samba-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1 >  A eڍp9|֏|ߤ1eS!(6;&G?ƍmwh>5 p>u7(Wi?XF=⨝!'s E&3j7`O-v˩E|F կde F5" ӝ)n&ù NOctJ ZIQ E+w[ݹ?Yj:-?kx"?Jfd#V'W:Wmf~\+TӗP(28V'l&s@>pA?d) 7 e/ Ee|    ! $&(+F+-$0h01(2 8296L:HFBapFbGcHeIg0Xg$YhH$Zk [k\\mx]o^v bwKcwdxtexyfx|lx~uxvzw{|x}y,zTdhnCsamba-devel4.15.13+git.691.3d3cea0641150400.3.31.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.e;s390zl37SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390x( p=B!1N  aF$2jENTv |H)KU +d`@t2!CYW +g > v&HI!>,'I:l h_ Z=1y<u .Y3T4&{66)w+3'A,;BG\AA큤A큤A큤A큤A큤A큤A큤A큤eee(ee)e)e)e)e)e)e)e(e(e)e)e)ee)e)e)e)e)e)e)e)e)e)e)e)e)e)e)e)e)e(e)e)e)e)e)e)e)e(e)e)e)ee)e)e)e)e)e)e)e)e(e)e)ee(e(e(e)e)e)e)e)e)e)ee(e(e(e(e(e)e)e(e(e)e)e)e)e)e)e(e)e(eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeظ57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b874593d5ed89402648536af2b2a2715b7ec95b88308f700b0811d4e501124f76f2e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e
6e1ccf3951c59a55836952be0923e7928b37a9fb59ad8153ae7466cba7121015d8ba2a3397624d5c86c144bad688c8009bb1b523b57a052b7faeb0db0c98b19716729c5617e60d14d2ec82d8501ab67a71e8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac198965acfb4a7a09b1bcc6ce465e1da70005bc20b1249c16fc62adfdce3f7dc4959a34f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaae3d696f724b61e1689c46ee2eba88d6eeab0639f5d11488e11115db167b2c1f9b0923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec
70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5aced15671514cf2eee92393f2a30b2752b0bc42f4b22fc9582b6227045b13965640c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a6
95d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203c1e0dac2fae60d774eb24b6cc6376bc7b5352391bc9262222b94235a278a91c4libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroo
trootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.691.3d3cea0641-150400.3.31.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(s390-64)@@@@@@@    
/usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3e@d.@d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder
@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@
suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). 
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic around msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exist- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). 
* acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). 
- CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing 
with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; 
(bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). 
- Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works 
without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for 
fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * 
CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). 
* remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). 
- Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release 
with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. 
Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. 
Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid 
nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); 
(bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). 
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). 
+ s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). 
+ upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). 
+ Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles; (bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on FreeBSD; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as Windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 DFS redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands; (bso#12836). + Use-after-free can crash libsmbclient code; (bso#12927). + Server exit with active AIO can crash; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify response; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-devels390zl37 1696520507  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06410.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea0641-150400.3.31.14.15.13+git.691.3d3cea0641-150400.3.31.14.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea06414.15.13+git.691.3d3cea0641 
sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables 
-fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:30951/SUSE_SLE-15-SP4_Update/8d00899bedf509e14240222c35afbb11-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RQ{B %Datutf-8af05fd54e7ce4926fdf3ba232be6c280527a8f83efbad060c86896af71668fd6?7zXZ !t/͚] crt:bLL 7Ͷ'k`!\+VwRQ 298!FSx^@cUZ2|@aK*mYrvA1vmJ W+@_)gyz;C'y{1Ov<`s0?B8rH.ROMu,~c߶!b3 >fJC_Ff1rO8G؋v̇NBcqE=HaCm LP L$HxyWᬹo;l9W o&E+Z7T_O"Yq3'Rh~YKpNaCґ!,-~B  }V<ܑF8en l9ܮ_H'%}RC)_ŪReKv?dS@$4S 2 ak< xN3FA6"/pBF !Xct?-[OsƎߨu_ +7#?Iǘ>KzBl ͛/X[n㌥oc5DS m% lA6q ,243RU4aJ(a=-wYL._kwdѼQ; unM3EϣIJmy] ΢e3$R$v [d~kd0uyO]ʑrz nxjťagBjIr5ӉxyXmmU=# v%z{WZs"2y}IßI;yw޵n0ٌ/^q}W^H] ;GQ6$x/dzwƑnIB,i(S8vy&((X3vWR 5DRa5O))ҡS1Z5r:B Fs v"ޑEPGh,K6&fJU,of6n CeIwV)K8+zF]>H Wn`oEWFv2X:@U0;QlD/<|(ʷM6{怑(ߚC" Z1s;Z&\kk6 |Gdm+1tXc5H忌ގn1T5 Xb {>?lJ+sw;%-[Y/癱_UpJ>I?(snȹRȫKn)NN@ s`('qlEgPT'd[=L9s9#H1_8 =S|hH*UlhO:h1_I xl"΢[U-=:r!s\B\8iCew8a\z$qy_R9QWFtI^Z߸vy:YUëBӎP"LjvLȪe;G"r!*i! "3s-Yw19b{#'cPL C[С!¦RXW#ߝu2A@~&0ўo 6DCTT?"4㿝i\~ 0ch䪏%R"aQF6dEw=hߞ5-ة6Iy Ւ/E64!X YWV.EHh,?QMPV;7R6aɱOVmFƍ(9)Pqbqp\kp6wN" syz"H\l %S[xMnh] *~Q#/P1 g:\luշ8އa(X uqB+XWf,.CqMQ3+ugGapfgM g~4@ށx60Q-~۶t Q ~z6\Ƣ-)k15|*b\rBu\gut+YA㡧F}/77^*V!sCX%n4[Vۙj&M)2Rwvwv⧟NP{%UogQWW -v|a*> };;Z ˷'c ~`Ӑu\ Eh.Ty;бi>UgL?)^.wSm9#!Mhk%lPֽdca c*aӰa=#Ø;*0Ë+핪n~X(eu K6e/#!Y*811[HW 2Ik{TsO r(ۤ\$<8Iaڞ/᥃95[CZM;hL8nZF8%f}&V<#FǁôFL4SW!,(3Ԝ+JgTT/lZĔK%CI{̳xe$sSV#AHgs~$s-Ue@R,*AƋ\2 YB HЧU: qa}&>a96Ra>:EɻP+;*5ʽ7nx$_PV0$1?}GMԝ\$ih#!g Ղu蟋N#}y'7ј&?⽩eƫe:$j#IܼIX,3wյV/]`MnpOʃȳ/`D.qJq>" k wN)%tW AU H0vR( 0\ɻ#~` ?Oۥ (JI *'Eb|bBǷ>򲱭umLYpuBRuK*H2^=4}Yp|c_PZc ʻ*.~ +[ͥF.6sP m۲98bP[(} yRo4Ei"Y+_T~B,:AHG҄^ oS4'|!dUs'|}g٫/#ƩM>%Q֙,,Tڈmo@y sd23#kz- #`ץi#scOa3[T༁d9^fVQ{'qtlNcKg@CM̱7r@ݶ$FuW^y|ƴ;apߨFTu3}_J#%_п/SF v.!kURA7. 
J㑿opkj9LÛAW#~C_S9v_cikUb.ih闖}j;.]J2k>'Ћ mKF6`+Mg9WCqD m>S8nne(j:}jM)5 -w%-`bRJlnozد;,$a"҈?qY -@^2#i/X[O\~bXVy0uU8> Z};bC!ME+nY̮z47ĭh8foUEs98ZDveF^_RK N#[L[Y!4`w}햎kM%&55Ru| If2.mzE+r}>d2 E2Lf 1٬2'ə꧴rpA{3ms͕:݃jWWA72P,DžRVo{NGԡ5iP:ā%TjlQ5r`L/'lLUƆGVM7lTꈩ= O-~^:C]f[du#| 6 Y7QzU)\35=.2||3>a?:Ome.Yajo|tqҸ ,SvN!ϒi3_l?A@">]fUBSS\Ea-MoY(_x*NH?[3R .s+gϋcV+38Zp1ŝmVU@Wh'[ ))(+\)1VO>Er cA#xx]Ƙ@HХ>Ĵ=̐c_&գ<tZtc;Ƀw<˅\,hW/+LU82 Ix~myh};).2$׋#섿yJu*ֆ(U" LM.{3i\Bz;4m>Ls|0̛nVjI17brXNk­sA~zOethK,K1sUmyutϼ<E ]R"HrB{݆$&s$jSm%Ao <{5L\3Cq)L7v&"׋ґs'~1G -Tm;./AED-ҹCyYѨ|v} dMTI~ψ f:OWw.Y@:jri~KxV`c6C >eG*$^ &@"ؔ]~9:Bn9l) Od}+șTHTV?=Jy+H4<)z'"-E{jӅMU\SPy\ѫwvAF}%aCUO}o 8n(-%6*H7i1ر9iBΖhnMFjPjIՀ+-&/t4דꓖq0h.F)m:) ͼ5 *؃X0Jrae S ecLo VU.tMAMmYHFE=. .T˿,3sz]>Ih~%K^cA95CPK BEwb F.P` ն=Ni3HVIyT' 8ïbJWWQiX_M<;m]lIBQpQ77VVc"R`7^WiX>sOYZ_#[1捗M{B Y}"6La-~r+쎍`^ rH{4^*rSkon2/F45|:&+bQk茓AZvO%4 'K[&aľe(?g.J0l 7IJ/$νZEj[%ͱ_T2'ĶY[U4: |LPv*lxUvN'y_BO{3(v ͋o/>w܋+Aέ ]1cU)c>N21VkԷ͊w&lnzǺ sICS4URP'X ^`PQ7 ##SblvUrĽ&%7[?޴ 6-K5wcSᲶf%.Y8o5mQ$Rl,ǔ.b8G ?iS{3ӈ*֧9cU6fO-%B{I(q`¯OpK߫T ƊNuFW:}6DNWD߹/YsC;O^IbL'4x$,KEp6Tr-6LbbnP;vy-ܙ<;w3 pAvG,{'Xq!J#H=|х'GA0o\D]cqDhTi^%IP\ތh;)Ȳ,1| 5jw3(zhڟt a.g,QڞSd'O[ݖ2sauRWSMރy,$4/b:@ŘhV۟b\]A-p £%|[rVhVŖ-36Z~XGa=Ĭ&`oܸ)ڄQܻ~D4][Isրpg(hͭYMx|J`fs-6'CS6: Nr/(>(a`(in9~,ZoMZ0HoMi5"6AۇFd w]{ RˋV״NfHx!Wnb26j[<7%Mvӹq |'S0k3p'jF='"\o:GRÆ^Ɉ==z*6>S}U2H0c%`'Y˗Ty{Qp _L"kʠMY$.Q4q±Nk!,+ d-ЄƂyӃҒZaX8Zi09'ԻI@&lI3-Ҭ[ ŃAC9LgT ~؇.g.l>-ģ6p^ہ{+E}r[0x8+q^C{+,I}}2&HQP(V*hBm[0s0L<13#O %d| '}Щȟ R-{ġ] ?QEՓ8f90P]V>Y N=ݛfFNRwQKguPerF7w[]Ѽ.ʠ.ؓuR+Z2¨޺ua闁:s[f${{71 v4IэQV!E(qWX~;$ڧKP4nWEq!+/mWjuuBǨETņJmP,Ѧ&+Jƙ(_,c7׿꼖Gd}†O ,F:ЄW[E;UY=]&sٟ}9ev9k6 {NZF%m,( `SȯM(U?Ȃ|(}_Q;c^DM=r9 ?`9jWՆzى[a"?xu1"#gv;xJ}%+a{D$Ю50qA,@WxȄ`[o24.F>6Sc|*zl$\ iae2O211r%ǪS۫R~ TݧPqDYuPKѥ5lr6H!;SW0$5$TNęo hLO mhL$*W RiRR.OzQ+qL`gvJet:#|9ѡ=%޸)Qf3'Nq)TvD$ [ U%D,d}g\h%js|CS,xiū4 Kt'7zޮ95j?_ zaܟRȠVTN-麌#ɏZƧ(<|=?(BIÜ1|aFJHW΁mh5w)쯺^'i?U]sEI<?e&x%KiaѢˋI >oCm!wyȡ0+2iđS9 k@]$@ٜ_MRW͈l)aQy.ejn1Ϻ+թݎh/7nck MsN$rYiSO69C_ѰJC>2a /%`B脳*WU1s r?qыI 
CfJ(,cʈw}iKV[pCL>W5A0b5DicF؈-A"u(]׻lĎx$\?ɶSVD;hӖn"s,av ,{_!q؝S)ӗmy+Hwۢz9x\&yR(R0h8RwW!kw+DdP` py䳶~d8ә>(qPPRBQo0МT\O1?¿W uH\@ͲK"'占C )?_"w+ɉ6"Eh_6]Q"zKr.sQꑸfpᒨHX8a9؃{cj=xL&&"Cl"ЍK[$I;a=xYwXtDOwM)MT;s=HdR*^vݝBPg]wUxD%iU%|< *NTX`PRq1rp&"OD6 r4V<+9jLnDKZ+S qY;GTZ=M*_TIǣ JҒ{_CVWjvLtb3" P ~g蕃nt.|73"ɒ-^@V (N/?d\H5鯁>o\lۄv c7@dcIhT)xBg z+eΐ5N,eTT,A`,90[ƹ|& r"To¥;\ My6ӆ+68Ѓd=JIkH_ޑk(.q⡥|ςȚOaz.jq 9 ?h0[ȀN_k}3GOc XHiu̾: G\ۍS ֙s(f)"gfq5S-,W[Z/;UA-ADOp˖${r0ծ:@skN +pkZ9( \sCRMj,#bճ+iFce&É2>eiiT<7 .!QʥiC1*w94.+oSg  =M2Fr+O^/WTN$,g߮5%N9 @Kw5|FCGs fs*OdgB7P*riʣaI*KUŹ]Gme`f ȴWC[^^!gQ42^+*ѧ~liw&#hNv1}zUs"w̩3öAXD)@LʅG噑{fDܻI=q*q[ݎoLJL}?#yč'pż0 %^hVg7F6=(3Խ'U2F\"Ic53r8'>mlrkΑ,W"iPvZ35TrH͟I܌位@o:~-embz]ދnI;oHd 5/G70uTQ`ō׌ӡ߽쫦< /o8Y1QTG qXaEmsZ*̮NPđ!cm%fzs" eD!3MR9W9aݤ!UIA }Jglg@M#T6"yB\QSJ(s?ːөyH2DtHgljuCN$G~Pzt@53vC2ʿ@[vۧLH'EP= 猦v >gAYf1;,&!~V_''F>Ij /*2N9.k9u;W9uWSYHxE㥁Ϝn+s zk.8Բz*z~8n7+Ԅ΅[1v\z<t@OwvV\v(+VGz+M@F B;ݬ-!1d?qvy P0GQ$oZ# ~iVRNz4Hl݁n~v| ]Hm8 0hUYP[ơoB eq527k4NWp<([]J[$B>bz{Cb%}ӤL&Lcמf\Uda <',1GFܼ@¬%9M(R`ĵ[E.XNo!{AR3 iy-qGD6^h2TFx{y2'"W!'+-Sv+!sD(b~$Q"b%I;\[, rj:U EĀߐu`w¥9sc`33ciC}p"hd)fTI YY JK:6`Ebq=XȶNMJH:IZ¿2SH]ƤI~yD1o4 \0Jyhi]eZ1{R^T Z>W1eW\ΎO͒m.7ȫo^Ьo^򑣸TDD Z Lea@=C0"=vzhrO4X 9(nSe44&jZ_qY7A'Pt%u(,&qOnݛ!&*5r<2~}΀z^}U Ô&1K/h~q$hz loY3G5aMZ2+&߃1^DEt՝00=F|f&JSD[p2^[lMY;'&g9 HCkP|l`ʪD쭖,VfGDqE\m2cU-=#h 7"ɛX}2bxNi7gό>*%Y JX^JTҢ3"8{Onn}@H\ޞ" Op.䒷b>,Zu"zO~+ tV![~"既c "x}/̜3 `W K&l*ƭb+)N`-j.(P/^j((~7nmdZyss\X459Q-8I`:E"j:F\M 9A#yWΆo6`vstOx"Zy#7IyRkOif(;Ks=1nށ6laT"-F&<{ ͖X |wBtO p'jply1*cA)^_ԝӀl,д [|m0ݝ̧WHK ˃P>/#;N,mr6727E'r$$'/Ԝ ȍr'lC&MMVӐ;p j'X~t~^e|V O ѧ8 &I璲_aZŝT%ɱMoq kJ Vd[S@inyR nB:"cf2hqb--a>L dVaG$#>cݪT̓A "o :yV'?_ZWҾUB ,n3=3\&}}!tv/%UK+=vS:1Q:bXN8|/Vp4щ\%sE LڟsŌ~4AtdžnTq?Z8ŠI2OtժU|n@fZ tqţnGo0qvk 5'=S/ >#|H,br/A Ғv[ba әy&uJx 3,<yi96a}Hn9ŋZcDFQ*JFzňn& Pj֯ș$pIMqmH́9^ҴD r(F#1n)"5/eh1a)a|g}~YzL}ڄ`blmhF+C<սf5nTgG;a31 eʲ/N,U_-ew>;_߾BoN3 "S3я6ߛ={ʰi64Y! 
