samba-devel-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 >  A d!$p9|=OFaq#LPCCNۗn\gBbI/@WžUCq7Mgav\@|O!G-Y1‹$U~mڈ[0oI |CJ7on7=::-%&~Vg&9̀&}>|pAoKs%tj\P( ko1kiM-.P0>s%cוAôV0]Kgsy4Ky#K .r[1GZ-uhjvrY~WT6v74/6j~Yg7'v8.VtO6YW^' eڊpZ@[(("}w#ӚH>pA|?|d* 8 f/ Ee|    ! $&(+F+-$0h01(2 82 96< :G B]F^G^H`IbXc\$Yc$Zf[g\iD]kX^q bscsdt@etEftHltJut\vvpwwHxy\y{p,z| |0|4|:||Csamba-devel4.15.13+git.636.53d93c5b9d6150400.3.23.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.d! s390zp32SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390x( p=B!1N  aF$2jENTv |H)KU +d`@t2!CYW +g > v&HI!>,'I:l hb Z=1y<u .Y3T4&{66)w+3'A,;BG]AA큤A큤A큤A큤A큤A큤A큤A큤d!d!d!qd!d!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!d!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!d!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!d!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!d!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!qd!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!d!ad!ad!ad!ad!ad!ad!ad!ad!ad!ad!ad!ad!ad!ad!r57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b874593d5ed89402648536af2b2a2715b7ec95b88308f700b0811d4e501124f76f2e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b37a9fb59ad8153ae7466cba7121015d8ba2a3397624d5c86c144bad688c8009bb1b523b57a052b7faeb0db0c98b19716729c5617e60d14d2ec82d8501ab67a71e8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac198965acfb4a7a09b1bcc6ce465e1da70005bc20b1249c16fc62adfdce3f7dc4959a34f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaae3d696f724b61e1689c46ee2eba88d6eeab0639f5d11488e11115db167b2c1f9b0923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac381871ab9010d7c13e0db9ab41f3e573bb00e22f9302a195281fb2863931ff420c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203c8b22257fa2a8aa4fc644d1584d9f32a56f25102340fabcb37aa04f2ff501d67libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(s390-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3dJc@cS@ccR@cctc5cM@b@b@b@ba@banopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-devels390zp32 1679921676  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d60.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d6-150400.3.23.14.15.13+git.636.53d93c5b9d6-150400.3.23.14.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d64.15.13+git.636.53d93c5b9d6 sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27938/SUSE_SLE-15-SP4_Update/2f12d28eecd566408b18037108163da1-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP R^s8ʬutf-8e71d27f7e00c253eb75a5ab17e1be8e5f6cce53f1a7b9f9687747052876d3bd8?7zXZ !t/̘] crt:bLL r:ow:rYF^#>7ąV,B5T:Rp@~zs:;tSVbClW; ޺LݧظAš'my*<xHKnf]?QhA $bgG㿯]G hWiR|5`pw); %`d}%톶t#@o a.IφE]3hF E)o@2P@gn[*VWѓrU AOObO,a1L7ٛ?;!2O]k&-w+LݩiJ!Q,k@BW.nyR@AJ*gٸ,+՜Q`KMЬTQzc,Fg%0vDT3\8ʌߣf*:j@^4a+cTVQ YO 7 Zrq!5 ^OdmcՉi"&Y.M7ؑ|V-h$"eO%!avhLWlKfٶX&t.ugG8FbY‚R1oK }ܥo]iJ'-J>;`yLjUhm.ևa;gZx3I* {>vlV@*kodQ!;HßM5(SUMaä&mnkD/; 5WS.L/*&@?%<x$uXپBD"d4{9^Nٌ{b@ADcT5:7nԊ(tK@dXԳCwp=(>?|qJE-253m[0_GPYfW:HYEJ$)QBAQ+pR\Nbг ֨U@FO|d+lߘ ԙAuj $xtĂLgu ْ U1plzY=VQ``c7>$0zY-=3kmO/vI=Hfɻ&o C'1E D+ l`!P)6} XPR0BfW(ږRzsc&ʔ ] M\ xay,S W[sYwL,#9fdÙ}nlq,ڂU;yҁu.#C 2b7Ki1jXQ 7~HC>1hK_,>#BFY'4Ч|Rr SoAͶH*&"62=L❃DM7[YWOԧP#`h-ܭ%k7[+ag죠&lk \,: jr/# WE:δG2n74hOblm~ K%`ή Et]|x`j _~"S]<8+OvpRECm&Wf4£t &K]Cn{FH.h[kR|pPGBx!s`֗(үo'(8礷Fʄkܮ8vM*䄔*ƚ| $3a-],@ s~t[Yt 'ι>N[DRX2YK\p$c9Ƥ>g0:! Y*Nd@"ˆ2 FR'F/ޢy4/NByb\-#Ϝ0Rb^)E;E HʉYem)o6jkᯀogVdB X{J~h gHs4nizWT)u f'p-GJ#jEɀV7}[O\3ZEgDZuwW7}vçR(l=y66{CԴFVMP3%%ӟE;* JA?yvYYsJ,y>&L1.gdտuу>{YQp(ThY$ȪS?lVby kGǹ~̀bo̯pY]R%Hx4p+{%JDO)} .e(Bv<;I:یLs"}mٲWwa]%7o]ӽ@j̣o#ĥ4qPsIq$w&6%TO:7]beX l0s+C(,<ɠ}@SJ{dwV|Hb"4-HeMYxpx37!i%:\>fZ3W{ 7HL5< #  /K~ɅC [@qd^7BHm(2X Mm "@ a0ϓ].D1 C)CD1&EMn4 $P*d8]p;Ҿa >~HW[z8+ G"0swAw D-ai4mUv=w%²_v%VAyz 䅞yI_ALht{2CwJ /Sũ&<0i>@nXF~"_' Uwgg;\,1(FCAeP>d 48z`p!#YaBa}w ;]ۈҲ'$Pcۚ||LWynWT1$}@x Fޒ}*7r RvͿ>,^|hnmLptn `]ҳ&]^.h\xZZl5%\gڦUw ͝' 1c@Y=([5o8 ^ 0uu yɠ(,TsTN ujzxj.P,h*6?`n%Vbs8 qTc_1..4hJnW88hj;tk@:l-8.QM;"2`ʬ8;qKKsBMqNHir}AgF|*0bҸ!2. 4$ȻZ"ءLJ&)\ J&ﵠb߀!l4JH|v{9s{Wb GᾋO 1p_3@(S^"0N汔1QwP l bNH#XAj]^\W)c}Z<%.qL^AGZVD*)CO`mys%-υ?APV ˉNG.]=K8WܰTf]Ylw>֡8tV1ރl1"&xw8Ӷ3'C͊(WWSo^`qlЖ 5Saf2K KA3AL(u3'GyoHu z~L1mDqtBԄe|?bAt_=nģ>&\[+Xۚ ǚ{{:BLo 8UiE{Ny}=^L72 C,GD!jڨOn&`\= } +X mgwCn?/oZCVL 5Mց6z}@ѯӿ-?lڄ<@Ǒ˷*(L:_78aL[?KN?7H "L4@@1N&mqC1Js\FI 3bۃ)ޡk2!uFpFn[?qœFSI" a{h DO[op Q'cYtA_v>JڜKU!#<l0/FC00?E1Gyɡ)VСx y FO4gUyo.㪦ؿl|xڬ`P}޶(m|ģIWoW$\b@1rXw)H/߃%P̴ zJOjq(#%A@.ApHy!H{>!+ڧyQi;ф|I>=MMtG##LE٩N;Ggu5SF|rf:[p6y|+|ǏeXw;_ 8A=TVZ%fG`@2jrC}̧0 *C.jh}[Srh"j"Z򘨆L|gg|`t;KJHkVN r2)%Edb v)ښF] ,JIbҹBz. CuY.Tv N‚ngM0]uf {Y?y>{lOGHݑ\Rݨ'M#M+@[-Ƙ6qV5l?A/(H~9ܩ+KU^CU}t;N. YZaɎ& #lVРU3h{CBc)kI70cx5F3d5-ph]=džF"X UW9z;Z\ [= ^5)uowrw* k޾$ssўK$DQXg|M/(-=6a޸5d"Bhjlցd.@y+d4gm@Rq2,uƢw!gWxWF@r礅)#BCh|1aJ‹h0S-_ne/8(W#L_M*O~J\QQelᰁcbH埧#}J:oU2?-Q640tԱ-m5VXZ89 h>.Z:(9@f5mou.qϙe٧4~)vFMmvx H޾.G_&!ț xu#˘秓QH(m&zq؁r?t,t!?'Sln0pÆ(TvO6m`nԆ0}FD>n,#z0YvUAX:0]w9oHĕasI,!X. * yE ]gHYkcu=P` PX^ `hZeDk<]w_QV`hyҷWjaS| gª+?:G*@$'&vy*ȢrReQx>j|}e%ϳlO ~j8wuz\"C/bHir<w:|Jb cd$i7ߑ"}jE fi_Z7 I( S'`}^ i*rV xo;8t5YΏg(%fpGSxKJ22\0M% $3s R,4T)Ҙ m'6ZŰgǓ7)׹@gAXå G@,ա7[VMssUn<c]`U{2C5V`ق24%7+<p1:%M ==7bFUfy+d|*nST )Lk~dx.V/+QdStJbu 1i^ɤ^^c#bʀW<}(^UBLڑx(BsID LdKjt**%L}AG8۾VI-k\ YX\E?܀n\nPYCg=Ks`F| \sT+q0sE!;ĀZf#-ӶyWlBZ$Q% L{D3]ŒNKkX#Nwxc;-R*ys /hJaw#kwDzgjNFL\.k[&^N=ˤ {q>6A~t+x/t h 5n|)'>h= b9Tt%t?6!\\\n8~CtbZ&+y3 ÙĠDDCla嫩Y&g?RŸݓdދ̜~CG`JiidMzz)-r'!,{`{_ j<_Jώ-=|㑁Iϲ#rQ.A+'[屟JOe叟.!Xm)(~ܝ|YwCR7ok]AQ gCϞMrStML\d.z8%DmsBr=OfApndL\f#+A ͬ=fXc>it\:si:ЋgtmVbZbIX~ڊ̵1:آA<4е@w^Nb~y9|:7vbZ@1(U @;կ7?94n~~.zg|*Jwm; pVlf; *B6dIij\g 3ŜGYD׃[ǟޅŵ9D9ej NJg*e^GkLLeĀ{ vz5"}njۋr~D,¦6S'q硒Tbt2M6.-O^`,gk891,sog Oru}p`l!Qs[WnLћ]vmZTRi.*$}k؎a;Z'#֎,uD!ñ-/Ws+~JD\BUOKAum(7w,+!N2C}N[ r봑h9Ź T /ૠlUu}|أ4U{B0CMsQh+·J^TT`ɲἈD8^;2 |mTjw"I?KGسǜ8u~~Ƒ7e07XڜO̩ wûtB<̆*"!WҒDzQJ`+!HzwXV(1WL Jx@EWbckz{RK!Р+|k7 \ꚇU2ߧpʹ36R/(*in).y f@nޢx0B,dO^>ƒ& 0۱eHD@c3Q|ճRX+Bܩm,6){"I%^ 8)-_L e.{Yh .2,g "A*[F==Rm;ܿUOvKT&(P$r^k4PLBGln!4Oūnb|+q5ȗwM6*~K%/S&cs{SQ1Z`VJ9@nCmqyURn{zQnkJǎ}ky\S/s߷~0)p7e4r$R ~} *Z)ݲnXk91#)R' yZEfe1Pg{"?WjIS_Udgy҉CzN[\l>E2ܽā4;h{^/D"%pa ^1Xj @X|>WY}EZ˱v :el%lJYJ9c&kD0n/^K)*qׂ#V˰PEnА A)C?gofܺ &W2{JJJ#n3v.r/j9ݰ? Fk}iGq#틩cP "c"V &gaW6\>ڢ:+GѢ&gP9b$X)*udfjwk[`rm<6dXLМ` &WSS'f#i&"B J߉1aurݰaJ$HJ4YGcݛO rx[Inbe܊oDVq(jb͚kњ` {:B, ]Tl]&<ֈ~v~.gI$d3C{h!Gݛaek'U䡨E4 >8p]\%ב˕,&sXabh{ So-eL]4L&b*5$ # лqLPQ/yrŒ)ֹ.fsX?ZGMLK`MY2p215WtȺrȒ`쯚c!yj-2mlJݺ~,p= a{"0#d{LA]~-滤t :4PWgn:@WO81U.ۜ۱|ms;@>(AhqIl )\{1l tx@e]0%:3m3C 7vni 21޴,m"dDSv.^9/,28Vo{y7f yv\\iF y(~ǞD3Ϳ9< 9<21p%:pB$M/a3 [O7xy_3Xria*`4zR:=b8ꮗp be/>OR]ghITo[4D10G>蘔iU{9 D:E.FʆݍԷl@U1:O"a? X=tp[:{0Ql˥7&hP0Y=b]ՅPTk_lAm?.6^zsUͩÝS$+]rՈh|6\t]}4^I9sQDߕ*.GkKGY|dsܧoԠK|O36~u+)*P-)XX 0L+W CrH7{p~&kR IS,bІs{ ]G} -]ݨ}-(T|"1VL#n QbY({heZFX'4*8*3t#PJLP{?ZK+-d^KKʧcwkop$幵3(HoMt+טȲ)I 0F -A=(##mGxek=>rtZMV>;_Mȅ0<ئ )^lav`l@s 5&NCĐ0 4hmGJXaEjNb>VƩdRpiDDw)B< ŰH{>hZ%Cq|`N{Mj>мU$iyWMVY홊WEuSv:~B>>9]Qt}(/,._y Na+_˚%sfͼE "'.\ kh=?dawfyXAzDIh6bl&})QȘ_.Zg}˛((-DoَGc!{]i2рߨ,ZV%5yź1ԙ5Xt !B+? pD@&5ż4-ɇE^c-r,<8R]=cSTu(R< 2v{ր: wX@C^=n*5O=.9zA6E1m0xg9 ׈*zo5̱ -ׅyK\"+[Yv=_*pa:8&` *$uE?#1H[0gq!.TDP5hS_ .O)7Ԋ*L_JN.56,M/ofS)A r B ȸb?}ϰX1>?h)9(r* h>lhuC61oq>>)WH',^Iv?{v)O VJ8j8մIJ<3cr-ĉB9}\7)R]!}8\~eP!u 3ET~CnM< NĠu7#iEҩ؅eס{e EzX},/2迸0p1CHs2;灱U}"i jM& BE=[1'˟BǢN׵ =gޥ*0:!V(ELLLX%ۮtsױGEM"-Qi-:I_ ^3B^͍Mk V+#aTd)\Ҵ@tBD$㼰R6O`'IjO\xlm}tPѨKBW f8 )׽ibr=kBQt: o*p`e±sTv_aF2P?}qv(ݙm1\bIs^qNBEDʞ9ˣ zyL=c]_j~x(TVϘ|{ƒR s WA}Ɣ,{l/QO Bbv1W Tsҁ[NqN˘ԫh=Sf(dhs7٭tiI;: iXTˀT]|H2CgWbQBDjv-ƛNHuLo,D>,Z@]rB\Ӣ'mrRҘP"rZh757>6>bو3̙~5AK3 %.SpD\ j d5UrbM3<D,b,y=*lym^9.e;_5+waXX\_\7/vLX%sFc<4GCssJI{/סY9LM:$ɉHILBM {Z\EvIouC*(SwAQo$[pW~}V Dބ>!Xqw* I+IaɲW1Z!90etE;9?9s8Jڔ0ퟂ?Jkx1RVo _,Y4p zt9={ҦTԡf*$I=/6nXdQ@$GZ^NiX;˓68-;{H3^L=7 !xN*?5%aG+:t8FF> L] T6|17Yߴ!/]ɐzC&3o:S51 ёzeDJIjζlX82XR#*f d^gOVWLRXEs l`OMZ^}ld.5Kc`&<6h_~>? sd-d9nlGK5HaD.WVX U[Aw@3lZ@bm@soR(0$zTرex˶Jj0tٳȻ r[*]i(e&l.#+ƫit\kYm6޹1Bj|w`zס$Wbء8ҵE,.Yϊ᱙I=%؟F3I0 U4&1Q ᢆ#žٙf7%aH6307^&stc 8P"~-_˝z|K'59yf%"2,yi`e<1,=OsIzFw$LWS݅09`"OPL qxF9(DQ"4$XP1T:-X?l- Y8L Z8A/Ii $QGn S 9ȯw7Z{K2'w&=z_\ #\a?dVRlϬ#E+n}RiV%a\D $Yzߒo85sV~xHPdj"vbrJAoD\/%b?~?zmꘀ#9QM0̌=D.ܠi~'_}Ȼ ;nڧe0LLTɢ} VaT<+v2T2;+5Ƭ6<*ݕm6)me\d2Owh/Ox҃K[o½OW*6둖"F{3SI1"0x;WkNˌdNHEتP+sZb; 3 z-\W|fȲ@m&e)£" `i8y&{T%%/1ek01Ӫ0ky_(Gx.vh8FiJ£og1ՑW"EF{0}(gƖѭD|43mJ$?Cj~MSUn̋XݎqxS:=n)ڶ ap_U#(wx)B睚7pc|2mMw+߇tPEh A<4Y4)qoMMgk" êUӇ;x@~Q ,АB}ĘDϬ)ً y]85Q?xQ!`#X*r'x[;NsLq47ޛ]NT K?>;#ކ `&A4um'̽f ' plT#^^XYʬ&@ZV u>]@oAet/8 "ЧM`ki/Ά9fyyF݇< {ܢxk\ڥM~G+=Gt!{ɞUj-8]JH*p$HcGpOʀ ƀڤ./fV9ޖ#up'{l _jCWUQ tQE-*kc%70$<V񁶪[!ߣw$rAb]i+4z"wj,Rgu}eZ ҧ*I, 3)Tƥ8Ɉ Xʹݙԍ0XYuB0y.