permissions-20201225-150400.5.8.1 >  A b[p9|dTjuD3?YK­h&C࿁͓~ NDI?]lK koP@۱ly9"6s ~p@@?@d $ C-NW mP t           4 a   , p ( 8 <9 <:<>;F;G; H; I; X<Y<\ d>e>f>l>u> v>w? x@ y@Dz@\@l@p@v@Cpermissions20201225150400.5.8.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.b[s390zl35WSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1YaX9;@큤b[b[b[b[b[b[b[b[b[39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331810b96e4d3750fa33e3589ef0dcfd4cde672c2f89b916abe31cf5b3cd26b20f8c9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b40bc5457f8417a01891da0234cbec07f74eec25256e49a044fb455d5f0fdeb045369a236fa76e8e4c990a83c06c9a617f00b0fb5a0639ffccfdd867945e81c67393ba55ac6806390de88e556993500465d2778fec0b9722c75a7afcd2c50176f35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.8.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.8.13.0.4-14.6.0-14.0-15.2-14.14.3bVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zl35 1657887639 20201225-150400.5.8.120201225-150400.5.8.120201225-150400.5.8.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:24972/SUSE_SLE-15-SP4_Update/627e0f8c39fb6567e02c6c02445010cb-permissions.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=bf113ffbd2f3ba6b00799443388bd507ea45752f, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R R?P~TG#utf-83ad6ab870018657112a09b23ecce7cb41e3a827dac455c049cdc282601151d79?7zXZ !t/U] crv(vX05s;=6Љ!U&H}cECrkגȞ=ݠeWAߊ@²2 l*Fh.Lۻ5FNO2;=~mpjyT ҁ%٦j*2li_0B%:4(KJ1[VLw}¶@ԕŷj[W֟4g(P^6,MqOyz2d(?Mo(XG0zN4RH^u.#D$G E*gs.•Y9Cd1}eN mn$}|6w]G>^>|JkCɳzf*~Ė2;'z^RPÜWeo+kCPh#D3 ʦ?jE;Ӂ$feǀY9aZ@B_fF@$ѺWDžbv;r i2KBi'7Rrw@⼅Rysya`83fϾ+7W#,yGBLg=ZQkd4vФ&z'ŧ8G "VO7¬廸wf~> ̏{&}nYWekxIbf?pw?P\FDON[*g%St/Kz/΋ncw/+*+R) 9>)M5KAglG !