +Fiڸ,|SxfF+ Nj=Eu bPm-xM*?BN ho3g)?$)J$gp8@1=OgaCe8*[ZCSWئM$K2:zSg, l6bXMV][CO/hp,ӂ; .Vq&a}WN ZF r߾CdqϸyjpRSoقR7=C 2Ԣ-F. g`p@以܌7؜a eXud. Yc.G/%s.Ah)uYNF@ "D;GT&]^H!\qu%r1`ts%8Ca.iEN{\H<^R /:nYa,i$Kb=l`F̨*s-H'\V/\8&CNsM:]X< zyuu=l U UA;\?] My);F3z JpCI؟ŗ!pq7vd\ߋ`WFE3L[a?ہy<=$&HN!6A|I1]Iz rQZ)#em7:f-3y\kfzy&|0z+[R:V69i;o5 :V">Bԓay_$䕁?fzX[,q N?= [tSҘ&Fi'~x l =|%z2".Q@&2@&95',r! s_f,K}7IhĜy:Н7Z(qЁSe|( tvp)ТBzdM8 4&NocšXs̄_nL\LdAALI .,CVskb 9k^ 27E + (/oxS7ͷ|j$Vհ ]=76{oބm  Y4&D ">D Z%K2k!BΔURKi=Fw[^~cn4?<^ 5c`AѠۗxӅnƏ:W%.[dO0ŗg/VcY>f@ 2fzwZΒE`ͻ?`<1@btY/3} WW0:U{zmsXLbt G  f0 =5"$U[&ŘNZωZM;/urYS2~_@=`WīkRU*e$XZ=iS1PU5s} uO0@4ۊ`M=˕ ; f9 Ԁǡہ,YIVbA6iR@SyauUg 3&r8$l}P@(͊~NQ֎w{1 Y+Tc7 vVt15MY mKJ CM8mHCRjJ Ƌ]]=j-Qܣ<'p61jdǑֳoUBٺ"${6<yrP&XG4:؆=tf[xε-O|VK Dq1}#Q7tw3,[G1IcJK&0 xz]xe]`r*1墜S=[@U@|(,3N~QγVj]6 df* l`u+Ö 'Uf'汝>#G@]Mz3^@g:QeI?{R\13 ?ˆMh] `(}ȓU@g5>0TOP [tw/ F!8a'Au)Tψd;J1 2Rqx X(M~v7 B|'ca#" IR&Pdl1 䟡6Z/E oYyBI;r(y]4tPY0LzS4C7lwtDl hYY $Z~M4;qFhfx#bB6+,B OPsTh q1 /̱9iv @6"QgYyoM0_g H# :lNޛӿ6b7]1b洁8<dY< Jmmm`O%'le2?NY_3fNk6yW|7RʣdpɅ"rb1@2Qd~&~Tp&y"q|調E:5+D`N޹M&W ;bм$C#{Tku)y(?w{lO~ P;ƌѨ6Ok-8im>lhc˖Q}13P;c9wHeg5;қ$9\lJbJ (#I>$`3t5Qc8Pf%296(Y^㆒eY2Y @9^bм)]gUGZVX@14_0pXD">렒B= Eb`aVzKNt<~;Gޒԟ K'8TL'{3ϕtB^" {'8pwz<)=jA]}97=d+VLnүcb396pvDr=(-l3Aᐥ\('S?j U!L)-\ᐮffPx^~D?_ "Aw= A 'r0T9zwyV*oG\܉o0y>$ NW5,\(8ώ+xuqC,ZH;>NpUi;ju \qRz|،+K3d`CVNzhh2Z1*18q{[>迈֛L!vBÉzޝo5[GַYH2 Z aoY{&jBB9aH#2n2(mt(5tɭ,1ht/ܹUL̽p~Nmi 6.ֽ Lfۑ1«~78dtҿJ6I):A\$fFg}[JcI jp>eEa*#ѡ/8 +8Fw_{m/L#{o׉y9˷L:o3Ss5@mYK"we8ʇ6c/IMDr Գy{b(\-(?J\1N$uřeЯFHYX攛D%aI=D+/d0J@O@s6 cÐlO%$3cfIk*%;Wtj=2'Kv¤/A V1}l^ Ga&Zx5am-؀5{9:<NhMyV'i( OMq1mO %B"F57z97ҭmE&4" JqQ'bv[ $Ěޤa6Y\ˠ=Q+?v+3KP4nl Py!MR6 FZ:;b$6j 5I6](K b'OwYHB(I;W`hh[@ c$8(ƀ#Kd{ѧkr)2~&VD,JG研B0A,J[W^!H56o?vNYe%.nQRz4ξ7W(p\XC@u4]I iG;Γ&P.SaeӰ>F(ǀ &G Op; )vt*ܦc ۫V4lVd DyצFZW&&d ;.gDx!