\3zV\*$g$g{pIEHLf+8#ExC17;N|W klhrۮ@:dL}ORĖXNJLf2m?6{F e5q8bw+1lA*mౣDRk6}#E{Boe0${j eJO+kzU2J_#ž/˨Fo†@`[SP}|kV6h;4u%&Y<)젶F3T/y,J600-Rcd~ӟ$ 4+yOYv(Hۜ)@n[KՂ7uCے)e&=K dއrsyۧROB!1)E_ќ :`` ~%#'[PW# *Ej?zUua5G2S~~r&.'_kF&X`FuҮJͱyG ~!#2XY1=!x{36 .+agJ+B_zGڼyY#3Ty M{vzH_E_T&e: E 6O꽳orJ<لfn<-*P 7ec2`v~v$7!djͳZA[gEӈxiy4_LTڗ*i?WěG @&\1L6S"?;4 [ 1[Vթw޲݅<߮ <'fq³ CtCMbP(q}@X:ͼra,$Nbo%L 'ٽyG~DCMWL^w<ᠱ5r֝|J2x Kpթ7v&bs-lP #g~ u JZNu+$ȍ$zQ7]uHyQS!B:8yŅ i\d,%wl # f dS%:G2fj ${=jqw (F(F\XQ萛x>Fdb7l1kR-lVY 3Z"+Yƕ)E o8Q`EyWJ lug'C _^ Xɖ<yJp0+lyi~sGRBʃBVɡmV3?cp_vwxRGS9:nGyF7 k<36ـ3,H=xf8 !1/NC r0Wu9~ .trxF(^./) \xĮY'%ĭѲ@ ʶ1qCKYYRl7)tVdTM|S,.!˷v{ z;&ϣ+vU$]{kl]FӒnfFZ)3 $13'${w|6;g7Fw< J2 H)UroR 'R EWu?KŚ*1ȄPHE!F1IZ~ɫ>@g}[G\1ẅ́ո ,xSozh @ytYsR(d|=+/mϕ3i+x&\*p,%IYUu&U7àDiC7%:B_L}qfIۀu!uCԏ fצs$_ vy9h++1aD~q*ZfA s>aE:ϨG⛋0j5C^XHA%k~}zsC@o8DD)za`8\GvN5}j3  T~.2͕C/|Xn'K%f)AMHպ ԫ"_/l8&p 9~C] B(sqG5_&р+.@o-]͊Q7O P|Q? hJK玈N1w /ڡ)p}MÐ^oOaqZҽ@ڣ<٬)[pd6k"hyf]v8eȴ9'T4ax]!._A~}3zz& m)?B.p[_ՄTd@ [=~Su#4Y9 >|.I %lGXj}[ŸQΨ= o)md+o^|L #Ўͭ?co=,d˘m}tkn"EȰ*NC}Gg ˽Jf/xҫW%pȃ+mK+H/Zc?Ij/qOibHݙ!I-XdXa-3p`l=:fᑌ3R -ɂ8pgBVdo垀Iǩ!Eu1HDG;~.Y.1?J%`vv䯔Ix,SM۽ٻ|xapgNV7 Ti j98]S\vMU+ܝxI20Xsbز$+ȻE趲qx:} |`l^2JUgd38dX3j'qUc4O`\g~ꠤ<`EraתKЉ.\ zӦ/zw <s" fə[/ky .(?YQ:2k`w{ǣS<%IЎE{ %4@v{~H{QX6j+Q{۩NT+bc6 xL.yQB]rNe L?gN5{m] +l.j]!Ma\JT1 ,S Kc?l~κCmɍaª߅gjEbQpO:^QJ A l[YGNR[=/q "TAk?yZ0]U1|S*Fn@Pk]F~BV`wH>}Mo ,ry@ BHj[ yzp-Vft*!(bs-g!B'q ' xY8b9haBH۫_Kl@/i8 ?r$ssR?KTi\`kGJSI9\71*өbYP)>.T莤[/"q*|Wz\Rb4 / rܔB;_HxMGdYCکc!eg>nD^4 >,9 :`̝x%Y˭0ZÅan w  ^&eÛ܌G2y䊮8*c^}~7uDT=c2Cwt!nņ`Y _rdI#mҫ4;=ͨ=X3ʹ$5bC=g?7zwزUPN_*x!JC ϝ1~}K&0w9}^tLmd'YEIv|^Cm<{@0#AI㛊-yQ,)r_ Y:TrAX:~M:Dҭq&O9a-M5{ɠ3GmW2^i{)EL?(a+th ^mʱٗ4,CPBW:?qZ_{XgWiiP0N}xKWynwWex&uEpTe}nhD^`B- 8V>x5BmǏn.噩0P^IwxIGIKbz_))Sq3rZU(aGJ&c'#"$oS%4"ZVݩ6Q[WE9O]s-"lv5=t=?l~{nʃA#;ESZE_ݒY d\ 3~fnL7Vh}e~#rA=]$Ψ;-xaS%M4$^]qBކg#Ǭ> 4" 8E^@-372+LmˍvLC>XVkoԟHxx8," &yspJߌ8'~7+/f|YD ! 8YӬn~ڬR{$;=~kUKZ-0m'2+:ԣB8/H"LK^??2{m2DջNvd07 "ݱ 0͝z7z4Y%N>iOuIt3i1HtzbW!ֳIzDP{{oW4猊ֵJnoHЎ{wJ:?LyV#l: nvu}\_ h~u}o ΗQE\D=))Ƅ_LU*l>>LxBFrs5%'nK9p3neykʜGCDe.ب׳'^ѧOz!%XCJQ1@l`=X X'Vzf:\H@)3}|oW2%)Åih{ˏkbclQZ,ʋm">/r&MHchL-[#8.|嬇ܣ4l<F\wsЭOP[?p -j*ŀ℻_YؕSE9}07⁀WllKAZ,g5$6;\UܲII|%I<fJze\s|6e8ń {ƻ`bG$˘i}t(g-wgZ.iI.n#^!G\'@gDP;k u!./qow.Ǚ%"w.:&&}:>O\B:l(u[zr_ep [G,i>"_leJXqEDž..3ߢٝep;ُ2rdlFQG3*sē A W\Ni_~F H+bG$?i7v|=#'Tq!bE۟\a=ϜC¦ЧyIl,VTG8Lͬ)\($CvJʗgUEN=t=06qrQ;Tp <Ծ4UmlTagIoS9"?]:*hISvnMlզgjVewcJscY?D2x[67 p:%-*ng0sXG]>IQuf'$Z77XD~9|E zDӶ߅ga kHELIT\OE ٣~Bw{LQ#قЇ`Hjaafa=F #EC;^i$6P/me0.F4yf+Cq (:<g QGqbB"Hh2a4;Tys'@ޙqfDHds.ԉ.k˟ͱ̝e .O+XuŨ!w„Tyf% 1‹JSFoK2W+xW3`bv ris-XBKP#h8[*~6Z- "||yHO狨~'HYYxM[sVӹflx[$-sB]b|=)Jv $tT &w> O{MM&D+9 HKo(նjg"jBF[_EQ_n"=V /q)RV};އ6$G ``X25ґ>FLkۉs;Bp1ԋvDub&ML(H\QeAV&q CָMN1G`x0@ |bDΦ89}ek)RxChR5Ԉ5pb0&-Ža06؏ G۰(La݌;\%ۡWRYO Ѐ,nQ%vç7 >vW6UwQo?š6<&GPw *G87eZeut;[vő*5T6c_@L&]ɼ-ˡ5.jCf< .ϹTRTp",IprTL34b\"ɺӮQs>q(}!cDj)yYnĄ~10Խ"XDojː xXC/9jѴ\haX/-C*,nssTg@g&+G& 2u"n6FwyP:|B`bP?14PM}Ecn@«G_`tĉv}a5]G6hPr~)l% egEP(ڱƏ hsH4,&O[MdPC@27^4| +9'e^l+i +m#5x~oZ^al6FW% 77+*ӆL͔9]6i_34)kԎv:ه:`X"i5SNyn'ti0[rAz.g$ \~hӐd/h`q;$7JhR"\Νg6qUӔ >v cœm2 +fހޥ)Xl_0s"wcץ)ȿn 66Zc}qZ](T)ؖߔh#"(ˠ` ]\#ľtB,9u~ bDH1ng]1)2jPWqp0/NWQ7n'&E"kwv𴸋Q5 wW*Y ,milgYt~cM)9Slە× 'oKomcKYD xXp¬'E<5 Ij24$iz *p塰y=qJra"u? c Ġ6 U[$qŎk#mIP>ҹXi7 CU$'MyW/EwvD:?lCIx!K )kg+ hPDpxLnlu % >]_." JqXP|avAMǰ c)E[Zy 7"v&7sUQDrk7Ak}9 VdkW(kڬ3&?9UNaLpܷR#5^i&XQ牥i<v$<.(mVvBt,.5KA}Q=E.V_ܵFG%ڙ,Ӯ)NbxڨH? 1 gW^C*dP]]8*SPV_R}Ơ#B=01C3r>d>yPH:T"YnڧmaNEJ܋}7&r0kEAM?Mܓ1.puMX YgPSrb!"=G2ifhDJK#!#g!w묾QL =$Q6H'B2|==P8l9%cI{y1d0QgnBtf4%]'sug 0H?翎ꊢeQC:d2eJJ:v㩥9ƲtӔR鞉b(F SڅI eXV7MUs3kV/R|rCO %'-K!0uD.(i:>6.luh|ـCE.wIt%{鋜.d7Z ϗK(R IB+M95oYzxR]08PeF@5B0/SQ_f(Ŋ*V xB pFͅ-$_  ZOCYJ@fjmGGi7 :r`g,8'/[PX7Lyo5О$ڲ{T]#;0Ģgwlb[_ 3 1?mܔ'_~AŃ(e&'EOMe ^QۣjH8rˌaD\a@psz- ë.C&-]5{wvW`b#g?9 Gi%l]g0</&˜6P-}FJwtΤz$WTo(ltbbwϬUB #9T##z+/[ӷf. }nKNe(bT:C?~lJ0Ձ YN =>\¼6RpiuYמ< %@R=Ug6)I2}Gcal/ЋXnG6rOgHN>'!\sYYW[eDN1Ok5sJ^ޠl]'34pQ4$ :MiBn00k޺q>Az뼟%tR<`|leۧ嘝Ӣs͒7SҩnN2B|֝)Q2y6CN.f0/lT̡Sڌ~4o#S}Y5wBBy+ ^7W FC;J?;>(c8%3WZܳ#%Ӕg78<ˈo2չa5M,4`UrRdqTuIaR?X9F1cσu$fh?jp5I ye#+).135:az>ӯ\!/C< r5Al셌t0eW4t0uRbl4Vn#}dP~ .  r ;A B4n݋n67 `J-! \Ȓ)ADrM'52 J6>kt67*|FfhBsTqlMM6vw! ev4 ԉ^fʫc}5~JGto6ϫ5XK >KŖI \!mC؇P=cڤM;f"? #oRRrFaNWo'diľ¶+?$?*<յ[sf ~6~agP1:F .FЙbXZxh,a1hϹW;El4yƓ1N}(pFtr\ȣ[oWyBV&b nI޳!މE~56Ǻ<$F WZ_RQA# Y3}ڌ} >9~kZ!DY[Ww@總_=L_R t Cc9U#mL<"h5į|Y{ZKO1X7 Ⱥ)̣O )%߆VH6a.rݹFބרtLi]Nн0F]Ya59KPݴshuv-BWwjL|n;F4s몔j9j@\wN6b>qϘX"ghӛAPG)EǰŤEϬ~ `CɲPl:@-=C9!NW6f@|uv4^⨮=4K$ 4Q'ۢsV1vDN]oXDԹK1 yNpO>(hS/^0OBD f1#44KH߿t\wa5l*)pQ(VYvZi"1`K{¯0H&(dR 'C,\*z03)32a mLu5+/݇"-קA%݋*`;6"ɷx 4ܼqS[6.cMk8݂mrVpq5gU_ď\`)ctJ<䄶A&Zl2JA~gBFl,=W"KaWz,es޿" A-{q*3,U~|\ʵWas,PLʬ<^d:D צ UJ֩#iN-?]YV+*_\uN|D\@[eXs:bCY ǍmI< *Oc;ZX(Y:E}Ǖ5٨wC,':ݣv,>2P賠3򇔢jsVrSZ,-(~=Խ:W@: N$%*V ϊRg/UP48D7`??U&V !E^+CS\8̸&,݁S.[5ݤq͟ Vd޹9cOkzO>k= %nP^Y<"|ʔ[K[ Ū C nN| jwYz S tC!v\q}WGn-НAcleDVLJO6_bG؋䢢g\YJr6r]|,`"fMSch+Aad0%T,S*Q TԘۈ\Ӫ*<){D{54xSߓlüYWnӎ,nCU fiiMlB1Tg $*?|k^4l1uikH,!iե[+iU%_#3V^p1x=yrZup@xf $o9k&+xf6j1i>Y~h+bs>{j,=}B/kJ̈́kMj!2XAjT3_V&>^cc>p"?DOi@S4}L}A#eOK>}AmH5ߗYLa SBa~7p: |S+cm]RsNdcK3nMB&kAdopm/ΰڣ&)!%"k.cGC]Єy @0\⠖a$|70XOËՁoLlԃ `rPm27'iJdO3}")01a!9mRQ u|] rx#mR%U0 }ڴK,uP-GOh5R9:clk.K۽& ak PDEg!,%#k:YЉBeOC:L[ §(&%.ni]/vb.T]Ufx\@gKR^߇r?nw5Age_-mf6P[-@!tG+=4=F"qyA-}vq+~VIn`Z Z I7i6 /})Wt=*`,ũ,/oC Ӿ5^b鳞M?Xj:{lc } #FEbû9qwcL'07i@CrFKZцgSׄw>Bb^)χBa_Z8B1B .]1,czuhA1?U&+j&zz, ,1#К9dX~>"kasDqġZ, o3*( TXoGYo EAqft?ڷ1ݫf# @:Yhw [?Oˠnz h3oR y?G~`&)/]_pi 7Z!h`(N*aGG.adNϻjMCNe:k-G`1 0e[LNd brm?C'lc%kXwJpUF*O"Zo0'ڦӦ\quqMڛd=%IG!C|D#Au fo=oCۮ "ÉN.mz{TzO]Em5WL{%}Qb;x ˤ:vi7&{ugQ:s,`ݤdbqX3L "4t- /軀hC5 6sp5c0D~W J2H C -C(-pMl1{<5!Dq5B{-qy~Sx*MlfW7{tU9q"K`;">JZal2aF%폆#2&+_c->'TH3wY-@d>ʆmtYciD+=vi'b&))K "e|o_Fs:\lH`m?Icy\"z;+_`pЗ{tӁ[ gvcb`EHiǶ1zL D`Q䩃0fVtfKl! V] h1.I"zMn=ܳD kf&~ rD} hYn f&T*'PlDLe$l33Ȗr=Zzp<Q1Տ[)`(`C \ʶZCg/A{.^Mv(fOo b+ht@ ]'q"B1yV/8w*r0+!òp\rt[l,p:[4(nܝ7+²ͣ.P-ujOňE+WlX;A_s7B;+lByM OQ;Ψ2 D=aڌGTcyAM|0_T'29s%I;ݬÆxS;V^Nqbzn])s.8pKf6}]F=\A3 G4i*i|%zQld S{Â"7v KcUl>S_MIenY~ݮ֞o/MS{#0;(l<ɀ| 1ia3p{gOaA5Jʋ#/jZY"EŸ_l BMiS;$>toV?%@Ga $%픓}Qs |,1II PP?`ǖr9v+F9s:#%>GVXIAV1/)r۪wo0ܛqۖtڜ੶qAJU4~`oY:;]֍()ma^}*8+-,#uɎ 6?9 ( 8I:`71,Wr>S ,m>'N+ Hv( Tx}L,7IXĪFIGfOShaFr:ұӛ; Ӄ[߸WA*?0I 4>,\^u~Hǭ_!Fҙ dYV2}sLͲ"91$K_)\1AL۾%4!wRvNŃTkC,DTz=m5^ hVh"#k nNwڭ-טJ9# uY PԸ e3BPժh/{Xc{M<~HTu9ϛ/I*4,݀UtzyI_+gWߩ[{3/Δ,i zXl"w9-Ϙ4ZPNN]⫌}PC%ֲ6Z9VdÊ{/e l9+) 5Q"$ߎ]ɵɵ P ތ6,mZ@ {IiJTw*2HǸu/?\[dgo.Ӣ(E]Z[Kͺ:"ZՓl(_90<~qb|&+yvQlfդj}¦h+K,^2KFǡEoKjV1~4^Хq>nf(uPP.0eC$i#6*a}N/mi_{CgV /Q:Xɖ'-r;`i,qS~*f*J_ L`Z ZxcX@ ]H:j13\1r=6 >mX Y -dn+l )ltR2o`L$-_2>@ wM~]泴^= ^DAF1VxޜW&{ lO<H_`W} )Ig j7b*5 |k-=DyRO؅^lbRNbW| xH' k@GPWfG]/;~Wc??>e|ܭGb"ǐ J֧ ZAMqϙ+Lw{pθ(J:@~) owPS6RAp.>7(4,O [G$sF$| ﮛ"UMW]&adc D_hsvWJ`!+ѤFYlD"DpD5G]2e#0}۰n#AQqNbu_j,".[OTj56 [̇L(R|$y=u͔L~S0okfr>c 㦁jn/&PC3E8)-h(421&~[pBy'YG̀ʷe=R׎-?nN׍ջ'5e;[iD岣YMJ-K' K3&G!*h!ٚkD' mx73/“$rR0iЇ,kToFvL7$6Y՘+4A;Bir*I{w{YpsC_ ϋi}5:T*7M|6| F=趿wr>ZJI.BIν [,ʶ(K8Ȳ2ȶZ649x'Zi:,zl51(l|$6Z8)"G*m4o0w 0%U:qYO`~Mad"Ё7t%:ډAP'ZٚqLE\pF ~f)K9h:lq"%TjV~6ɻDQ\fs%0TF^҂[=m Na}T(Q*Ϝ$ī..OT +;SVҡ,UDP$^YtM dBaW^z. "C!i@.HWm ܠ~v<=]\@߶.;1!Lt$N1O Pm xP>1| ]-53˾s))1f}Q *V"z9|7E 2}3?n,ǁzL@QY`Vkfx|G6lzzeaz 1o—oHƦDH; NXd)W9]ݴHhi6Vm̕yE)#DwÙ8DQbWh:2XP`xRC$f\r!YA{LbL (ktGI8^Q> ࿠qgj>؊gv෱Ɔ/= HCze"A pXu~x|1BB!|Jv%8+alHOZSKrn)^$Ld748b(sz1g9DjJ SCazi@;gh0AѦΎC _+V8UҌweFFc[@Ad 2+DIV}LXҚ.-H7 Ե6QMӵH2~)dz+Fǰ IKD9U!6LX"b%qZ"k={Ksxcgd58LK@0y1 X^~P~*\poFkT+iaw|FE%^Mpݩ'b&A8OU~"Esvߑ:-+`YbGӈR˞HZ_żrud_pέ)`ciJ)ܫ\y7 1a~E$|h)q%nW~79Dlw*, #94ʚtq/p;p+7P RMFd#7dp8ւY4zq*zLI-wܰ4\8îO#~ !5M\w~pM\+1>ߒЕ!AeŠօ\0G(!xa1tNRpse%;\VI{Е=bF=\{xH5|I[=]Yt;̪T4 -`RJ |2d( p9hSsn`3.cр%4\/-i,87Cʰ0TյıVfeVcSBWK㎈@πFIhb9m)VN$lS1 o,$nmvTS#8R>k MlA FZn$NȺ5Z2AEXQ@Omg |_˙}KuU홟bLny'f(p?JZrEn=wR4jGid%4D2|4;F|CP~k{{*םS }0>ፈtѾڼlj޴qk3^ P<ڀїM43dwÀDr]Vׂ""]A͑ɖw@n1II/s.:)fqVN='Z$j|&÷bIM?+$Z֔vtIlRԋײAJCz8(b˺CFN8Si72EUqFErxm m134IOONu@ -jv.0]mf~\*D5"&'=]A n]nyQ%3 m4ݗyCˡ~'"×ԤPfCyz7v76{!Ph($I|뉊C S@ scF Lhb\(!`53:1:;}W5(r˪_fG̑?uo7G&X9;؄@x̬2OT tsZ],hy6Petk hZ9xv1cr+UHeߟBVWMuynl>Lvh-g Es1hOo*dK*HѫCuc ޷m;9ԢzFE *X1AW:Hot{Fe$ޓ>vfӸa,̏K&І|![NaCSa(~4z~+ lONivEm)GW܍ɐR^0Lq"\EDŽوvFc, IR#4^3[i$#Ph{ǃc%,%ai/|EAcG=Ww$֬w Ojxh/aNk){'`C_վ?寐?X#MC4ϵ5Rq P K2 A==e0ᠱK6@tϹD.m\'j0́,>wgSOz+J.n!APK `i=K-WlԃuSͿrRRyPsS2 s1E}J w4d6nC(H3bCAp&8d 0LxX߷+On<o }T]y}zQ.݀qk Gzr3s;V*"J%41ÙQT4r)~ƞ~ U8l|&ORY.svAa6ZN&3O8ȅ6ٝd"DoM:m7ˇgҁ(Z,suoP4=;#>V!gNdCUjz5LY3KK̐T\)yAl# z>4N*vHgnRR`"߀^?&1( Z.sMQhAD*SorK_0Z"mRǭ`{?`CO %*FA@JGqWCwl2kde7Po#} [?buSNz#r4*(!?J xQxxq-ELtƕ}~#mmzU.L@>^yM)7K 'BEĴC' ?c{ia%V)H$WN}pDKw`?5yu9%@T7 $gfFs`b 0B%-t}Wqv %"5Qs~34eYtØ`a Iy)`ԱҰNƃSC yJĉdZ-JAs ;ܮáSx %QpN+1^ę o{8;&YLP/YPoZ8^IUZ3 ^@9 +Xꜞ?x@.*3b!4|FT#`f~U!qf$5( D&\] .3K;L{>,5o7zd8Y\0tdKގû^xtgKV 6F=4%f@@I"7)ʔ ?@9:T4 Н wD/ٍr]Dر!>U &H(d3P.c[(@,nDN m![hEe_}E}O2;p^Bn{mˑ .