$71?{yʕ8i`4X|,P ]$g lg1sLye'Vh<W hsE#jFY."q0:Y^vm}:Vjsj2P >4 =IϘޚFR6q}enj:8G;dNr*ŋ_t0H!cC(fbkq+)_X[%+H=Deueq;46]H3g[V}&TKEׅNP2m]q! i}f)6ҒZ=8o:5%"xF=i@,p;胻`\ * nI0+'k=#)m@[ޕ5:[AtVW311&I/2 #6s؂H?%Z| }+89Gje?`?pSԴ. N~ojǹ9Oݧ?EI,_aNuo4q7)"U4jjw d`xJ6+%M¸Vj\3 U8 CFeEo1>jC ʨ?)|Ŷ6Y*^8B'={?[}v:Jr:B}ofj)ސO-49.lG8UjY>ck B2A1$РB9;.pGt܈ǥryMm( VYL~5YG]L=<ڎ!˄B۞֞맡sOjx08P匣H^3!V*pTNR5b%vbNJvȋ>#,QU*b=nKn} ꤑK`L Lq %fۋ߱cg>/Dz>m^qKє; DD2g0؏Gq䎿vD L$|L>r85mX9aױD6ЍGN g#7c`[a Zr8V.e)g>pSVJoɍ q*tar0ɾs$ Є@rTI]KvtA.44$*6hN|x{hڣojrQceCkîgEw>*Suy]o<w>+7XYeՊJR[GcpM siqE` P2OQ 2.42ĊƖ}@M&*. `u:ߺчȰjNREHpdi(J!uUc+MH0kVWIm*HaJ% lLqXCo(4T[&ZCuJĕbv$kay9`D2dq0ߑ$;q4t ffntIa;ŷw#lST&%8ɨ ՚#f .N5N(Y'<ܞ(xdsnsﱫu22(L~a};c$ "YӴsIl |K؎`ˁFUPC}TLXm(axIGi6:,^>@0@c7*BeeYgΎ/^[ayi<RD( λڞ Pf0,2*/Ϝo9 fQRrS')\Cl9v,&HqjUzyG/wvw:&d?Iy$ vp%)-ҁsTHje|h{"׎I][wǚ;̣|>_2:nj˰}G-_Tp穔ZyDͶ {D!Vohp5"󍒜!Ƕ+xS=nT;MםDòyQs@W!0 xJmp3 E)_[8ypQLeY^06Ї vJ[,>\4W~{Rw%a;I -H-(bT 6}cd"hՍNILk%60 q_dʹVbcsEYL#&W!ע`QۈB^^ӣ:ZOXա:摹4n5Iy(H.ƭ-ᒚ5xb3$IfX S\`%o90[IaTew*YYE6n\}rg"/SU]` -66.v+ekϾRuu_ffKDIz>٩/nw<]O۬4 1luZ VRv츶Zd l=+9A+GXoO-r.}>(q"s|/^/ƒv#uǥO)٘1ױZwЉ\XoEd\MT@rF8{֝N#4y%W<&Bew 6(t*e]7q^9 ? -*FC a{A96D!7De=.(pAJ+ɣwQ6Za3(xGev[)v M7wֻYK[pV.AÚш>5]?KqPr)eje>_Z|?pʻTA`,Mо̦e%!uU%Jҵ =,$~g%~ey`+4:k xLNT[S폡h=ta?כ&:~ [\}l|79*CoqQ7fލBt28 (HEZȍai,w$tI\Rg]7tA[H>-ol!p/J3Pd!$71mYxf\tXTL#UGYN#s. +]q#1r{O'RFqnJT"UwVh[/ "1vIb8NyW {:Ej3@8hv٩ɬ0rɬ̖&sVE Y6<{:oł ܘu Զ c1h\|9d_9, JI/=c9iF i_SxS̗U$ڲ{9Pp$S̉k-UbѢ!r1:8Wv xXkddU X1EZe(+d+syM't.XY?[Cfn~y3cA.`)Ge<I֊͡](2.T0guxMM}wuisdD]&<?QT,ywYK1<0ehv KXꙡ0x7eI !.kNnZZ6 BܕG݅&g2fycovQ]󻨔M(HL3LW|b_$Ds: {2}MyV+"˅xT/pLVNV=̈́.j,z:L(YY4xXwmx<>\ggOuOwk m ח՟[yV>/xa ݥ@,iN %д9 :Xm1,7pT`5cãO3LӽS|P󳦒=pޞ+dCuhS78"Ub_($I`5"_aލ~j 9%{DazlXN?. V P˙OP)45 Ӓ])?