i76Ib|  O-])=p$tvx8|7bNo ^cc$&m:5E=; %nR7D]wQ꽆O%vh4Tc]IJ5E̖-;V\}/UU'RX b,5v87I)2ؒEGYi „%|p[01/b)Ѧ \_GigH7Z|%C6b .{{W:,߲" EH>!Yr~t~37FX,6-vAu k†7n㭪Xzlc6^kZ-S$z:ATkA{ ĤGDܯcuӿ 8< B'M$sIQD ƙ#@<vc&]>07*+r`[ $Rz=r/Lrk^픁%h@KWK#toz'RHޛd3T?~xO f3b.v2F OtV.}%}?u)l#> Ic2=Ѽ <%`{[]+C-뮋Bhe92~'-.`X؈CX~4_ju4í01wFܤKDT`+C\dfA@t#HEnmO8jrM*V{%{@qL@xD\\] `r?mx`CNFg7xnQl[t7q2vҷ#fFȇD)~69(Xiz^NO 6O͕'4(Ԥ'l?Zeax"Iɳ`O*$ʧ2J&oKp7: Pap]Zv#yB`7&j*-C'帣8[A4[4Dss@V"d7)e}2 $cylu2JAӃ# aDgi][wLPʕ!i8.L#ߍ} m=d95lmЗFSiI~"  ?vW*{_h47l3U5Ҙ=p!Qʍǫ݀ai e 8H G̑Es QLͰ+}l7#%^~YcV\jɩ7b%a9ŶU㌼Og6 W5:7v~"̰_ޒR*;Tg᩵_K mٲفZk!>hԞ#0ŖegYi]K>eB٧78hETv-ܔxnuX- bӶZ L4MFFٗXKڜWYpW\d`wWjwŨZ D^֑tD%EGDo|$( f9Mߎ4ح 9Pu$QQ,ϪC'xZ7 d,vyQ#-Vr &sCƓè[5|DffCN]D4&V_Bj`k}bFՄ/p5̩rVuld Ҳ,<+yW./ȧ鷳;/gBr-V x[bwp{8~-|[mUҟna~`h1bjHJbKhXjp7񘍴% a8)9، ŗXV v@+EDIVf\#f9kp38PaE&jaTY3 YJ}ZjcqL[ q!PM8aBȡ3+.S kКL-7] Ak< ݄Hk/7<mTs<ܐ6'ƝlJl:6N.`{^)ŒU,WQm.怯Kr?K8K,Ǐ@ mpT7a0ܭB93rj %? {58ө ̼1oeU~ cf8nx>\jH oƮkT{(7DI󺽘 L'9l\I9E5{sioF;Pb Ubih5T]x>D>@F9xkx.p#Mi=m6r$UؼiL'\)<+6mi{JZKfn&}@l g $SɌr[<%1-:M"3VeEv፨drpR"P2J0${,#S˙f҂N{NH/ TȕEiZ<qO bOO$ܒG9\wa/<CUf)׈7ߪG\ h hV27~6S7<6-E lhsq8BOw?J 'GgJ|HIGG7 iYJB܇L@!ǺǮU }Ɂ$k0x+E]AWp,DϜ<Ѣc<Q0 QtZ.u*Qy蠰MXډ9Lݭ׽m~d2*,2L)3ΔA6lu>Ōւ~EBk}Newޓϟtw Bg<$)ٻl+:^>_.O'-@B>kGW_D,@l0wįSધow Ɍzk3)oYK="'e˽~|`'W{M2xxCڅpE'#p deɋ˕ߣEs÷KGWMJ\27vU)W\u[./ 'vĦrH_U>GQծ,3pS%g i!/B\6BAtIhF=u9rd!/; 8SKr}֢^y0A}M{`BJȣyGA^2$Dre}?? Iܐ͈G6;NvN _ ( Cإ?q1Ez6[JsM1&ʎXlF.=+/VO Kiu포IU>lEÅ=W.-1B)` }9>8$_җ`y4#8HײO~pwV`" nCfl ):U/V`-,J^D`up 8h": ,Ӗ)Bk,ug'>Z-bi8 7H,b@pjorFr\ hQCNujA%UW7vFk54v.u$2{BDh}fVa9]JqQ)CM-fBZ$MERz6S=͠x%!59&ǴE%NIuhOps|\c֟҉\A5TW" 8J[4q3рIi절 5)x=:jb9$zEHPƫARv\pv4)3W0.xjK\8aI iՋR9zEM.[- _#V*,{,QL\! 
FW*H~6xZ *caͷIcTjmhģ35u+j2qk{-8*-rbSeoiNҩWM}V@Sթ_k1q%G ~ G1j :Aee1 //P0Y=8NGM"N Q鍎t!WƆaOcs4`kv^J%m~+ xĞA 9^-f,'oͼE26]9+%aU~`Ý3'ʆ6!U&ע 1uɾHp m?BoTyVH9Nù{>t]"gğWa}> %o:^9FbK/>.7ržN|}f *|BUw0iS M KnkMWB]cYːoh|( Y'},RS_+ihv &m8HSSdV}ƊMp#H0KJNJyىT=G;N2 kh 9hj%'U~ a4OC\%q/rh 5_?)6vLDVώE5jMJpbCt-fKBУWNg}Y)uDhqxD; V2wX-u ua7C-AՑ'*B?`߫X͵DLx*<B\"x^;řk.~DPyBU.)A1%fMCv"ᅾ.𪛟df$ֆR꤇vszheff  }w҈`uz%Ci Q_otA=~wךm{B&8vCXfMC7>go>V[f0M8Tg>K)5(!M6۝A. <`p}]5~R "OɒATk;G-DCdån *L,ѕ˞oNonyN]ԒT>KSmʝP/*ؕ/6-~7Ώ+I`eskP{sz[JRFJI:|qK0UO(B# n~A~}fg SG7OwO_ \d]K^TD#a9 < 8/԰~;Z9Rrmόe{<}`RS6@(_ƨ0-QGorѾړ'djF .(G8!>WݪzQ2ּ` X4kHl,ȣx25\(\2yƝ37w x~+F&X7CNj>mk{ApJMufa=2}D6T̢2a d\W#X dE_@+#̱{R",Lu JcSUK ?g[*NC՞XNvZ׃40h-\c2r Ր7%fk^2o O=C_5?U Dr"8?_v O7Iw|Fero$|ֵ̑ٶ?>V-UO3oe|" 7+Bn߬fq: bdpEQzjҗtDXtMb1aVäSI>>o65D=]@cu5X%aGgX:+^7j򦛹kSoKi\b(IvTRwahfMlRg}{w|)sO5,xW$T kis̾dZj| QLmh H4gͼ@@wa7/qܖ#I/y6Effc*"܋z m&|.OC0" Dt+׍/{B5 _ uKp>R'5en-^(=tG4FvtϨLx#5Pw4.J)YU넝ܰ8>}W3AYKY3h;67<ܩ:Y?/m]g ,ZM%ڢ`;Tk^-Yو3k 8V9[aE@2۝Fk{87v3#((!6=dnWxKӔLAmݓVK%>vdX]Qw ?<-F)%kM 3]Rpd?f'IȪs1 (;w.0lK)IV/\·7;VVzB#$C r7"՛qMH~jZc bC8~C'|AGIh[ gBk\Z_7Wki=V A2u/4⋪se$։|>Rҩpɏhx|5]qkd>ʥ="q IZLoof׍ ܸb[$Hg7HT“y[wҪe:hnT^Cw"`{m^tG[^uN_'=$dg-+=^}Z ˻ɛs!ciG9ꁈm3= >4Y+,oF6无Nk3zw璹쀈q@S8٥²65l,Tv5oPF;HqHW*[(WUmhxiY!j΃O@LtF~VV˚sEZD A~*֚J۷@73)8}|Y$(e%,$kcc䟸?RH`zDJƩ5r Д16E&X EcI:=}gbOm?]ڼkA@9+ȫ?+Ұ;) XeaTgC UoJ䯑cPlNlpJ~E4u*{TZ`lȒIpQﵤQs< v)_y~F kªθ]]jɣEQۼ^H L*q[PBQ%́G;3 r33ݺp_ؤi{IE_F.֧Uͤ^%N+T3#LSc /%0`_q[ҿҮU4oTz" -ȡ! 
"дa 2;WPBJJz@s.r_rRD,A#8cJfKcʆ) ujzbEڝo-}Q^r<-Ktv2JMCQ|(\MLcxZr3v%<\2Y92Rê98N/+W>Ytk/f٪Wi؛4>"W)ˇ`hq_ϟs1B H+ aXb}?L(!-'c:5F9|BjˡJKy) !{.΅E4p ֩;.Jlc-]#gg0H۹1WDd#QWcqCIB7~X}41,u% ȇgmm>9bZ)P֓g8$ȩJUЭ>6P 2 Z'cݥe43|&1}Yj+p!mVCb/Dn[$ [z܈E+UI'/hs<\˘@d9 ahEݟ|ѺI˅5@@#xV挜,_ЋDÃ{!Wk)|Q~`V׊PwpgjtBp.a25<9A /)%kk~.{b<TtY DlUIẏ: G8qp5 ۆ6 éHh5iD-tqmCm,%aa* w#L*Ty䰱R}HcőW"N=e]γFRD kvYBM.2x?fWocnA#2iHJԿeNoUB:Uц6s0,8yܽ]+>p2 z*Z$.fsKb2SN*Φj[j~k,W53SWP^*nn6$S.klԐFKE=F8z׻/FτQt5́ݡg8A8Lz#%FUP t9oD{ѻ;)P)Qci`C\W,C3pgj0{X`>7H7@NDV*Myѳ]*~n6@M頒p,x4Ac`;^Wݜ-$OەR(hu|4n.+yr{fzqv)HFI\u2HLT G_ 5RK. ^oO&4i 8fRیz'*p!V}3! !1dGr%l9BʼnF,SnrN 2D$hw"FC2ϛ}K@vm j2[lB@E*eJ9kH })sؼ>URk2=uFDg@@)U(U/gďE(cjՐO&<,8c5%(GJ:ⴸy&~O*Gc6xS,\VYB`xW+pu"mo"!U#A24ʄE>/s?/up(kSxLaN4+#oR_5 EdÂG͜] d>y$xmҧ(CyX ;j:z<3ہiӻjvHE[ϼo07^"KNEשfߌi\%|C@}sy 塁׏oҊ$# 2I|eRA9OS߲c3 #06WujXN5JxzI{xoo5/>Pl[|Kȣ2lZjs>?S71[Z+`J ,d1s8VQGwRx3ɇla+ڽ y'غ͐z&Q|׊.>>u@n(ڃE5bɵ";a%\w8dzG`pvŅ5 .MgZ0]e%IsվUQ/Enh #ϧHݔ cv܃T6ƫ`z:GW9J u!-{tH)iEOMRqJ>{$A;oɍҘ/j vy(CQb3TWcB`GZ53ԛr$k5Bm ~(enC^z,-Ŵ*\_H$313Uc a" Z2Ѐӱv,iB!c ^zQA#,ܞf,7zLjR.|BAl"6޺at~K>kikq*ds/:bڝ#cN Qjɍ*r_yZLij{>i}2 q+"/5 f4/ewxwnPp#cnHawz7G_1xmmDRuWE}~p6^e'"i~T#@Ҡp)#3qJ _}UZ0@ٌP( C vݵvx(8@p~īh}'$?SK/6ƶll q/su{ۺŗaxKQaGT`K_%!e!JC&YᕦU[?DTxP7tTO%m:!6MIgkI!Skœ$<+CϘF[~ jɞMs9yh)Ta27GR";2L1o;N jǟlѸx ':+C/_?:2u؅`r^WC8yK?U~JT/krqJp#3"R#3@֥?VWJf%HdtV_6~ݩդ]KB); Y\ L 1ZZņݼlĤf-|~&x@A8dv| xx/fT@4RIujD.V*A@G3G1BЁ w OZc4u3zx4#Qܡec$nK@ 2#9\bS='g_ zc{gF/;C[#A>$^vy=t B>%eb&%_=[) ޛ)=<^6' kk*Q,ҝ.C&o-L[' &2J/bqpŇ'E 8iA+=U~Id:;\KzHй``,h{BAz:`RlvAU6ho.KOQ,bM~D 2?JP17$   UpT([i,G-: -@x;%k2M/6B@*Ly˯DSeP&سq*qn@O-W`WWH$_ { )NUUZPOW HɆEHIfTjAI&Aur` uQ 9o(EڲL6E*dxW73<')f’ m3>!-PUFwJ0zc=:M9&yEYΛ>aZ?@//āqf=MItݽ} JvD跆"ژ9q8`N0!?*cH@ ԜⱄՔ(~p OEo$)$BbBEsR{#6c ГTP8+p؊􉹏i@ 36 .3YDB>ih܈N5\.;Wz@0on5lŖ-Aaf/C@u|6݁Pš⁲' zWb&WsdGaQwI%ZYiᒫ, AcoU^RֆKFG es)f9'Ay~Spr`BFS ?mmrN&YDB.Oqo3ݰ$%VX#mNQ{A~ǎק^WY-SaޟX{9Peb aK0:KR!wM:O"J:~g#5W(jSt3: 4Y!ۀV [RMhT"1%:b2G2gep W&+vW5ڥڋ3 f ջp56rix7_bsF b &JO1tUtubP`,uhGMs~yg6nYD vfBfM'[Dt(]oJ8= j'wuͳ~ 
i?OT&{=QTSQMr;HCˆS[q%եC6Kް5Yc/E@sK!^i4˩-,]@R&7io,7oPc Noei SOנ/Դ?B^\Ӻ%m*.wYN&mAkDqp]1o'`vH=F.:lw7LNkRxm9:.uL 3*r(6VuHy>n;]sf`A V)QP6;! R>BN1XmLU!1!6燼K~ĥ<.#g#MB^ ʻm$S /fz(2yƽ?^_N^4=Q'CuA{xWH9rrvzZv4ȩ|Y֎CXi󹄶G^( 4L9#Y+Կ52K3nmQ{kHSqls&rd *\KFuᔵ0r}v^dډVJY'7K&ĐN΄4ykAKFJkR cFufw5"Wb2F^Vួ)5[h%@2A @9W1n f%l8ߋq[\QuWweJ5O휙CY AM.q]R~PC܃඲\b1U.w+q$*;.=EE TTzxJXqR0g}|8+ꚁ%~ =յTsf"cu1U+r~!dڬ*/&<#=:ôJ'j6 q$ nvW=c#IF>IUrS+ߑ,Vb:^ L \fIML'vdk<(N⸝+Oa/DmWb<vͯ7($D藠U9W=9 Qp[PuoCN9= J_>`ocR^Ur)z(T}l.?̟i ?0D5_ x-LCq8C;|FcjFmhq.)UW,j)8`hPT+QHR57:nEspX1fm%UFl4c]Yjkq.r Qꏟ̗)VՓ'z[1"9DuZ0Mw͍݀dCWm.a |VvK5P؉!38^UbAp )R`gXǩJ0 Y״9^e/%[ n1/Aܣ) $܇P8lPM!-N~WT[%b{hh\U$$MLm5^zlq{>Y+NrN i  5 J^Qj[Q[T#++kk{gٯ/- oΑwYA5zRΒz'6~l\v`ENdUZNi+"δZ 1~u#_?˺u|=N ]]ó$Q@ e9"D wcU!t aj2_T3Cz*ZFrWBz3řA)-d'9XUf2Rfk]hu-ܐDFcq11(foփ^B Lqу*[]^_|wPpY%cX プ`aM++YK'\GV2"ء7j@5r(w/WSnZ|6s&&Ty-5VqDZCoL#0:ZNרEӬj\.:86O_뚿`s? ~E  )\5,V:׮UWןPZD!t10FI-6`9HgUm'o(p'tⶨO߶τ^7e7_Z#UeyZm=hgTӎz'FIG}*?QuM:딡.ץߡ^#+thB U)*5UHteok25Y[(th (a% ^yiJvO1ҹrK^xM[(u١n|Q Q3MJݣTaOX=Ky$~\l"т)`o]m2)sL#ꏃǝ -'&- yl 2.+fU 5M 4$>aChAw >͚TQx 7mF&zh#5*٬SdZ ؅y ,a<`>׉9}>:Gvb84WLDxL?n|8\k4 o=3VӦ` 'f~Z"gpP y)sb1P1KKmKP!U1w ݕ"ms$!{[NO6T &~̰#KģI;L2Mk^woۆ+3tKlDZ&4&f'rxuv8,@bW˒|Ņ@MDWwޘc7&+QƑ''ۦ Ĕ6Q( /iVP59RL#ZfLIR5gyG&6&/ءM~vw.$89@,_0uf\TI kq¦5A{DlJnM6)sK_ZuJ\GvxjI'Cs`VO1XjKQ~M_Hc9?}SU$QHpN"ʄ-fFF/m/CGbyS'5lܡﺡg'j|  !ݿ˜qqU)ża#ɜ,1h &$ff~&r&b$>WOΣM1҆ptAD68S}*@vqp*OPո+tL*l$NY:͔>ٲ%$6'삢`0^b-tmUuU| [(ϗ?c8h~fպ@8m/Z:X[JɡU_T…<7*DyZYhѪؒ-SB-|ͨ%"jJoȑde PdRdȱno K_RU;bRrk[iږaEmZL V%!D' z|)Ls_(LsV%n]7{\55{5EHRz 4Ceŷ9^+c!(\R4 3 .g0w-,V &ޣe$VMNZ7g%Gh~%9V3oD "&5\w),9KXm׉ܪ廔B'm2V'(|VaLNu?D-0qY32_ǎDH¹ U5fS*R*96-=Wx")*"|]0lnSCt.B^fW3zsŒ, (n|·߿ `Ɉt`є#SˁӰ`U7&v0ER#YdS6t27°F9 aY)PN_Qmo!J&C?l"hc7Yo/w l):_owf7dHYSbȾH aImPP[ODNSYnƤMR17>/Rf SF l)l:AsV&PMBnubA-35Hg;XD*å!EPL]C7l!,_Hclm@*Bs{e#ةP;nts#Ir񮀳zr 8F.8y٩5g>oE}Z*zìDtKj4座|;P~c+Żghw~3~dW9Cpۦ+D*=GQ r|)@X酉UDmX bHĄo5FrBC aFl/9#($KO6'}>X Jgͥ{{;W;FN6,|6ңM.nc.ǁSrd W8GU>G+&:`q'2xT0b;eH[g̓_ -~rXj wSqu]Fjҕ.K$ti_D/p/kd8e %YmF,-"tUvJ!|uzziO.΋}4+& #e {~Ȉ/qH2P 
5>wOZ!Cvo$7d;Lc qۜ}{kL0 J`#&jOt^!L^4< !=r@(&w \vR=1Ga6xR^Y,Hя-Y2YScSl OLQ5T "p&XNz$`߇5ta5>*U9AZjUwu;=ph/ZlH)t+)8˨51+^K)l+X"LDI:!77Țfo}R`2h`$w_uU Fyl-,A_L7@~HUR%N3kqt èWJc\5ݫ}60i&⅁vlǒ^`hjRց)5s# l jloS(}ʔ^e| $UOY"ٻgXIHg\f'dj;v/3O-vV"  w vI:TG Q(6E"hZ R:dR%~NNOך"CkدJY׻3͠.]H.mBqsohWKLh<8$ r6bckܾ*DCl|G-xſ:ohH`}b6N1g@px|7B?^HLEҒBkpoI"(~Y[NukY9lţ8x]e3_; ͫHp̟@b7˷}xoAQ-S뽍puU]?QK6 ÏZJ^?V(٘[ZMW.ܜoJ9Z]ѽ6ɼxKMK\NjTZ6wf #Ss @GFk<&|?٬徻=n.a`/?QCGO]10vN$Z13萵ҸYU-!MR`F7wk>eyxNq|ZUIӴ>a#!|eB/1}cXR[ZzHu_,>=MÿgN[;P c,\9kLJ6^zs2H zxPx=@^U@`8L٨:[txMO!`Eubc K4=]!Ɩp4}Q:k[1܁p>,&F?Eï[b E*-$Aq{VH 2>pPMt#4Kxư7#UWU|~ni\2r?xb іDwu L(YK\ZزJ(~Uc"(DД W LTl%ߛxcx8з)+U$ʿAq)^9h(zt*69f0)mVk2ͅ9( ƞ"cVsl:2^O)VLYΞbIKX<΀  ApX VH$ר/߃Á6#c\+`y;.IN}|82((#B.R*Jy}dZ̈́Q +)~8EiwPJ41^] .^槧-j֊&{X/K/A}L2bmF>L1)s :.VekLF0n| H7.R yZܪQ7V~+:JY}.̘]2RJ_Zˊh\@8!쌬9a@i٪5o@lB@h83TjSS9R YƘ#r[mFRaFMjϲkc??nЖ,S!HE ޽vk C{}5ĆNy?pMЃ98q^na9i2>p-@_O:U#bזj `vQԀ%p6}|k8!dĺ7m%~ o: VJKv#A0 pP9eh4X1#B37_ݹv rlm6wX8`&aJ?-!G#3_zH=LԷ7=txW1Z3[[fk og|-ϱ^A rh=_ůJf$NpSa_:Rr *5?Etʖ&Hiet#< %NNc guhyoCOWpegDANV)) ~-P頗KAJZk윅v~1_"xS^,JO3 :S?}S6) 'MO/xlʗB niUH-SUS>B_M'4Rc|b3He]kb#]?jM=\.\ B:U5u:FxH/qFS|"!W72XTU"}xIȅUE۷OI[F\|^SfIYu.xNԒݞz}찶]޳7/͇y̭&xbbc=:t|7.Ǜ{TÙ3㼩Z;#\Y=f~[=(;ݢ<=I( غr8 n-k]1 ͙l!;a}I؏> Z5K"ƻj8n<,۵=D-C_n' e2ǁfE@`$$ BN; m,D 7)pʔ-*+=؃uO*9@a_H9b2NØF}Z`4e\H]SQ-ddJ@j\UbjsS[QO7襒\af&H̏ K4R)J+>mѤwg=hd~ș9p( %Cb9ھ^L9_N͉W<uwe|nhz鮗Y'Ft~T?Tgo/hoxX?_iИ4L/zlAim7q۩=^t/t At&(/JuWsK_֕ `I,caJmLD軧tNj<žOP *Q!eBE'(")`LL6X MOܖdY[d `!"Aô/z'O?肓`2bߒ8{nC}#saFQC9ꟸ,VE˪skB?p>2.LpTOiGC5`N&pwY=@@{ڑ:`>G8~F!%|C^yG<*jV_ȑ_. 0A0q7ӐTPn|c^akZJr.^P8yV+KC KE[L3!L=yc9($:굏AO083F5 j)8T*J8heGG Q/a#@MV{^8=W0 ވ HTܶ6>X/2hj5uK v:Su~'w>R^4 %5 ̢fM3؍,xZE|1]hMO+iAL(#0u®ɲ\q(ͮ0 1ɿuo}%o9˔ciB5ceص",I2g͋Ѻ'nxfN&JYʮ5 2/K,&ƠLm?S}q-4~ j@tI . 