+:6#L~FI uqV]QS :ÔJOc#noZSV=iB'PI(оw$M;Eq _K6#U/Ryct)2}}kLWcK#~$9wA^kOE3oKRA7\~!W9ۍU>4j92ܵNз:gsdsگGj3Bs~_c}A&03LZY@_;un0 4!{d2ݑ/T:Ar똲Ƚc\ $uz;T~C~ (2T6oˉAG\nX Y{\{=m=L*Ȧfp+qm~H0dT8ּWϋZ& 8iG[#ZgVF=|@So% E?Aa[[7_A,А]] 7Rt,=tO0.GR#|7FZAy džL]]L=7"|jHe3fP5U8=r-yyȁʽ QVW2M 唸WxXuO(;O rF haK˸!y4`YUOȽ-.j+#;ҊP GC}Mzg Ll{;N.oʕ6B&+U꽯#Y W4{l5*xzY1&.B^poٹt0.>rpWefg< S8Fjx>[ƈ0ydTacYF9?D8k5G<#tWȀզXZ\&bYS T 7nJב`B[c/PۧS&Eڤ7-"wd~oE8iЛQ"θWP*D]'|~*w3-ȑ^RL.a[(YWK&b]5$?p+N|1jʺ͑|*Bi/⅕t0M} $OSLBΆp ~ 젥\ w~cc0>;IbЪ?>o[ ]ÿ#}Iq0n_2٭${j/9uy=w,.oZMaW򹙚U470U7̎|*I|K!]`Y -o<##/s vv.Mz(tF9\tdM鵶|SpRH&6{ RͤX4,`Y &e|o̗V> Vsp%Hݜ:ːsMlRJS`'ЋȈ_SkSw"Ҍe|KRқ0(p7f>|n^.K]kV*_W'"‡m -c|RE']GE5h nPȰCgM[|pHyI|N6蒾Txdd^OZ$ἱ"8a $bg *83*JLj]J$k+/s U-z9AW^ΏCYe<)!0C܄C9^v ;T}eҏeڊ^u.K=]l~3b°eO@-@k(UcyQIJ%C0R4UvڢB``h,%zFO}Gq-C'̕\A9 {*h TM|%ݡJwb D#}X1L6mj@{'zP?CHČ(`5!ܼ&WIxPŷ];1d``b4Z>tIO*v:ߗ[A1 ȻeH G3]3kDHiEpm+kрNpo"{B%mn$ci;UP 9I5NŘ/?m(oG"9/~eG_/E+s!ţPk+QV\q6Xcƅ-o8'@M7,CWEiR.[A'@NgF/l6dSniA/?M7BxBܶ/H_ ~HvTH~|sE֍Rҩw ).R% \Ma`oua$se6t;شŐxӁdHV^iKőpOv fbju,Vtb=Y.QOھLA ;X Xw9M#IpB;1 ]P ^=Hy@s=sYCq`0U0o=h:CD,7`KV!8[E:"'gzw>ZVd}-*GcpChۅ]7 /]+S zo#283&D8<4$]ƣvnN%b̙?=wȼqm>|U](h/xbگUiy|UL=YTiDoE͌Y!a>Kb4ft31GJLg6!F $΄ILbI Q`HT&N { W )HLc0O'p1_{CC']T]ȏ#2hB10c!!4VR+*Xp  0I70gB*za=J~8DwQjhSE&{@4\l|)Wf݆\4D7 h=A⼺e'E߻jouGp ӗ G2pn[u>+i 8f!r]8sLˉ m-{ѩ}h#UsCd.!Cѿ( 'F& _F_*~MU3ފn"+?'Җ S|˧e X L6*ኰuǑ']|p#N-YEFKRgb1[.W$}U@bqۖEOyu=Fv(K=k0b@uߢJ=^'2ݸ﹣wwdW'š_Z\Z];3 ]퇈*Z0XpY{%6Vc.4@N U#^.j>in.v?4j4liPg.Q~{}ʩ/9ICl<'D'{W!(k޹4E6uY$U 5[Q#{?2χD9=ֱV1O*`4xd]a&PxR4e˸闈-a*>DJv3f ؿȻb$Fo67 ]Mn%eh2"8z03aGD_3ѴBxfᒱL&q2߀ѧ0[q Q@;z6n N_~"I[YMo ]% K!c17v[kO}%k8Qe˕3ϸ  Ffi[g ~"T۳[Cuk%;bԚwi'E*!7yYn!w$;m*;@Dhu®Nԥ'(…`o7 Wp|oW:l[^eƫB[:Eo`a{"WXlI<x8FتO$3ngoYM7SR}+>L¿HqM65ŧhJDS{@t_үMul92MDlVۦ'Im~ٔLKDntHMV>eqʆhL<].}*CypLbyR/K5! ۸Fxb_ >^z4UHѳj y7}QLl#og Ůd[ij| - `x\_88xi @bO-}d ֛_!, !`Lшm™86vah̔:~!MEx@dV*0'ߟB1Pir[FE e FS,]]tR\3p62s*7;i#ڏmXT3S {fTe my[^a~CQEV(l1J>'Ӳ1yawɬ2V"ԭfKm'QC׺7@6ۺylYx"ׁ^k? }wLgcɡ3f;xgvȖEJG+vzɊ8 g0 %/iϞNnd>Xn DN% KoZƉ~&5W^K.=\Gj,MXHre6Ѕy\#&(TF=?6MПODϱ$ɗ$Ns>xcamZ0 )Q;LRgx2%C[)U`GxSAa; %ix j AOў yd|*eI7¤I]̡2ς בhHtu@qⴭr6能dž:ڧqv0|v ) 68֊1C<Z#I)HIbO^tFJIZ4yJgmJFeN) \ V=.u\GsvS v]yv{Ǎmb IKzg/M)Ԛ# [y'(AU?~Ugrd nghd0za2Z^ȧaW˂-g|mü$2=61rcd —LRlo8,'Hw~,>|ێt&Ct?n@LYاGZz3ң͒ǾL_I7]a-QOr1$ǪMG~ѥb= ;IJ2Xdƃ\:j["6`P@hq~S3C?/zUrܛ`_ lFM!*LBRYCaL3‹;xﳡK7"f ?3LTUktCR@tbt"͔- B7kڶ]\c|omjjɗDM5}t ^!|T_,m@_"adh crCniH )ipCI+BLA&K}fcG9m gtDjS@eJ ^Rm¼@4=X ;R,+?2t0>yN_/|Ql׋^h)8zR)i~%nU;18l=tnF\ֽ΋kFqqJ)*W/7gmtu5KM9(#v ýi3S#!IJ-j=c*pxLq ucsE Nc<ຜ̢f97]y)>qY/.Qɸc~F|[F;ɉZ6!z^Sto-⏂ԇÓR(uTo*A(֍jf2M.$jC53L-Vy̎: W׉`EV"(J5y=Bdt)okajbZaN'rEZF-=a Ϧ\W`rH~u&=bf;⹺]40ea:x2);-uC),mIQJ-+#@^+|Bg.]+r[EzN7xlMv3X>;,M; hA~}3 q~4`^>F#|w14Iճl[V1ՌwCYYYGrO~0L S@de-߷nr?.ժPXäߖψ;:5<%+C~ExEA s:J@d!˝3o78O"><}`9c]`Р|xf2CBoJNMMsjأ&ғC ![Z))a9E~'ɺ܍PI'[2GqsvVxM`0flPۋN1K I`*"dbON`@0 zk1 t낵uh)0ⴜcMCV{'6 #QPf{LW;PqTHi/h"r2o=WT~*/5\#LpzSN”{ؘȽM^ ' O#MBL 1kYz;AU18P;!7#!ok|Ur*Hi N >Ӵ8dD&T"- - _#d k^9c!E  ~VP'Fzj'%YT[Sl- '/)1o|?3qX.\mu,9Y Ð ,qkȪ؂SMl f*7֍ ^&+T.~WnTo{l801pTm]X^SW N6)E5 >DE:-im;V*"ʍ99L6ϦtXgQ>>֦R2E#X~YDi%aZuQtvAxiĘA" q't(c_>J+r삠{b,;03D A`OoM (-܈Wh 5F}^|`2V:֜=֚U9ahҟDVʇ@yW #.iBgs4piJHoB W1S ^CWMϻCsU'@tl~:dmA-S Nfm|{eM3y~Vͽ$S.0}׾t%g}^5Fu^|QVׂ;0flryl2;4m U$=/NY(q^ ,jhQ6%Gugoиz# '%*DFZaxscuˠejAwX&c(W @7TU TnVMÎ2>(s =n~oUt"%wG5r9?cyίՕ@I;NH0]>.MsmԶuܑ8ka$v`nDh[0"]JV784׸|vok+8(Osx 06Gq.` lN8>|ktatei$q}y Ƿ3+,qq5C1$1p؇;"'#W2ybvkZXR>sYBK8*qƘQ:: 'Kهmy:w5%9rx1bӵͰ4I'Ae(:X91a}4"pAXM4)8hYBO=q12~VMIƫc[[NAC\6)iLM?bYyڲfBoNyb_D6M]]W gBƮ\0',Ae 4Pi!d6eBnОtzYKƇ%SF-'v>sjii݉f}q(vy!ͺl&I [ a{,ӻZuX%-UdV;Y)AMjh_n§rO6ZMnNaA6="K"ho>@?l[(W?0)rB.SҵObYCM׻@ n!,3F\{Q>c5G#ކ6}i&NˇgcgBZ21MPJ#M 󾓒T5XB&4oL, U!zDϬ$$9!ѕi0 N\ f 8#W 'bGz%do"S@pBYq(3\Ko?^ BXU 4_M esƆX"6\YXk sKchjEYIB >O.}Io:}ǀiz TNk/(Žl{O;΀Jg2Ao<֙4PHCZY Bو*QkcmY7e gdjC vmuL8{Ng5yȏ e)7Q3.,  ɋ.^& i[:pxDR_4ld5!uӆH%l=g  +nB@!ԸpAiƛ[s|bJFX e\FiSf;>$l}ST^ʕ| zn@N(*Uv%ai i%`b7MO C߲G)iϕ Z+=ҳHؑW`QCuKr,9(|o)adWEoL>negeӴiaxrxcem ӑ$Śpᵅ[mdv{+H7~_zy}J9k9Q'09񼻔rCD5-)H}]O< W->*vGht+ljQhM}.eizPW ibEZ)'AQ,EOGy[U]޽R%MeHJ\nj`19 S&MM7@&09Z鱄 ]g/u_˖j۸n+ro1S_3Й6#߲1.qk <POlF|L.̬L?~,cߨi>?5{A"Jc]Uf'09?I4x+Nkmӊz9rl_ }(q3qtf19F v/,ˡH2tEL)n-f&8EhLP pW/z{шyᄲ'Xx~a"Ct/>NWXNDf)R4mvH%_sԵ"ǯQ9@F2+jqtœ1L6W}oD;6}F)Q AA ϯ;|ZMv;E\|妧?%]ˮ(g*##cD4س p,(bq~A' 8l^G\=F]U\ M^{}5e~v-P.p맢RWr M(kT0 u/e޴x]3?zV9~/4]vF8?7d-QNMNB*OH G\KI c$EXsji]KE4}|UeZ3v,W7jFwL+\~ Y6AɎdݔ_-93³}PsTvGiӬKoə[!zFd'ta*A8_$  |U -ސO\R5\mc  dŻoή|`?8k_ ")ԃR=UcVΊ3qO:sU#)ʩ_fi5h5ipK UcǫDYQk; {1-AcFgߦ= kU:ƅ>ԶLoZ3ަ%q.sǗp6EդǤL3QrxwN1l!7DbաK1|84Ґ~ꯤE@M)p'K[) +V^P" AAbq 2Mt!$7uRw;a^xqb$ōK+p " "0v̤Iټzש|,b!{n,N@aK."m`1"t=>;Cc'Ei*L kAW|cGUә ;T54B'J_[yAy 6ԷDqܸĘƨMcI^dO;==jE6gjcL&'qo;P|`F:#W"_+J%Lhp .W]{+v3o1J: YD@Ia4੾.KehCu㕕9|NgE;bZq_&])m\ ᑯBFJWٱمeE "}QMg57FlҐH=WrnRtL`kN6`6xUINp$+RM#Lݺvm.g=>!ۻc9y(h܆؆ЁcH\mRzR M҅Hbo,V4P { )Jih/g1ԸehȌyq!6Sj-~ J>nb@ f8_IumAro >m{S󱚢P.-#X}(b2%4ehMnY) dDh8g^2 cu(m=9|ȣA:ui8ھ3\H6)='r6d G_̠mC=Yk뒹 R!cp}?UKG@čb!' Q*Da0VNV:g%hQ:sSw΂tHrG _v7't8 3%K B,PTh@/ӤlI5 )9~w{juQQBCwzr쎏)# n+8|y'jswƚ8-N N/#Ғ.}wHO Re_bj&DzCUkC2c`Q@fZR+8'm=|-uB젶)$o 7/. (vg}XB:_mֺ6FRʋp+?RDּ#5$4 A7h]z4* 3;OZoa[D-GtT4Zc(2m,}#4|;E4m*,_Fe5A).I^sMp x E"ьEaA1+[T_yV~A~YDA썽",Ċ12]/ OV"gqt/(t#'~x2kK FE8$ݯԑ1iu~%ӪDk6특jXyhM>^KP$X6/w,Ybgg?{\H(0J5`_j ]::\ gk Ni"-'6 L+$ޅqtmvlg#j|Ƒq$Smvˆ|_b!7q6џ%3_[fRXT 4:PїCŗAۍkF :pRWƸ@y?\`K1IRq8HT4\t0k1o,wMj2s[|OC_PVB&$-7ʋq 7+P {IiE{C}ĽD`uh{ 7Z Rn:9j4Gw5(f]M (0bQ0-z4(-!hF KE*@ZNBkQ⿨ 7d oyqU_Q4fP:yEyީR9@EAİ/*$>:C.T$WwL5>kc5KKBlI$v֚jj_uKҸ:LA t# s9:A&Jwښ8Ƒ=5QƲ'i'f(@#>uVu4rRͨ]u%mІGA dGW#tkh?P<kUP%F)8S4-AlXcͱBr  DoJ~o>ќ1Q~w FG}B kvaˆ%hnh4څزm]Fv}&5K]+]& $Pqگ" qarϷZ-Sㄦ'z%\N, :(^kX.{@Ņ`0Q7 3@ m1ȩُS$DTTGC4!gGDAxOqޘ֦ g]ˣBN6kHs c`NfJl=+7e*X6? jƽ(' Q) \Gyte.L f[:%~, L'd>zoܐׂ w*Κ!H~fҩ94m++^0A_vgC.a1sj<$E&5Fh$tے!I?9s$k oyvzdQfRאyX#_)gVyK/ /֚CkKء4P=DE,MZ$ТX̡9, s~M8]Z8"cuy\KX_NI\ro~/1T1fᗹc:uQ]pk,Za^(?2oHj(F_FE6(0-0]޺aΓ5`jh9gtAGy ܑfUJ+m|"$q^a?ST) CVX-[?Pһ 7 :^A(q/i7{hd!RZv#O $%ضRn3\!o!jڄq)s2=vR2qE.Ud/)qz!<>iwX"r;Q Q/-EGT\AVt1Ԭ뤎sv\ nMC$Q;fWYLBf"7nB)% G|yZiROo싍߉bʽFFu$1?#{HK}h83<^8AMjOc4oy2o8%ѶsG.k.(Wf'Y&̜#4Noc97PE%.$t1F={ qRX&t{y6@Sa344iD65>j N7z]-C;LE6L HD~*Y]"l62G"$l}>b|rU ^׼?*| Ǣn dCsnG@BZ>M&fq.*diIG*"od0VIt7Fal*)0TPK˙>:01n0-YFf&Qudž2&.bq)ifn}c^e,h Za4#'bL`+tj6Y^%7]ssULK~QP-󶼥Poە+k+|8 簸w\Ɠ"qYBG9'!ٿj^&"|Mf9j|Jx=~3h,ԝ<;0&LKn5=;kNz;xhBRQ(L"m+h~KNC+=^A?Wc? n<qC0CP{fwKLp9@U 6u^uĖlR2eD R2"v6)O02Q:G|BL 3oK\E=Xy22YKaፏq<jEoJncۥ"Qe6JQS3S(=7l <4|gtV V͐>(ᶧ 1 _^?ł(<cbO.onMdndO3V-΂rZPdZS3?:?o'(55GZ˻N@@Zİ%^-^Vyl>N#\'PZ8>sW]fԜaN"F!<'pW+D6_4p|X ]vRuSYʣRbB(aIwx^KGFBæ)rVZP0prٶ# 5%eW 'uY 0w.n=zaV`;ec=Mz7C|K\ 9X%+{T<틖l4.xG^Uc@]A!YQqhg[m2y;>EYn/Tkʄ_xI*LXNeԝdF% 5:QL[_x}6wuHZ3JD~-g}(UI!ZHÝ(QF@ }ͯoٷ|!=jOBgnZt0ލzOBB9㭎CIs⃷sշn/ln('PHjVJd!?U{ٕbҡSuyB"gK,K|Z'? )݃A@Qi-æj&fϴXsb=eNEӭ/[H Dj(nNs2.ŤaAE`zFB~:Skq9z|P 1z~64fu"Dx aҮ37k0CUDHDU fE w''zP"6RpolR(̝g=^zm R>%(dMiq-m}Rp3Mmq-ⵚɰh(f9smW^%s:).|?<%馀@ #/^$0lLȨֿ0dhxac2ԐձkK 々L4aBhk:p:8uIM<Oش(~y@Ќg: |W>@6I, B pg܎ڲՆhŊ)7 n/I`j9Hb%Q&|&Ɩ;ZΰW6}Z5 j~ wTy/jc$2e|,XӨ=޽非蒲Lvz8vL-F&?dzf+ [zoh͢NGh>IsBP V{9r+#JgƤ,%_9n>ʾ2U|N:hS0Fnc>zW7KLT-MI+T^>VTFC[L /Z>1LSh<|Sd(r3ѷ7ZPo1♁n~ؽ RAA?A453M^\MGA .}gqњj"mhL/G=)7r-5C-e(ҙ\ST E8+^y{⟮7W;* $ ~CIi8W% (Jo<.K%duU_tEaF&k1WW@F޷%fדf\)%`wB͌')0)/ s5N08+N,3>ږ$Iq(RN|ܴXĔ ))[NMYRO.}}pO@n~X(w$ \ucc,K"让RӼ1;;f倣Fmا^ ,<WI1dΖX_RLQKFڄ6?Tў!H $K5gŗ]ˈHs` gCb*씦׬} &̋#O .b]>䮴(ͨ?H$p9lL.+LߝVfĸ-ZxdsBtc 0K(W_*A >z`6b1ssޝG3*æmP*0ȓCgJM-^* m{ir88ov #u =s Hc!1DmHGJV@ N(K5{DzX[adq\/_;d,v[+M抵\}ݴ(okbE@z:Ƈ%ivͳ:[m/1'G-? ݻ0çzֺX=E㶂s B)XO I_ʶ[`9W {ۇ:chEb idt%oK (LNb'\V QMsw%pDֺR_ċ_.FDlm-ڞaE`_3%Q+N&*]ݵ޵N]cE"ˁD x;cƟ*)2QuP~<[nK2N|/k"\X:ţر D%y=BW!{Ri 2enۓm+@!z"/XP-i%YA/sSvM踗zzj:V6Q)9j2j\L10z^0=y[!޹0pjT}NC˸xCmiGI*E1,E QWo-n1a^u*w0$Q )ضܬVY`L %ͭ\pbdvB֬wp%rp ' 0Se !9WL]o1>PZX*nlE@yc`qcn9~anYyC[dw|w 4"ޜ0_tR]9j`2 btRdEcII#Cq Qy~}CxWSz[ ryP`V]YONR]Fwru|;EnF'@ؕ.:=mZKb"wmn\Іɓ wA.zR/dX2=KОGnxv&Zݙ9y%e(桭t X8Dj*콴ג;C'}̪oYP!R U^csƺ '^ٰ{XO 3+Հ37lމ[N2& 츺+t[ Й@\ǯYa>aǾ*gwRsZ9 9l_՗XELўLch . Ud2p$zG69?YMw65)աP(T# Ce8ڦw|&aWyT |v)!h SX3!9ׯgj)6;Q֊J){#ċ>2ܭ5ԉtK X7|kɲ 8rǛ<_Ve8*OB!O4}Pheo)-Ln%尴RGn} Y \Nq&BGѦJ89kA͏E=ӳO9birWӬHs4&ЀI#t`•jD1Il>{ T?D(/:9?]p^ʯ|SW,}Dl?c@k|br3ST}b &L!b.g!OkzdſS"Nѷ&V*^NpD vn\UZ.t; &:fG.L]1 OfӖS2ޛ#.P|_N:}5o0./Hjź<n9$ Pi˪]*cTI(|E jȾK_,)?pWFM I:6I~BV^HMx;x*oT?0?& >2L6-1GthtVrm"Ixyzgv6g}U9'cFSj&;q/~)k ȑ8C++Vw@hu-Z$an"Tpnt9 O=c2!>N5'6p -SZo?Pt T'?(BGy|ݡE6 :Gd)-?4npOՄZbO\ $@[i՞6) >Iu 0AoZYMƨ "'I be(4"P]] =}rՅ<=(Q].~X~VI`Q]׍uW}'Ybe JR{WCLtTpEw/}n ky Zt `kyz^j~1,0`>s\!FˀkMgr/!|TLm[F2(6bz&TO0$LOC؏Im)RN;[ 3[Wʱ̄n0+WۆjTfru[PO}E=-:(B>y5nO}{*xy _k6YW(7ָhGUSĘBnf# O9f|*JXM,אVk9rVVA/0Dm-1{]GO,yzƺJ3!LlibT:!.G +D2J@I1dQ/_kV@<0¿Nܮg Xk%{R-Ʀ_CrϼSPVA)G7p^T&9(+4St늪G]Ҳr QC&[ CB>W%2[ ױv#^WۃWi9*/BDƛ!