̿S/b_G(6<>K"cRp rũ>eM:HnLګm,.FZ 'j\) U B2F1Iv3J!yUa;7Ƹ̭֌C8,¡j{7@3f`V&iL] q+R@Nat8ulRis1/G+2(eJsp @͸gӟ؂tA@Xua@|:عkY B1ҧ#N DyonJ^V$)T&CAR*X8zʊ&i`H\ftv >Z=k=¬YR&٘եÞ.h\YALɸ Qoa.E^.ClY^]۱ahkn|>Ne|p,evkqCZgW@⭝"uR j]c$lvs2hmϮ:e 36Ns?ķ6_ec>6\5 qMؔc'r@F`D0^=Wĥ#Yɽ'sl!,>rm 2* WS+Jbucm%Q_Y涉.@5dTqFx(0ܦ G&R8~: 3#)e -F_DEgAM Y|Vt94EOb*bHc_J븠n4M3m_ux$ d!Se2o@J Z})4(\ "eZB˛AZN&sa)_(FEO+84Ed+}iV+z |hwl/#몺puFZ:.h*NM/TՇf\GYMs׌%֢h 59X 7clBMx5AXәۧr¤lG85A (|#ynM0ͮ{PfC+M_t.VEX<_c̰l5N%%9*#:2kerg}/Bz}5:'K(C{#5kW# CQ >Зv vSX5wslD$#j_) 0cڟ:sq&2Zq NY]GT/Cmt ?J V(`$"CvGjb6{tw6a7* RUp"(7\˹Mo!?(K0`Х3Dёv؅.dYE4D7: %(3j ,e7M L3N/2U*L5nzc8V]{ɸzx6 x=PnU Z4sg 斍H O4 L6@ Pxu}ziȿ_Z n#kizl8F[l-8=͘Љ)^-T?{7L[V S Ⱛ۽Ĕ@cEĕ탹Sʞt sJɢIItL샃H {pjCVFY, K Hg30+MGt?bv@bEYs6pMMp` 4f;"6Dz5)GYl(jVz:P=t=Urbo C܅#OPλ1E0lG"}KA_#q X^m^O”J}2k(([N7NPܚtqS%ܱ J|S)z@ ;/:/%CRu)EPg.NO D9^7Wjyr(OGv)?sGMԫo#I1D2@0Zz]MCҌ 4:W"=_{ՈHe~ cFRJ]M/)K(IFÁ}qk\(X=~ E1R/LDx_'5 yn[%7NWCb Z iQSuWBYEjOkzEQd\$娯! &cYIuCk t6wAs0cf*Oz q.n6//JK&n*kT\㊮^=Њ#S`$0A^78v8eRDv!VT7.4WL<6riÇERNOz||Hk 3{Äd-e1\7J OL<"bi;vQpI+(38{suMUtL_]5YWʆѴH3qb.GoTRJIHZ1Ԍ[k%!>:qp8r=~k%`b o"B@Ǵv:3ĘתѝSnfަD`4`xg'qaYC~N}l(%!YDg nz\6ė>`,4qjeUJR1̛i ,~iu".Υ?X3KԶk/`wn7߅׳> kJE8Dtf*Bn_iUܐg~2e-El ĖwV/;ar >r=Kx#uBvJ Ydyp䔋*t(jtr|K&YNnCLTGԃeՙK12Z q-ؕBӻYZQ?˃8|""n7IsQCh7캭io߶ۘ9U$_pwN~`KΖMa^ݷw\rW5VFCW t[ŠٛTu ,OH*]DE0?k!U 3]}Ć p R&d6UJ96y=/Nc416T L:2EHgvVtA]Q%!$8񗻱^b9& EF܆`:[㰶dIFyz[C#`$|֟!djT V*\§t NT;I̡ yĺR!?D=$z3W^x: ڬdFʧUHY~6M}c@7c a0A_yxc7R^D=ژ>F٩5jęRqEB;ðs,yV@R[vQq=ýJ]2s5m |j}P p.3dϘ-!}un~yX -ѯ䳯 u%''욹^oD:P }-O 7C/#/ hl>!'^\RA=vRW  (agDƷ Z˃p{6vۻ[ŷwo?:KG03;8ᴒXv w0kO D KIV9Ns k0,^.|*dmL0f~ H%`.?\?\99̯C| ַM IfrrBn#\nؖQ:o~5W#dH,< 8%> !^rh> -bpuO* !c>>T8T jp)Ų3v<#_#)/ەq!A;d#bP< a&1.BlLnzHvY΋SB|;>R=R\.