Jٌ}~ γdŎwʣ#M|$i_mfxEk| `U- fxVd`B73v&%/'_mί1Mj\ eEhX>Qb~divB?A!|Ӗ?1 %|Gr~Ѣe}¹ p}P bfhfݝL8 v۰ 7qi{}mL 8PXڽ)P_X֑^̥_~$raN< 0]qh[(8OfVS;WHQ9x oW0v'Q/D!߻orpy5=ͱBjX P.I}p&[O" a 0pkK]n8D,[SGʝmY" ZGQ JhcaG(hqsPE qQu+@FՃmu6 ڷV(2X$Z"@VKݞ6J4kz(R"NS bD N f5&Q3qDy&x,Ĕ ՈNI*pQō-W;i?sHCΕno9:ۧ3%VlEz sWq"m>ؕHI]Р]mkJ9h>/o] "->:~,}-LWJ^k-N]54Ă|*>Ŏ^Ā%EFlaptˡ>VS蜸gN{vBb[&Ynd~[77Q. X5XJ@:F{A'’+ޚ> «/\[ cU0bP:@sf@f=a@ȏf)rs}.bX֥޸?#cKC6dyЅZ`; M.d t$ PyT^lj.* p Is&Ƀ`6:K.C_{?_I]1; 9| RM_jW8Hk̻1UCbyԊ8s*:WQ ;@z/);Ą)n'V 36ϙTn50M]Wץ#(iL]#Gr@=ʪZUgԙn c ozеG?7NR 3tݝݭ8#h}A(VAp_ S#K9?#"]$KI,nJӯ5sd( qL4DGɗfZ-r3,"+ݑJ|VT`ɘ&_^-+뵇҄I 4ic͵|(thUޒ%ϨՒ 9hsBroԐ?zSB*NVj >Ͽs~) U_3y6jdG7Ez}!:GL/5sZPzPm..a |eonn\8H|˄EjXo!sl~gRX;ZTC f̙ːcp'ӈQޥ"WE *b*Q'9CEb5fM` "EwD|VaQ}2mKݠOd2l!RN<R(rߦRL~ڰ>$X:88y/75;@@~Ȼ]܎i/gB.ЕӾNf{إ"~H BVK M)wm΃ lV$WOrx.b۴Rв.Nf%43hO?Lʔc'Na'ߒ,$G̗41E)IL`usWd4 Q:D\ '/w_=0䏠ؗ/-3t|wHc`%eõ7{4P3w$:-'5yr#  +V{M\2u!=OX]M>lc*.Ės6K7 ˾%𫢂6i$mT hΓӽRIߞUpq1~D=@"[bcP7쵗?CiJ-飫TzrwƳ}n9Ʋҁ&A;1'%f5 cm=7E* $z4L? Ssjhٜ4uN)#\|10ـg5eܵrJ *$S@ZbnZ5 Q>+!EA0]xe|Bo[?DELod{`EsF)E(oMAG G6PH;%żzܿ<&[P"[x,uԐzV MnV=fdq9K,~o@շs 䬈*ڌTF%>GLĊu<LR7X^rF*oelaX 'OYYNEo-\gdo,e2{WkQ1֛Od5?,WEP:E?V=1xV9LN'Alm2PјncX]_^'Tu8{̀K}.B@YG`*!%4H -Fuղ[i5_d*Z'rFiJR7^ +jbcʁk~!VAe:[Su#еڮqn%ih;AWFq=G*MQ?#jel{Q~#hGy$6RAUY$6b%O`k-ݏ5 V[?h;:i]$[E$3m!:Ӈ*$Pmև $mrO霨=} S;u=*9gZFd`@b>9nhGd躩|P/ZY+B?G_[ 7@kD"]гob0' i@DՎJҤ _ ]Ƌ9OX?## Yysp ‹A&Lgt \(&CCw+\iZ3 v؁6ul>|:`s+Eɂ{z<&&,q(7or:f05! 
>]Uj = ҦQ7g`Iv [& 㣧7TP=_J8 ?,NMnGUnANz@lŝ )&ۺTek;Y9dtdF%^<B&>%,딂iլ΋DEb\\'%#p U«#n뇺ƭ0VfL5| W&݋Lgf@.ggt:Ӭ eHz5opu/nnC87F ߨ6MG AYgI)"U 4}AF X8kdg/꾝Oibn z|jR c Yt.'kJGe!aūT1$QbE#\E2@ؐ!L°79VL[0~tgP%.}cIAGeZ0)gOSxi/||(T`Bp|=)>>2Vz~ $D*0ǣ)RQ%|m1܁L&BH?䈭 ^Dž'ĊE<R$sw =Q[Nɴ\ 銞'V+rRP,ڲY_~TITpгoH,xϸk¨4x,(@HF!xiˎݛz{t;.ipX}TLRjjj4/ 4\/my%md Oqu"E2]!9h~ pVTrZ먫mmVgE/:nnȠ|`;uDŧ53mm^(9Ԣ]o!bAhC)!%nCcP+P.'Gq!#ugɣwg޸;u;u"q`J!kT]r~=yڙ9I##i`ݎ D)]M{Rx8Y&2~uT@4\&?O EAxi!^&1m #)y= &NfMD5+5\vUc{ɬ@f֎oݞxL 08JRg%„Rm6>0F J`:5o惰)n`B&Ş}0)eCz:9?_ 3K^l-QnKU]2ܸqiyH K(r]ؼTpQ6+qim)'oaXƖYp@ۢK@Xd)q_YH]1/|t8ͅ% Ul@l h&i& ^ۊP-/fU4zb-"\aG|'A`Qqn r|^f3k,u4ĸ_Jwptf1!@oS\J ǮoSP*: SFS 0"yEѺԟ7rYK ǀĎHLs%&b<6%Pt~ZZqۻ6԰ٱZ]eg2Tfw̆^Ҋ>}on7:#!ĖkG  Xܗ0*{};Wc9Oxrٸ+6g|Fx߰T,2"&,%qw?ePWNFˠh9oG?ʧRՊBn": ) δV}/ ׄ,S 8/8TdN)X{L6GR|L]EP[_@6`# ދiQ3e^[u \( `E !j5,~ ꭙ)s?$n(NS -|.XB ?2=SkmwP` u,]:ND0j֚2pyhf|TBz޼<|k3T'5ݕTQa=w~t(C7uҔ[aZPd 6-v;]z^LXW\;RmڃA 7I?^):w~^%ڢhx-L1HS{)tBԠMt&W+`Àh ,מBN3.ucz8$y]q]7NUT"#HZGt:~^=sHǩC@ 6 6h']a ,d[`̃%,=gvY!kbQw iMt`rw- .R~*/\j]OQ_,eқl.]#;MW#-JaŶ _jwy`ږq*џYRQ^ xrZI܆`R雙^yҧA|Ya$ԸMc>v{7uJ\Kآ* 󋌊*ٰ T^[wj:! ß$Mp%^hȮ\e^\_c332&QJ[aje!)fySIǴr4AgSXfEM]soh)BcA8{8ky[Y:2góm~'ե¶weVUAʾ)g z^R/AH V } ;F0EckV+{sGXdQMr 67D|b'e&LJ[G}qwv{a#i@]fvPq5XQ*p%#0[Mi'tNh ԸX]hRմ o!bXQV4&VhJHylKu͹Op0ݙ^ Oӷe:D|9z!2&iTu_-eKnV0hMDC X-osyE5dF@n>D,kG]2+r\"oryz@Q_s}g<}ƁIqj3"@g*+;AGq˴%QVtCsF;aK0lЯ BGE2?3zScv'X:2-a~Z$v&M}kt_lA]sg60qp/j(%d(qڀVUuCغzu}@ZHY"~ݭ[E=CHsa9h7hG8,| LwpUMW<3Յ dWMw0u^6oˡ f U=m#5 5*WyNuGG+l=NoE:r<]ͧ ?FTNe@l!k+is?K`Pw㈳q:zB%(=\{UvTmUOvF.\ 9gv>v;hGj_Ӕ''bqǷTN .>C5N"S*#uZa.ÌQ.7GN HP*^JW$z8Lǟ{2 44'?"Yd,$#20e#g-mǮ4~٧IzFA,e7HdO"~@d #y4_^QG<77B=*UzX~o|YfYG r ;,T }Ӌzd}5BX' ݏ_g5F7=_KRRĵ+cJ=O}-`HjˍZDͳ\N=JPӊ 9 m WV1%N=x P$TJ_=|a?Yfv6Ox#~UBIFC* xE<Ծ=83*yQDED|7ID]x wy3t9 ]nfÅ#^!UK4bHxXd7ύ&@V#"(3㷦6,CK{=ڃKG7~,7[&%>Ӻ`ؕpͫw`d8Z)ȭ~>l]&ӎ,ԋyBG^`|ڇb85wt༱pN|rN,gybR<8k%F@uᔼ-YsY)`IJ 8kZ/ .x1*t'Z1ʊP^xp2-JFa)Zv!ˠO<&KES,24yS=d3Tu[y6(tФSBYKN<ʷՠ{p'U>hjKY+2C'IX%-B\ /pYCQKvp 2ˡ)*Un =FB6Pɫ ;f4%(ц+ph \uuhAOY𥔴1*# oܺt*U/_#QdwdiLv ˯D} Ё8I( Z[j33(`+Ix&Fg F{g-? 
+v<ƘwlQ;%3Ut -Úq~P "d. +!-k%j P*yu-=őFh9}Brm)iM2XSt҄m66 tU[Z:+d>f?}7E+Ja1㐋pz[W\^:w$QD+ HVa wH}z|g^{`nєoz=?N%]/T~ϸֻэ]Eݫ-ie?s0P@JԿY3rڡvNk[}?W`IŤ%uk-6pCj$ưƒD'. +Jn:BB:c(NnN+SZjZ&~|צ}A-^\p7Nd*{oJ[_o:fDf-cj$0:v+SD|Jiӣ P5#u'P\f:uَP,DGV~uARL{&\6sС sڔGVF`8`MU>9jV[S%Ou#u7|pm`KSC6"RДC7?ȇ=$_̺`U\̔tNX0#C^5S Ng9BpQq[bڤh֤|2iTWx9{XDHC$WbVP%e *;1-m<+҃bCdt_̔nSL8_S}xzqsrXN&=HK(dzFǂ< exv*|AV)HO^f܎9vw1edΜ}xFAӠk+'Y7a&xWP2wzNOxwoQ_)MĞ4 HQgǂp\on&|<:8ViqGD;Ώ5`a83H #:}HID>fV3x%%ŠHJ7?ӵ9?WHēJ dQv3\5C(F!%k=o*x[hD=f!:^Xa0-(_H). AϦuu~G^w[v[~Hzr)r/}C<ۥ *vdOٺpxJbft'e9C{-%17Y{O@vT&Vw47EY5k: H1c?vr9}/P^[&R|@P4@пG@rF7"iv"f@LػPyq3Rdan"xi[ 7S]/gS})_ᥓ%}Uȹ|$9r :oKA6ꄻش{KAA1{>݅BD;yze> %`nkJ =uR ֌c>S^PkWBʉ2M+C NdDjL\o\-/ ;; ՌzJ2I=lfTfe&.+rEWl7`| Gk0Е+2EcBFzW˟F)o>Kը_Q8pmfY`̡) /V2k0-Zb_zTr<&ʤ޽&!޵(*iB'yWTL4.Kŝi>F*a\ر>[@C<{˸.cn_t+v416ϢDi Ak#ǭ1ؠ C;  w.H.J59Z6XMk] U{P EG`.öuPX:uNv^$Y7ȜTZ8Q~⢥8lg3!]9F@SEz3qv[ϞdO=^8#@zG-~yԈu L>T嘵R'`wd3l!Tϛߤ/ !hBJМ傁VGlY*U#Kl`@ &\rJ( 10ǚeUDUn^5!І DΜ8u# N;x:ɱT=ÚS?7㇠E7@+h,(K"+kҹl}G Mڶa'ɯ8ӀAX'4P^[d, N!]E j?+r.!rԹvX,Ɗlk}%X ;  >Μ3ެogN^2~׎_i!==s-}E5:2} u;kx7e#ş#6fpnK+S{޸:&TWN ReU&[GVTydH?dT >}@򩙉*P&p`iuכ^L69ʍa!s  1ѶM{ @ε`877ZsrrMd^EGyg=y}.:xLeԠF9X /J9'[r':Y4CPLدJ>%ju8Qe"_.7F0CxnRD$P9E}|vilzm6DRrהR.X3{|r2:ί<'PAm>ל9em0VYܬڨzR+J1G6Jq@a`Yr\B+8LkFk$?pD_5 O z嶑<㩘4Q/G;H6#ػș;O35o 5x<8k[XvO 'UhH2j LBE"ej1-;$\Mɋ&Y7m#j]>&@h!_.N4Imy_ΠHxߓ+BuIR._aWN<G'&w"7vॳL\'] zB+95'?ݶHYlD[n5s'u4Ah3$rp2eu+DdXW˵G {D熰@xք U(-|I\^G4z=2ꮴ^u'+d7~>  .v<0ꔑM]%jrbu( 4syF+",%sѲx.dǽ*V7g!ˠN;z紟hG!2*rnٞ$Qe6# 9V`JT 3QR2cW0}Z#ĥ5O#4^bEUqS"/?t%TB86զpW*J*O8W_jǷ&2|r)RŘ!#6 `1yPi clxphd"u[-ӑXmƮZÙnW&kzۤ.w<{hDIa"μf`K]gu汲Y\!Ol]0.=4]*2VYo' +vK aύǼ O@kd/ ޹6 m8BC].]˃]23Rw o; 5$bT=U]⊬,v|?@͘R ?܊G˒ov`>Ǜ-iu>g/g79c*F-Uuż8(3q3]mw]q-?> %X6|&)ؿWK^żR1tz_cdFŌ_g9\M,5N3I8sxοuna)rD$Xa,*<4{HeŲ檄ؐ#:kUN{% rEcԔĊS:gj޶.~I>Ec8j^$U՛LuIS̵1%cB/ W_}8TV{d(u"Ui8XsHB<ͳcCA٦{ڼ4#(mK ^ `KB P H}{Z? 