{ $$N{D Aif:R'fA͋Y2ʄM,:0} Pw8%Z>%)e3%ztPZJnN(cXFH9ͤmr&-Bc ת@M"  <#Cv>Ϙ@_?b^W6)~j6ykbg`Vj;+uFB7 9ݏ|K^7snC%jʗ@-Xő4|ysbyw$#@ũ3M&Ij` o/BhRI6G'Jmx%z~o>LHf"u7R֡>.r/CU,HҖNTaVOiDI6ަ58(%i\QdVj~4az 8JEt7-I7ǯ1xP1qidNd xbN# y [lUpⳍt@Wdŋ;^>㏨뚳-ʅ^O"}"~<$ ?N@2RW,["q d,eR gvpG?S[c"dzIM~РױX/!6CbB~< P A!|a-dml!{,! b K>&/U;U WH&rB!&rgޝ8;F$h L]cZ֠?I!䔒Jp wJۘt/s4(ORlwY(3_&G\/r\,a%8.-%v6D}rYL=^^LpFqw5L/q Yiܞ"'6ضl#Oo7Sh_h. dzQcC{jWz0A5yXhsQh9tOd(B`չ2?tGJiN m͹_){{7JLJf۱gTP/̲MKk`wNBN"lӬR'd'MeYHaHmU#[UMP m!"Z(LoIŢIdb䈭w [ZG6~ eR ios<4O(M,?8h0{ o7a˺lK3*w5b[ag8hdeB Eh8X|c@$#25œI Skj;2wDb ~x0)t BVbf>l=9ZdndVf>s2ajGnDGU<,F(B@pG]_'] Y Gl{<㼁kW&`ѵ$|h^-قX +ܳvb U-HgQ\D@ Jnk!|eX|넡cB 函Fx^`d(p-7 km !<*Cv( 6tt@-| =  JD ^BO68],ڈ{̺牱Cj*oQdVQ;Xl9BYyqHnڼ, EZb~ /2"}= c@t⩶ *!}oJ"<[BNwh2D`dk[j@Sd5`'{rxgAz򭜱үб2 fƼjL}ß]P%hMҳgC+}n8=,fF P pFZdZk 9Yf%te7՘Q]npH$bKme.5-JME2>p3=aMRy`mP%Xg6Bղ' |ܦ7't!l=7AVP z~/EZt7"ReG#Z$l%#v)`+%❇e{aـ"gm(ڊ^0~4]b'ux*gl;g xsp,װ3s?V; :Q+QŽmASsVU ye?AKa/gU֠bAځVS^om۳Wև,2L#BsGtap°raڢ-Vz/{AFAP[/%v&}7x}݋2,[T 5͔=x=U8~o:eSUbT,Qx`ڽ>4O~N RA![kY~6q_;n eS#ԿF!A7aރ &c'gKPevP/iQ@yrocdyұAtKy1@sşcӴ/`1jL|I贡'rTj&n_nM%IgzmS~&a%"ãiǑhCoPB?:#r|ÇXJ._Tgy~_rR Y/p++U5ȖZ7u}oq+b%5>*/iA朱aG gs}簬WF)nD۳)HQK@3DZqG)*mN_ ^T=\LyPr aR0v3[ %R>a+y en$n6brLEhgH92ȈwD(jz ݸB˸3 N\`vq,ԳSj(8$;xeo 0~GkڟJѺdWU/6OkaOR~v0{!z; -sP]r_mǬ,`֍D_,/@\x:pn6H0+kd!]>ql"’S\eQ#x*ːh2vAIbVpw rX'|m$;Nv[4u]VqHFRWDQ9/ :fm!XfENWVLYp_2@ #Gu`vC-,-bDSҗL\bMg Kg!u+PԖf#v{{mƈAZDe#iO)whbY)j Ax>2oT˟4^~+]Z` DNەA̷ki}Ta)}:WmHF*5*yf٥v9%UK_H5^XR3zNt1OGH;,Sի=BݨpRӯhpLjd&Ft$Ux28"oZI2//G_ d`ntm'*rژoJC76]ެIЛDY |#Lz6.u\ " lw|ToGtM[N[/(.gth N8[eR tg DnS k'$n7#{`Ptt_82 f3a:.F]jgX'dφ%}_gA+5qslGªtY(K^+$@?3#ߍEpuylgrp-IMRXBneU,f4Co:5ytmFVwCٳ3"%pW6h?OCo d?4q0C׵9â53C +Bqa+vw|Uv׿Icؑ Q(<-!SYx%O2.6GԸvEbf\ֺQ,zXT.7RB3X&Hdh$m+툎 w8uAvw)b)c# n v%znV+ys} l\tw`D}Ճ+$9RL"ǩJ tEž̜u}SK~_5z3uczÀbc0{h _duMm4KasfU. 1dS lc+[X{&5Bߥ*RxeqCfX_أoe*햎0)[JJX"sp-7O[g{_D`we)KG(Գ״K\s@N/aBbӣQ%ͱ6%bӑcȑTU"%qIEJ<(EJcl:{m%Ph͆Q>|G.È} @`,T=aӇV3<2HtZ>/LoDQd)&w9`O6TCgJFz 'm/mD--;[wLmx<'<{EQ%d$bCs7W¿,;Kt@Mxv.<ٴ78`Д;_99 F;\Zv6nUy+j/%ULHyZEt]oCdtEiou#B|+b/8 0麅3>B*S4!B=E,6(\d@Һk E-vAz}(Dr6n!voЮnn8c4U2BAjPў4$cfj~H$e.tO$Ji A F'e=)@WP?IѓJ7}ЮgG9K,D]淏T22!ρ Zz(fTH^H@vՁ ?ZⴻY+LXMxtv%ke<X&~\)|{f  qׅܵwEo :<wI )@3Rp#=4pBNYc Ϊ =^cF|6A>ޫ-PhBx흴͇/_6FH|ҙ/g,Wpc[ٷ8W@Bn:tNe2QmFvܘD0 jUw#)Q %6N)D:.5mbno\RBy(GnIZ{պ2&7$sfEz15,>[,p#Eї6MpF998\Vkڽ,P X! ͑w Yx8`G'O)Me;\𚤩4bH B*Ӽ&ҦacGC"x\ʄa >~nY 8VKs(=Ň]j16]q.,w0!n-clsT,XA-d-*bT $hkYkix[Zf_]g9:v _Eݺ֨qJ//τGKܡn̡`PCD`=;/Dg4o<}^Q ߄պ`ϸ n'HϲdbVs*q0u>\ dn`H A?hdEd¯y_}(&NM}Z垞nu?fwK 0y ]^I@y~~#;1S:> ꨠldrCͧXd\.Ro`|v+eypP^!mv{PZOޖ{0 }̀I/iS}!̴' !)8c11"=PH`\0QWI.r:p޸t'lh24ţiP-ɡi ꮦ>:3 -?C(YAAtc RVN;r4^Xdt}g)-#}*#/c܈jBٻb/⋞#K$y*%ې_奭`yG,FDP J axN'dcu[UhޝF^ 7L U#p2:& t'lp쯦uy??8=?)%*EIv.i/:1k.=GpDߑi鵍?_dlTn4EQK侍fIF ?xTX[k/yOCxf19pѴ)ge,=BnT+4릸} 󼿼M#UJۧx+r}-V]_4.f,7&0NmHr 0|Chlu"rlR}n[N>{:t08Vq]Fged*o4]a6 q5hx)^1txlutWcrqYI܌EpA>'#8h/LXϘqz1aI̓D4 -ei*J"榒oLw7je9e#"zPGfsZ+xTIj2S:[%5j[6J:ؚ, YH}̀T;Hs ?0Q{aP((U.jhB:.Q NM8w@iZ$γ{ZUϒ! W0z͙Ė!A9fR 1i`9O. ر\pA]2NY_-H֋)ko 1? %iBԿZ/QfX#\EMм< CtҶXcU]a½lg:$ʼn4NԤ- ]ν(4^|:(WDimHF6 0; Xxւ}[iATmzV5Vz94W{YL< wH.߬20t^AGځLz&qrL3#Zvߴ0gLMibG\':HcA.wWr)A 0_on`Ҝ*d-Bѣ9يBT<~JL74"-Wa3t4%`\Z_c/ 7$0) 9]y !gy)3"$"6 4~EM\>`"}f˥e 'Be"mc\dFGdX tx7mC/DH_GK]`?^%`eB4ዙ%Kϥ]=Nv}m7YDvc=4-dKc&Ēǜ8*6ٌ,p-\?#4aJ3o{ {KfY7)Tu,qԔxx(yҽF|T10Y珃󓹹saI#lNIWDadCTuaT(Ÿs6DB yChlBxR\^әu'-%&b_]M\Q6C77O5,{rU2'[q%^kfEpV[လoxIHxJvXu~R}m>~zt&|.X&4:.`GS%i']%5#\+<-Fw> DJcp}l;v* udjX:|6$+̀ BTuM.>=ZR_5%I O8$͗'y3b+ӹc/T+ Pa͝~UFt)V2a@ D@q,Z˯u9V (v Bi3d7ܲejM%ԃ TVt#nPb5l0qR,ߖݧ~r.pĈެE へnǷ '$YFm+ ,sp^CndUo ɢ޴MJt)->8^07ڏt~F3ZV@)56R\nG/8RGYq^Q;)]3>~߂~|dPQ2L2{F\_GR !hx^JPgqeWI+4ry!aq!4/$YpO22NV> -aKsL@ BgA*1?zFQi:\NlH:[sN(T!&Pn@UGFx>g>C>~n4̟]^a*YO&yPm(ikB+vVq&@nfy{%nauE fZ,`YwaPw)wω1z00 uʨ˞畦3EM("`_'|BufR^ml2BuH([֟9ӗ!CG`Eg5RB8=ZU}} ?@efú}ʘ640Zm$'#ͧFi`@ ]mJwkJ"~NxD+x RѨ;BRM 566:&iX7@LGDy8 $.OP^M ƙsvw~%wg ~% z15 RSF.t3BT3.!fUb**绔BaywҸ\`@f5yKkh7y9?#f\`NcWQI;E㬃tQYvVr󕨩5zIv, Qaћ')*4UXPF!@lԲf ƩhPzF2#Rmeg{p*y-C(2-e 1)D+=U zi#&GYbbKɌn1`Vh Yx]Ȅwst,j2~h#Kwx `hRLnRT4/نtDaMκ9Ә' bӊ{\ d‚.%/aǁ0q.~ (}.cjO@A^,BAjba* 6qˠ\J6MM۫bqݓRUo.+q+~뒖vN~()+yMP(M(Ճ-=;3!kSv@cl3<ޭA0FrdinޢCU)Md<}@6b=J)qA<5>nF#x]\fl/ 1E䏿:G ;b) q;ư&AT]wM!Xe?1#!-{Q[.0þjeKcx.tG3וX24>ڧC5.'AaBAa XQOvD']$Fu$$2Z Cv viZD:rqP`mqj?4sOH/#JY.0 P sÓm*dW1찀--!MУ)RjMsM@s5upf{hi-7xέ&ހ9Co_io+ @cQ y-#1uztM~) Ԡ5 Sj'\A)VI@Vc21Z3a*"gWXL7lsK mu% gȆ;a(oݝ5wj,̤r~ZD<}b nsMxKXpqJR5:@63f)/e`VvۀX"ѓʱ1%گPB#^ V=B6uVn ;pPp}4V@Vhik?ֈBreL܃af`XtL3X_tUYEO`d@b=^_:iNem D7Vt'’dB?5k5?η^QӥN tď֣7_+- 5JyWOզGUCvVa(6!%[B'Bnia#{-! +_*XY9*S9[ȫixÖ`1HiGD[ 8))E0 p*ySPV@{>%hG-NG] ^(/z?[U!J=x`0z!zl\.˭4ӸrAR]߆(>HCzr+{`B (Xזͱ\p lB?MR\k#|k,>l"0hee$6dW}O#@7 l߬M!Ơ)#(snDٟxr^Ƣ֔})+[{Ը7{$=*uU#Qe<)׻~!C :+pU]M$y:/^ǖ Y,C*J'.j4r? յq7}p6.[%TV݃ո *sfC {ROs_.,$c#wj7>t΋Ƃ~~lER꤈'񤀽1xf}\DJup{ee瘋C \fI114ﮐ{1dsg[zjx1q[.oHQk'BO~rzDAI?J^ԳWZӲ@rH p2/YԩMn8" 'O^M]j*5クnX_} ybJT1nTt0釻7iE(3_ D+^,u_>,AX\d7Dwi]҆Θ' і9G79 v,j 7\isNT'lpښ=PƑf| $ѱa}9즢HIJ(=1eg<n z,JYK4e٫^̎vyF> nĒG` m,ϱ3SPkVz~\?&$ؗE[{B v85 Bn12Mϔ< rM7e&t<ˢ~Tא³. W|ud0Ҡ4[PٽX ]fdvDpu.a˖8Lߨ M"^O!ζl< a0Hg;]Hu8λr~ but,^z~-TP_RO⢷0#/k^Qb/2黑iv;$u)[mk$T}B+V9J\}$k,?])yR*Cm[J}qc|gb@n $S ⇟ P]'w5.'S}roQX&m] !(ELQDv찾vpPю.>niF r=ᬳ_zEΕi1oHt i@5A:4PSn`o] ޣ7觘 , +7h4+,i4^vwn3lbΤ VQYA"M+^~Z4f8U"4k(t=M'wM{ x2Q:ѮOM8>(<Ӕ=ߖ>03=_:uoFtMD)7_2Lp~Q4yzպ3a]ͨ1y^VC-EX#I^ H"|dV/V)pܛeWYJ^ ˏV)ua A'GPZ}s}415hA]!.ͤ3Y=aC wq$^ 2/. Jܮ)2j)K'l[=,MLAaJ@-z|W@/c^q] 6Rf[iNiju\-3 +QgQB*z3%@ŋ. 4/JC]t;ĥS7x"# z}=#:ڋEGQb?"t@ vH _@+'LWRY:*~s61>f̝(u]sbo޼_m&dIm eL;uѓ?'"[&!Xb 2;W$|r20zW&:onvYIU77$[iHJF8_V_(2R"7񧮬*^+Zoʴ]*P}^W.KLDTBT/b< -ʛQou%it!ϷsHc/#. PܗF%P̠)_HY!;~MpN<>^ҕ7y'` ϯ@:i0xQC]$ǔOM7G4qWuR3Y0;"O]W==%$ %VRHE#=oXI okYɃr#\ wAZmfl8 ~_Wr.Hs-5:q#Jw'EYk",6՚+ct ;4$6ysx*( =%77&*',$C{At84vP ǖLF+'. :9#cWУƪx Q4Lךf.H Z=F ʉR>*#tEFhQy5_Nwq_1۳vwL(-5&XN:y3RBaO=nT` NK{t#W&q>G 5 -ǐ4u7 9"Lodؘw|WZgW&vzb@8ģCBUIrー&Jq,.E>{~6R<6zj8缅aFTcj`?W:5CudW|5~+vV"h[`G{O4G"vEp ICY{eEQ1(B#I]Qx!a5D֠jѢ}U/pd(D ;4E|%;גU,0x7;M3Esee1\^nu4nZۊYq!0rbU/qn7L_CҤ)~zK]+4btŘߖHW\+;m>O䃂 C'Ą{zų=ܑ3|6/*ZM,gK-P_S"-ǴJ$kh`I/wjSrUyX\37kolKa: *\^/ǡ d f `9gs՝vu=IfmA+F:|PD>kvr`zqNgCEqwSvDuap1e}B F&x ܪ"pr<°Q@+%)>I>dYOvI&leIp=%%dШCA6`X_VJN.b۶ɶ g,a 7"9р>4#3xlN{V}1еi5'! (ӪK T6w, %MV<(L+@66k5mg 95dpw_(D(ۅu/>[2qIC !Ih{1u/8H sbE9K?o6dD:Xm R Mrڑ*݀!g Et2$$4mui؉D~ԯFk4Q5ýX[M q1)r e6R=j4aÐTaS; o%O*tͩ)TW@VVkj4E DnƢGxڙBWH5n|#`5ig%qQv,gBn"J\{G n2;!B [9VK3"vk/uWbrrr'2[e87eP;2xxTdDWy"qPu焭G#T;ss׭mT4Z `=kwqxTۺVG~oDˉOL7sA$4E27P*ߑqdeBǥ;"bd|iʨPԡm8omfvJi9Y{%RLszs4_T#%x/ZVPsJZxjC?#AOp ÖLV=K8h+A%q x34?MM1Dmxd; ծ9 A4-T |=MGtgq'Z)2ԐCO8QrLbcWH̏vKp\h[} 3vB3Ol{ kˀԠx a\5֠QusaK&H%ج2d"EޛvjƹsWYnpHɨ 51~ۄ4 N,vQEa0ʙ _<9fheNKfcO{4j̜NFRZuDNҰia5{^f* OSOv/x`Sj IgrZ/Rpj1۰\3@1zuU=2%&!!NL4L:N|*芮$4P:}8;Ӵ(hǓQsh/J"yྍdYaYdod ,{Cԍ6ʔS!2ґejTv/vBI# g=W^J_nS+x:턖To s}QY. Ӌ:Xq5VgZw{'. Hš2dӂPUoL!d5ja "p'ҡZMwm$Z)dtoD+p}_.r"^"ѱYMCmeE@=Bw+&͐ntpLq',gmyܪfΚD6̷֏O\DEDX1,{J,b&lnsV[}̨T봌M&Z 1S{2s(?Y7dg&#jϏ!H |8s1R*E96WP1ZMA|`k2u_ _J)8'=OfD_I=Zckli%<ki1b{/O*W( ثU\Ru/5|ureG~ ܇?a`;|Ll_q؊d7';ҡbAZx~PR5JSϐAX*r)78 "<7! plD7c>ɬ[b."剪U}fwKW;$.YI՘&ĥ )WKRXH7#ee=bJIm4R U8 'mAL%2TcoR > nE AGAZ5wN4>!/i\1oL6DOL>T~rLFv2!CiG79#W4X%#N4F#!se> J& rcTؕ]gZ$w]\I<@` CvטJG%V ^[=w,``U($wV]\Xѯ ;iӨ;~/aI,[;N%:V&jL!7IS÷5_}0jWP3",]3gR}_zSIHQ!gMÞソ?#H)7 UTx,c/G+7BP WMY]]FS|X/Vss'Y҉GÙeJ!UȮc]I S8m#|Sac(ZR:X>TW)GY5C#=~H܃"vx JX>>eLF|c"3$, dNUnx:* 9X1bLvJTL5 vdU;z[؇RqCzrd}{4t\3*"M|nrgYϞΫEBWT!}/$@d @<%&=DG]x >ك@e{p']H}5$ G+>-'s=vEd><Tag0;P#P rj(#3V=ߢIyl oٳa v[BKp6>Sbey$YڜMqfȒa:랒rj"v5zBi\Xu/<5sK"5Ύ̬ NjY6U~ߙ3gl&%= n8 ö 0|.CwyaCeO;yq0Wuuz f' mH('c|>joƥo᱋s@)Wu\y{pr/ e6=6 '-,W(|8)dx Z?";#ΩZ;gN~l4vMiDF&jXBj3ʧթf>?A!v ]p&X2/()CSL#tRx4:Ab MY%g`.Y%;ӣg֧Vwy`(}*1X)+EYR|Y1jX 4Ř"fshmnV.k]+)qm1XdA!f TFP+(5{Z==I=\QɃ|E(DzIPѝEM_j tA{(4Rvdco#wC9n;@FD+[@d`$l*QJ{ YMFAzʐ`{i5Ή7ğ>햌G9.O8/C_T`rG9o'(Gfã$I8A*dq˛gOe.K!܆3+:P8FHPܖ޵q*=gkD ˻h Љ\NfbPKRZ Y7l?V6{_|ܰ^SM OiqwٟeW~_P2^L,T {'dlfo"9[)8$!/qjF Wvv,O] 8Y(E{9x]movȢlGĔ;g.KfS1E K4O#.Tn y`pb<>MhW!{D~{dQeԎʴAC=:$%"b2.zq:"i%^"M;Vj&(n(?̯W|"ƥ LLάUX`r(N0v\jl~BXL 0b6Oj#~~ýR3XzQj@Nv ǚJSH8W"+ dE+ ?]' ̷fv;ˮ\}*݂ wΪ~q!bEU>% Rm8FɗtjOJז%:bSdR $r|MNco9Pm{&gy*rϛ`jIwPs2tu욥B@&հ&ֱ]qW Na=6)-yb篂Qdlmeo{$ʯ'#z~$!lMyx@,T7FNV,KoLvP O' I' l׌E}:`# Ub0Y>=gq%ZюHDcLBR;]B҇?;){C~@~uvcm XI?ښI@NNJM n{?ޙ~,UIYURwt#s0&$kOY"h=}z"C-ASΫc?ݕ/Bi $|U@$oJph_mJB-hRAb8@_12/)SB[E.4~Ε묽C!ѽV%3'U騷wwJsSQ_<`u%3䏴}:=wO넦u<ޢ߭TlFˡcO@$^(I1Zё^nB9m׊_gd k^Eq;ù&E2'K$RRQD>pK6l%4w&d=BuuG(pLgL_L9~HE̸iLgӒRRE\,C8P^> P x' lg5eb ae"k@{aྡྷ4`7Oip Ot=spNe6*Q}2#'49Ibҷb&\x{pg9?WN*8o~\(d7[^7 J_ŊUHg4`We!u."d)KCI $QoŽEb<#d8Eb^:wD=F'OE^jA`*4I턌M|Ea=\A "4}oFw"UCFRi_ɂ='_9hn gcfYUj ;'+|C^!_)l%6_% PUt4{D ;^|>%%D9-< A6Ł>[veqnM?k& r1PS( 3R?p¶EM{t]/;3 A1Zs2ZS淺$Y(H1<4Tn, 'nt4?jUW=EFwkZĚF$=4ߣGBx!ƔACVOI9co1ZTԵ!fʼn83,̇Hp9DHXmZ?ܠ}7qYڭEEa%=ju&& KvN֞ )؝hI3-PpvfGWd!7nwYp7?