>\x` <*њTy͉0b2?s7v/~){^='*':ѷ\vͨ;K2:|z 7Aۀ{h|w Nk1oLfZ'x_XXs}=qzMۑg*-pw<uDu'EGD#c ? yPj&7't TLf SԚLuC0N_SӝBo SS@ Ǒ\$Iߙ?$ŷuב)BY]~<5 f۞ibfё 2.^n 4rIaoF׬C:cj!ڰ`;8HeK 9?/hG|t$jM6 }u~0pW*!3 ܆2/ ml;ĂmY#Lv@yȠ/ GcV]頶AϞsib9/9&ܾHﲏRbAOзTXEH 4F/* 13^ᬀ^ %u͝ީ<֕ k1<;񩃱!W<ǃO붉5~G WnȲ xW.4&SdYGJgM *DJb5vZ˩C`gitGDʖ]QFs+h3ELZ,z/1zN~(@h H1k $t%J|=־a4@$.LLVqiH]LzBh}]oc| ? ۧTBV-6KE l-,F Yr anά̦jmg9׌,!F)xP`-Q}j4͜F'Tδ#&7#)(F$ RX)TqS˨ :[=uߎ0|pN%FNyCN FKeCꖁ&ʕMmꈱLG%6ѿbK!? p@ob%MSZV>>¼󉄿$ض耦fЭ h QB(; }C;㴽ʧy"k!=P!`E ˥(΋OA31|46ܴo;E-rv;ܭmy0]I[/7ssUa#]nR->_1M#_д Ѡ#KS~"yFPM ]-}P&e̷m+r_ug4{2Gu#Y5v,F0=L|x'(z ~:~aV>\MǷC~!n}Mm&.\CtaعKck#= m,tg伄-9J .Rjmj(Ԥj=DR|:I~sLR txr`n9DVywף׿kWDV&0žyg7|n an68eЕ'i.D0~/=پc1|#@BK"ŎĆ'"*2zU!8% W/6珺%5Z=uM`<^U7|zo>^$SY E9+}\< ,Rݴ #?s|Cguuzcza(j'-!#CBi-*y8C)Y&J"^MyTl I-A.Bqw!>)y߯I(v9͜E/Y򨌲iq?+pɧ*)MbrB81={,iӸu?Cf٫OYn?DͿ@*pHhC! 3RG2#|7iBޅ#7`2vڵ b !eGKOH<}RuWM3zwtS''žJ6 DT&O%@ hLVl<_ aGZ,%-;h5ΪbJz;RQ[ V\#יkg -EK?--gd'ڶ(('S*<;HLWJ>sf4EiՇ,0 MrlQw8)rCp9ʎŀum@ÓB- @'$p-3lJՁE0SB4:@zEn3[ il%z+~")gD%V Mh,9ь?G)E O){&EwL__?Du=% ^i_O-b6]KcwӶau t]jJQ:"gZBjFqOITp0Aȉ hQf =#j[\uc{gHԿwG#JQ , \v;1fA_s[׈6ul]%w<_\ d49a`ջ%6$7җOPE.ӂ=XCDwwF#r'yGۗ{ች*}\0JS!9@ARz#1 /̲H;%ӄ1}IxB*1R6 PF-f-wEV 2Ip\RsKterHvR"sPA08v#6PY66#w*chQUS<٧eSWie2A`xpʵ}c@ك"K:Ts &Jҿ>.WELmn:} #B>(j9{GMH^O Dި2\yW^]xP-J&g֎,D5X筫H'9jċ`^ ۞ @mZߍE/qEBz{ }zc}cfkߩ>W8DG:c =@ .1pY9o?`_oZMD07JblrJ2^wcSG/W-7=OAZVb"τi;Q\͏(^sM`|S)`t(+HK`,tGb3 ZU#l_&gdʵu?OЗjvp:aop/*RSur<5b. =f $ 'q}:ENq <;~=DPIӵ/[&%MQ -*yCgZ.8gg~M8];^ǩݞ GMyb&zQg̈|"r0+ži췻#"U1bISY+f@0 (m& f {jB vH8srhȽ/Q<2R=Spy!ll]Z*aYVɲMon[n݋ X; m{(>7z/vӧӬ!>$SG3 F&Agge-Zu22"gg =, `Ƃ컁9S,].4Z.(J ׈\۟OVgJk>Gh2P^P7Cgd(<ϻNfbRZ.