3>@N~ʣh&_NcžN|: |M-OFbP'Օy"q)~ODp(Bv.:g\VW`%{5^,An|yFN_)JΎ>iZwd Ũ_ص̃@aqۉ Uetb5_6uWN^odsܯZq';Z%wtGm!υ]s@Gc6Vvɝ*kp+D *`HAԢ@7ܸX^yG`E1WI׾ŽZaH=d*Ʀy?#-AĵhåNS_<*.`>^fBPDQLQpm 9{GAs"|t!Ѥǽ"*[c-dhL+++p\yHDa۩468͜&=& ]oeRrPsyF(4QⰀ-[j 7CU?.wGE=MޔLX\Ҳ>ZXѫ2rހ,se :[n;Na9p0'q y$= # R%iVivD@=H g>>=TI25bWP UfN>uFMޙ,YsK88 nZͅO2=fxJt1slxEs*)+`)jrVZǐE܅m0 IClv̷QQur`{<ؑON w&v3dqOj4>̀7AŋJ4e Ҟ + sb}IwƻP>Rqʰucyep?&eW78]㉞H"@ EscC =PYauYjLdqv<dIP'(/"P?\\" =Iwث jW"(Y q;GZHH:@@{ s؞hI]?,@J V0V<0'ϣ]N$8ILW:h,"i9Kpjqf9Iep[ ?";܇PXW*,r2s]np8ƭ*FaOP$ A:NtDGUbƪR} Iˑ%ŷ3UYMcRR|#J鋞Dج0>ND-tĖ$7RpH[`:lj`v;DW"ћJnԋ"`S~i7߻ِa!:R/B&۩xV 3wp%7 ٸ$\DZ7P1zPs\+,udPc'cN&V3y Q6_{L[* vI4P`Z*g@c E(a%Iy}[rM&5"it eE; x2ѭ3]rһdPchH9ci.zUOG4UKrxtXTR@aQLC"KyCi0N5chC6Z윯I3yل+BglrF@zȶ#Se"-"il9hEV R1Dv c뼠hgD/煰Ӕq5~`8_]JBAҳئ5bNO ~έf~tmrDY2/%":mJ,v.@GY$ ;QLk7X nTc/#p1u,J.SYLɊ UPf!lModɽ$w{[@aaF>`PwCI"_'K oMK#}yCg}Y} n-etҴ*"PhI_sӇ+~"I$QE+*8å"Hnr#S.u1huqV$,%J7<\{HE.Gα>Xi Ʉd?RYn.YtÐdßFX)r.I-,)>L΁0A畂.6>eL zs0b\)omB]!pK+̒%lV ()M,EOtJ :*,0g+\$6~__|lfB(B{6w[~ĕ5pbB3F]Rld @Ȑu /YmJsln_c,[F:mE)EeJ` Ne) 86J2Mb}Nʳ p`s7(̞ x〚hV1~s@c!EJhG]X uAY¼J=/Y#AvZO;E&viecuD)/^XnZ g 0j,O()鹓19߽n>I]p&r MMs}ϑKl8sB@]cd6Y5Ic߮o= S9uX>A )ȿ陉ֺ@%“xhzmzO.z+詏K۬ha/8j^tR\Tuؼ!V~.r&xHvaoX|۔'Klf]a,j9ԘQ:B$ ئy4gdt,@:KNYS{P$Y0V5(~ʈ2zhH }pFd<هBbK]y|¿b|{c,LO]6R$f - ߯:ʳt@(dY6?(aGJ)T9-S <s+WH5Va/<wf|;hqQԼ<Mpߒ7iLΣ(:"&V^< gO]¦ʲ,&Q;ʁl L)F'93b]9~fտ2O9^;8sv|Z.W rEN,b$SǸmd{> ,]bx$&f8/.$f=_= NE5TTw锴Wt{ߐ^6k|E1 dߟ s_V~= 8_Nl20P32O ݹ5͈+63w^kQoh]0(RE*:|lx C^j 2D c97:îhkˊ2h:VxݥdMtڦ!%Yzg6VW*f}ځP1Fn9c%ca%y!RRCgK nq;pkо"Lb\s@5)qƖA,ѧ ͇H 2BQ¢} NU-"F}7IWJ]XQ&> ͙roKT 9Cr8` C9`bq5xQ/T2OsZ驑"tqq]D[GxYGwq7? }:3.X %bOo̙N{UՒ.h恋Sf=zH` ds\ !} 2۽a7. ^Q:q +" wx>8XfIv0A<85/eB"cΆ]4qAo,S ;YfEomIٟe׋2-SM~YШw% AB%zj?Ѿ[wsR3S C`-%unNs<4l+n;g{ rHVcFyZH<&Nwt0"v_a9_wh)p9&KC%U1( z=P'hˆ0\K࿔/@W pzx ),ƻ5Ik! 
[ܤ~uD/gUjTܑ믇eBO'W?P&W!A85**㴃yrcw(4fXƘ$e}k{ݝb-fWy}VmPRy8H}@(m@< |ҳPOggAW7ϐ╎X^N| ' Ff7 G=y0'1.#KzL@8# :xFuzGjB ]Ɍ>tؘ?M~QqJܮ2dAև-!*s)iTAnPH.,ԯo`` B,1QKE/,jx.ilO ;ui _q|"*c {f>#QGD}(\dt{6qD0۰%ŵOO4s\+싳ȜXCU5H1#}"0PʾyV QTiײ +:4b%h^FV] L0ns) )稚 &{(}ܪܱO:TJ_=fŊk(C*:ኳ} i0 =+>NXou:cMˮ#R&ewϠCM\$n<⮠RBVz1;6OJ=UY@+Z3~Ľc,2RWʷԫP~ւ2Dؗ}TCٴ职Ui5@kD%z;.BW#1{пbXL\_P_C-|<J*V$ aޭ6nh{P t;*}9 FSAv$L mPZ4_(mDOzF=$|>seR#(vFr΢Qn#mW 3nV2}J4 M#O`R_l\{ W:_\63rX#qv+Z6uD#l9*ꏞ؈BYPa-v8 LXsfA 7/;z7Ak\5+"&7s v kЉ6X`g}m0DD;%2o;5syFɦ=vKg]/ DEf}SP|mɜĤnYnE<}{ 4IJ3b[{ʉm7$1{aY?;w8wjfmcOugEI mS3?RRi'{]?l -+5j[B5Gcd /;8FiQ.m;˹Fe8o~/TqĖ!QzZQ=UX}"p>N2*)cTMoSrbO/I$^ok씓1 ϲ?aRTֈ(B/ Z!t$zb.L3EW26a]R"BB3{ :N"s=^1O0GPpXYwx̓.V-Oe4++NEhfGq!=v)#8!NM%IQq(x&@Eu4ѷ\zG"( aմZw%"C؋0l-2ATs[^u>~Fw]ɫ.L@7eۡ31CtPyC'U"$jIShpl4{ wȺ}/mhj'"J?2lwdzU :2x} \ 5\XǖL?!7֦8mphBWLA8l9|zLxR;T=᳨sL4sEIx!-iSAycH\! Ss/lMd]yNS>A:m% M/KnaDfKk^vbvm'o?ۈZ[ίy![1 g`Иo;@Ɗy?6ȄO֏jiHg|\{:S/?U a\P˹³aAS1ȎiJY*< yNqqN28q%@lx jlu3W> Q*^pkKB ~yT*arpAtMvM E 4X[2ń^1i0b-Aj)Tߙ$S2F7UWJZ c`PU4rvv2#ްjim)ORObΉQ݊HHpcKRu LP@@ݵp3շg>bNØƗX tEU9PkU4vҦv/l$!QAyR/eRz |2AISy_rXqk Mi)8ZVSf`i0pϹ.V.Ɯbyp^4nzh2Hs`bXWHg\ a؍UGflCsP4,蛟9--r{C'|͵&H&`RF]o%C.`B 8(,_v\H0ZX|Aݦo}PD*sF)QiRs,u뱛u 6,ؿ NRBnj|Ng~b %cRTN9.d 91aWɤfG=X+~UD? m"d)8e?i֍sQ~"0o,OggАNPK1ͨ֠]r៵׭Dz!$=Ha\}zDWnw%nU*No8E.kM !_+#􁩎Mij=EF&plrg9L]GM fVϘ_]܏"k a"X—'l5BkAM'B8yRc'&i;Lƣ` JD9:Mw~ddGoMw=əT]LVBc:Ѵrbq;}7r@Ep0 26+Ԇiʿ#Ct7TɋK"T;]E)]I[^G^X+Gc=[G/jau/FQѩ0~\D{.RL1lrþK1K4^0NE<Y:Ams|#0 eTƓÖ*oSGp'\JvD3 |ij,$OE0[ύj`~҂֧\A߅`s |j堻 \MZL?Ft%'Kq6Acp,2z >m$Lӵ?:zd7v#~dOh[lW Ow)J3ڲVJϘ@&K9Kv 3HX$ob+| tM "CJ}y(ՑKf/#xJY%ͤ:e%ý9L_CC{@>;v;0s? 
AC!D3 $#*WSH Z"KN9ȓFTrKL0vxo!^ hy\47 [2dXZ\u>hVR4%?6@ ղG*">sP=N LKZ_iZ0kNT5p%lQtڇ q`47*kw\SVcs$ w7'#QcVIcQ`]Y)0+[XcKHbB49ģ +GĮ4;!:(!"q-iv =c,P(zW77s bBڤskJp*c `;܍ϙXiƹiVj޸RBλkWcV07F5bVc2VsId^e.T[:>O\>E ձ Q-jt\=$%O[6(af (91Ϯ5 ;(R!Jw@G2ۖ]^>R~ dv!ty@kc+#"Z6re2Bq U d(y!W!Y'0piUf|#_r ꄴ <HCP:yGl[Er7 =ns:_ceW_ m7㉬ x㨣UK+㌒@]ysj,OA)#JYMwB!ϒkj}#tdI+xhDU,gMK]If"2C:Q*^05ܵ^N5riqѰuzo?0ՒL4/G]qX rQ'Zf$It5TiSJY)xv>%mlb?a.5AqԡfvHKG[aLk'W7; |1(t'yVf!E|ԣHmtSMf>VAQ [hFFoWG>j;vb"AmnKȜ{k$@4VM" -Q9¡El1{.ŴFZw-(?xm𳉤Oݹ{t]$/Yݲ#5d<-&+3vʴRZyL9'!EK4?h礷Kms&ž`|G8cJ0* 쮺ߠ4z\#SKQF&qifbHW {/Z eTwh]lxz:!=fLLV(φhߙxxrA^'R-­'-9Ib߄vo֞5rM۪@?`GͼrMI{G@/pfPAحIMC-FJ? ߧ,#OC<"F /A1ެ)9t-T0.A: {`Cj'ΘHS@ <[K'2R o-f )?8L4kU'w!4b":_LN5FaVvU2B`[k2 ebnu=y:}{q΄xf~5};J@;[a?J_Ю?R 씏;Y'9BPuY+b-1x)Q_obx5k.MCU6T@Tl3PYE@/XމW8U,ާwh3o2R]j'JIܛ5&K [cߗL31kt^dc>jg\ar;* hD][;iotA|PN[)!B@hz)*dxv >T4zq\0>x W*3~fM'§B|kBʗI[17xad[+׾%/mne2Lby=(}U0|78QĠ>;^(#u~tTD ^~Ƕۓ8*%ff[b mHeP=(0.de$V˰TgZFQ>j]JW#rk)k<QPx3j`W-1g+ y.Ĵ+)™`ԆL$jjˁvD1)\:&|s`.Mԭ!' 7r+\`%\EjpTif|Ӄ֯\8r.s-'{$\NL#;p9KBi^ݡG ̢&/͎T5ӟ2׽.f;*= aS^5 V~-/׷TNtSAVʂPT˩УVfHK uwAjqqɊl*!]WNq=*h ~Z_@Lnyҩ/2H-cढHJV Gu~a]L@r#U8bP@ߙe}R32 ~J@yj(5@m9i00V 5KC!J T\11Ճdk2M EiȼLg87|(H$ƼtgɯC5 g <*\ ֕܊R6woVxA^s,w k ^i6r +1Ȧ4.>K_􇝪Mp; œ^8vLrq$:=T+w iE6Cy{_EWG?jW3Fz)7n/ɊZ-D}D@ESFDPKoƉ/l2.UEpa4Z1ջL083#HHvsl?úf2/Ds<:Ѷkw509-Ƨ`b58 Q/а#Ua?.5PB*$Nى6s:m ]A<|O%%#o6umPIGD!vCXû͉5pL݅|z>Dzu>Fh{+/9[$7'IHHqvNݷۛ/'Yo]HkK1?5U[={T#dVZlI[췬 Ү!kUr28.go-qcqV Xsޗ^jiK ǜ!smsrpr-X0rMvW&0Mћwo7^Jy6)[M9;h %JYT@*:bx۰_,YJ6tO:/_q;I &Q ,+bS(7Chz U8/F(JV'/"bȿW/Y0C_LM^H0'lZ@|V &m}hbX䤞`E^PRդMR~O硲>jT_2{k7;`cLqtMNNvq͒yJ*o Q,; 'ߒ#H=9J]3l T^'Q9Yb{mUO_W Nv:r+y쇊F; RBu0z=[OM 5ZdJ9\0(7LAcCj)򑠟ڝyVkD͋Yz%V*5NWM4A8@I6TPGW,El]IN\xH$D9G 9QK> VPx*0WiBiTJrNZŽ Ck#l7FUIz"r< j]P#\>ς}%n*F9Vʹtw1nr!mT4FTזzm+z Z幾 %׃ݓ[bt޶` !^__Q tIB@/'\x"yu7ĺyPuGSQ~"ܕ`v9/k2W*60'. 
n~5i\R[|~3I >VN.gߕ٫9$JVٛJrˏjj6%෇L2[ko̢lr5~kM9];۩ưAu^/ʥAtXbpWwg?,=ot*)\ -f$̡\x}6ak̓rg}W:X%ܢa2Hi̦j<ÀYm%J17uN1kqX FG)YaXaA"7O%oZSPDZm,a}`T7hg>F63/g]BϭT}?dӀ.fȠu؊n|p?KeT|-?ЧG*9Cv}џu3*غxZ 8|G] 9y1*ۊMK4a8S\:PSހK$9*Қ>.fr=P?^d7u L_HڽbS?t^]A_=Vb&ewa ¹܄>Thh6.}w69]FY.hrv i1N\<1pLaKX+CA\F,-[&9Mf$L/mcu|Ɛt@n)5^~Ee ]%9v_Yl ejlk-Q|sш[\g,c[>3Z~H@ Po}HE-՛Ⱨj]Tr)qEv=wRL)yE@)yWI_.8zāQxW .@fR$w.CI'Dl9%Y]ᡤ6R84f%v!.b|Kb_FCR:Vk␉ƇڋOdzyDF2d*b,etG)hPH)5r C`U5C g|5l\>M'3!p3`ztv%Ӑj^4]k{|%&D-ɏ4^,idVT\a H;.`:RrXCl8 1*[[LUi,+VmeɚޮVSARUƩ:n!HdPh_XZz(wF|h vN6%ܗz>wOZR_21ܐN$GߞP6UՃQF76Eb18rx"f>snc0 WPMƗYM5<_:|MiݶQO$2`L 73v6 ğ 6Ym0/EÇBUCvF$Yss#rZk ˠ='{Na4S(+ZYLuv!o'wS O!Ψ A~b'mEtzV]?N#8欹V?ɵTÆiOܔګFV78b㪂b&A7Kne-B՝5)SJCŚ >Mv<9 KjB-TewTdB`MrI6JjTڮX?ֹ >ppϻBU78E[&?CoEhh}' KfgN+)縠ic+_f,V<~ºj[b{{ϡ468#gJgqr cfpe_S@ctLeKr3g,q1meNAq DnG BX&(S:=NJ/FNe^nj'oJoLBiGAʁN_GUX ֣F3-s gY5t^@6A7\.j/•\Ū[AR8<֬NFq;ײ~v \'TcC`YO|) 8qch3ZJq."lAI˰'ֽܪEy($@2;7lanAT? 26e,hfe&xHش]b.[9M v uO]7hkU-Yڌ ^]%Bq0&[iW>||pggE+|ٟo舱cLA1PUg~k5]B+g]tBI# ՗i~IBͰ <Ao*F*jeCFm!I-ӵb]j=_0n_%-mՖ'w!sMe$ҴYQ~݃+]ؤˉc Rvv[9(4g3סU 秒_noRř @GKHԳ֊.AD}ݤGC4ԇJ|wժp-,Hd(J1GO a,B.ݏ ^lT3M0# qON/VS1[;K,Q퀖w:k;& ȅpc<]8R;B;pe~?j>AJZ+%znZ(x$kXƀk}=$g\F^+O'䜏\) rD ]Gӗ[R0;vǚ ߏib`O۰<,arNY:Eֹ$g|b8Уx|Ly2QMuEBdn_5ep='Ccb=Qƒ7dg+"K+|sY tV6?`='cFv`6@i)_D6q(FlubV/lE!_;yOTV(짹ԁ *f>z2 <t~vhXpB'&!Z]'յY_dι*UYiq> mAҮГl-mJ1H6 [Yُ>lŊ qgF`%?(_F!㫄!XQv8o$ AMA$ʼ FtVt͘oa`iNe *%ߓgn&{?hۿi(|g ^=?VNU c#h1 _hoʼnEM ]ĞN5a4LyosIY{@ c?hr g(+\ kr H;䴣gjC pJcWuv˞-Q9s W6^+fЃEL~&J_C5g@Lf:vgѨM4E>%GѪUzZT Gvjn{6+}Cm3c (! /"ub*: av+Vh>K[dʛԣj;~tᄱ92{@Yw0\=XPηp$mG[ON+ӟ^#dRh5*4XgDT?4?6$^ MVa}[ ոz=lԺC}92Ueϯk%Opk3bMf] c* |yE԰ƈRa]H gp 3 ;|g5kOoPv7lMBI2,(3 5[3ZQ.{.eBn1>Ԝh;F;TA00GMCKcW0]VoةϮi!kx3IJ@;&vߩfqQ@j_u(>}d9i]ۑ9j"Y\f:+A8-I.h2Nڅ=En.ۗz)"^MDf0l1~Mon~>Hy[}`qTdBclZY\4)Cҟaiڄ&֠&hvwu ?鑥1XjXM8 F8~"d ከaz)ْ2H"!rb[oTč2u@b(5m$ >Pg[%O=WiXM'Y cm5! vGY:!{TSbxo|޴yYz>c6R$(鷠f `)$ERgu Y)Tp-$יnSh;R.Ґi>+m05?MwuT8"p ?¶1AWʛl)6}ܱI}yI8zbG+Աh0RP)JX'%G VWv~_^}^_@|G opn0t?N sź\a8Tanm标鰴i,sdP~T,G7Pjg'jE3B`MTA+>nBڕ *3P5,X{^Ϳjȗrt<6mlXiJ! 