ԡ ɯkixkla;(Jqq3!l$jot >4%PlVZp}0T q(_^vSp!f\k זxA&|G,mx6Ja?3zپR9sI%X+>\^nXR)Lv9] cEvN${@\淙Ι頁=H?]m%̎C|gў ʢ?ܗZAW톎p۟6 $UCkh$,Hv2F?)Ǡ♵Ŗ*ڲD{ l^}l0z%7סם!&=ݢYΨ/јa [J빊Ud8(A[K!H5_B' ZmòVI"W@(i RѝP>*%kv/",֋~#*zN7xZBf#z5cw4^oc]Ōڿ=T'8ߪ7X^e$m{Ga0̕7:`O"C߽P](qz=>cd(/ֺEAܴ0"meӥ(p]PؿcPJuaCvag&?&D6YH+`іG塟-gYQ^6Y?@k;G7Qk20-|`KAk{ VH!0Fy|e;O,{ 򆘻fWШ0FHy uq L4@Ӝӷ=^lpl FyF"=RoS(s ÷[ذѾw_&o%ԝEC+eц0UHuO"Iڞy9ګ3$u=X*آOA1b U[/»w4e戀 8]Z CwZ8p?p47/6YvA$@=`Cig š6)p vmd":i;y\.W0)]OU]+ ] ny ݪBy3f.w'Ysn 'ڝ,2;uv^UӢj6mI5IZ<'[FH0|yЎ)$tV 5,Q_Ug_|9ҩZ}GXݱ&R٠M h&|AXi*Iz\Eq@kF(eӒ dYŸ́t?kSWz\ S`X*^t4K[FZ|;B3cH4"5\45c]bt\ TpxUFA9,LDR9bN0ߒH[9=DZ2HGieq"!>yk#)Mv)˖~zG\)Sς~j`eE`uZ/'Jp_->\.ԩ][^sMpyʞ6Uğ}L>[}"[Syeey )>nX"ZIm=7r!k Geyؕlܱ]bٚ]j6^5RޯcX>ix(3O,\4äE;bBμŽ a+ Fu0wD `=/XLhcxP߸=W:XL ,yU!X5rrJ\bU$ _Tu 36\U,lc1?*ŭH ca*Fza2Pc Ix2Or}'Aӫ"'#631h9ʭ _yKyN8jKYm =yׅ+pQP%1NXϵ -%8Vo&zefuOxw\ jӂ;›@5}~ЎdL_v>upcfI3!Bn/t't^WàgNzB6)毧]GRWpu1Q b`fWH%U]gmפ%$acGxߝV0D)nڏzRYF/A?$T qqHRC saWDr{9C?3>9N3! zwCmNm'Z܈GSfI!ݷP[ģ$2-; ATјF0ds%F"^˗mڰ&Jق!g?be@'chjR6CBloxuT먴l\s0qn7/T_f6}(̹kkc$׆F!*L;Ga{=re1[[ujW 8` øF6*5 D|9j~a`B6 m3_DɁ77l>Z`n+*A`؏1h*-ެLbGdԧ)8M9AꐯiD W 7]p.Hu}vwheAxql8wC5No%N`i,Lo_HI1F2fD?iߕ9iӣsfӊe<\d99ޅʴ(!zU3VGt>9rꐆl;W6–O^ac5ečpyʛA F}/U@.*𑩭\F MPܨ7C^,vl(}BvW"F:NOF~gɛ=:ki 5BOйIa9dM%O各ɗ $}JN d\U⎎_i-|Ff 1d)S|k?^Kq6B:+ .[ajqo#N{.L`7PpPAByLݔMGyɃ.hu4&>d>zǛc܊fgF Mu"N`{sܓb⁡>s<|Lo[#Gr;c!+ޯtZ~ 'a E;GoY09@::5KAsI,y֏ 'R2ൣDc}kOgOQn;@\b^ձHgی1|6M@+@~+&Qͺ0BH}\)ßoCVwy7EЉ sY-ڏ|0V ش${wPV^Ob(`ZlWozS]9sa]y{w^0ͪFz* |FODFKθ+s Ujn/ٺiM?vt4 Mjrqt&q7jә7sOҜ {`9Xt"D S6- vF[25X.=vW*e[bIvKVdtS-ud=+;Zx%UIRܜ{"w$ѧ5~~$) ȦeqG|{,PG}O]ӞXSbi9ԦnIwđa ӶLg ͕n gl|dݹSKaL4{\oywH\e ؇N71m+@ŒPjDgJifsh}'M9+Hf"UNٙ{UڿصHak4f?E+U*mƿvvK ,$8L?Iá0 q>f<<5sAb /<‡2\z&[W\&Uu̅cY3dӇ^;=,.&D*z5vu t }O\BXr>y`9×eƽ2GJh |G۠[7TOl20|Xp! DU^ӌ-wEWP]yjZ跶>UsXg>c=#Ɵ΍-ۃ /kԱvJ=sωrxo$^Yc(s8_ԞЕOt@zpYc#Z~nGM,k)xd" ,s69>ƛ;FN# 7ץ ZJ Svd/AUAʻCZ7XH{Yf2nzV;x@:9hjt7#(vi耰1wI`v骎+fkߪ>"YjAVDOt,ے<@nyXHydzxS-%O[W9 *9ʏ%&/USlcX~bRIKK7tcGz*!硟)9 t0/8vz4 nDSnfU-کgoj4. q A&PB9]RCR 'K~*z˖dcXW-C908kgW" PUQ' HKMgQ*d@fխ98RCb4bDDXy < EuiyW c~ꙃĠs7nVN]XPfu9ֱyeCm2EgJL9hRqM۠!wp}:gK3zP8BeFJB{{`M~snJc,Fb= NCËױF0@l^*jHӠzOK) fjIK ^5(^J'*UpَSYX L+.v$-#68kgt@ 7.t}}=ew)敷sbܿ|xe˯3@."݊e/{]8]ͦfC1j/Hݝ5Jes~ yބ6Hi3; ҖN3 L#%eȯ/&ztK/"$`;6;G*3s#(un ɸYcJRAOM_utb`\NNn,v4yfpWk-^М5_&Χ1N.( G4uw;d/Foxv~Rʪ. [0]$FPtp/GLÖ+gި_Omn۸m~Z47r׍ɩ fNI,g>*㣯߯-ӞE\4@#$E9f_Kh:  3mo=xJO&[ %;B偮LqWmw˖AA]7ҷYE=6bK]!\7dH5;=*^2}JYl#[-6-(/t钛ju­Nw[jv?HwA)aT\$ЫקuQ{ڲ&}wbB jFc.iuWCbp6=,pS \P=!A[+ JW"X!|Kbio|ˈٸo;G ߬TX.0Ale>DHL2\DT= s2)b4[wגz"r]^GKj\S8*w2v,~7-@zzEUzEj:eKV 릈bf,`{ }iվ@WY4MhOŁ9 FړL+g )ζJd(\ֹ!v i)ӱrXEd6Dvpb%|* '|Ms$]}1t*5Lp  UR?I`@бS1[IܩvY*\@QPq;Ѯ%VҬ[0}p<)`r6 e[F5 @磩qqOFSf 40^r Cn(yoe[p3==Mg>uDe|Ѐ\Xxeǚn0͡쮉VZ{PuSTym_++Gy'8 "p4ѥ؁,p{klZ¯vEyG@5Pg;D-H*Z'pTJn2ʅ0r~=ZկT .x@0c 1*y%rRA5pM+"LiCY{X.o!et)q@yNU QLFfPyᝅ ZK%6Ӥ?aԕ@az%[[ ՃviIh!Zj<?%AK3:H0i,_jL1G5 k\g܁1aݭiP76,MUXܯ iP Jg4$;qzXwf !@؀Ls?%}ǝL{~-Vbz|ecƠW?q&#Zq9b1`P7p>ȎE=h8&/=Nc̸X)>_F{ fkҨʤ\jɓ+z˨lz ⁩9|A–%p,ʺ~KZ*f8<Ĉ3[Jy$-L$-iYIc~+D}_#OWEycX;&Uгjր.=JcXIB X]P41CĞ|5bӺ a13yLq`sUi#I\@LSByHQiǶmf8$|iqN2JMI}˸rD4D]'R@ruö'õoob1h:߄VYo|Ȭ".5umiڸ(ܾT4T?K^6T72)/Z係-nۋاg^IL:qwc=) 7NYgj$!gDPKKԥgn,t_eڡ}_7}R5piڵ=߉rΓGݢ-T U=Qiiͥz܌ϲɥWM%cv[WL?ǨtEn4lE/]tXCc^.Z)L)Tk%K\vkWS}7#T)gx5+)+ P;_ÿm|'N 5G JŎ"jޒJ$*7< X 7eΪ4e ̀{' RD1q09 G|~:'| UFO9r֓}x?@p>l *ew ˵C "sLؤhHk$Cf]jC?øvj߳΢f ^P#PWlޠ?9<| Ԭ^L ; fU2m(Sոk B^<=IJ:\/R2玿GILp hW5eapz|xhl|Ę>Þ_Z" 3†W%n^%3YCY8hOVS]mC[ȏz_329r~- pKu*RA_k8gy=B`I_~ܕegq޼'٢@=DnbX\.xKY>w T¼,s<8c2ƛ Φ)`p܋~)9Ej0eI"k9C*"FFlEarCdᚧnp@3[3p dmȞ$zO"v񆆈G6'R-,8cٳzM2 [F`FL^q7EL.MZʄټaN;cH-X(W@6X{#ËƼ ?ϷkO Y Ч)bLZ)'S*-Rww4LEf .!^+scŸDbaQ~zWq#7G9H:T#SO&Jeg.B^ILktyf-?I߰_R}OZGht87hh{d>"}$ qH^\).]Ұj#9mupsdP:QqlzsԤc":ژTjx^ G٢Ie˶/gz~L'Yeru l|P20B24k1y }9O>'L1z=7gO>"i!2{LɤЮWB*;U@ $M~#˽u :DoZmc>c!^8 $#ŵlgnx )Q1w%mDA`jl}TA("_"dܜp| bN\BAhBcxl3BH&wO(giLjPypڟs⩇ \bGOP:$%"~|CÙQ@5z*x N:.:`KBQ6 2!tŤ^U(!Z v qzԔy khRؑM ϳfೀV1oa: -=^FaE>Ak: .; 98# ;T!e=Zh~4sfl;~&q`^գ5?XPrrk>@:gS{1JH &=gq5(KTOQ@04H|kmv_cʔq}yektvLd34im~9ϫ]<:K2#Yew#N\}+2dXc[tW,@n3 ,dAWˇ#C"0u$Żϣ?~Gwv61 wP. B.ys*}1oHL~EtsmZ߾ZFTscre6&ɷbMB]mj3sU+xnN%J-=4EǦ@x= aɐ+YÜBGD'K(A?+v #8U&gn){7DvWTEhe- G5@^%+PP5{O ydcӅ_{ᾬq;ٹVraq) _-bB '^`n^< sKJT:l3$mqSo J5JEmv#+|/qHA3$r1CN1۩DmE<~T|8rsH^Ҥc,CoL_F %=M%q@L-n_F&$@^/暐Ǣ,q{fNÖ<$w,q394Jp<2#⨒HIĵjnB]UU`SDbw=\#_f 6p<+$Գ<Hf?ό;Vyu2O?iR `6rEV dw"^XD-zωi;${-n`G`rD)< YJ;=S"_(݂wymPw=xީ%4_ _F^KhֽUG8Ѧn0GD_Q{/bia[bt0ȫJ{R߇q[m/B8 )KTOg4Q61([!n7ei |^WM㔝 TS3Y5RɺOMD<(bCtlt@pk T81ό$H`;1q vvsXOx}zx E )IC1NEivf,*x Pw*2ɼɏckR @\M3A(&DeV8u&vƁ}4;ܓbZLϽ%QOجS[]-iFf9yzW g^k}!_Bki w3&W΀9 uBnP. nH{%ze'@㩷bZWYG]z3 .UgԼBoֳl[\ *} 7T43AMjǃm_Uf0M$E FN 1O5C^+ UҾSt Ècxnk0dӉWH&[|r Tk|[-PT_σTcn>Kr'̮R٫t!QD\Ft 흞j6[XPz.Ca[̗ ~r-x@TT.2\Kv#jg NWN 9R3H.G\Ê{ ^'0 xwzDǻj\1s5x[S56r?'pNV0x5oLA_^Dz%:4ݩ=?xx!޳:?55qjNY\Ϗ&6sC'0mt3)dҔ^TՈz\fAĭ ͋;kNLph`pk"%©MNgDVLP\!)%Z) *K :ق7'U9>,D>Xa S/U[FŪ[m$5>̥y9JpUKCaG$oP8Cpe{~8X=tlm QT~/0gm7 x"ElbSƀx>1,{P;Hp ~;72"̥eWGp:yHv!:mK]FJTì%br.O[d 3tOpցH(t&{5*[[bU;GʄzײhOL"޽Ϥ:$+`(JހA2UPL^qH 1Ax ɁGh'DfO7^v%㠞Z~6LF9;1V`|l>UQ̥Q*Dl~(Qfq*׊EP}Pf:bb~J2 ul9Lz4rF@3j0H5& ii:\E(ӡa$GzLC8i?p)BVNLoeQ&[U+93|t]EN_脇MXH \ӌZ޷ClNDb+qT\L#fM;"[~XX/j0H%"׶SCپӇi:Ց\ VH'c~40>Hw-{̀ѶxPUlv UNƽa.}\lď/\ڥ54f;,솄E9hw~'#G˺ ir3wG>-Aeŷ]xqݯ/:v!vc=6fxI0 kYG,shCÐUīc5leVkEG KdJC`eߠvThZ@?&Wn"|t\ 9 wlRh`ZmmZo:vwn[eoT ,XJ˗X% 2xMe'5]&2',Kϗuzd 9gߐ!d)`eƢ&BZ' y ]J}XG]$^^"O'Oϳө[4 '~\ydx:|OҺVf)0 vqu8oڂKUtڨD?"_cRX߂đ23MBQQ*°optDƠahGZ~H|7|D ,q=be:) }Pwo _P;m>j˷/v<$H.mG-_3FA>n5 7p7W{m S<,Vm@< iQ(162p _(SI*`Tj\.71KeCerk= 7ZgY՞ʁWdGI Qgz~8t6~^ϩ˼ ̙rZ,eKɾ!8< b'#%ox 7 r1M0J|+t=rs}l:f3l$䒟 |{t qxn ~;k0o=Hk{kgoQz9BsxgQc_5} [屃E r Ϡs {W*ʹM"Z ր4`gO%(U# 6JYFeφ~h[ (Kk٘"{$#p 'caؖ(té(o=EKV?Wcg"ӸHvJڕڠk{w#UJe]ָ@TP gQuvOHvD_Gf\!/VvP>ŖC~%HӔND{L:b'I1:N$$ZY+zէJk*[_NE3f""b _u)s$1QK[^HCt~ \GGtQ7{{c ̗+)c۞[.WVA:3CV~(w~V|0K;5E4i{2hζ=?lRɇvicvDQ[Ʈ>.^bV%->MkR6[m ,̚*V`N;LjX(>Nk^l(5{Ƶ@ i-;AH$8TZo/CH{* Wkw`ZLe)ZNca2b{Um` e]WN]gr D/͒YW/nvDBQ֘u@_o0bk#2𺋌Iy}0ww sX/DHEC~tg^2?I=T)RuC" H{EuBF+!L;e/2 Y|jnly-(QM We&„g@\ ؄}&MR?^[4S@w5'Hz}'"-_0M;[kFD|Sp|p昍 g(a<Zj|X徲qxmjxS?by@a\@۞Q TQa7\$-e" qTj3]>o6eCU0%O99kW*89F$`3UsHa]e(UQ&Ɣ x(#L dHIcI"v3y5VũLeSښ^îڒE}J/ly3=ta Y:n^4 ~~oP7;y${8֣Q)W,N@ˋt_~ uH .Uuh|0vɥ= wY'XD&6+h6|P{e'aӢ4-R2¶1x2krr7>ʐv,s=x1PT=-v.dF>P'tg+QX𳛥_?eׅ*7/E?I)ksp͆u|iWjhbqQշkk+~qC_lo닆ѳҬĠPJ[%9)$>Ř S!Y6s.h)AFÄ @ݠ,hMxi~0ɳBy>y1(nNR`a/<0G:WpTMuIWP#%QCXZQ!6Q`WkJ[I Pjz^?Q NUNzM@)]yàJqË]tjtl W W-A]uM?縼O~gjdTHUYbӷQLjS<5)oOC(•1Wzx##9;/; 5oYhs% >-#H+ȕ{3)(`{}R3ng|Ilk:JudBBZHe8R캮m(M<%9CLcwaJS_^=|>˞`~W\:1@0 +-Zb eҗxHxMiE6}g'Hv"@ѻ[ `[o^['b+ NJdI{5S8v_`jԁysЦTxE1}CQSB)x0;=&[dk (pNzKw@n5:l9Nh#f@(FIB0Wśw\"dm4YKtO/nB={8^d@0 ǔiַ]ѝ8)+ʏ cd'-0Lze|D]ƩD<\i :ƕ5a?8NH:w@VigG\2( =*XoWb*%ta;HC$/U24 JZ6;_'?_D-iiRr_yO,`:Ev&:]j/nB's<3D{9t@WY<̬;{n`H>TOpxd#QY^L]i~JI/K}xyҝMѽ yѝP=YSA}_iR}~B [=QXFY<_Lfl)zؤtɊ;cU o{D!džzCP21< ~#mj3ڵ~9iOj%|$ymȟ}x߉I_2$o"ՓN5X?w yw.u=;{s؄ԭ{G vEw#S~L}j(D0-cG-IpZvTyUXA_R$mg=B'4Qw~~,{ -VnCE_vf1`0X`z=`VK9ao,\G~=iB=[FQXF&fQmL5 $ӓ_U $i,p}eΰ[fqeL0Ʒv-EJꎕ&3 n͟ !E l갬o&6B^q \Seez;.$OgS]> l;0SOxivjn/ |? e Q89:nWOX[܄"٘|Hu&arP#h|4pƚ?PX:2,g$A-Tj}.V,jk0.s[n@&Lv $ a<*[W~TѝXX$}3Uc>~=pS<|/c[iϙ ڐ 4嬺9y{ x 3NjIGU|I^8 JE+ޜJ.'AFX2~kITt!]5`pX蚰X uHon&XgkL{GB oChrʈ̴ƑI)2׿""w=8XNh<C]#%YqYD$}4 ~%4Q?$TbDq|αIaGEVDvTjUxyXO%s?t1EF8Edz߳b}Tf B6bhg`<Ed3"[, s/ b L3u!g -m}c z)n9N M)ۆ8?!0x uTg"g*`0u4"A$d T5G9sF0 |eF'rs|TַwԌh%-Yg ~x+ƆLlG0ZtR@!UR6RN:*QWb)͚qŸC¹ӊSvWAj b:\̀Hh#g~P; ' sfqM(EKuc$RȣE9͌غJ BB/F{; ѯ$^]Of+@x }bv\ x:/VR$ʩlD mՁ(}@F-u9Y=5[6;d7LݙB{|^~^yZtATp="[cex}]Ő\}vu"@_*`Ek4+^FG Vu<<\TJc-И0t vSFeq*,SG"G ~tH3<ӓ} у0 rBđF\>)0Qj2Bт23$=ttW:?-;8&@Y3|RK]or4TrLnq^.Z5Y#\) H|1`4J2BEqmݼ"Kʌvt ]>j皱MϨrZĈ$w{R%VڙT Ϟd fzΎ>͜ p(dB3+6/9|5ơ֎#iHt ZEI+4VPK}= <-ˑ6ps]a18T ߬~X4VNsk>,dxH5r;#HSS2JDip{M(]da{ܑOҥ[(UK|Q: iWһ>WPzjАרRa xb:^ziT*.E_8W;sD-8UޕuxaNW Aܪ'/-2TLHc `ϻ+C%=,2ֆ^6>eéFJ"~Nud7WdJ, s`DG;Vj$(F{43k(7%uKO`VѨwfhuNN"/X'U皘< H/spG~}uU IJ#Òt@p7T/fF,Ճ V^G{=%3/aA A <Ĭ^d6>\SQQ Tp0꺋DsX6*[7K*Xf3-s]ct} 'SE^pp[wgUih~bG[qmo6ÆU܉2y(?&7I{[g+T(zmGʥ - Д.ΚkbR H@ge1:D"b :[.'P+L4 U=@7֊8D;T].E ͠6 LQm(J 3 .ǛNrͭOsM|Scr^CR_T(ft<ҭr&[0Q욘g.9I7??Ɋ_×k$2ʒkhS 2֓>;kjǥ%.{mi?'[P_:Xɟő+0'-kmmjgv9苽Tr\cy2QDg\q nm>se'H@ٔ2T; Psv!U[cswĝӠ,ӇF_4j'La41W2֩S@6C`=/eA ̙ɻ[]xL,U|eD.XiVWOa>w ˗F>B-Z*%b'l JX1FT_h«r4P JGi$!?dچ&k8]^ts#h. 8,\g{ѩT?ΥSruZ@_!;}_5^=NVP?ؑCq5pr J,MvVLsD2L,FTCn V%}lh&uQT=봄iぼوH$Vq} 8i%AȈ6ɵ{ /B%xŭ__07#QCXbzoV4pSv<.0xj*cw}=m4##E1<Ϋː\V֗zdIDawM7 f>ߜC]kMO qXw8Wo*}ʀZc t,B ex=hvt!`'+sJy|,it^ GC(dtJ7o^Q?"> ou= %Eܪ`@_~(jC U-Kh'3k;&oRϿE,IHCi*]o2 ԝwqcgUKG}E ]geˤjϥ4 ǃU WZ w2n1 Sdh.CSulr5B*Q EXc!.hBNRHݪ CZMDqkx\N_j lUC$j9*f7jGGXt9Wo/q T:@W&Dq=dm7%bC89F3qڂk{ ZЇC,9FRWᲳ6r6Ox?Ef:PP ~0ϡ`FMix6|ɷl2Kڠy[v()A|(.(pq=ʪj"w{cZv<՞ݖfsMm Xl}!BV|{V,evŧ}9MHSޖ F.39/,i9t?_v{|qy`AX:'YlB.lWWŜ1F9yCD,{> -U&ZU3hY nηsy} P3OH~IZLkoާ9CYXJ֟}qy`;j*\Aqoh0Kt_F.!