&6H,d i!4}dz_!sI\p YpIm] Hrm9@R&m&tHa?g楛ҖpT\ Cv=h$U@=KV <}_Rٸc'v爈a2[IA! ƞTS&΍~NX6^}6(6>޴Yj^GAԷQN$,^~'V]xNXz2,(L|O&o3pMckO?k"n; Aۓevu_RU0HWM<86Ҟ}V2(H WOjڍ=YU=1[\BlR^LWootQ\BipL!>_VP$d?!v#^rm5ھg ErJ@zHA J;T􅅬 gTXrG.RBO\XߎZFBc.6Uٍ!f8^b0=gX!=Ew X XQvbUsu1U%ub?"{Y$q .‹yC:l%0?YdڹtqH3>@N;>N#4&I%巰6K)&GfȲg=km uρ9#.ub13]K}/?F=IhZ ~Cv,d\ 2M%(c{pCKF05+h .I둛3Bݩ4[q N4 qrY;ZiZեA-,{=-Z\`t:4N;P 1<=S6)E֕{ V~vlH'Jd]UGӏАVAG2n}oz𻬈` /Ȋ!C\1r6@^|\ϋn"6ځx0q7 9^lz_r(uPC| ahgg_|.꟟>O~wjCwT^ aU<)6*@ʋ VhY)w (!G0\&s@v*}t.|'lFPhz=,oה>ޖ ȼ1~)Ҕ" 3#[e$8ѻ:؋1^H'i9LGTOsѼ#2l* tO1YAx,ZV;k {j8IsIK`^/$.#JDϣAkw]b gvs}"MK[ҠhՋ@?gp 4۰Ɨ4preaYnm}w"?ZducZ!R^sc5 4˱T&]Q@%,@nR~` V5m{,+%Dö^O]^U_ҼznZR4p9`tF: XYb"O$/؊-)77R[SMXBB\d\EKfQ G\bAGT *+VDsZpp_pXcKJ?wBζJ<<45N|*-O*; Qhd=FAynToP,Ki6,{_d9R;@̫ Axۇ92¯Oye ;ӻPLQBNџ g9"dp=ƿOU}K,z1Q# Ua)p  iH0ײ[ E&b@YgwBr̶34R"O$g\]^AOw/Jj_“j+̇s?ɇpΪ~<.5>բb](\HdשUnCF%L,6 J(|/WdeK-SI&)%|<׀#Q1L;:Ck Dwh1H.~eJU{0cDS^bVC;_֊S3܁˯7$t'8*U^K-x1Bx5A08R.kouR,wLUaasN0@vKz'OFl~JtE'yNB iy ҕZ-?#F/q~ܣ0 >kMQFx3.1Q=iyKOwһ|Asl޾4ղ kH˦gr?y ysնԢ]`?h82=f,۠ ,(@v—Gǩkq dBۣƕ/N'y`P=V?qHS;FK+kIjb)κ/C,:[U^yfM1Mht"#?/JhT\l' xg\H ;Xd".cVL/[c0v v_mCo$+NYa3"¦(:x*Orz}ǻ4;FM_%E72#^%Apdʣ sRo"' H54]UT]N}Iy9L~܆.ZkK8RaR7=<ף_Jss8* al& =2}n>79CǓ_)dKcyM?ƃ|KkQ=Q4 H S ,)WOE>[2)l.~c2p?-ěsq@w!7#7&A>Dk+\jP_I+جC R?.)ѷ;{D{.SFB^MK)z*Nj7HcbqĹcg~F~m|eHG[b$9tk:{1FSlxk_!3܋/W%!fҶh,zos{J1}͒S_\x)h GrBSG 9FԄ\k&ˆ&V=A.n|T|f r{苔 Mawv ({u1~i+U6qoVr@Kuz9 ”8rgI0$uUkQ!\TN򈇖ZngYbfv_w4$]PXVVYCKAK}8z$pJ}YSBĎAs; >*3νXM#J]1CacybZLy\0ad?ZJqW5Z@Sh\*|6!"HsEkk5b:H1NXr .)jH9T&[6=BKT/0MBhLB79M@?lP&΋kF؇M#C!,+䝢 (P;l[twQocXygG]Lr54y$"ť7gcrFOΉ6* &Fq[{Ji8p5?=>Nc+aBPH L_Ė`KM$7tO3\yY2:.#C Zt8o z]/ wyq4I{(h2Kh)yw 1Hwlqw$٤2Т[h=υF)uxhcObɷ |t}1'ZS@^*h|LzEAa&Y#<kVN/UUVrr.<֯xr'i;CBPn<|u_9 9N}Afz%Ȇ0oڤǬ\E''rDOpF'hF2ullYvdT ^G^H1<gG"x[|G 1A_OP<0Os^NjAP.بA8h8椃C\YyvJ!tߊ/jN瀯-u7/Q;.zL4 *6/2KmWg c|rtiKg?E[Al=r^5[i#<̀Nj:@ւYk+~O}Z9껌,d=N]Yl}KGS$>Ml@vʷԅ(^7s8mVAlqe'fh