z~&6~zS~9jqvQQ C1M-:n5D_IPp_;fJxs@YRpuf%KPZKø* M vU<@uzVn`tfE925W_pM{W ¬kFΌOt!qyULVQyVSBDv bvOk\]9c0C Mk{46]'Y|P >~ڄnN69}C -`t5qPh,RAIdZn[[ghMI`,hOl_2vOmaׁuQ8nJ|($X! ?@ɧh jYQi(ݒ) :ދ^(`1 qӌ7gBr.>4 ZYPW(pBe{m }K&6 KW8W<l8-d 3JEKs06oFDE [DsO0vN岘;=;~`)i{`eRק;j |נT>gG(<å0l*j OzgiIy ߉e#vJ'2JeCI/gD",~7K-hjӕw9xeIW|:0}M҇hiM:%ZЅ2pٱ~c~[+cx]MκVzWUH-ܠ_Y%mY_P#qܾs%D^zƜW̡@sZѪ[e8}Z䬓Й-( o"OZ$tCJU |]ݡ_b%VX}* >DDK-KQFj-1d;əDܪe1b. v0p,Rnlxe!oBlӺK1j77TTCnTX hBTä-JPQ,I#w\ |q,  xi!lK\E*~ % 3Hkz(;j1r%g1 +;1(%L?S@4O'b,:U<㕥e/_ 'E0R^kpjpva,T0=b;"<4V~$NoSa9蠜._ʪnd?V'T (""ftGP#갎3r " %;Ϡ|z4jԀ~sjb+*?>]ˢ-Oe`BGvqM*olF; ݫʥ/2tC+H㯂4 C3c]65Fy'Y#a|Oޯ?2,t@ eDQ^Ώ#y~:+1}zk{Fb;jdΔ;`_wCl W.cj~C,s6 8DC Zː#T ~lGLPpPSፑ终@'j;WBE׮c)5ku|]T7{S (QͺѽG21%@gy,,QYRNpx PAL'CGeoH?MǦGDeM첺C:ڡ )Q[A;S]tk DV)hhc52M%[Z!9=rG`R*o^Ff>bufذp6(ޱ..TyptgpkC籱TLHv8+qvz?|Ds6in0mWuߗݵ(~ wTF^/>Oi*0G9>BwNv=LC6 څo[ŐKd?6$iuIRqL_ 2u>G@j򿠋<2I~. W[ pJvQ4/"xaA{)w+Đ/ׇP:3Bw+Цj/ RZԅs8A)hIlΈ{;3yc8v=Ї_ Lm9k9N ۰9a:12/F<*/>TVRtҩc˩KLbad6(h:m+jl\b39*)uat|,r@cHRI!JAe.Os~Pb ^R缁&WAvPSchmۜ?FT\9} hr-ixİBllaHG\EN}rte|N󀖒jAlB@2 KN9y >qҘH`֠*=Ũ& 'NIicj83OWBTL%PO|ks$Xq0囤Ay2FXBdOruur?,=ʛ,k:]gu藺9n&7!MG}Lv[d4zF*׳HgiNJzGe)nǹy}\vt,pFR^E\G`i~.omRɊ^YܠqBXgS T}3h~Rp湴I0RKz5;2'c}Ds/9xbv9x@w1*X!uXWs(),WNT{vֹip"] > [A Bc+WM !YYHyOwhR~xw$Nͣ̅?眍\Py`KAS#R&R; 5lG&o/Lm$PG$aQ0J.pR;aL|=$g=(|h*tMnnB O4{*KT&GBи\XF[q/f?q(ՀE;Ak}NS`G>tK)_,ڮ %Ul)qw6p˰DYE?{xL1 &Kb$i (a@rʢ^50,r:Q X Y_-8+fDʢCUǴ>5o\$3w{ !Sȡ#AԮ?Y7mi&q&AźNZ̙'/R8\&[t:?.e'Gl\ȷa@ g3?7]t\$(z2ӛ{8 eoNO+V|=';@""N%f_n,/CR9l bT>HuA)%*RW cVD Ur{h F1vyHRlh}ZfXQ jKK7!f…PC FIdg25U.bJl+?U%МIۡxVWN,o7Q̗k~qɢTejc0,(Jw[XY37->p緇h@2y63 F6l$@+1 ns/Ӯ>;ZwcƉgR*wS{7ɿ?7v ( ~3F_T 'Ajd9>$҅)is "O; }fc}TG}$gg G*s37KS[iH%ٽbwY] hu͕G^o_ӳ[]u1mž\+,}<a{6@v(k\oO"C9_ V HP|mZF=(PWAD@cf]i^8/6[Oq PZ$Mz.BALAD*!>ֿW <9VB )Ig}wKĖAh'(]W-qSKv I~S5ʒκGvfN ߂8Av3 n_RUħgOn CX=1C|Ltje+Yot?w*fDech񎬍$OK6@[KP]A*]DijqڶQL$rDq/dAT*y:6Sǿk):kҧ f=θs(*o\z4S=vOB OK >|ST/'Oq`pkJf[,2Լ8iFO츶AF07MDrV7&.a(i͟_F;pIBTDf0Sb1[t|<(`{=M:)sRvOdB#4[`ސ\w3n n^&dgnեEބ8{ H=T6_Vӛ_m!rQ|D "I'tXst 
:oĚmxOqb\!~_@&"&l'U/3Լkcn?#wP:l%븦@ _=XUpB6e]CP/knCۚ6O3&:B|m{CTҶMh?C!Lј]MjwpqvG{:wJ)5ߴg6B7.uxY6 v`m~Tbr }n4?/k'G3$O*m7t( q"㜮xI¸.}KXIB+V\:Cs}񣳺~fVP!@q6huYu+AM/N}$ "d//|&Hޯ,E,q=xDŽ=3:B_5 $?兟0}ks Pp, ;)z8JyK_tfǏ55ntmVMϮlR[1eZZ:B$HecK8Eat#e4H=W$#-WEM ``djEM,_нT02~6ph5"xDvsf`嬳~[93IYԢR"dD_"@/=m6KpL>[7> {44ž/7IVcvZ jT9J2ttb _ nkhabf76qrAHJcbB~nG#m=$qFN.o+WG~,IS La1VDt@!H+ ã:(YU+ T,ȯv^`(B]a>(>ZO}לzҴ$r{M2cbw'63x »4DnYm*‘I$Q=z~MQN^xZLG.*1Y+: 8[, `ƙo0n(_L@2 FOVq4"Z[ n( @s LZ[H`?'Fm5ZAφ!̘WHm64xf-U"#FdMhm( D eN~ݐTz<d/o&>6Hoy{ә "&M,#jcWHxBO-i*Zr t?h9*2CzP1Cvkګ,>+NH!aJQ)]iJٔ4Rϒ{^ zYTn;-? _REfc7e.KM.I%0*jE.9x/+¢LgRtdtT6V GP?)rk乎&^e8C K[xΆ]"bO1[>K%ρ($@O]_?E~P8J*x0şCC\]Y{/_E Yq,oŢp= %1wAK /P+=d8#+u=axЄM}C[|.BnFrAA.88X_dT0U|ĽD)નi/DiPG& Um gX<˜ֽYDtm*7MGK8e=~+lY:1{03c [\Mc_)h|NBnSpo mTN=@>ggg SoEv5GpXDp3!de񕛙x*l 5.M3 K;jn[*8A.RcEqټl2@* F^C-Zwݴs-,4>*h Suڤu-X1Wg #b^,06m%a*KE)4EO `'^JZ!s%w9N%X;e qy{nC%TR9m ; -FPTii,:M8xf#K[,83?)MKtLs 7q?xԡD#bt?+麠-hxdž0/8Cw1=۾ p1>Zrю-}lb*WJa5.?K}iZϥ0'SnFD|qSL3nɛk#׸6)1?)o4~o0W+|D\"dT]HMa["%(6w h:lDlT%MP}/r0C^WH ȗx?=Y\a2`E-@ Jh>E_IQ%YwkFa[8;氱8Z@)\F6L.ul=L ؟tXawK Ah Yww>+МG~IhO{76Eo '݅3qK l =nk.ӕ/p}s%7(xX_Q/?O |4M/>8MY5EN~YW1p|kr%V8P 1H SWvJi'=?\)vs d#Aϡ_p> x/oi# xrM붙04wLKy%|Y@NY@j^GQ_'H8X9K{qk|\yD{LǸvl3X 9M&o0UvaH;;GҥBo'JaN] kb *11>MJ$W^uGs 0A4N!1 ѡ/%6x HɅ7P[j:N쟃;%N-=Y>Ų(׳>R]"R-gC@Ϛs \U|b-Q:g(3+%ߑެn!@<Qap"hkPb&SC8ڰ"h{uJOyf*P1:z/G0epIGsi-FQ7c>VUӰ גԤS3c*c4LCcTw/*+_561#prQ'H,ZUMT-"5OѠ(ߦT~t_h ️Xl5( RIίHUtQmϭ#c(GR5<4n)[^yFY?zkrU-zmNĭt磮 tJ[MNERj"V%k@pvo$g 0+x Mjsg56eUraԹUb-u?^}]רq\λIHI4 edMîKTSu>7[/~-|UF%+#-@+)B399,5˺ʲX;(P bVlMzji{xdyϳL~Zb7̉m}[[yg$_ZTSEVۧn5_֕cd)KٔY%QԱÒ"+sO6{=57SR%ԣg6[md{v,$G\/U4p.HCMՋ/6Øi'3 Z*[væ[hи{w UM `AP$p?:KmPTM`$/ᝯ+ MyXkO˂Ybu10x"O8vu?0PLYJ$iz1XFH7|- ^ݡ@ѸSysjoA[&& UY[J44!)>E;VoXGJT4jI}m@;?Kpw0aE{s)R&.?ZD)Fvӎo$](/=""/5`?=0fp *$ՃRdx>T9+g3%qݐOS*sH'w;q p<{2cm&Nľ4ƀ 5mQ%K4W*ѣ ¨~^GZ9\h%VZs7-O%l-2ErILJՖOW 6GϵL8zppc% KȽǔ"ui{mzrTg&']kpEIS UfM2=̄"Uۡ_X%%{W+=##S 1E̓!4]?SijP1(<d^<W\&߯ҽʵs!ӎFPdF^`!Pc)dj=b\Q)qEh1&(_n,+w2+>{tf 
XgIU#zRCqI*ci;jr@.@uP`Ǚ>~&HeZDv!aW糽wδ#(x\?S*Jmp8mdM7XHnM>`gQ"$&d9ܿ ` cw+&a8Bj%ȳxrd9~0kS/'imj>P)R)Òw( X0x>[/[L?_N mI0DJhO"2OmwfC6N+4Zmv= 3u](v'<wy+-~wˋsa?Y hd:id<,k PY C/85Wb5-1 LEe;LCㇰ鵋K8UǍ/6u~E*N9 )QbtlbFB`$htr1C 95ܚq T7w1xk4Yإïv46c#JQ2t8 &QS\7# bޤDj:nߘ -os?2,p̖֘jܙ.~\֋hE&|s͎ ^ \˫E%s' - jks*7;ՒI녂(p/R0[+zN XYKnPB+[Ը7[s?o:39+5K [h3(d<V Yk&qޫidv]3aju_vUݦ?-A#2.Y/dl I+,yQ$#z>yCThD=H:xQ9$Ul0(|hӬin)ߌjh4{dhS*ܪf=YrD_ tV+A[ Bo,zKQ}0*|]qoUsaSZOx@˜' p”qa9@ JD->"0NJJ RRyv"ByqQb |y Z^Fjm-s  pkqr򥃍hc% oSZe=^2pNFMȝciz sƪ{FSI4?LvMli̝ުa#< ="*Sw@ܧI ^0N6clNSud@Hm@;fj% !>pĕJ|˰ѷuto$Օ,2|0"''e|C􌗍Mu}[sԹN^ᐕgU3-VY$λCP&S}ק1(6}*y,E-9͞ow0GL65¼zسb^>fei"Ǩ:'a-GX!1Ȳ60[!vx2mC"j_Ow,TnRw0%详['TGhh(թLsh(Jhj~odM=h#T{gL[#.F/ jL;X1$[ %g.*fť ^b*ry Mv=ܖUS$",kqGϒbw+wqR|?Lu {-© 6T/l& 7͟{;>?"v?jEWKO$Ayu%~X2Hvn\K+KIGtխ+_'*[T:HO¨[Jby0x+(5!GOaAIiUnKb tq[>⍪?ɝ ?X BD֗n[$Yxٗ+!M6諮R<sǫ^=齼WZ˛eZV6dBᏨeuJ NݫU?M54 ZtқSN~}m-NϠUnFFWNƴ̴"߶`O l`lcr}>z{xIUԱki`w Mא4g(oדAP.z Y`Y[m2CXeҝBidoIW#|q<6?itr*3gՒyR%]_ROtPf2@aBN-q0 MLKM3@$Ŵ'@ҟ ']j*M _$[ u}ݙ"zj~80eGi3|hklfsb~-,9d;g;gXcһf/"@%zJc`^5RMCeqqŒO_':]u2dxtk,Jîe3lV2^M[m,N@ǸbJ]tuψ;# fJ|-8qƺZFB_&sá$͖~gj;1j6AT^]LOd L $W%}gNb^AXė&QbJ |S!ImW"h,]KokzI_~E 0>ew斻ZʷnB9cGh6!Iϲ\\Z})_[w@9_k5U7Ht,R/&O|tiHy|ag__p!S5D#EBh\Xx$/dUE10A g"eq":\GFY//Pm(yJ^efRc*h)^3> |V'o{ПkRf]*iic*ntȨ4T0(|j@ 斁COfHRU Y ЩX~`N04sj 7B"ϊLXۄ&jOI<4.#Qu:j1K[x~~`18Vʐ}/ oeXiYN`Mĵb8ƛ汨mu^nի٭]=b}E1/QjA*ȾMnUWwnŚm$/PpW9J _4@:}xIEf9bZ9GŀS5\z[1+AZ7& UH V!@"+Qx'`$>JH # Gl0Ot4Qs z%6? tHUo;MҳXu[[d p*O;S,槆^ 4ܔN9d Io՞, ítjRgȪѝaMejv rVg<پ)t%AoQyIְuPtyb|vvs)&U6áD9\Q"۫r;]}9 n>׆)} pB~NuP7_F͋ρ`aVB aH4Uuϒs0s֎;5$]Ebڤ: x:zap}]bME{fPau5䮂prNm޺}C]c/,hُI%̈^}߸Y>ٟٝP砲b 5%qW6K6&PUiXjF0k\%fpYxNW|[,R]/YڄBMgh(A )W\ 9cىyO3cDzq|*lWIqqmJ)u0:#kͯqZIxy#ΞBzKIl`,1ld岫qQɩR KhҨy{@ p@4!L9rjby1+ LYժ#IޙB+_j}Z#ǎo(#RUs4E N< -{!"{QYLVY`=Y4NT鵷1pdp$Ad31D ~3CFTyKz+סxbV>n b=6/ސc T1gmQV}5>ֽ͔zB.0v('LW9Sjԭ8#DU`Wb*ƄEt Ad>xYp:6s9Xi4U\*^-LYStxꍜÊ) ,*=?ڭ϶$m৯'vpqc*@OS׊ m$2˄jImM9f$b1\D? 