&7B |]ܧҗ/Aբr 7}qJ*A#7P~O)mJE=}?ePtME~iS7{JOeW-eȌT2SL̷v]4aXZ XP kvm\=4iN{MSGㄭvV*MbSPbm]g`ɨnQf [VC^Pd\0fXs K d nC+j.&Ϧ _!1;M]sH>B}T"Jk  \&p<\RXS[ȓ] 4}bП4.)atOsοt7EQNfiOຖ#V! ԑ Y$]zVbf8 @^λ-W0n0m4ңkI\{I-^3:8J9f'A!dcѤj?_zB#d8Fgl.C6֨{Qyz,<'~|5u| euFSbΡJQ㾄lq\PϤFr\C.8PvGl7VJjDc@&M@fOL-A 7Pmz3ؽ CZRಸBb:^[fQbQ{bH -|%bKtmp3S0~f {YyA0Ίئҿw~ gohJgxZl>ϖH+ V{{}8GCe[6<,Uh^"9K,3(tF\H3GHH0Z 6PfEFjUEZh"M=[%=<:BWҰTCZU-Lke0OD?'m{'cHyWDM2'ba6 '-/&JÌ:i>@.kǼ@3g5~{G߭S%` yS$骔:ƞK`鎞 _D#3œCk0y7h$k&b K|$G_RHEʗR)wXՒp i9=_!^yNf>W 6ZWB,BO4,83uCz3|ւ1eq#Оi.㻡얂+`:}$P}/dXzl:W"~Oh?e хk0`I#ʦ&iS B Z W{ߵ?X"q'ƷOǃl+3\,f>'e[Erd<,Z;VǛ$j;& @O8ԙh3-;T:Sj٘ӛb2 w[=bԚ|nܐ0;{ p]7h}{€UâeMs7.qfG\:IMj ړvPklgbǘg}ϔظp=ÓIG2Oȹ;sQ/U~;`c&Eo$HAn[9rnS^]ěXܑe-G(Ɯ2-pム PyEc sӳg<9~SK[*8n+!9СMu o3>e1WmQ^8pW{9n] Z@N6`%ߪ8^;%:Y eYA{լyهuoãA5DПJ2OYf @ ȗu6$w }K/͡"Gb6+J1Ze`6ێ(_7 ֛8$?8_>R'k}#x, \`g po:fK 4vGyKt2 gpPϣ܉OOB}&)LlrPSD ޟH3 yպpŌQN#gEMr(7QtS-B>ZғŶ3ܡKaV9:ʹ}kwnT,Em/ָZW:`1*53Mt9)%Y R_9z)}>O]S3Px8{M%-~Z=7E[ap03y*`'p~܋'I}|VDr>lVزzpZ :Lvc n̸!+dz^Fl&w;oC 8guQߕgJW,o<@?5&BRۍzD`PNɣ?KzϢˣ4)(gJt96} RCo63%n؝ߤ٬Ml^ Yw LO`DѲ E/9FY +D[;!fo]7=oLje23CU ;NLm# ҦKշ4xV|Hnt6׌doʺML擖̝V]t@3$Ih̎";9iu1_򗐅cg.Uش?/JhZrnI.[4h%=&m~e5HLu2`(COB޷6E#%TN!ppX `RL5^(Ӻ@˻@B=+*pZ86:Bvn;8}c+D6N!5'Rq 鶴&2jY@cG#XL&]RM/ /9%t;7<] 1 XѱlȕHp;Z;xIbOS9{pbw'Ѳ()m|\'^pC(确kFFU\"~qisE&x'195 QlI.jC5Z`$]JѤDNvdP|˃tH}{_*B=U! uFJF6/={e~4m۷(|Ῡpvb\p+ agno˙'&C.yz"ަ>-;"fUgֽje~w0,X!B N 8vӜWQ)ªKeZYOOyt?$70D/l-YזS' 5?#uI}}Wg\bs+_#Gln߻`+v1ӱ9532L|N!3mO3YSkˢ>Kpyh))H5l`2>pʀx0h,NeG!S9L~~5gКȼg@{KaA) +,fG\F:tD>%|/C0`W֢ 5gEieg9fh#Ə?H9~eQK,OAaz3\gUW/jJP{I\9^e._;"S};RwdBHB80P}|k76630"%\݇>$+Ҝz2>pkah#$y43ݺk#"Xՙ݄Q[oWWKy2!i4c*6qd Wk$stgV1)\vQ":G''#ȭI*LLH* W~MwK@>c X L*h}dк'da/\t}z`19) wt1ۤlAۧ_Iyf VyDֿr27B!?1gjs3.L*'ykF!5U5/N+g >aq'V9aO}X `ѝ6UN5ICXoZ+ŝ!>2|e@=~)[%'BAfjc`؛mizFQmx0O.0Ԭ W6=}P;HʆbLl,bQq hv#=#Kw1`ڑϴd>\v$\GP^fw[ dK9UԵrmSD<0a;ȺoZU0J}Jf0x+2C͖\]D3dGsqQRʡCxy6Dd-W$]b9VOeQA3$&`ȁ3\3/r FSZx.Zv~\iM|S%MV>zru.q[Z;i(֓ Ü @{ՙ#SNG$$]̐nwsu0=hO=ʝ"^>6s@nB5Mn:Sݫ,dtu?f:[׃08+f 2W2җ_1G489bݤH¬OK4n ] V:E;HxG 5!]U$o4dBJ޸!` f/K`B:nڲw*@ j廇iv oK8 %l ~Tg]&]f9ܬ.BЉ KRͯ#||cڹξ6|򸌥K4Pǣٶag!Sa`nxWBBGu+JW[-~ԿIi.ՃAߓLC7M^7W 1I.$6I؊5t$o?+#JŸ;H߄-!ǿ2~P+}CB,#uݵS|>sxf1/Qv"@m5yr ?NI͸S;ʕG^ %'QLi+JG)e.l44`.ί?Ƕ[T$\RO!dF5>Kg#,; >]N7@Xo" ]yn oiju^yT%?'Z%hDUU<`6;,6bP#GY#Ʌn iG'umMBz bfo4Y$]Ǡ0 ~m%:F^1c;" }ypfz(L7m nxv̫Aw :\O(dcqv)T]9>Hs!M,~j=4ɧkFueXuX|uQ(5VUUBs6#$#$ 8D-sp2/q_& ,w4\*uXS ǵ'~T>6 ;@jV/5A9wxv zݠE_apll~^?~'3~IT'2" >  si ,wzmuouEEǾ\6}1O,0$Eh>Hc;%1ˀ\v˯wwADזor!"IH;|~: gCl.!t"CXUȻ~jM9oGAlBT>'훎 5@}_C\bFt_y`p@εN(uU{C "(V;~ ܴPHcqt* | ' t=_i,sH\oD/]O(TnH#ea} QX?#]ȯl++QڇA`$(@DoSw>4ݪ<љ"Eonv__-QM ՗feD,`KXa'Ւ(>l{w=շ ~^11菪8x*ز-|?/=Cj$4ӹ R;=A8{AM:[1?tQ_GRZxG%mك> }~=q.B uTmFF95`(G,O.嶜nx5 G#ž&C pFjnHKvWl _+ )9A8s /DDniP6tͷi|76+ckCD>?+Z2`GL ߟ3Ԃ`!|>)V{L|WV ! wqrJ.tEJ=-CL Sn5Փy*RPmgPbηteaFc]akEg#ՃtD7Zi-M85U-aDS_uFzw=/rRc:M=603 #F%k; gD~R8sM?FRh Y5|םnYtC9oFܚ{Bx(_&ˡB-}5ݢx݄ b >R #-y`R#6{>'o΁?56" BH*<}PhJr[䄶=CoZX,BO:?ʊ?xjq.+zے=h!-a͍)P/ʣ NHGyr 8iɦ0ir. HWɊzbՍRh"X"نܧKVgn"Cx:;Zcٵ0&~!#`bҹ=X<TZs -(ҏrNucQٳ*OpDa$BVZ:]3%lR+h'q, `CJ(jwgGm/ċSO.73w ʃkԮHյ!ǘ%|Rf BRs6ӊkP1/<-cӜc1Qcƫ!TPnvRvz4JxCƙy`UCkq5yV-eQ/~d+5Hi 6jPc-J$-TzvL$W[F =>Ś&$UN}"/ *ixUgl+r<+xB4<δ0ĨVaiymK_0276soSe0R˒s½7}'W4"!g8K['9TIB(7;)\-Jq 8P>=)>l,xGrpXbd ү=bcd^5*3 +|@wIiFF.Xq^BDlڏHPӔŸE%x0kɳ+͘ˊsWHTFO@(U080nkwzrXRӃE <1&/&5Dӡ|Gs41yF AbhDO8ӻN)R\c]w %w8Nގݝ7-m%]j4De^W bܤ#`^R4J 5h)'ͼ) @c]qiXS͆bOt; G&Pʌ9y6Շ!;شxX ۾m}k=SRt^YFߊim O_*E18a6bK.n&Ξ+CdlL?׿ XFGUW9ͯɜU@Ӯ'E% %(FR}Z.Or *%$QR ,K<$ӐV~v#&(˲iw$,%mm3,L²CK!ȉ|SfX}HҮ^q^H5Gk^OT)o&1Ux?[HT%2_]IF97+}C29(+dQ+&#.>9 upk: ,aJx,E1x=ʨ9GZES(;%>Cz!.SXR =KqBLjVrAn7շ^U> ϭ}z( fdR[JeohXd`)3I#gvNS?.#]SOCV_=갇/0a8XZ#(L6;^L4 S<Y,yلkD `)Q.ycIB{"Θ1G;1Ў<3|?nHM,Im +yeb(א ?Bc]*c=368zdW9{t_>.*흕}SE:/]^APǷw@`&0P%@**] RB`j˓SL(e`p񜼦)(@i&M@|l| goP`s\H?,2Y J\pigH%zg{+Ma //k/,C;v oQ޶7s$DvLRH֒=rk/9_S;AaԕRuq/KH{^{1 )څ[jI'CaDoo)L]#+fO) D < ;t4~m.\u0(RecK~;VYwFʱH$;|Xs,RR6_PKM2s BG)8$NS_%y1נyU'D"5磐Pqĺ 0~WiL8Ju6z=iVuHpf!F֪1ct^c{qbe؎:L (,5f!FeprK[۾bc[`Q}>j"5B6^R;Vxh"H 'q9JndRWUY}<%R f{Z[yD)/[7-Y:_ݑJ.^-&pW}-j" mBP ׹F:y{Mvԡ !/!D$7xY$I x  ` ͧV$qL\j UIN*<NlfQdZQ KtvՁxW7Tgx([ .hQ·Ч4bEΪ<,ɂȷ|bE,AwT |^s+\}JzRjog,WG87ٓ@"3ĩj\d(1c2k[+]76l Mk;.eU*C%]FĩV$9 $œ5LHI"đ9ʤw}\]6gvx9$GtF_ 9Ȗ;t+{qv_?) "8C7Ԉ@(}$}\xdž:ţ0@!?@Tgճl<2[T)tݔ/BqхޛЪ-9dx1 t-M&σf$$]Y>2|ֵwͥ%#Wmrok0 Ҽh 1=CkdYmN7L!{f4׫P-`R&Vʷi6dg7Û, Ȳ&""N|#ohg4?֠IOUF,ήވ6'{w\煶MVqsRm6sDߞuyELJL<9Yu,,? cq~*g9.:]&=7<-XN ŋF ε?m݆@MiW̠ڰ()fӾ=Za4oբQVG,<v$P(e2DlwTtcR'bK.2|q*a+庠&F2 P /&^YsaEXti$g[!g ~ Ko-uą~Ӝ"ʃ;D%\wr3֧&U37AWa2 pT~ 1ŷz᥈Tw !"%\pJtȨcG y伐W0@Qrʣ]<@18NDɄI^HcC$t߽? z€ UNUR4Ad7A%RHS;[t LPvhzscƾ 8'zb)'۠KLΔTg?g/V6OcӃox۽1 lK'4c9ӵˬ.ދ`}OG=&"H'6s+ϑ .sv@m =/d aޚmb $<5xJyhwN.*HYPsY&&x<ȱq˩,%ZՐcTd, ?S\ÕL}H<ۃDbYRB盆`k"LӚZRZ{}!mFXt#{ƦUogRy&W<#+ջ.F4>tK|Oʡ SG,K/Pq5z ÿ aYZêHJתp^_-djDY[|ѐ]£K2Ԭa|̭zxq7S•q2 >DgG7)R QX4S'u R8XIywq[ڳF5X?&Glt[tg_fyy@ja%&bs Ɨd?]X/_BTgP&\@_OPbςZ'7*Hj]3S-h3?+A*=m(e9z%$ZZnKQq|hVosųrӴg{ThqzK6ԖY r_( OQ2$H8T3x}n7B-EA!yϿtc˪A*0Q2ӛ{7O 5ϥZa0\:Xx)uĭEs$"$4.ٺ=j9 N1 Ɔ>eGrH"繶|0X D*2e|5Ni+#O\ R+e>_߷+vs:gDl0-sB u?KygXB#Y@$-WFb㧳*:?a ?OWSlLAYz1I\%D+˟PXkOptz'CYMIu]NK\%c/Iw,$Y}% OI_Ő  Q(dt(U79ka V9€gi@Kijc-Kx*ଡ଼jP!ɚGD f4NVLǶDKF^Di.1;dG6|?o [ Aw`E*nx1caŹ6?w"+^4yp72 և8җG~K~b6 hLd ^4-(⹊5`/3/@*m(Nr"0.Gm5 q;ҵ~}/B1EJ^{3Qzcw r;RZ1 8Z+[&J.E7W.D Ja\5JfD'9cm35OWbVfX:hn+vAC:{Ǿns]АX_uV?tuR|Oo4!grmA؄&y "ɫPEӔs&j^kϏlREf뀩T8 vl!}0Hۈ `Xu =LFαN-Ɇs"h&96أ ( c#"# uxToSlNek TgF4B۱_3'koz )9Fn:=hNπ:V$h0Չ? ʗZt]BkcCMnh s7tAQ_Pv|5y0'dJ17~j^킽Iyh⊄m>#u+=:W4<%.OPw a#E3H6[fX_"&~ kt \zГJ6&,,[˂HPc8(}Dz k1y]@];6y%aMZ4N*5 iB@9ه8aHIN^ZH/3[ZC08;ӂ o#3C$?խM=hZjh=&ɯڦId^:|BƳK=r9Ak` #=zVBbi[CH=Weo=!g.2jXbaoxn=\ʭr"pX~{s*E+'FrɰwE vihݤ7ھ-zl_<).ޑ?{IHt&X7]) "ιJ.2ow6쾢ʽ&?mmf궤>oO`dICLNB77&C0/x{vquVs,2K[G/9Z'9YKu)_wiZխo8>eXd'`2j*~N(!exZx>ũӪۺ=-uf^z7=77addg_5gt7#hKϤ>1WфkbJN #ϧg줈 r?s^ϋ_X`ƾ@/ȃ|'8=QɷDmo @1  zk UXqN{/F6jR+y aLegU-ՙ$"!\~$pn Rۈ='[:|Y_H@ZUzn>~HA/)% =sØRP?t6FIe3ˢź !lPfIPյ;]̝3ߥ]^'0UtwFv?qrw>VTOR螾x“>1r>SEn+\v1ژ,ʚ|m5k_$$#M/ Lf)Խý:mFؼ 0DNAT+8ی!=&qRݝ6]H~l5=pX7Zo&IF4a&Zߌ|β`ْA*xl77#YFhX= 5or: FTv Pz ?z{& Q?;L @g& 5xƤPO9gYRdCHV=B.f|jB(_Bi`r]G5:  SO:wܡfD3g,ٿ sHxc b}7i2ӌ l-Mf,U Ȝvg{(aDgRd&碋 0n9h&7|XQ 8%iǍXilα j+m:yJGeׄLo*LSoxPi¸(9Hf˖bt'>us>@iwqĢ;$WPZP)u&кDO=ӤjC#]Y[y9ゲ lS6it(8esJj9cmnnJ|&Al#rt"w5Nk+͏}H}!բ eXO@x_c-LMHvw`˯γFcoK[Vt擬`XˋSQ5YbɱXKM08Q/&^;}Dm$/ W`@ *hV~R'=Ϲ;*>RMY#rꁊ`-g]Yz8&?8Ad!ԁv)Qci&Ko[r`m§BB;X(rHTQL8"z8&m2}ckV *RI)ڷxU#C\h4nÄEI^LjWъSSjHKoRBw !RF' ~lYh$XJ[mfcf8rPDݏ^L[ rV,1gfx$PkB$$(|=hZ(!KM|k]z$C5ԛF7]P&ÆXrMb񷦖et9ݥ> @H}+pt zRŝ$Y LL ml҆\c># "}J65ڤrB~GoCa`|r5y%QB ER\(v4?kPl&*e)QO,UC'hQ,-c +o1Ha0hP: a&,[Y+tfk|Ռ(,gQlT%#P d\OhȪ"k.?ZS]y$Ӂg,]սD72,sWL]`U(O@׶\kk7-u3+To-SQdJƽ|W/MgB|ɗtD*Dx&7 tOFN Sd4:f8K-Y ;ojLS^)c-iCgs6m6$fԃn@+4l {]סgMS@P)kx8 9GT}^?< ۾@,͋TlR*J[Igtm\Yɩa85 !r@W)H@?\Ehgs&buCY^ ۙg'å_pt j} Oţ!ewtn-O6Z!>"i=2Te\iEiy:?r2qd$7.&R+)A?1 ez :{nQ?` '2V+vIWrPlU!`,DbYؓ|̟ q~)~sX>V1>В^S MrvIAb7IǠMց 㡀2oIheյ2ZCՊ=>L+lLf9|XmVz0Ɉ2q͂ĭX&Glg6e>؊w@ _|L}gAYDEg'_6/a2^`R%cvU[62GG݆a<+;GtG?2I$#yg3ϨkaL9G= pMVاW7V4𛁍@Ӌ`, 9?-%'@/f%Ch*`u%]&ՙdL]B[ mդGwXaP{ rɥjkLƗ|b&ntDcpO:gʵ{iBӘOy#'eJؙeSB1be{"BFu QɃ,ڳqa$i ~ WkK=^p3 mc`Z8ogUڸGH+Ƶk2w+OS]#( GPt)p^zZ;}YlYD;z41hKm~aޢ Dp@Y~@$/$l>cMm EX+rc L4lF܎ 桚U/5rad6G,%4+D:FTW*+K!| )6 PoHQv#[̪});@y#ԅ[7 o(2f&Gc@ ?]YOS4Y߽%֊#WVP@WŮDZt7l ՍOu#W˂ ".ƈ)tT`mxL.S{{R 0[v#$+dCt'5>ӆHC=EyHIh߰My"gJ: UEς QT%RNe} zǬ7>u^wՆ2ҧvNUcY 9:Tޗn֦7HxCT>8!>pPEx]೻S`4o^jۣJFUqKd/1NyДQbQ6:LC۪(xsT9Ao;1[AIH:Y'Ê,柰pg5<{X[Xm!V;jz=KNO "VŢVzq昆smqGAKDmB$ m: )̠~HwKDX sb%hoYL @q~:][e}_xO1/.!VE]]O ZYndh4F]Fvș=&`7$1H,jYsX܏UZ.e\-Ϝy-n61\wS\