ѣYјr K\ Oj4z:\FI#2BH . ɮ>8 i]';0iE׹EI"Bo("RI`~h|r3yf>IC F*gOQ|G]3џ2=c9%Oz5DvVx(h2 ~1'x8snN#;ٳLU"-o6^Zh|z+h;-.{:&fNfʇ(:7t(pћP,,J!W`?3"*%&`ICXB+A LdBė8he?O!BT=6?RC'|.OǞSi,w)BJ&MAiдj% =we4+!lx<:/#SwOX4 EzwZ򦐪("`,wqc5BP%isU!% V'P|aقK3F'k`oU5t_FdֽVC1HlyrU'?>Mú~ǫN+wCQvYTgUbU&ܜfSҕ&CU".RP~˪21tk%1RkP|-05㏼;ՂF{8 ѥ ~ΐmz ;xyd=sdQ_4IsbP&bv\$]r7LaH WCtPE~W_YQPhiَ TLWW3W8&PߚFԏ 3\tFVPg-AFy~6 S- |8[(_?țY*]q`x1V]q,Hif}~gCPz00cjUmdkZ-#ŕ6]IgwON կO"cbpED"Ƈ*vx6ɓ1)/}z JU yuͰz^EYg1$HW=_[/yY;e&]~6֊b"1LHj4$crO=P]Ef"G z Ήc.,ڜ$?lvT|=ISޫ7Iv#+^"hO :|E_M{a74lǤWߍ|O&bvVV^VlHŴ(~w  ԰m`UT˹Ί`QB=Ԫ5vehO2[V%:dkߣ ÇtTrܭ YnNJ'cLg$1wen!y2ɪsyH m\L侌nz>}+yyM^J'\3gVsPOƁPI? ر7{o<yǻg:c^0Mׁ n|o#v=@j s)2k?zS8f}^]Ƙ%P Br_4B}Z8Y>_jtx:08GˡtmL8k>y^a^\J}ubmĖh\;B4XW!~dɆ?Hlpxr-a&L] Cb>LS\y#V#6+tkyylUZ"7:ȁ"tЮ՘4ÊON5Js)Q-,9q;ALgY=Jd 1L' ]"rU{;BXբ3`K8mtiZU1*ȀWOYYw(>T\?$rP)TO(B46 eeM2-wߨC}i.f4%3̮_Bv }t9MrKHѩt`/^pB/?LV9qɼo<ڻbENƮPi sym\.v|-T鹏iA (qZxaVkS!46)/q.LJmGZ? _:Y"ԓchjGX:s`OڅOC2a ~1w)^Vόɓwu𤙹6&\eֱX6|?Ans.Yz:ϫvW{[11$3kvv^36!^>Y#!4/T-|;%)kHi%| WC4b;;v DGOb|U V(R:%]UJ˖ s6w~G+چd+ch–%BAUM^֜ owsI$mmZ8No2*ߕc=a;%F&Uu=?ր&f߹u %;\CC'3? Q "R34ST!r|nGGrv`5t{0B?#[<ŀzrMDg7a\~xAڒS|ke`gb`zNsfqK?Ao}jE2}l5WG1 hm`r<:\tZoʀ6f`Xc[浑KNyw@X[(l-d?5կp_Ӗ"CìAƐf+w~%9s  f%keu,sġb`ЛIoGn 9}.N ǑO UlXvf=3؁ eJSNQ@/elg F J)xDy[ďHmr_.=,yh1]lw'ǿ ;ԇ箏p>)QFM.yܺRb #ȴ` AN|6]vLְon*giXaJaQdcc䲱. |֯uUr;qgRr&k {t'`/6SLOA}p|ς 0xɧCP貝ඉ4٤)z~Wy*V{´SRet9dqxjISFQr8"OVMw AEQnZY(Uu1Ut( {ƪu)+Y͠^‘> ݼաqgmv)]d;¯逗P5.[Tn! ;E~rSm_ g!Kńj%Ig~'V?2,ګD** U{jRўK!gƝ&5 aX VNR:>>u1 _8'}6X yo g!ˏKɎel.y+ٞL6\wz`ЅjtE&"m$5׭A83-fHyzwz!NMܣlR_7`o=یi$-mB\׏ѻ(qCLËxFdl;Iיn~"hTO= C^lIyˇER_=':uFK%OعOQ"5 c% e b6E >ǮGq@n[ mb)yb|__B}*ӥ(~CnsPP8[FdA@`׀0=&~W/w7y ~a hrԵ׸"B{ȻJWj@:Z5Pݏ ))B*Umܟ)'-}-a#ZߚP2xQ &'ѤEkء:|iMAww|&zow;ѭ _f Hq53~(~;:{QWRA$De6+ث̻ YZ