$]!љt4?8-it; Bu!1aM5X#XiJ8K,`ƵB5$Rk޺&3Bcק/Z+E\rjV3/aU׋ -MIaKeU!ןfʊ~3foyNȴ~LʵD%_ T}INm-G vlcEHb5`se*/wiFh^O~HO׏$kG<]rݮ U]73.]b}Lz8.UX1p,x>0h @ݬ?ʨZ{dG|mXՋ>z0 esvZȝDuǕe ~s w$*|ʙ&Ϩ[Efz׾yg*j+( k=xDskE+&0f[:3ShrMO{l(o^`4R̻|jV|]4ǀBxf=yUjʇ3{7<}HcET<ȘW(cY S!qVD,v .u1~[B\^bQVNC}ߦC"#nQmMb]vtY=& 瞃X?ys`r]i'CIFvQLpvU!id@׺bw ;[k^%ϢA%s `e?GvRR&9Mp`aa wF,i dv+ va.gum1ϲn-N !8YT0; ρ;1YeNBӡ7 ,_H[g[+ `:p;k,+13)e=a'ǕqK*M:ZqsC݌*49 fECҐG;AD;\POQ%XӗrbxxtkPý0 (DM^Gϰ2_LtlV<œ:r+i-<)a0`Oߨz+*xowb/0Z]biIIGmkc3y_3acgڈ1GF)XRfTM&IRG]1Dw t;3 Vj%7_в˶bDpy]OemrbRH !(6׮ 'ø>>erȴմShz bzh1M*?h|>?n.Ԓ# J _q롵:+H zUF|#h va7ЬFeIZ2dDnCu%\]sQ:jŕ4AvbRIqmQoCW̼`-*D(OiΫ;ȎN m-HODA?-x% 58T+t9L YU>pپwUajTWV_e0,"RUM )XJNEm/t-bLNnD VUg^{e]Y{́= (UayzG(Z"tH8<Ʒ s@DtxDC î)%o7Zu2iH4Hr{Ë >}-|(DZX7W0f/ʡB7wVcXq5 ?Kp`CD6vskΐ-'Ͽ?L8pHfGt'&}Q^yjxScMc'֯VzV}tbΧ[9Ki&Xlg'j ʦW!:-7AǶ*Vѫwd'9* |pa~Xza)æ;*zd>r[X׫T>X|Yap|'H8M<AH4s72zM_4l 5,K*vKZ'T&3=תؚd"' "yHҝƸdG Hj2,6wAJb# &]9c0d8KیQ?cήɱTu2}EsȴPmm IL<`9o3Y`;TW+\F2NŦPw:dkwJ!wiG0U=Yx6? w ܻ܈?l[ "U:| fgM 5&hѫ|7ͣoӟC|t6ߝR~-|*93 EVevYچ6)'PCGm@Mp{(W)P=L?$h_({C_M:HqPJ霟H<4 ԫ{;Ujm]6[Oeb foSA߆dJމkP\eO+cƽ80 ]bBqa4o!qwMd (94躰jL8OKmM,-[j#vA3x f0LwqZF@@8e{lo[췥VhH(~^l?KBĪf>E%AOb摓XE'=Ιph=Q*{wEQdl:U}L&.K> c.n'ͣ ;"пʕFsgJek(=G`i5aX8-r(7ʫY./ke=|$1IX +KeKR*F܍R˔9 XSn\m R J|X(~:))òK^7I@빞_@~`ͪ2J>T ؋m(ERbeK_[S.mk5Kap|iXm t78sɓWߧKwNAA+'ehꚪw: ܀8~:!vP5p9s%ɴT8L=ĘR2B[W;&X,lMϛw" K S0 ޤ [m_.]nV5R,97#e2K^E?N&el d~R⪈Qͯ9C?kAN]-%=K (jW5{ҲWDz~v] g1+^Tn{8OL{567Y,*'n k-uhP(l'"]L}P/4z)c`p)#yf-ؓ`9̕ȾZTXZn)-n,UkZ GR#5Rm4ȯ;C5"/]D9@WX PE׹HLԟX@aAˉY#oz]\5WV^ej|p_G6{=qע)1ےbgAIA6ٌ֙&>$OM)DPw'SxTHLlP#ID=ki@;Brb;/ 5<T9Cyxң=36]vOfз1МT:K2+̯hDt>$&(Tur H9Sa"|K:t)[u`1ATEz9c]FV>I!*A-+tM@Q,6q*h"Ȕ*$jEBʍdViOqS&R4L8TkY7^K/0DPʤofN}otE;o$vvwϽĄE xpJɱ%Iۍ7,q魴ܵNRP:5$kV^kH(.EBPeOaYN&J(Kq'm`{8; p_ %NV|2a2gĀn(Ǘ3U0fm7hFOTbPhe W!(<]sbE[z&Jw&.1Vv_R]{5lSo˄Mpc[bjN1/n#*zO%(b\h`>b$gs[$Kg䑌)8(NpAq]&SI(WOPˈn<3 [~ɾk݊,V[#qa0ѤWrF39|x~/9 1kÈAMvֆbLўLbQugwzͩj^WxhʣLX{v'Ǔ,5UbphbɡTRzq_! 
>}x k\BɲM]46"Nͩ!foq뇚x3,5GxJ̇?u&`sqE#k/T^Qr{*uaFw#7u@.p1Z},ws?mu!+5ȭ>E t7`+Hn;zf Y Y!vu௮)}}`łۜ-w3=5ocE,sRxl Oİ JU~ׇE6MNi\Uh`)F|~:[ Qƪ)8Zu}V훢Lm/D0r K(a؃zފ'Y-)]e0'oJ'FQGbokb7snh3x7-4[<9۷xDoTCX8m[Vx'' BmԷ'i#"扅6#,tnqK<*Aq`\;KACiHxBOI3`+u=%Bԧgg+vm>͐46Dh6dh }%+Pprxz^1l77̬$yt-{5BC(eB .U/W#Ȗt"ehM4R]: xO)GT( θK@n3e"," T1T+]X+kFߕdFfmӎK(jpH Uvo43+qf/'' 3b[\Dq,ht.5ش 9w1yՀ,C`ןw6dIz<4 zrѣ6ٝ`RAHmy0yƘKMʛl6?9Y1_}kU[W} ŶV^" DʊXsAϧN\aszLoSz3>t")|pi~ ?9,ɻ?g?T<聲pU^Py3.5Btט}<СզÐKnE(TbzroK9e}9OרWgD6oyi,vq2_W{ xdi0풔P6`375g {QBdBo}\\qegpWƤjlKeDYzIXG "n ,\'$soW"D& gYk7 3Y_no"3X17 DD֍=%av^u=@z8sf>i<︼cw4X ߜDhl>%)hM՟}NIwڊI1:/guNK }|"Wcl]@BAZva,.QW!ނj D$hMh[d,l>Gcv7^ܾS;$?OdRgüě:XUN8fHC2/8!)2]^ gY:UIW7pÄrIyl0%/Ʊ\`F1̢P"ǜGT\\7'IwWYN^K^P:cL PvJAw{1?v{eHd6^mB_bf`=TyOEmC!\,Վe श)tT:DNA>Lұa?1{Yگe Uͦ"8@sK o'Q6|a.Vy[&rA0)9lVpyA"V?5 Vܛ7l+qٹD;WZ ?ar.G|ZqL}+S?;ۈ13x/629 o1>W%:j ӵG @caLۊ`N=]bɲ/rn'a"OD4Zҿ esh|CGGo[t'nAhvq߇;BB$ aFFdV`o AK ZJxg/Ze 3 *RM3ǫ_DLx"e(q6&±:rA+)5 [lWR#ЄU"ϮJ0-fPڬΈ3%  3X5y[RMY:iR.zS BIkh@U]WplUSy/F;jE*6b?ÞXE#+7\d/+1MHr"PGF͍CT,G=IdG%Д ƃ|}N E*J^$8`K%{[\6Ci_Ë @t?bȶ#7ʞ@gfLK/.Gnyz ڶwɔjv*͎c^z.IE.wis$GFЇ,[h#l- E kݟ JZ*qGB>Ջ[>0$Iڎw=A OF)2gD;Z)%mKw@}z5MShQ{ܚfw-|; 3j't MK(}69=,; jNl.A+BFꓽ"rH炎ReGY1򐰫2;V'd&eNC䖴U@gy.XkcА:tߐpg4$L?Le dcj6a5`Cn{eeX_',d _guNQ$]t]cwzǝp 4rb'^ɶZ^W CCz/LDZN #@y@(.\wElC?Fa j6)`\{O/OtodG^fv? SM6mF~aY?H(Vp_ ~WS/ wM+g@Nɻ>2,0 XMG)MFUwEaGPt䔿*~zYnOv6Gwhޡ&S3n5JXcҊ#eA΄ zzO5FEֶ7wAGVˢ$OΪIz@$^Hcݲge"6vE4$'P#buV889H5zb2g)Gǜ1 hūP-rzz?e.+=ޕO zz<" -巁k =i F4܁7 lQ!s(QLTT6~M.wU]WK:. 
'{yDvc ͬ\RZAuهrMtcb Z>e"o%W(ym<[Xg+7[4D?AoW,ŵJȽF*ł]_v bc:i Z$Q,Ǽ Zj)qܦIަtIڸNfHaj*3ו9N@/kg-`yfwPLl5hD kabHoCx2vFSߙG=r"N}ϫ* Ȑ\F@aONgg^1@`f PDT|H;HCXt&O]`7e1IxSEdo* VӅ-{-I0Asw?Zrw i078<%`N;nut%:/~XTq7c~ݨԆ>qy Fom c9~x[tL|{DWP"@%Wq[mE)!Ggމ{O[|;΄v&'u}U*(G@C!,9j5H=s^jlNrob]A5,Atl|K8Ÿ k휼YJڕQ y#z3}V6֧ VYCN΋F OU uZ\^<ޒ|&B} Bt!N8 Vfn{ 50${e+Ȩϋ+_T"q`<n*WY>=c=vJ%nb4f߇(E;mAe.$P ޗOׂ#4ѵ3APua u9|V]\'﩯~%‚Zy& x::s{d ڴ,oNyVrBm &#OiHpJm?π&*]cNLoocFN 7"ױ'v 7TYlӿc2:)-ڌZ\?wh7D׉Q%qpf3lk`pƙjRɢ11a,.HdiMmR0x6?rP3S:@f`}KV)ϗ2@k*@;8\Tۧ5GD +媮.'7F3uΦIlq4SDž?)bZ =Ji=^\̎?*|9*=!DxZ&\XIИV5!b (RE,Osd6R# qj: AB!rk9=?vNDw [VYJ$ w.2ٲoGW9AtE;@,L%ƕ'p\!k3`<ھ> ނS~ "P=&#_7H잵#Ʌojb SW+=_FK-2S|KgC`;h)aq"HbEUw:[•ɧTEJZ<.3\sqt8^*k%bu,fЫY?ŃQk,uY]14 H)x'92_UpڙKu1zB; l)?O#~7"HḄ:-tw&8/|2p/|V~T؉Xgj5 JF M\X Ec߿ϼ..T#KVI-i2FAoLdtMon͎Avb0J73c6{*i6~) >P seSԽd%0/FY=;'uNZ,,TZWPuWC@H,, fp%*>%Lܕ>mRҮ7_\:9`>RWոejpU{tɐ/h9 6u]Sn2k1|(%%|`uxˏAexsxA9NꦅԩUzY{EK:r 9I;cT9{a! v$Ѳ{ 1+2gӌ6dӎ,yJS*zp'1[UGox})e*\{EJlE-ğ!M`7bܟ֖:PLz$)B0U$P_8l HB?o1Bap\3h }LO2_˪Hȷ1^dWHߍ>rtx_>wkk -8?}IIdۉ~ $lGQk]kCW4˒d8Й[h{s>P}#_K)؀ ux/yo&OμT[b ѼJZeǡٛ 4l3ѱng~W|TlL@ᬾct g/XZگg Z0 P aϚ@!!V y r0+^ճYQiti?bTbQ6*a }T?3Kb_ uLeRC] ]!DPEX?wQNad)}ό7xe謈Xd^fޒY6wt9=wWbEݘW.j@ԟ.\'Z܇6P{ J`* ըJIΈ`g+}GGJ=;H}tC{Qj7jΰqt"PHZ7Db\U o_@gF),<'xSTiE-mUgDZ`/|;+`䑍jVU<*LY;A =T@fK;qQAi(d7 q 'n$%w@ڻ$7}?Z^0x`2 xNu}VfWAiO|+lzCTԜhZ7W5g<Р)z39k2W^v*x#Q忍35|j(h uA6C 1Z&t6;o|.oƊ T0P.udM~q ga<0Y ނuqGW5QmdNZĒَ3ox*O@0ZIÏLQdggmrnX&t_@(㸃!\au/WfrmG"ClL64MҜ(W60,, S}R!0bDpqoSdl3Lʑ:dxfSq]/kbSM&3*J3mh% O^͝`xVr-ko(S`(?Vœ®aDѦO,ly (vjUʫJ!n+zrjegfq`1^ ,'>u5F T^#>z/Yngxr;AJ-ز0MT|}F5$*ǢU΢YI?KHN5%ukN6Ss`6DwmJkʟ2=\ Fw(CWo>͞aK рYkl޺uw7[X`~{si{ѬV1Uf%&d:qEkӜ+ƩR FB=I{@4~Y-)B֟EϹ^lQdےBwzC(uޟUX:~m U@bWM3˽3HKtq%&ǥdH呁2%lq @hZÒ@DCp'F\ne<?h%^'oEZ9^`L6hϩh" KQc__8.ރ"W앉E8$m|NF(2?:ky^E0+ؾ SDC!kº 2bc1"Y]r*jedX4w҉|Lqkl.P^d da/-J2/bX-mh3(KKnPOv/Ҟ֏+ 3joB)_L+ɣ}67aSËX6ʮwn~ /g4IK^2Nb/6*?M u%T;cdꄐLf^v¡ DX2I4ƀ;ıDKȣa !݇dZ<\70 8}AbSWFt9O?\v#B`aGGdW![+[jt3#'D֡%E!}dpGT G <ϣl<.r9 LAdԍZOn -`C7Ա lO$̎FX7i 
g(kÜo10Cbla7ϗPX~-/{p"@_3֐kv\w?Z^m5i[}"HiN焻jJ];DZ;-]Mzȯy-H k;*s= t@xZW w}b[^њ ~ w ml{rg*_(ĭ)cKnmcr{R`bG=Z!vߩuKN9ϋ7N bךf 6/-:Zt|gXY}?9ʖH"ftz@xGdHI4b ְEQaMjyqW]鶮'T)cZ5}qYw'ێIl[h-8=<P) ~X ieR WJo{ =c5!DfzD\k{-flz0"s0_u%lRT_u1}$\bm5څtE-拞#A i;:ApAC0E 2](MaLԡD 47LS_U[T/vk9$\Z{@4L^I8Fi)U=U5^fxr$F _Ciןʝ-+U3?!w/Ѻc YP"օf) Y;r,Pq!lh=V/V=BCRk2FpQ:_>!DZb:A=%I"|5)Ԫ^yx 5 ,G˿|7go@.]Nl(7=3G\_ ά;W)VJ@Wr7qR2$`1&a ZL@ƪxк^ K9G6"ANM1eCµۻ] 4$( s*4QTFgi2p61SizpZie6[b JcӽZdGv[v/ǭEnt< f5e{R `W+&j}(?+ ޟ+M!676Vw)M߰P;H&% Bb(v}r|_zSoMdXB VX>sglWu7WEURXdN. [Nk}-iړQ3%HІ;Zz0(J,lYcnNj hv6Z5tb! %E=b-@._r?篡4߁X {ǻrg vUI璾_5m%a"z Ɏ&[<oirvXHY@Īt!6o|0s?/=-EeMW JaIjFk2:8)t |ylCm0J뺾Z͋vń_WbuWx:2.h^VyH>5XCЂ+_C[} .7bRuvU%Ώh#g3*_W Y=<°]:7Veκ"bw [ek?Y.ƻS5K3DQۭ>5/ml'nH_½N/ 'LZn?3±7°z ׸nә J ؀ejSkܨW2\1Wxv}%}գ|K,BP нNl^ـZߴlІiwp؜1If w&NR!cř/EMenV]T@Iz?Ge #=1ۨ-1̶fjF懬 XEYm,>v]P4A9"܋BME8.wdU mtxoc#MQ?fmE/Gd1,P,i*,k>л;˵H3;h;?9=KTS\)oN>eIrw1H-#;/_Z{3? x>6ɿЮ2S0.}hs`(c> xMtccHA+zE! M]>m{W*։`4v"@~-`Z?, @tgMԛ %|e0 ,!|*`Q&BJLN GTc# B.ª[ݹ BS="S(3l+K{jW`[gZ5RjO/4 / >ӌ6h#L6Y[PYS86Qէ LŖ]_%VQvHĕkn'3{d+dNC}0c6LeqB1#0wڳnm.ѮKK`)Wy{l_"a#oK^JzZY; 1 ^i_Sh6Tpf UB] ק+F6g+/ha^^]7DŽQ~eC2/[Q z~:-͜h[ rgn0[ݕK%N&ZR! Xvľ-c[^[)5dE˛|zw ʡsM9~Mh[adP]m힅ue*Y-XGY.^B]ЦXqw;w:%uV[J8YMh'eP}K U#0ƌqۢ%&R$BXȯ1~)WJh&fQ$sϩP\ >k:;\$ԭ~*iPr9lFXwwJC&3[o[9^5ȕOB&:!|% #KGͅOWU|^ Or?JiP?|d IP=UVwe܅NZ!p 31a`=P/;si;^!̐ o_2hA .*HB` ':x{es*/ D-GsɢDjeu+>΁U2>``l"@ C8ALAR&Ac?qa=F-Y w`2(EOsxᖬУcౠe¤m9Aϖ:gKhԭbQ<مiIޏ+>qRI=ެC#L5t+<un>xPTwoZ3I6v 'fYGDC. Z+2tXiD@HB)Һ5Fj%sYNET{U> pX oK_Ԙ`OuUBbUQʈTѷ<]3D݁>F҂.h K(tԻ"hX쮶^O|>gm`̟TACIF81fP0b*DϱK|t@^)F%K@eku:↽_YLM5#F9K ƐB _XMrp:;@/ `і WYQKo_ hzsfjZ!=~9nLo䞁zLIKɘք^߯=`(7tffYa VBGBa-&'VS5]S\1~)XrydAT(^zoRIvy:(UkH%/PiYzx j@󐛱UmD_V涥z&NɵӸSrBĞw'-nzNͨ(ǶT: &TnOȶÔ@엞:tX%qC΄0/Rfgk11.ۆpGIkQ"%*%ՙߵ 7V 4:;Sac)bQɿjy18 K+S*Z;-0/ <` 24gmzlW50 bk1q _f-tV9IC!7(;"@Mo0gvKM`M<rn`م5 tC"&5z|ot )yU!Zk VkUbO½9I1:- P0, O >E)v (<'mH}z-ܓ%Nf/eFC4@?aB;xŰX3*;!;? 