.')};B{w7ou.Uy11]PTC R;V˼b}M[_VM&y]L{TkF31r&엽&L:&`7^t!)x0#<_{n*wZe{y-֒=Dql2Lǎhr:tzߗP r208>o y| }rg̎o-JR-WbwNP|D=H%PmM5[u1%Wz o;cb(}a5NؽėKZo=arVrV`B}~u"@(Oj蚹,!e"ˋzq.p$|X ee4OH:F{'JP5U*ZqZ^|BɛW LI*ܬz*{q 4,ܴ@| 0|耱WJ(2Oʌ5[OHYw?ˊv"L ix_.8tXDlFT4 xr$!yKB] a\F VZ7ixjHKAGАѠkw̉ .{\iשIA{+|_tFa{'lf.,+/dN*; Zayg!8TE-쏪){d8ҫ%̻V=~ğ4Ncc }yY͜JQ 'FG|Q y\i4%пF-auIX }џA[H]OVM[6cFl>O< xg39lOۨҀl\}śzEG>^, j4HYͱhXΌ5kۭW9b US:7X4?ðG . KXPP'-rpp0Gυ+ɧw|NGiU`Kȱ"~ 4(J8X>#dxDYA7j*9t 3cA\ѱ~&sgm3 )zEkglT3 @`) ABQl7T}CW8{vӴ`Ȫ ;.!#EҩC7kOhp!` B:WU-;`gʛ%XSuGϤCM_vQ\4zsKJ3Mrf 0xy$?7$b+of_30z@ \ (`uo3 ͚x{q 56~ Iq`4WC6r6mxEaӎ*ӒGu"^GNT l5k6xZvyrW!w߯?-ﳡŭ|dK7 k*@52.o72pG-]٠l&XTC 0`7&6:@YBc&J =LV(]23t%}KЭ׻z"U7:l4c1囂i$B{Z3n)|  * n|EGJIgH _M|>wNp@=r gXhq]&s*#(K5t+̦ m]pd} Թ{?F&,A+'2HkBXƂZGD]b_fΣ3:"/[$P§9 [U0 ڧأΛfb#h@lX?T%WS ΍F{9sc]ֽͨxxbӬQrH'nko-cJ0Z>i{ w"ȁ9ę|$J]a7r% _B̂{vEG;^.q3朇`h &H  Cy; O~Ys> mCE@){p]bBx=Ar} Y)=}EF٭dbGKج_JL݉4fi:5iQ ʪ%l !J^|cJTvN Yd*)2k|_oǮR z^H4US$oh1'Fi'4cYM *hV,c޽1y蜸98^ьH̦P[Tknl B8$GtVNrL=.BKԩu%W]d.doT_Uz>Xf^Ӏ~״w8]HMqCD}2fAGOŸB@Rz _9k,zIsh\?WS"MdZ Ejmٞ0"c N2\,9jn*dЋk@%QHcf80=]Ik~iSAq+i/Svg{uى5TO$2c)DlZvw Tr3\pSHHl0a9Y'%@BGךP9?xx _!9swia7UPNpg0,|<(j Si/1)5:s*W_탊Dr e\[[-kQ}刽=鶮eO(5>7p,,TAE3;z$\oȋ#P.`g) L8:]sIi 6L C;zjBL}vdݣITBN% ^Q$ne" &9"Kx]APA/~[UYxy?3lth7j7;;o"̃IsiIIK'ZJנ/][[ސV^ߪʼn i/\LZtykSd˃=&'_4jiVt.d-Pd&.s7:q1<)"BЫB={8qJg:$Q\cãx T*ok][cL &c>% $ Uֺo?]m||of41Db̳'ђ?W pZdeV >zI 1O1HvŖ@}ȿN&=WӃCWVĴERI<[FtJ+(dĀ_.] _({_6oMS7*t`վ2i'DG~[a;$qZ1?a.Er-L{Q74: sVʈtmTu&-(ZSq<&(9D[LuUO<,]j&B׌YpT" 0]V %nsT 6˿e4;;Z O6=Yk_CFLpv%Ve`/!!>ע]kLaJ*G AOڮIT +darohh[45c(.A! !$7rddnOHB#Y#pNS‚_9O >~5F ;~a-!^s~V* Q2Z云ꏶ7BlQأS</qtZx.Q RtދUn^ >18 F/`hm*L $IoK\RʂNֺx{ EYz{IzFeMZޢB~-0e?Sѻi>e5!:j9h5\=/#[D%x{}!eyiw]R瓎ɯ9#0{AxY(~shfAFl{ی+C BP}p,Vcߢ[CW ʛr99I=x|t>M-<&j*%Y`~P(8!ڒrpϮpl (7HR 9QѤOSğү^__9Xr{2ih^~ER: f戮cc$3/s}cRZ,/# aj 6ǎ:cN `b7~ɚK+kNl ku#8x<Ŭ6\!`*S7Ќ.ܚ}굖ŝ K{& c&Pa E'>qKqӖn( w3l(xqtzZL& ٽ 'j5ř%u%_cF)NM4Ԯ5 !DKgGײK%t;Q 8Bjd-g݌%蟵eUꍥp2W.\+|Hj ɻn[K(;KKEDaٟ Vt3/ũ?uBg@tPL]R8FO. zB-"Dw͔vk ۇw/̉71<7m#?yյT@Y}bZȃs[̉Ō(8M@cѡCkTC2KG;UVt d>:Ԧ#9sߝЗv^Z.VsirGFXa~"лT[۟r[*M|/|&0>WʝX⇨9ҢU> j~]OrϻVruH?#ߚrGj2Ќ,Y"pPWj ?ge!e.$ComY TCr @7uѩy "oH574rY$[Šm1М s!{?Je\h\z x0&9?˩</+s)3blFNu a}p$)۩WjKjY|Y$"kA!y9VIӡ~s`֙>fVdx-T $ϛտTR\l@LI9o0ٽ[~\jΥRw4E?hO,꟨pk0o=BC|} DġP*T,$JZvj.D^9ٺd/ral7? 8Xȃ8!i|[Q XZVˤnt-1|0n,TGqv24࢈ʿPzMC<-i;IDT^4i[jb铿y,9ֲ8#/}Hk1yXatj'46 v "U-ptTfoV=I9u:OupRqpRs_y .wiTB ҘT~^Hs1]oN&\WME_&)@_!^)S3S$5#cY7i7R@p_Ǝ* v6XM{vHP\oGVa6]›WxrB:FVi*Rf=jLC$؜w{ظ+aZtvHm݆jq@xU%=M0,'NDrq6,p~#:dL >pQeL/0'gxH@6Рq_p³{B%V zus=^rWaOoɪL\)1$`8Jp-(qUG7%o|{[p )Ynh!Lpt}Ԟ_F57ԭT W?._2< h"zhD#Li3Fd?'OrY!-$j/8(uUY@ENFάJ3u'I]z){D851c1j0lx+M'Ck<}7|,4D{hjy~Qu-9F4+Q5-K*hG4fd6ņ3;VSQ]nwHо f70GQ3׃E5vh,/2h fTW8'5ڤ2(|։7xG<%EskM+*d7N50X{7 V*Bl(TBrcT8̗z`[xL_*< _gNUI?K͋W %Iq{I"ȜDU9q!gY6mշszGcM̻RvpepKXgw}娣1&pr6oaܭ{Ϗ?H t@$YekJcFݠe/_zw6©X޵etԥ0EIinf)Q吁+{sCXb5E(VZ:48iT_NC.ݐvA\ݾ3 C̦%9bEpd'#N0a]i0rF^O@ږ: k凁;BJĻ*>ܫצq;iO"6AUpSVx"s|>Q/d@%VqcUW(XPVM'%jq")8=_"xk]Lx?"kwN€^xOv}`zDpl\G 5`?dhEN ~4b,'~~T0 Md;-}xo[2˚VS|= )[eR-!P(+Y,W"`͟V.@T &]ʎcϊ^ْ%j2 m {Ք 8FPzK>2e/o#>0l~B%Kh$yFj`PEip^ۓY>ЕPO~jK|X]2{A^3OUa.CB΁ѵ~ث^+Ão0ЧbqaS~_-8hƲ!mo7ţ m4.LEƿ`Yb0jH@F,lD$F5<Ķ̨Y8 !("JdS FߜW % 3sMSXuğ[B. ͍ nE0v~3i2~|Hv`QV>LV$#?#̙'OS9iRȵ'iu#G}#F8(4S޴]2]pT;,sa҂&A$cgu`tw-qЏ"'gNAg7Lc׸7k6K+xRixqQP]~kl y/ q姯-4' eNt/ZQA?XY];z6W]daTb)RsحT~߾yV&Lf[դČ:}M`_O_Dx(H̾uNBtjQA+t_ۏ2uyvc5:oA/ *8YƖaut{mەz(:}! s~-HJ5FvMq#eKG ABL^@iPxly8IdIisxF 1?Qz4}uNtǦAo\E<~O+77FTʠY-$zz8ߜ5Y V\.ƳG:)R$y. `g~ofTIYf"ndlDeDV\-:%&h,{oH㎝zO`~#*5UƟAUli1V|Ĥ(dF@o _Ƌ\n5)Jv xQ^Έ%P*GSSb} Ƹ-I C*(cuJo.rBK>Qo0tXj9 y; r3`릨0Lq*xs,͕Ǝ̳G>qK+2M(QDG #\w08<4;עV{ :GchR@qKϞʽjsc)JgTˈޓu> FȈk{J ԰@OkC9F Zwd.ϵ^҆M_I90S/yAkTM"/,,C]gb8^1-r-1-C1a0 M3:=i)|3M@z'7nײjUTO2U<sACOd*+' :3;hzws9g{XL 0"и{1 4sKda^t2ZYc r(OfGdF-M!̓s揤e-cŞϟʕ$P }S7unHxeuCv ³ 0Z63ԛJ>*^c]_G,GHXJIPh+52N.S߬4*4z. gKWMc@xOWA3*B!ԽFT;xzo+ϾzLhSNX"|5~;AX#2z|,rﺒ6LaXӚ4E= ͤ\ v>9EB$;L٬'B?%R~ g.e)" 'ʥ gpS Lrq ҃aJ\0Ax<ɓk#V܏_IA">^iiUƄF]!]z(mML,1 dJ.JS4KS-Qi,yٲpqׇs6*icwLl>=A;8_%:^'׫i;0>c׍aWP%QAK7=]O9$RXo/}L+@.ĺvXQs)LhSn,I\ 0Cp xSJ+B7DcJQ?FV1ʝ8ybOL5GتXx,4^=+T]xRnJh8u"YI7A6h 8d+LlͧU'AV_(~'qʣX p <V޼;ułA&! twysQH&~ܖ&9_FXJF͞ 9 ]!~DdW/I2j#Ƌa:i '@flG6e­$s*PȾ'_ $Tr.U\yH- )dGQ8vjKu0fHU? JGa/+cS)*}[#ڰAun}'Z#7[".Xu<2m?uzD*D,NmVᒚUs4PKw#$ynq_s0@-R)w1s~Y)nX2={>5}̪3L_aJ&ؼ 3`GQ\+N%Ȁ\kE)v RLgzyi3^Ɗ4GRiw q{'&DoirfIBkݜHY8&n|#HrpR[ X%jq?J>8`VJMGg&H&KbUlӯyA&m2#MbG'잀|8yq=#!7}S.M hڥCV\{-gDw.o5'hlwDݯb/M!]n[|@t' ]} Dr6. eW^p^RI ZK6CZ[g`Bcz:vYc6^i@ЅDB{ѥ8UD<*@CLap1܊h,yTWIڒWAhRIt7ߍFZʆ,\Tό2L'ywA${PfոLXQ kN]Lu;8r 71FWd3-Y V;@ϕJhS#.D;4*w3x\Q1wnCD~Hw0#|ܹ,'syZXx3 ޿ ڨyQ `?j卥!q6.ɪ=hMvo^LLr/61lJ+py< & |g&1z@86U6O̳R<KLIF(@ .T/۽)ԣ^^yy@u8)Hnz|NEt ۇG$kl_ΆZ2"̍⑒܋1НDvk bO3O=1JzA4mRQjP.9yG[M1@%&e<}!gF#bB[<tZ㸺\Dj`@m@FA4!#Ks;A GO6؜wIxsW,{=35 ;ہOlc@Os\|  ̸>J{B 3rJ bt#QgڿX5JmjOi{^d-ܹ];G<Ge7 ;"bTslp{6mhV֊t/'9E1~/*/=vCQ?ֳPgAqkh/TmR YB|1=VGE7ۼ,sCB!8:\lslPA vuv\TRZg3fzlծ^ OX9 l )Jat]{dh Z l*Nc.`rB< 6-N[f]NB (V%}`z5d0ݠދ5+'qڵ9d/cAt>ځB:N]_.b%q {6_o.q)E yJz7%}DeT WR$dU yDh^`80ƠEqo/UZ?Egѕ5 |8ZFə'U p!_b-K98gXzbc DouZo=B}+~3y9\Ç}1ʹC,Ze+usYֿ"yHmy}X)`ƒKp `o+ !M(>Z6lUےw20Wp@?IxĜS9,3b #jTD/5uH.[dDz;gJdK gJPZpX2@#i<-鞁쮑!i5^Z^V8%.05N|8e_<ĖlR%p zR UurxbnWA>B#yrY/ժCrKNR[忠'E3ʲ`:^-.%2+ٜ>︂S]:+B4Ь}8/eTrzf^Gvm_"r d } j[TU`/QKo9U UTYߔrn<`Ӥ8`pghy\8%iVRb7]&۵Z%RWUa9k\|lSdns](^?(wGH֮> IQMt);یP'_]OџOV;VBvYd5rH̪CC[2"ީ{5>0DJwc#0QTX*`CϔV;PO08*o![ @4,Zg[4GDd5z'b}NMέ)^ϿRHЃuq^u5^y${k"^NeYy)\[ u͢l 5䘻J:rǫc`Ng"bc]#ePQ0k9ډBds"WUPZtԌ%@{4[S`̚F0A.IUE.ѦݝӚ<|{ ~+C5:!zE"z%+ghA?R@g1t4U-aH|``xX06k#LWMHjf$#V? Δni(HېO)/,wM;yW?6bgYΔ a!vp5Q*_@cdwHcL?m F$'Pt9w5JI,;%V@Hf4-196iŹ8¿V6Τ+ZUj|eՆE6k Z]gAl OU;1+ڥ;Gvy Y$~1锰RuÃG.:N:ͅv;(P>8<*H{ RHjv"kڋV'Xo4p;0 \KߤB$SDauwb-ɇ+ښB#af9l2@9 |x~Pq)eY!A??)- ijdۘ蟷0O/eKp8:^.ӝL96A39Vr3 g1s1Z_/Y4`b%ř9]x4sCn`I'RkVyq9rfp"|(>K?3^gd!<twi`kē 61x&@d9ɐB(С?l[r[KKb򃓔inS=t1 _fx mnq>57ۓ=6VGsAhX|,}o$`h/%pEJbr 柰vLҥFYk[V4M/`Cb_(o%6TFi@C&9P ?` [+PR *#C_lB&Z j;m-5ĄlЈS#te0`1GX6_{B<$Ǯ+ɔucߵ0s } ;2~-ײXAPÈς$m>rb( f8$osEan2$wKvq $p [ra^0Le-#@5& nc<=">ИP^K#\)-%TM1$nܿjГ)ZRtYQƫ)}:4 G}'(d I+,kTE9g2֨NA=W p;CyF$!5&~JWgݓ-y{[cgOn SDtß|L?e/rیKBW{yyh0A53g58ZӦ⠏-x@gNx`VC! dEyp/QC$[F&X68ChHXr$,_!{AO56ToR^6uI?0Rr7VOQ8&GG~0 fyv S d نJ^;Mp=_["S12_A-aoVcwzm6q¹HV/^Փ`]X9#'QR0GGP8s¾=,\]Ij= 휥%"Teď>ާk1m7GfrKr#&u=+ |.CRK2.oI*ŚsȠwGR$>zhΎڿisCZ]7QO+e1@VA(xl5L<6ŦT,̸ K x/-Jb0^moKVG[K+D1mdC RJa>\/7zoM~6ەaw&@ A_]AlFŤ]2=FpM% DkbtL GNRFu§wDeF+_tv{8*a{j\2*߄W#p4_3xo2I HB?͵#e1Ko}Zm}rJmpupe2?%lͰ gJ7<ݓ0v³s@tE^S? Z8o;\JBsjlBsXFE{|֚U\4L S(Ё9fއncJxɒrӉz$eZaOhы*5əTݗ5T]kڿϜ4u]Sq`?!_*ԊH]η?Lʡ:NT}lo\.qMT*,oKx #\is+3;S3 RPZk=kQ}m֕]zEM(B3%'̴C W1NTrM 9cIL}I4jPD>K2t՘!L D6ѥ5C-Qz&ZWw]Օqvdi6JD nV%*^:LGE0A͗"eJ PmmZǰp=R}`U|G#J[ (ǙW# Cl4)G /Run}B^*(dktlUN;=a7 `Ċ֞~Mm! e%s3X]$,+n4褞T &ФGx&u݆+XJbx b#[ch,:D '~$ }/[ +|L@q3t6~|e m5oOm,4d+c )So"M@Sd!CbV^54I]m|*\"'TUyxFPs,zvwci}/Sj ܧ!. 5Np9+wSC V_6 uoa B= +ֶfl{[JcI2ogUJ|´/#lt|3lT,?DL'ͪ?mu_&e1ˍZm ٽr?v/ G#fNEOqu<"RPr6ꓫ!gc^/7Nį!R7e͝'blAo]RJ Z K_yʜ/lRM{TMTbe97֦a|Tl 5+)};蒌P_EkY7RNw( 9:xCKq1Tkg5lNP0;Rv5 Gj9CT6!T>>Ί]w n\kن!6Ix-U8v`he5l"+/?!L^FUO%Ɠ&ֶL&$o*h=8 ϑxlsr\K8z窒ۑ.9].'2eeb"OG&\]GHQb 4)]uu{ Gܿ9Bq{Jr/޲u,asss@r]:fu% Txo0kԻpĔ&-5V;<2&{;$qi( s$8PiuW/l2F7;VP`q"EHM0| dod)j7Ў[lF &1μ*!BN9"x2,MKM&;οx PYAyEkh@O1m"bM#ChuV"$ӏ"豋3aS'ӥX0#3!>pp:"(q}3  U.{pd;zD W^EX[q;Uo΢|8Oy'Q14]mڶ#yFdJA$&4lkq <:8rj]J[AK92ni4O37Ig$oRErEqFM B4ŻRWEoq~>QJR-ik'keVi ki9sq>HFV]@h>17[(#@9Db#ei=+7!;`,ZHjpHck*1-EAf٭ t ?_qr-(i+0AF^͸_lrW,/\MY4 OO3AF 3ň'56gNU֦9].T˿w@;*cssmxyŰW33UotE))xQ@~)X,"15*a (v\~~Zy7Ods%< `or(IeXZiAnT\5\ 7tyWelML 5Cm2CRQaE/ xP%f6 aLp3X$ZߙS%m𑭯լ5TC5wAN#b e/;H_÷9b08BOO[SySvd/QK ?yW8-0,yTcOf"DQ\X6;QSL9C_7||3?hߨ&4`-m; >9$pb׫l)Dɵc01!L9wO/8AȻ}ӏP48^۞7M~* )DJߥHZ;_(UH"v6g\fEKOV['HN\\kAk0$k"I px^$`vr}}h7#<z.ǥǼ2CFg%IB?)ku2W[čB-BIWcvfNrH}zE'ZcIi;M )k*eeGTN fe&,RPZ+7]2φ[vr"ᢆ}"AD9O{zPe`qL%m^; رc74tĞ=-S#1yʞ%6EڬrLՓߔ'>>1 FW@-NDD2N;(eʐ=ˉ>R}&p8M;5HA'YiǶ%j]mRn >aXiFm -^GÓ%ΖZj [b涝l`GLmYuyO6g`>hodsDz_YK⼵q;@Kծ5_vPuu ?ay/d|L!*ے00x3gB5y|t]?;e`fQEw.c٣( M)*A&Az^H~57%DyRz/'*D8YǞ!r`So PB ug 0rGjo1zbdܸhnE{̾XrGߢF^M[-E_~#XHc2Oso}a}%PT-M1nèނuU`s~ xJ'>I*%nc#e+JQ??]Uz|Ļ9dޙ^4#葻8PW6- ,YD d͜  NDh;r_9'_C:5 VzN1(7)dDgJ|֏V{Lߧ;<[-4厮>ʅ9dWx6[3U2[{. rǥ#. >pmR`X(m'Q)CL$"Φ#f~jvpZ4[rH i RB*aҷ +#ύTA 3MHi)v" 坋B'e=.&*fϔi3^kd:28Wݜ7UDb]ޜ֌DAvݏ;14e[QBdYLYģ{BH\FW[q/#tbX> LsMD/'|_QnUjz&^$d\>A@hc,&/@kh`Vn2ԉ ʴ:0hH'Ej -@+2skR!sW~gVS; K|hr}*{E!W&.m36gtixrz`$[C=uaz)$%X^%{]ԁ-vق?2A5x 2ėݎ8pdI2H} _e8@3* $'7`Ap8A]|!s89Vp+!vv wH9‚ ]آӉ5GLxW'9h2mӂMے:ڜ0I23?pűAwceMEK٣~_fkl~28|j`>+5s*IN؊x"vߨS}f$P #ܜRl{ tgy9t\W5#3n,у "n[vX>4І$vzs/Cy%:Xx*7g ACppzEe/' +#!vg@0NCW1dn'6آ%'EW'7 .@qS~ЩUe?:[oZgidңHe +7f);dq6YPUM۴;F Cȅ4 ` (!Ci \q0m,G M̨̗(Ny( +R' 1 y G*coWV+F [ #*yoEU}bϲluQ1޼86&r36 #JM0K\пg1AS远t Ys|mCfaqT*H݀R[١R95XCwR+&K;;bM4=  gS&7x t;7>:&R͹f!%^:~Q }7o_p$m[.6Mv<<4 |Z3"kYAe-\qeg5Di:*㏽MSjރFd91fY_~ ,Ϫ~HɶͶG-/"%͈@xN"9Y=hEi<!9m5uOPV\?8,qM#ƇϼrxR/Lh#D J\MF#@wfzPWG|8~ CVY5Xa}\ @5ܯ'NC1}⼷߿m쁧i y>-.SEE{L$^_ /W7_p-[ `v\no>tY< m||;}7̨vd4ft*2-8avf KxU$*WԳåcbR]釹9}PvS`5?^{CJn]ɿBϵqJ.RnB4loV-Ľ5E$w9q41g/]<3 ;r$72>Qn'bgN\Ԟ?.e''u>)# C`a3Vlfr&42F4]&1#R~iJ;6ҷAܸ]OƟRR>CYf3.oh`_붠镤nW<ꂪwD܍ N 4zNHo2OtjE_Ldz*nR`(&.)Nv<.٦/$RNJإ*zm#c³?XRݵB j]T3eE~kɤH# ;RVdoSlTAٝ +Pe!\=0t+"~gx+TjpX/- B0gLW["TТ/C ƪ'e!/lI7"UWOr. {J#C+Sږcm%tE},=)}\ZWm@}Bjh;]RS!rPXiB1_H[`~4i`!scOT @ڼ@@7쪞 ̩$H +?x)BE0"wC֭csaSI禡rhNO:L;50  wU}A'>:gbC>OaVYfE G~>%F7{<_ kpI\UQ5X6lڣ|[K YH2tEaﰕ@e0 =O{H/Vߛxy8'=oGKK0|pxV{Ѣ {K0(n@j G!L'+OݯL8Uӽ2m>%Eƽ5 q0AE=b&}dK*+(ٓcE:dQ\6xBlj3Y nT[o5|-fnh'^?61fS#D|1[@17 i][.di3ʓMaLAB[lG[0˯ (D+يdNfFH1;-f.cn%:g ];uCL`Sbw8eR Mh;<?luK o43dP&x~f$KIwWUnn_ݻF"i`Jv y@=(R8&t>D2 _v<$M9<-6\78,.G:o9s)"=pĒ *qaѓ\I. XݧQ} 2'w4NӾ~7so!Cԣ *: ()B>-e[nJD~ PX63H/Ef?kJ3Oy2-yQJf#5.^o~x-Hm \ C3]> 5j{ KNס˗_5U/vKgrk_nrvZ EnݒblmE%Deg[C kkUk`Jgl/7C=4,\ Eyk.(lYg#ͅG/-)yjnQeҧQ )\ma2?e,;`WICe@ef+ )IIo`@B5HJL> $[ BDRp$"tx̉gS[9bZs;]6voٙoq+-+`6cJ=Jn]& -Sء*-C\ƭxaN|L%DM@?h^P;b⣽>lpl"fD=/&oJfl^bMZ ]9 O7%ZE!L'%J[AeYQZێc=l4Vk[-gHb !}|gJ(i`Z 1} S\[wbE>B^uǠ@УTc[.Bz5I֬jz7MW/RvjhAfHRkG[lh?Ϯ:#&}1" RKm^{{ƀr#?uVC(38ۘ>pWR9[uHY 4«]r&<#o|FLUCٲY Ai*M^.ءBQÓȰ,t1!h?'Q&.UZqO ۆe V!NseV%_FLk ?dۊ4UNsxSxiU͢={KJ.7xQ xJ3&uu)[pN=i-.