V!g#_/_xP0#־Z ;{ߡDM\3 C@SJōN{-#sXo/ go@RK1g<]Ak}4vj;TO9I#ˍ)k(CYsn9Jglj1k~з/xN-+C̆]NKl/\b%h6_ 9Ջ^LdfOi4G#gn~yF8_79CT٤i, x懹h[#Znh3Q'sxILI͇"CKģGGpP&vΤ8u $RHb&C\u% -q%3*U9,mJ%3C=^7V.^_EG&5Iڝv8$IװbD Zns5R!@FmmP GRo."Ͳ<1 ^a:7 ɞW `vlnoﺟ?@ld{s#!\GdUnBxvhJx- J$HHSt> ND|<ʘ{ȑrTmF+DIs!}jSboBTspO}5:wR*u' [i[Eη j@JfRV.j\@qu$J vXAƣWl'|;B1bܗSok `>O$CWC܄~4N"kJ;;Fz@Ζ:WyXe,oOxvsy}K|#k '3kMME!O!e%寣A辰7h1E":愴k NӗZv\NDLP mS+פZs*8Y^  = @v Uk8/%2 VHDR Z!jEB G*0tr$Q޼jzQB=gݢ_ћ8bЧ 6+N@ۅl6p}6Yz*C$DUh뤴jђu.6ցP7Jw1>gQLevm+-66[5 ;N{ɺd@ۧ m`(쉏U~c}ÁyY3Q >kg ܩ![&%9esYE̤L?‚V;$l!L (DZ$_;!8"c) -9 ~IO[_n:Q*d-98ve<jIJZ~Q@1$O \ev*>@vJ \q,(8Dv?W J>ntT$\cټ>a c7ųøx[G?i1Duj:YWc ;]t%MT%S4)yFI*#3N%J.MΞרKZ Ad$sJtS;ڲtc0i4BvFB?4E6{>6/sWe>w=…;D-bys's {HR"0zߚBna>=0Z'c?oBT/`gm܏Wcgwvq}6ACՏ@~B"}9KLUNrv0gCNdF 1*L[L;%=4LKm;wm 'TcE֏ec֖EEϲg.1~ +ގt|*e[zȰzW|_G<3PfPm84j "uUdWhq2Y^ƞ%\#qj}(Tria+u9ț8yTnBcZr]!kV phY_5DEy5Hewd:YC+ sxR%^9aUda5h ,)j[9%]ӏ>S!$8(pk8,58jzβ&Wbyq,-!G9=aj8NyapYPJ1-eU ƭa:o 6׏U)Bߧ>85V50Y]9+lctd;vtV)*Ի~Ez/Z"[= @ˆ&s'_ СGb.$C 4!|K &4#a V2ڻ*WtEuSďJz5;ɑ [Zu_gK  fk~\Ù:;[5I~Ȍ9tA"S6o6ư[7PXm8`bl;\=L&붛@W^W4scKLȆu tmE v<: Lnh$kC!mgKi(]NLA<ӘՅ[Ҝ,8t-aX2[^n\t{sKD23Bp%?#r0Mxw #CrhbKN"2a;NEf`tRь g,_9dncCv @aDɘO/2eVE F=[_yr֟dV[Z< !7q1FSTF=>_ -#}UBVw2PΕԽ~shG%+ުLs8ٓq@Oo|)fD̔8OS]21!N8ӆUϷj,:vM T/Qґ%(H'2b٨~hHyg'W: M6IO$ m_pwaK "{`9St4A,%SpӬc ;RʔNT@4;V ˶+&[;e (" p/h~Sn ~R^{UmVJ&r'z=rkN 0&<wPr/QD>/,_6VxXI(!$]?DooH2gJ*isҊYz +46_UF;umF](J0OSG9қh\9?5Dygq8sd|c9lTywxf[jzl*/&`]ӈZ;Vi+Q`?P+%`G yX=/x;&<ܕ3,EՖSN)-IX kbI]e~2[̞ceX.RxE#pS2"xFn/?dJ}~%`g:; YĈۧk{] ?]d@/Ott/IĤ1Cۣp6zY>gG.-ml{)\k3g`G#b<{4R$COuO5,/c;eVLR_OWg-9JjŢv5 Fi= XV-4i\aYCgGE__M*A6NWT@iX`'PTII.v~XK8W=eIL \G 0D>RxghOΏ`9˱FQ7qt3XۖI["E>&)_|wzg͈ OS^GSeYV4dsNȞW! 
hQ^=kX5YHls*޼{U)tlQ&4?GZOB~O ՀcaO:hOH9qa i/o_$?厨1"E-f@3:dRB"mnxf7 Tt>cFy/i>7VX&u]) xp>a㐜wa܀ Q٭C`ƫɮ]Puc#2j  !p{k Cux}>CNt t*'wIZ[)j%)cXt[P͚&ܑ1:`V헐BDE:eO?邙ڪ>G?vL%<23#d?DYp<Ʒ܁S :O+5Or ftsd&i[¾˨D0^)>jD;jqBv.ڋjG4#r6ߏX2[Gwb,్8StW4vo2D@eU?&rǭkƋ}o+'P|(ES_0/046{R ;I$I@^ hx1ξ X``(XՒ7S\9dlM5$os^ɲ)X5W?L+~)Qj3i- rD.WŁaBKC.v&&z)bRIgUý1>N5Q\]t'm4 VJ d4z?\(1`yUwr̰E., 8k L庁= .|E7\;6uMaK-6\{h}Rso]lUϔj?JhV&A+aW]~ '9=?THDffLsH')5(I|8Dmd4fyfX=E@ Hoxή@ϴ|ZX6  I/|ͷd_'>F?曆Fp> H9< bB!pWh5]׺4z2|IA iK:0€ҁ1 `цwr'=ּ,Ϩ._$n|Io8C;d SGdʼȥ׎ $Cy ?ݹL$t("SK "('vIn]E7?p wc ?˜LIT`ȡ{\fn*q2ԡO~W q0Lk?+yOH_ o Ql_ Kn$n`{`Gr*Mw^Ch7DzL <aZa|J>ѐ1yl-\'ɓGUsB!u/[\>M{Jf7{o8gF6q8!(5`O[iH }&sicNsR0v&J2'F8\Yp91u; A˺)S#h&RSd;\xݰ)ylMq__ٍB|#۾8U~cCigʯ*]j&~18mRT'b-nzqTѨN 'hcV0t90 yӻ_gU}[23MT  F,9ʦr~xpbsf:sSN,OlVɑPz ۣ_O)4bW ]9Yp?v*Vۑi#z* AF9z?"&iW+l:?' ʚhZ&Ŷ&W22'YA;>s-Vaz5@@hu<azZB5 P %EwPK,KH## xXIȘy꒵;:*dAXCE-seHgߛvoP"+#K=u4Tv G c_%-'L*2]7~͠&K͍+@\Xt#L9aWN H YؿePKL:oa9pPYäGMW1 4Z%{neM(Ep*"u%Ⳡ Oa9Zz?7y˽[8}v=)(+@Y5ثH! qN7>WʁO&T`~'L϶4Z?+Bhͦ/yKqaˣϸ?6w7ڍ/.$mFUoQ5aQ^@gFKw 6l8p n"cB2=.5\+\0<.MB ɯeR'|Ll(:G$eRpw{%.=`o!m{qA^Mj# X hetV~"eZ+׈)C!}5'n-dsυW/`-|yI{0ɒs,F@:}.H6t]11lV%&=GVS7 ga/y4+ߛ?֊nHsa"cw+2S 4-Τ.Fy^ǦFD:nh1JzĠ&2`,rBc|~9Z.'Re)%5{;Il /1OyYs&7K1 W>Yr#C r7MLi眗}I8o%\sg"O\ FuAaA' ,Z멌ooL!i"K3p USSy']@k{DX"/;QժTgMH(D(i\a#K}OqxvH)~츙 Q.BP;7kMv}---Wu3ʤ<(gvqEG iz@ܤ3; f ^5>bG]S97[3Cho}ί)߅w-БxV8 Q"cE},IM6 SSZ`a~6N-2d&9_M-%܃v3߲ڐ,p%dl)qd[=nqm&}wK `M*?ktG㐃XJa(N+~B|q9/W@-piIY`x:5RS:),YkLjV"%A3bdߖĹ!Rxo40hm<)*Ԋˣat4\P7> =G77N7ڑN3CDp,=bԃH5by+ 2_ `rŤZT0CgA,AlWv -2:-9>,4?L{ri¦L\x FHkt(`nm9]P(:9s_}Xkт C&.A 1濲'409Mի^Q+HbA*2hbt%CfKhQ]Һ,<9dzL;˛n:ۑ|vNWKk,o^@4sqL!#Żw+PqC9ue%D׶ǹPj'{ (d+EseHw)rWs[ˈ#\8償H%rixIDyTA >):LS]|+tԘa' d\i$<&c:UI|tc9??hu67ᜠ2GnG5R;fKplAfBƯ9n^AVcڜ[1v!X6z>gAM"PEi5y0UsS7GƤr+_ʍ=:}w`'8 4P tB}9X7;AENMd*lr$eѸ.GvsDz.Q4DR(W/J6(AXYK iX!#-1YNY2Yڤls1e3iSՇLh5I<:LTK) ~U0.6hF\--#ZƿR+YoV1qA] sgMm3AZGW}٨jPȵآ`NedP.f|m(꣸8uRA<^S _&- DHƆUn=lQ#(g4k='ax@9fF~ Gw_s6}y #X⭑fgzPF.0yjK~GO;ځhqKFզGO$ێѥ,}Wyw'[=žwEp^!B;m5ZkKD;5kb/ X)#cL 
E7sT0qt?Jj8ZVu`r}k|X&_X`w;6+ =5$\hkaj@[8xл00g@ʲd͛aEh_ews@,qjܭ]fMS'pU-tʔ={JIB0y BOCr( }k{l&8"y/vKew34NRp-ĿYWC%ֈ;嬒R|LŨ sV<tl d,va=Q0Տίzq}xЇ#ɝe,tϊZӥ6`:allrujg+[3P / oQ\51fTƣs%|7'joZ4P5f!H:kn҅hDQh~1~Tjdi1:m'45,܇Uh,Qflܥ ҝ"xӺoكZ'_lߴsp7ypnoVj8(!s`/G[̹gYCPYJT h/ &=2mKdT C9jX8d:NQn%h~אk_Vay;}؂Ck؅lAzʹB&PlZ|J Q1.IJ)w:5;"mv>. ~C`wwt$a>9cev'1P5FΥ$BBU+b+2yku8P.a"D@ )LA{04#Nw%ȭjyW|Š#q] `<^U-#GH e:"9*= ,5!>mƠmOzo2ķ^dC !|:Ow0NSJVõxQn4d8>ݽew- kgwIZ@&˅ (~`hCnx/ $4.ܖZ,^]Z\끗ۯBѧ!+\UV<FL%G/("EVї[=u|sS#iMg"ɪvgbKՎ9a-XYh`(>pl7V\ξr¥̡f9E!p}j 1.mS?׆:*5 4r v1ruIKi1J16'n0_>:iMrWtH(;m"F|N=#ds*"8%bKWZE2±JCT&PguBaXn!tμ`92b쳹pBA"%BoTNθ=⯀:n6 [ Dt0#ZzZ !@]THƹu㶒Yҹ0UlZѨSgB9mtsj%&Qs_d'3UWWI:V |zqk)iMιY^c,e/MӸlD oaq=P9203dW[vxc9TbF:d42,63aR,UOI!yh)g?o2u/4/OݟS~F~00AVHyHYR7 ej@,{ˎrzbSukSo*^"Oυ_YШÀ#9.icwD=krUae!Ɖ^aX:6bT}$8?ţheYU;4"4{pxd"G8[v`1_ۑd 64$̕r`7J _Ya,OH}d!}K٢3 `HpHw(3 ڍMɥ_YګT3fDm\pMJ nLHM#ֹxk<*<=g$IڗzZ+QӏVBd`Xx! hq"."]nta..B_H;޽rb/U`p*%9]9RZ[&0\*UԍVgTZɞHH~P [*"ZGF|+F@GQ8ɃkA}HrX!JH]]qKQrm5RHgWp>#?JX1Eh4RK鈪5 (RJov#9D_2:50NuvgcCrPg?ѽ~/&}=O¯nT3;3]]#x}/HMp{k Oi؉LlYA{4coc]FqHy,m+&=V@pJ\.p\6-Wl:kve^`*h85'A8ZW7+_jFQr`DfKaS]M\a# y,rF=D#&, r@0%Z08wdAI%RոHT][45 2)|VF,Q37Xدjo5[Ӂj b=ZDG~cʫǺ|Ṩ(*X(<ˇpc+b;$1*7yWMlA‘Fqd,#!.?z2}xڂ. [gKW3݉\qo9[$Vj 7;/-FL[]<%, ZH}M<-`͸џڜ|-ODպ &Uh%⡣e pbV?.iwn7>o˯틇dMʛ7XFu â!0 1i X$9C}2C%Mą;"Mu }?6獥EVWmwd>S޼T>Ax@xmf0DŽ /*ŗ %xv*+Nb= XNb%Ӕ/?p  bxh\_O҅4H]DYn^mqHV5 64;+V6,tҖ+AXMZR+?%~ &<[C̛;6njQ ӡ1wIPsiޮ=di~j]QӫsQ0xx\ltn ]%k9Kʤ8Y;s"5=-j\ˋ@9+A/pѩl`KR[s{4 2 [V@7Cf5r;Jʾ&bDݭoz|Ë 4xt,s+QRw&}˽Pb@ݹ F;_BfvW ,ޔHM V}aS3S"_J4Q '#ǽ'pS dC*!>x|&x6a1^}/#'7홳KMm0Pw_E`2 sk? ^khV *>BĀwY ~޷}kc࠲E|/Vhbtwf䋅<{h?E:?G# |Q]339g*7wSo袠+\t[M5^Ty#^I!6QoCd}/x%ijug $)`Th -Rͳ#>Ջ*I.Q;<+DZ2^lEAc"qhA|G) 3!fͰ Y!J'mf b+/#ɾDi>e`h _m$Rj,Y9hUzH Wal-jٓ\nՑ7k^1ndS_a%;f]0clM[EDJ_]Aq[q9]DFvt$x-gk]:Jq. 
Krf>#[ ?sɉ NۃJ?jU:J=Tt\y6][1yK`lYQ]@RWa3%&jYG=@0NbӔC ?Yi[i[ w9jg7@ O=*%sQqW[zirob-%i"Q/ȧ2Om3^aog!m5o|F@H+o%zt/sK]T1o㚧2DaGE}J@xk0.5q.ƥ2YW9L} yIg@ݗ\&5 cXPD$&*?L-m)8ŧ}WQyHa flB9[YCږ:s/ 9J%]"m-KHXM\ o}Iư`q,D?ςI'8=Ain{\ʟ֊CZ Y9^7mlЌ{CU,%>n~tǝ>MwB\ƒI b mW a LLjV aBQܣgFEэHqR yKg\)TvDylΛX;mp-'uj u49޳aKk&lgLdm,ItBb0zd>N$aR .AKrG_?D ˷ w =ISct_}FM p4LXᨙyG\wHmnJaLhIrsxꥪ %?^g IоǴ]$/U ke"@όsRc='q4#r+ʹUn ,K bL{ڣKwiIOߗw}ɔr42D^/ #23"!$J~•9!$gWPI(jSMh֋9$Jʇ틄HNkGA.eK*/|@2ߞͻ]WnsRKE{a&nNb h|g |'((b$ᭂGi/"Y lyhrf  w0 1vzG¯TcsuO0Z^9D1سk*rBrSAKN7j^/!FF3r[0% *yUfXJmcjH:GޯSl5!WG+ OH(~qkn7GϛܓP*Ytg|N3ù1^T嗕Q#)6yܖs+My C9k0TB/bΆනRm*{ XRyR{R-3$4_ Ak2Isb'`t7ݍHt8E㭽% pu=oz3#YrI-i*Y}zGcM.-L`ŋsj?w'n+[2.(E$_0eUWiݲ `i;T6*SÒ6}4G9r3#,d.3=&Qe`q ^E *Jr%9yG^p7w 0KV@P;hǢ#~< NF0n(įO:U<-ႋNŝ7 (NIՏ&YjX L*Vq/v=1> !MaY)O]$1 }+ IxöGݼ̿0,fK цXSG+{2dp==ۢ:wd!o|F0 \3MvaAŚY[]ޟb?q3ۼ_uPbcB٠uh}:}!I1:U,LTf;]!.S΍)}KÄr@DX JNODW4|n _1ar.؋9k?>BHԪ> + '|ˤ zO}ݥ@Da({O'h7,ks uі/Xk7lP󨕬,"_uKFs"㙒!\:rGP=m(+mG;uف€mP!F{Lxx\vҜ0WvJ&E=G_i=?ͰdF*ϓib5˂ ,砭 PI?8ڃ=BI_5x[,vf Kn)qkd I`Qպf/Aqo <0[ՒvbsF7:$K7H{!gʈThPgPp,9{Wp!1)9= 2sGbew{rL^,^礘f-k9YCcfT[$x[PsuD2ԐEpBvmH}SU" 6$s*2b3CEJd{-B K,VtnR!CjXnw>1p׈@͙f_^iLY# }F5 S&!ܞeH:K{A+Ny3ǑBPs9kn>N> ૩BfFԥ2ZC7lt D,-'2͢ǫ!W=5"X,Skͽ6,Ľ,_Z$&?|Hdh8oTʍLKo6Apu>h[(-po;m:CUB~:v9?.Q4X~Z\zc;IS@zQSXĀ^.K(oA.=?Su Iղ?QOue#Ur4 0`!C#ퟟ>tXR%Dq:)-ПyZ}E@nx{%>!qFme.9ɺ{@b z%%XR*ř2=5T':67-xDUK-5&e@ޛZ`)`Rn\'ҍNZVz~ `v஛ 6km^ ?i1Lc3p4\ bZ[y*}KAȾ.[b06}|Rt(GٮXXBi6eo%52?HmE.RwSV2gefz΁Ctw ^ܖ2ۂ]mN5t/ܷP'ceߧnIweĽʭޤPF7 0˱ゐcv$ƴ\'7U{md "9W>52OT~Z۞B풿k%ww oQKzdHVUK#C$a8a]39*E4{Ý%PpzMKj양Ϟ4wl7Ȓ . @dΧ۲%ϙpp쌢W0b9Iq5K:ӷ7@͏;MW4ќƑEUxNq[jfUE^JCtdnEjU R* +e9d% 4 RfR3]Bp0)LZpp!8l aN~U),,;'p7!Wc Pˢer_ح M"y9ĶGZwmqHg}bd;Ą%)yHakW|G-OH7n4+ɢ1Ls1LaF"YˌT* v(շnċ\"~Gwd.Op w{OHuNEBia@yw4˺  d_D##VŴP%$'-n( Y#5f[jY0VK\pEF2?OtϦ~1Li `_`[=`%rb|0-(1oބ #7 !h-l{qY{{%Ǘ<;P񸑀ljX}i}/PǣyuS¸me8.zw_!D |_.8$x~ GE$"ƑJt7꟩V* /a&٘MN8i)8':9W }cv5!G̺c %h`q:Hf<>7W͚jcy@CW=n]vkDn-U2|s>Pnt{Ik. 