֒#3>գ ' m✺u }kgwkKAkR£bمf!ӿ{@֡HY09oL=p3S &?5%/5qkտK)iWaw u`˗qðU<-ت >ќz~_C.};˜Fr@φv-$=|*>,e5q RkZ~ve*bo!m$ܟq+=K0ߨXXKA5eKxr{")jE#652|cOGUc3ol;&qŽ^o&amZX;7ʿEPzyVKzM~/\cF-2YjLlڍ)u/NGG )Ƴ[_@V́j(TH6:h"WXCp W-Hsi{q]J3(U.QFb7`;,-IRG:"x*QGJo l,Q!J?#hx登 c =f\~M44j!+"`n2ʮ7G+=Ae#)('1F35M'D_Jh)Td{fG;Kmw߭m\FW~D @90p<.D.":>#[/3$ `Z&)0m a #G`Rvz!;4߷k$J"Z合% ~#ahǦ!]Ov7~Sob]stO‚|"Ľpy6 [6( qVH]Ū [W:/j C??|_S:}j;8wsgxE2A7Zz` pqCՅ?3SZŶ>iK ތ|/j++MFBSb)m{ge[`!*O6L0@tdk7pvзs59TA~=!PT`jL>f.DUn&TO#>CT.Vm+\%_6ZFz& ~ԨOp0}rru.mODsk8.F9&+8 %O{dǃkj6y%$0:lzb1mtߒoH&;趒2)<׊NGĹjOiAC:m01۶Z?o $6/EߙG3ԋ"5"l],^e&uK0 F0sUVLĦeU_[G\81v<xW`WTͭL[VF ]D<'\RjǯyCӘc4%RB= '8;bN,-3Ä5J/[^W\Qr|$1jB@х|Y!%6otډ۫o= Md{n7 Etn1yI{WYWqv!dV WM1zeNџ!q xVɾAUQ0`Ke-aqAP*UZ4~ 3KAd[k(<`oz6NOJ̓M2v!u2V-, (Ӷb?Ar.T&o>jbeM 㙏y[,yy ƐvF1?{2RE Wsth }ٍ6 ǃvS:AXV\>&}p *o )iX[&TuAg["McԿ1@Zkut`{D&3a>0~wn]d4>C+#sDt>8yMH%_ :ڸ-?"s-J)30 +:J-ؗBa3MA^ti&sV4juP VV1\~RМyxJcTG?F*kI>_ֵb!.=>dV|0ɘQ[6/^&X)۫zYT,:QG#[vY'!"+7ÔEFXͣrʚH {7b^, {m[V#Lf&ifBSIM@)Wn? >M:hƫ`}膵4J̌ tDNتzg FRk5;?d"q|O;׎l(!>*lHKLǨJkK;PNPkjC /w5o2YJ*TV e7B+kbbNV?Q$j($XR[;ҸtND4U+ yVHcCJsW>:\n51VWHߣNKKʼ6E\:#y}a )HjYiDN{'aH5%!ku=8weHEDzS:a c >S8]=ckqr c`Ӎ#~SCӳ8I{'M Ңo^^&wi2V7.kBltAk~"p"TϿ5!"n޷ec4驀%&$477P5~)BӨSD'rǬi!y]?D qiiy^=2<$*p71:GvO3t ~ /Ǧ Vmlj8 )'PX 0zX,}G~"V𭳀VYVvƇNI uJIGT{J~$eRëd>!埳0lu/j9pKag՝,꣏jiCN2ps|t%Ih2WCE EXJPWΉ)X,3'-[+"+_1k[,`T__JTg}/h&ضx~3/Ph R7%o(W*}ﴐ@Iݘ5eHnX¡=(K6m!3G 7Ҷ*CtVE"MLfy}}>=G˧cn jf D_y"E| [ƀPn80C8|lQ֐[QF]Mˠ =Y`LBR9=u#(~X(Վ>n-/Dй.L3\1 O@/N=d );rw9E{.! 6io ՊR!!L:fhg'vyP^ dN |FH I_IcUC s9AT͖j4TI.tЬS /uW'l|z'ӏ͖8Kӡ3!3 )IgP+?DcoHf 6\<=K$gȞf+Xo+潟xbUUηF,\?a,ŮRfi O )i`-4[zkXRЀ@JS V*f.9;8ڇW#Ks8. 5 Ak ۑ╚WqO`Љ.uefq=ZbvpYJS_kIRCTAuN`hup V +$: 9TVB*bxYн, -x @ rk(t%iJBfl8YNG#HOk/"FЂ#ox8EBxcP?`J%_bΈh\nUؕJai>eFxPoC0X"x4Irg&f?"yIE xڤkϳ`:r1^9^`A[3cok9b1X9%f溘 D: {=Jtsc(*?9~n޷akO~: F\'}? *]# W Z/*W6ngh#Ņ5JYd&T.#0 ['Aԗ3a?5 A%FVJ0hpzKڀp-cKk+CNj*$4ažm/ceB,.dLr7_ljOcҨ@_QinQPTNƓ or#]5Ӊz4ħw}Km6/(|ٯ860>ZJu7:F>8rFEpvmt+j:,t w.1$5{gg TǢbGFy̒]lLM!خ,A @ !CmUZٜ)1XQ: ES? qjC*7PT}Ή[*Hu9ORư`vQ"$=à Wڬ>?7 /Kb`MCEvoAOPK3nAg> ^9s1zbm&DzdJV #cpH;,ҏD";m,XW5rGh Qmy'jl d^C Bd5HxFH0ʖAYpa۽ɂtS[z%~[7Rx48 Ai;:B9b#ˈs@[M\zɵRح/INXSx1Q[xF!fA^ErU]O+! OA⎮8s($"Լch, ~[k,4"_l"&] }'@QPߦ;oO?|jYZ*?TLlqGpR[1R<w2c-e|ڳv)koG #7ȵ+݀R:EO޻h D`ffW]Ŗry6#d FK5ft7exGj<{ I]nk (aanD@hŧ'ͥU'zBxvHt]Rʝ+ՠ]3ߓ;fڜu {a, 9ZikwXSF|b&i!>3+M*oJ_L`ffΑwDmzP!N~TuNyjeqZ,:vCHE@P BwueQΧV#D*IXL9r'{L.3ݰ 17F|TyYɹcjϱ=`aBlbl} Xx_VWOM⎬5<~Y`2Щ:%Ud Yлdi&A,qCv?-sLx^6%A Y.DsL(D]~]V[{\X.ՙ$ 4s 5Q5B~uFf/1 <6e?jwUQNzn,?΄|y0GA6?J+8pChcz.^7 J@#C@WtTis;#], r.03ReX6FelӒ/s}B8#2g,AGwcmaq+ YqD3埤]pVlQ -+T0`9%/!ȰHP#kAp0Ybw<0) H+Ѓ k{YC 2aԀ.>L '0|ЁY.*P k5 ばg&N,㖩_wZ7R0MÇC!t -d&] MOU ]CCd);00^ȁfwYCAH jzXRYw_%CУKwyU x nfCe 0X'֧LnԺ;uI<Hn s!\+al@ @ocG :U,yVxOP >1 w"3z b w`di+PXOd`,Fn1W}l)rggg+'!yX_խ&]pr|٦^ٵ$+fj}AE:rj6U }*EvSemf[7h34δ:487\v*à_ꦋXi&r4Y,{6_+AT FqlE s! 8 ToEQrNQN[wԧR<7BXυIn8~{Bũ #d5{ óD׉ٓ3м+c#g!$ {1TF`ъǖƾC$_ELql[*g$ⵦ]Q,ka<᫞| #S֌O`5&,> _E'nAP1 &!)fp##hw+6]7BW~13 SiԐ(x_qzD"Z<=MAy~6s(?FJ96Z "Pm ݲ* V`HkƋgRkwQ<[0@!U z ff4{!1; 31\$hΒ@92V68:g yS#(iZc%w b(Ghk*+"2dΰE`/8.S͎Rs{W}ӿѸ8 ^6"#>8V4#(ɐ)q'(Ί"'Bؑz 4!'!;dԉ7cu4H~cŇ Xw[s$О/Y;Xd)Ζv^v=FZ}n8]ӧR J/zvy 7nJ)Q!ceR9q/uc;=l5p׫/4l[Plt[ZzɉU3/Ҥo|—-@צKxQ9D"{`}9ȟtK{yel tkӁlC3m$ۧs), b~pck$Rp ǥ*4 gxըOBKz:AiDD_"YӃ\y6` ZAuu$%Yq4w!p,,)—/ |悮+|u:KDY:3 ɡKMDŽ?4!  ?WBgr ` 2ǿMǙ ^~z&͚FJ|#p5B[q)Q`-9u~z,}2."Jo3VLl^V-L(dgAEڭ]UL7_q=)q X@b4 Y?&h%Gs)0?ω3~MU!󄒴HWFD{oUWEq-qŀ͒&Qihlw|.VZ c +ӻmS+H9ǂHy?>W_\ivB{vx)QřY.r<B\t>@Oζ,.LqgZBM KhK!d b{e-wk lj- lΚ d,lU$m1 sX2N!D፻X(1$7bwχ}RFc #MR?Al[!7fv6dT3t[{4ӥ\ "im'x)2ԯ>E<s=ܳQѨaDn L}L3օ"(7?26ZR]ly}bXHu2 Jm,/em){c8%MAFu ֪6g+BsaS1y=LXf@Ro&`? -u.i:c| '"./yAl;o+feܵEKJMϝ)uGT~x1OlEP^di>_;ՠv˒Cl , AzJ0Hw&+\63GuPnp_'ף]EX!Ӯ2RT<ȡ5YcwqE6-6 jxʵ3=^pBq6j+u )9#Of{THmvÏWη}JV#"V` _fO|{ocr(Z8A3(c-1Yֲ eX0AQN ysՇ7@c5%T&_*㻓}Ϧ/5s]h\3uuC=_1;|lcz}C54hL9\ kqO fFjCd|J_x>U] koʈr^mRإED1l5O(؃|.~@=)^ŶiOؘ*r\*p>` k<{x >,I |DWR;$ꡌu.Q%ׁ%_U_n){Wm; (l 8N-< 2B$+چev#,\Sx;/9"Q,ozqgX'Ⱦ$؉T6Ppf^:bbTo&J>̡떕h(S2דBm`c\UpD+'>qo9ѕ:QL>460ݨos%CWY% 9O߉MDW7SO, > {-RQzȐ}VT H1\31Q_|FC+<Ӗ0AU7\ &O_fg (I.LoɊFs"[-`$QJ<ĽQQ;OnNP֛~|}YR~b+fU7$D X_ .5+)Ťcuk *oPÊJz-rYAR~ f>]Fd(i۪iƀ|b+X<|D.}>Ӏ`΀,dZMmIbpd~1UՂ;TC$7 6Vj’ zm*|otHR-Jo䗵vclCUwݹ|ݽ6O`Nnsa I6sz}NJ6g5mp6 5o67V( |Ev LJՕ!iUjd,"޺Bj ADϔd(RwV'(uTN77vks:$ҫă .K{ane4!z -~`!xPdl >)R8,Qr=5u 53̍!V]1oSe06.'T$]3Ixh^`fcb)ׂrCЖ+Zc&{;@[ ?TSòW[`f.%˟C^~"zQ+֊ &őZ[A N@ 9E`lWH^nDAM;goSݠS?y†a9^OV o SJivyy"l 1ML ?NH X'MsyUeszS]m: WpeÃ?H,F3}& =FǑ ۦju/S1O"?`^X|Q|Ku/ܽ''FM\Uy~ Lo:c32H!YhǞ70Z}Y-Yo,|M4ͣUTKq{-kGK7sKhR~^[NҀK}\\FdU!_l N>5޳mjj00t^tЭi 8ϨđdTKWyGA6|K5af[SNϱ[KS}+U]g'&:S3rb6-搝(ȠMRk4{u)Zۜ$p|ݰ<\)Ln zf,j4%%C)c$+7GYS'ߑ1YP*-Ҍ"y%)% aFy&.ڴ\oZ=W>)`6NZ{}e&[૫iZߺK8(jHOAT:82Ҷ䣙{(2v[UE(+LtLE-nX3-`uZ7F9p89 "}i~Fi.Oi'ɞЪ`=w鯯]f^cbtٽ=nOtDŽgww:qvN"m sFsF-}_#FaPpb[1%~Ns}F`B~/rIBQ!b7NfiJ%VIsͰ9;sGP?qfwefe2R7`-v1AF|LJޜu9XR; G?װ"f[ +ZWG+Uc=YkX H·>z4pPcİXEgr@G @?UEZҟ#g~]h فc $O=~; 녧 F`C`#15f'lCSpЖJXj_VCulHBJ}ϹpBv=sb Mϳ92 ڊL =5xjLe7oo :fh{n#`IB6Tsls6k48s|6{2Ka,Q\I3H*"c͚V?fAxE 5+oIF1+i|TL)"լ5OcF;Σ^z33(!hc7;N "V!MfT';&a9WhSum#ioQ Zh盪=mr\VS:ﻣ1)|{(jZ9a4*Buua%Xj:p.͉X;\W; &:VLp"xT^A"vxPhY-|f?wS$w[s]>'D+}_ x&ke':DZ)kh:X6J]5@,r!tB՞KcO8CSun}>^ VrқGB$K}vspڥR_^e®;fn B+n ,8l)/9g8WMX- )c 'q0,c}tg҃33:,B(2# &ZEqNxA^KZF={ GQ;6` u+ k/!o1<0g^R8#C a*KXJS7,Ч6TTبu>`m lAWnm@ {+X~?)؈m7{mZ p ]_;U:}*䏙Z$@XD,*S.>u(ި^q/+cݯښ`3RW?Ǻ iN1JWys|!5~:7ϔ)s~ȁtLk}z!RnJn}*F.(kyDnCX8Z%VBw')o[住͚ _\EzNw⩒S$}o3{au2ϻz4R{z# x-:[t,& UJ֨6_Bj|8-pkUUS밵( d7Dޢu i9{ʛU47O?r>9B~%;d 40='H E42{b6Ly)y46O]T%+Sg= CPʟ5P}IX(@SInZs a4:$.OX@ g2LzXϺw} afX90M*1M49R<Ę T) 1uA 6Sɖղ/:Yi1 9Eh?h*9'Ń15$F2"vv\2+6GlFIJ$1 ůPt} Z3|K1{5sCV6%(<9ˀօ鿙pzf, A!I\ŝqoR VZIe'߲O<=v,4BE`Y-&hB-$/Ztomm} _Zg";wo/I+_ F߮^ Vs䱣 $+G$"T x^\$ȔYr5qնض7 8B9d=9a:"N8׺t$b6HhT~в9 KaCݦё#o<nazZwpkm&?y \G[d#Z-@h.eFqM)5w)B*-N0% #,5jh;]Ps}J zq/&}lfh) vRz[xfM!AEZsԑCލ{:a6RK5'JEaBK`K#؇E~َD/_;äJ:S#=^]QR2q&9D7b ISL89R: ~qfm(LB/O CM.H(qhS b{ jCXKѴxqɻOװuRWFM/w)mkedH:yn@CA*} C J@U%^2XI& <?ۿbd Oq%rGpeJ2< : AϤyM@N/9bp`[=I>GQ_/[fu7C2a-'e6L5ClzyxBWY^w7BR-^>sܞyx(40pϺKg;PR};F`yfvG8nyOgQǛ~[}rә,h߭3SzBz1G>J)O{ 16wp hSib䀿/|twQҥO[4O013s/șn۱HQX3vYG!~=v6 VyT!)&F>rt WZ~>m/qhZSJ J?zeC<M&%E?8@1X_}N`PI3-BԉD B+B5Y9u% 5 *ɱ K  >p@\~FkaAylم{vNfCM A-4ԗ|7<)OdTZ/\$WK8)f7:j}0_Sȭ*;i>cјY3w+Q逺Nsmz>V##vu5'y$-woE8[}DSY82xÇ4ۢ p]r6,ň<ֱHQO n,KDa3h^.d,aSH%xһ$Dso0$2E sE?eEXZ|=3$uD(v?tԃH}_mKl4Kxy#_ vs v`jшDFpb~~[uK`F=2udEO*8xL}bɻ[=$O`A=$6t.c+_P -?eH-s RΠm4T网¢]Ђԣx^ZZ3oJTֳr_ va&o#/D,>jR?GUy嶵lD.fo@ a'1hsm_G噚*JY` wabRQCի,NJ C?NN}ѧo Vw0$V$"0\SdSMH]苺>[dA" ɖ- qF.oۊR\`vo- |3 ! D*JM cku9 n]T]_"ITQ eSg8/^};cb>bcwىcE?KJi©PVKìw̿bڗc6rsZ]r?7c4iV<` 'TcSvqQQIShpeA4N51嫡agj4zفA~ y*f…+7P ;HOhJ-PM ^ {Z5)L@n%ѢATSx92A?9sx{]1r GWAGJ߀ 0Cb}DzU;HdyOr Rp&D$l}s'ĩ>.Gabe>] RY-S}X:t`\DvXአ_7CPx0k]j呣&P^2<'>3k̚[w'c]BڤG- (Z|u>( 5zU("P-ATځ{HZ~&wɻ%&J{f:hh-?#y l??rV ت_:Q#1w;xSF=+AvW|&0w]j?lW 4 ʗGP6 ȶγ\u2?:юL %V;sQ4W(O3%>C!(20}"(!Niҫt(lT9=Ǜ2#ʠɾ.2XYb-zZ`d W&DMS zTB߀hkѺدIV7sYd:946y\uiyȑtӾif- ڋk))OoZ Ơ5#ߍ r -g1ΧLjucI2H OLv@(Nm5t!moqzFB .# 6[vtLI{~g$/ra#!U ?vg 6B+aNigG1H{N?Rmڱ:* @u0rqOhT_j[ުb?S"e xxM5xѰ!8pB aO ?;.ەiWu˪j7VM塞 r$q4gi7u-gX6ruU7akFsC $! Iߎ͝Jm| Uq}mK os.vnC_sQ7ܫ]È|^~j crX]8@dڽzʬjKJQ|!pXK6Ll[`KʂˎHA@^HdU ` C/Nb'Y./tt )1RrcĦk I, l!¡@ `}19KѱsLL4z:R=xenNvD=T1Ū&5rW ^& YHhGS&`ƸTA> #aDo!"SsA6!]H@@DzCP4dQcP gL}aql5Yp H3 x | ضP3(kE]ߩ>GRI@-^>UkwcxHl"I e/7ߡ: e.nKP3M!O7oYH&+'t* *.矨M;ɧ͌5l7zk_{)߅x>qX=߰,ON%أZ3'tfk $/Rظxu#͵m`&<.iQ~20K"#+5N+.ngdOS( 2H_z 7!?żg忧8[U3VLW52h_W]B׊ޏ!ax7iK1poCLBcVS ZXW-qs>[߂smU5zE[tUC -k[3Ԕ*U_}v<Y^/GPiӎ/tmۏ#U"v Ҟ./]VkUB0>0~dBlvW)) ˔Hԫxu=bj+ase+n,օ8ڔؒq\=tp3,ZZ3U_ jam5:0`L53p׃}qM 鏚l@rdrfӮD]r8)>`~Э**>ZOsp\];(ْ<1St>(sχ HטM|7[ ;:AlE2@7O&ЊןDU14[,UӜ:  eMh~A5ϤC`'"_;$~/e~6RRйJ͞;@/ݷH_jBGF_֘ą1nYBpkUg!rNU_Vԉrk3DL/8̕E p.kMa^m6W!Z̊Kg%򪚨8JAjtD0ǍV9]6v^+\_L&-};R{r 1NE4]Q:km:O|Uu|Ε4rޯe F0 .W`뻏>ij+.A{7g\\T%FC/b;N#cv3މ |;lħ+;fj&©>h ݼZr}xPK77qJ{n)xJ,[2") ٷX C8Tj+l9y.i7N\N!/g}\ dх }u)' +d~,ݶso6FeW!Xc(Za0_O=h=Ho(YsSʄZT4%w*utiOQ׫C雬%Qk-._yB"Ͳ~`PI,6<@[]S#OYY2[vY`Im;xBygWB^`)`'ɥq. *y[\]!ֿBg ئ^/RGngSL$?v.}hIk#5zNEb8\Ɓ22SH M8)nyQ.#э#tc#~ `|]w`ٔ8M Y@0Ȕk4LuQX\B}팓tEU}Ma`t{i[2ȩÌOit ;,{D u c {컔"C>DazmYvfU^Cb5jyE"c*ycpxLiPXvC:.ުחO>[ kgln%cwERS<>qCʈjSV\wʏi8|EЊA?Qhg~za P?:v2`4zy>Á`x;1"K]AMo"J5; n(%m)9I.:0o\i>[PUp]4@md>p,$o1?̷&*O9Aw'ZwPcKAY<~R;\0bZb6(ю6K]tX$LAjʣStZQl@b&P]20 ҳRAtBc`Nc/Ukx8b*=`/N 1i@IK OP:haAM/|8ضx=87H^Gy;}QJqQqRbt kv.;^^>_8yN<*~י9d>#{&2!Ds z֊rͼo d?^ ^Pm@26Y ]Xo'UE?-@AJ$A]-%iFO‡)< Y0;a=#P=bL$Ieۮ Ȇ&&?B43iq6'mE=Xa8^`>KZ7Gu!Ϳ١Wj֙ Y$$VeP*3WWa[=i=&H7.4%m]$Iz8='Fk=m <@RFh9dv՗ДH0Ee̽^[X/t?t١s;Cc%*"3`ؤp0Fc>8A ,6^qvkCF\XE7RN#*%)@?$,nwG<%B>-,N_k[3hV pWe9O~ Aypٕ.BpNQ5k!]6Sv{7 Qm쀷$'QGQgfU%_..K6٢<Ϝ-ldyJ|}X;0H ic*CAbd?~oGּ)Y<f<.ɶy#bʏ2\C,3,sVC^0tL08y"m+MHGJ\<Ė Tp (h@_$ݧK= LI Ƞk|̶ YZ