7{!z$؅jF-5iWj.;4!BFff3SʶaôjGA =)a4i_ < YM7LG* Sr&[,(?y`J7.x8:p.fAH|*xQF4U`Nݰ,^?ˣjMʴmI\."Kȭ9҄?жRZ0[Hj4Wk7-_@=@hûCb0ش_3Mfտ:t4CQCHhy8,u]=Lؕej~cp%xz13BV* e(KVZKwh˓L (ui>͢'AyT,A6Js ?O]C>^'T: .C7s`=c]zhP$ݕY+IE}*A@]t3[YGZ[cuM9 Q#< *j ,"[:TDɊoT9R_I-e[:> KtM~6.l/mrCߟs(RqPʻng!=*(tqM3aNS`$at(o,N"hڀ¯gǪޮʄ)Ymq ~#0w `w|8|PzOuZV*Y(9 ~1EOuݡ4VSt۾rjnrY͎53G>/ #vki還_ ):~`왈x \V3:tqxO"-Q}KPYqP|q=4r|č;uoYj٠"Y&*9 :?c?7m1$Y^!-~UPŭ}qU:.D7Fb?\<Ӗ^$)Ҙcv8Yl{~9Z+~HVWҩ ;qPh;,"3M|j=W@rbߌNG&in}}{dፙ]kl ? Ho^OW58Óa-w "2s4 #w͝iZ~%zNb'wn mr,Њa|AR\+,ieTFe͙aWD ,>DT:xZg^ ȫ<Ʃwfg Oeɕh¥E\!1j>Vנv鏍@ga/Y!MPK;Jx !l@ O0+s$qEKq.( C.8I2r< ʼÁ19ӵ󩕶T*Ϣx2;h?C:zr\8pٿIb}` 9]DC‹t'˓dΓ /.r]x1o,ԇZ[.LZZVڱDX_p(*3MCs2#L2NBFb[F DϸKӧ!A;YI̳ѐ​b=bRw@ C*537(xdbS HO! yjKL\*_Bk=XF׋珔hmi@o r=.RAޫ-O37G1G/zt^@ܫg#PS%v-4F₢3(} q*9e .oitUm= qɹD l2Iwb:DRM[XZM~ի4(э1PЬʶ L2b$ M-LU[y.wY)kyz)q 4_P |^#)tcŚQᲵw>iS_܍ A0-G7!KΦ/FzD 捜'ύQ`ˠ\95r;[lkAfabAcrPA!dD 1z{:sMا$@AIMA3 -JdAdGWs6n vM6~ =/ӷ;]|uLnp"9q+FsћmR2=nY G۟7#۸8wc2!V8;<]x\Z:ooN tt Ŕ@SBǘ =Dz֐ǽ9X*tv.񊃿0d:t|$Ab,sX4UU0;&9GQdjDQhd|fX9u:&ZY'l?%9=^Ȋ@znj3^yNE+ow+U?GGqPV4\tiCzU*+'b{#Lnk=&ݟd4`q+>_Ҵ2JJCg ^ ;Y:*#2Vߴ_Š<䋽E휑X&3t/^lq*AkBĺI {TEyP\YcsС@R.MWMXNg'ζ࢏UBZ5~N0Iz8GUY b.PPQdH~.243>^/eL3rZ,ЀsOUM " $Y7Ȱr@q)o}vсTpRG rV Œl؉OK<=;. HqW|?/EYV[L$2Ŷ΃o+0nO|D].}@K8!*7i>WjI.<`;iz8r59H;8_ϪScX-4͸@Fj.HHlw5r Ka.7iߏ_uLlڗB(w/e>p'6;45Xo9 ItwDP\MWb,xu y767↙YەD] A}okyOLMn9 G ݜ[_ Dap 3@Ly-B#FD-v&T)? ϥv!W25R%rʪnwSv܉ J\'vp.&(<_`X}UO׮=˳"Őtn,Gퟤ´utm| ^={P,Se`hJ_ktwQ[cיRMҊ^ XlYZz킑%K+O`=nkʷ?ޅIY(!J'rk\ ӯ3@o{^`4hC1E-;iOr̵**܆8>,& e\kHQ4wYmMRWa2'dqz-f =mBjB6« <8: v4Ӷי+F7R5]HG4;-8=k:;@;$&K`tfĿ$ҢfH6*JBaϭV-_&c& zbwzzcio`,kiFd)98Ik4A|WIi8WHsDMTT:!\ܻ#b~3-kΐ OyGh;}Zӓ.ē6{v7 3E^d9F/a(AiXn5r#xqX'~4r*΃䕙RİhM܀bzk_$aA%Ex@펇ql sqr/[eieʥBjc#aϓZD!A 6= %{p&PqjZvJEdv>ѯ5eT^׻w'Xnrg3nn a̓!RoAKJp=|ĿiqhRL)iii:Rj6I٪ڷލbϴCf|cpłiEqA*N%N4>`1sCzǑLGq''fmJUzLulH;'=ANݡ` G0GQ{2sVCɟʂgU0r9i 5N>:|x"N>nut}z-kxlAXM:0ka}ONCndǧ1G{ F;'V۰>@'t:!sr?w5'RLu@ yդxF\Y >80c:07|²v/J*Pɿ䭢bDԭzcՃ[ JbE{zι%u=QU`!u8Iv8HѰTzw:&[Ҋ}W k}pPNb?>>zfHEmM)A '! 
vv3*a肍!#?;Xs!NI?sh\BO:C+ֹun o%vTǨ *+hEf^3AUz30{oNYkALnK>fGgu/?5 ?\ʩr4Gmyd1TpNEs=XrUa 56udN{;Om` )2 h0e9v>$ ]Ƽ/ \[2KRL6)9ٿAo|]5}>V8P9e֋4/a=~|Giܜ$/<;GP9#qwȄ,ߐSSVD.풡 Zc1˒)9$TWq׃w ml]=,k17֏=${uL ,|k%eNhȎ%]d;u{Ps`@ޥO|rV[wZ"h1KLܨ n'dr]"cXOjSg-S]vjBϼBW-sݤ?A aO!v{av8ˌCN. 6ޏ9llcgƊo,P6'9D$S~ԛ z}ܫFd.3+ Bɚ)ntpV7igZ~bq*j2ojw*ݡ7M7#ߌB$翀ʩ9g{9gIk405yel7sB:G R0ah5]!i*5 l؛T+D.F=~Dί)Mr^.)4q_r\ZciOY4Kp4I_Sg𶸪5 E Lʌ/鈡VSIlg,8mb lN t֮Z/NvPݏ"؂(Dh"-,arV @Jbh GёQN\*Bn 6{f`wS#p1)!5܆gETiSшVr(yȣbRĐvhڵ{J0y~Yy=%+>WYX4s /i(֤@ehi$UsBtlo_'EuPb횰>)Mn3dno4ؒB2/խ"3nhi؅bdm3YjLf5GU <+89_$Hri!0arxzĚp@A W2'=óouVK _g7tlreyjA$2B|}o8*eo=ظ睛Wb#ND.]@j8YcDU1sp<梜Fc $ `ssnܱ>F$/ 6cʑShm; b؇CIbำXz[(Aʉ:k(vh!I֚YnS?hT $8L_2f p"v?v)Pf6 Nb!E_+Rwx7ҚL|^ nXAF _USrX)\;PY}~U$Ec%u[\_*`{s7hf9A1Bb_H 9MMp H}Ƨua/oVA 2gI /}<~E⎒O:ýѮK\n9+9C\b63Rl@7غ~'iU5 fagB;TMx/wCA aku>˵jx{2zbЧ;cرL qC|LGCudn~'{Mҋ 6jRN9G~йz݄7rhwIn>lΨ!-\f_ւi5һf4=e Ndt5)!qF4k^ M>`(k'DȓlV.HYpa^iM*Ķl&m?vcTo5mrE*C@|9J!1By'ObA[)蓜m"l(8˘6CgwL7$` ,`l16ͨN3$~JL=6ay+xED|[ dzU.G]GX vLz!YWx?Aȳ™wKtrCD!^%nlȥSyIZ0oWP0t}Z=wݕ=_\{ESXؾ6GR/w`wzXjYޯ" hnԢ?5$)s^KYI=[yoZ3/CgxSpɅl8wyOPd>H `/PEajaEAc}MDse;ΔtC7ocx4nx/:R-&H0dhVpHK$4=25b e"'Ǝ 5 GUn[qmጓH^H(W8_mFT[@r,0}8e@݀6G;~DTy2 6`ݼi1GSvcMO*܁In/,L4ُ/w7 ^C?E] (p[7EarP(O&\C8xΝi7oȒcEhΥzHBYi-wnG$ ~MFVTۭ%VkǹL}Q'Bw]<}ܢt|!3¤z`>ؾ5[qV Rث p!OQTS&OԲiI\šs G lc#j*eaF7g-n 4Ǟ+> hhYL^f oa6%\$I¹DsʟmaGculBԚ=.,3Yt[tNXD9.װiH o?YfrIH^[FNuݎ_|a,T9Gddua!ujh~rtVvV 'x _EKw&cX-Vo቗ sEMrXhg4nP{~,dѨ4\Reh2RD_"^o6 X)h({J7]>G͵<׭ $;x&]PfƍR2S+;Pˍ(/Q!kV;ϿW:J_O /pd`i3it~ϚS%tdPVlkDnk'07ʥHH ўL @`Zk8*˂tH]8¬=/؆(ll̴":IמKߜDx${i6!8B[ KVtvo;|N:nC=s#&yyv+,o)#omk$0"Xm'nTz݆TUOyV\q(QҰպt7NoX݇H)ӾAk(5ؿxqcie!x#qhC|h*gOBx=pTըhЃJvR[Z1gFҩO_Ɣ(E4zOK?Q _#d붳s:9dâ떱 qϗ0crHHjO8 g9P['.~`yz>GHa5,\Z=kYW[rʕ> N&@mO=VIէoA YDL Fi=,CJ2_=wc!Op;76h ঠ{\٦ZoYBlÝ&h|N]b}G4|1Yrh-pEEj&\s=R(; &&Jpg:Z`Uܣ7DtOq_U/b,w#Y߆P=&gq!Sv2LwJ#efabk zqonjYt-2u4MHiL3bxi}aj+(hFcXGV h5jmx7A;S5L I oVL5 *$pT(6>_.)x7.ũ ӛ#$Mq߲TZ =5e0 PJ!VuLpo;r\[ m MF9^ō@ #N 􆻡}FVfJW`}ٹ[jf8 TE{ 7ܘK/3S3(2-3 IzF‚)yyjUziey;.NsgqF'I7_ YYYY׵>VۘK_fMĵ(t 
"K,JlǶqkqJsG*x:REAtJzNRE 7)iBm hP|p ZǧjH0QdQ˴Qmc8.:a.f{d:b!pW_;ϑzkL*YwFDDzgX^ԇA>v. R^Id&05^(`.2q=uD].KB | vtIGX˔R@/e?@4t)6_]gkVwqo F>](^aUZ]'e-UpG%V?BpD@1BP!TPpz#\­АRTBOn)0*sus:Ȃ"BJ'eT!MBnr(;W^qtN4%ǁdCӅK`{ȴ9<3\>4HŢ\ )Iњ7WOͯPOl.ܒngw8Qسg>!} iU5aOn\|M܂S%S_QP.U^Wr&{N@z}/EdJڧ1,jKֈiQqy;A5ע}Pd;P|pSgn+?*L L/Hź",3, :UcCCN;"-ˀ kQ9tȪDbE_N_d—d+_K xy\Y叾2S°_z-VM3٫nar_ӷPqkE8q/X^ Mkf7W$œb :l4tx⿯0^{?$U>:װ?ʻ}_tYRanۈl)uxN]+z [ eu `Vz ,@8>?SL)-ig&ҵH_7>bR:}Š̪d٬bp}} CeDP*ߜpښ\'k)b*/a[C!=жՠddd}LFPvvbgOD:`!_Wj˨&Q<>+4sl=0u%RccY"t xl]9_hY!s3N*WHIOXjp' I*y6sK Zʅۭ/K\c06 r2 P]H|i*\U%-a;Q;NF3I&F{֬~N;쨤d(A\owɪEQ@SVH ΚFۙ=ESڭs+`NX"uMN.OOTA-3GeWug+X|YE,'1M  ]lpZ>HJNy?mc[8/R#gy9$_f7Ɵq#~3 ͙y)Q-ϯ{3._/qtQҐ*|hm(U.iCpdsjkZu^/gO dޜe+LþH%^E] =a۠$eZIבn5>_vFܭyƲnF !r}q,^:u GC KpxUOx/ԪfB8J|?:u0i6@^( BQK-ɚl86`B@*s !IPa|4irVȾn1;u}/ր\mKfw;ߺ@N2yN)2@{dިP n|82_DJŌyc~Drj63@L 5MPoB,Հv=ަmEsECQ&٤6+?=GKW dySqGyS(0.SOc7<8305,=|}A+NȢ\gݳ`Ium|WtbJWȩ-tt` r+ό1 @&Pan}K W0V]VvW\mHB6;Tc2 )C"kAaԑۄ#Ng1._f`ZTA"m~e/C\̘GSAd1v[Lߤ$nʢ3zǍa} F1( o/ra[¯L:h5i{fHmg/vw7FaMBuC6 o*@GU4z.haӧg^ZxsH0F"熆BId9WsSe@ʫI9=Q+w\Bt@IPP=.́mKӋf0^ARWcD #r1+ :@t3oiPQsT$&f˙dTtfx5HNT=$.(R7vxS/AFʯ)J>`N7|6DJ߻ORb\6`13 hS|O,@zH`8 ȶn!+'ߪZzRgKWPi-UOW׋\Wa3k4Ko!2QpuH;:|.]5.6dۭmv1C?<ҹ)H#j# >Dz4Smp'i:Lz  )Be`92A]U+fRJRk&h_[Ih.89srs2|7Itj)L!N5 &IRɚާ>1M'đӞy+xBuCTzi~yzɝ]rrK.>~MPk/BF .sG>.'L?͖ 4 MQ#&v}2&91ZQwB~HwEɏ] V0\!0h^]:0+vy))y֜w@9LE.9,\ՅN?v8E#I0J!M *RG`i鹋X| BOa Xh7C6V(IDEɷ1ȷC#5WIR?NluA#pC'#X><-rc:cJ]v Nmx`i Lj3૘$%V*ҼR#E'߄4;_{o iKGw6iC@Er-F6V4c2l,U:)aIW{҃P bqEq!AV'27`Fy b~gnE|ycSx$RIo ÌG -iA$PǔDO]=#!]+wf@q=n^^_񐁳{3ij.QbCPjPU?tS@bd1$K jNGM;IC?ô|n!+kf}?w!T7 A]8Tk F>D2q]o]qwA몕x)^uQW!Aa^O8Ih?yUVSx~,{8Q]F9Zs:]-0yqM:VmR*NR#`:"lW-@1/ $U7e|p$ψ<.yT8PuH .$L&Žj-țUok);Q.R30tM->A T+Zޑo/C9`^J^d1RCM={AN~NOѾ)5VWZRed$iv9a3ɠu6}X\ˍc*tX$vi`H ` >'q/Vb%"\vڅך +9a(!Xi!4s0 ,5 6rϹT̾/#e#6)M$6h*~(OVmyR)- )Zpi#7KE!~EP*@j#GlHurh).Oi6) ƾx/{Z/Gt!״8KQ`?~`S-="?>~mbMϛy"Rl* p(XVX X B#/[Ϸ]m%I%R `@;Ayd*t]{^ pnAL~oߟwK9%(݆lϒW.bua\ͪg}=⟦UXO^m4cC`]bG%^dƘ@eJܣ]J &gF"Ơs^5F')^94)L 1M ec<~) 
_hM4d?J$DH?*\gkasnhR޷{7v7V|}n쎇$4#D}z8LsF9n[1XPoٌzj:\)c\mvRlR dsV %DXyLup%u="W#{$͟(Ƴ+ ໠6 )a96NDgڛN i Sh2=;l;s[t}_z(+! ;V@)к5u%. i'N&ښebE \K_aGULzk)2 [W*Xz|/өc2j߽+2[VD~P*+u %4 pC-k'muuH 2<S*Q1f7+_dH3&叧>! O_5NZ<8]hs ȚK)1\ p1f'7+ k;A>$!W #:MM;ș .4^wt^v \3E:+5htM oVlц1ͼ~&|?@R?˾p-ʼa׼ڵߪJ SJ9 w=q6=Pon|ڢLyufubhPI FTȞJbKqdotx>v5>V[@Te*_qb\.{ʾ_(M ?Bєu0;f*YZGT\NxêL@6x `9kϠ?f6领mLr ʹ]D<~%Ag5Ol**T>rWȀNʶ$5\bC @ĨAuay/i>x]KU)^D!tc" DWJtn- #hXSf(b~Eݯ:(SfR)pDDvWl{l䈁,z]`؎F]qchV(zGp7+g[:ngRqf x-)A:FD3 o^>z˲q tf8fn.Lc ^ulIش]r: a Ȇh?:t+j*-OdK~È m R(3'H5b===仙K#tcEzmqr-9Yސ~CS~xUG&+,[.{r%'QM F/TxAu_|$L;ό 2(G*^^Υ Tg2HfhDd%F_xC-[qu$d8 ,"szq IXD:7ؓr"ⵇ68W1ܗ.%ɗY%t@WmnBFo}pCDC\bW޽n&}p7b{a3xX ȺT8ݳMk=#r6G r\U =VS~-=pΣ{>J5堟]H7j)-VQ'[Z[s6|v 9?4!n ,"P/6{nȇk|tcxB.,*Y[*+P`U/Gt͓tu ju#83:jʭqPZLГT`j8$xݻfO4_6\Su^'x}VZ5IEC]kрM+q- /ZUY &`z{ luTX\ȆVbe%l/VAżx']qyfzu,S]ŽckJ#j; S,gExeI43qM.Ak2PzoĘF je1/fbT 3\j5}OS9գ`Yy $Gwɟog݅I#d"!ntYa6`|g8QO[\POAT߱Cs+x"A^@#_߁O34̓|GnC܊PA3w'/Dq 0(N7aX* W,amWdL":_ ,uAryڟ !p1̚ OۦPuo214Ia" 7YY5CUY{ِRӠV9drׁߏ4 f'FB<X8ay55D. ʌw4ުA.Vc̲p7U5,%l$\KEaN4m"n2Q[Vgqqhx~{=H֮{j%lk &mZR% tDPU4c^LaZF;4 ^I?2oGsIZ3z}>bJn?MD$ţb[6'%~9@@ӯ"g0jPޯ܎$-Fo?IO^*Q?s+ 5=.oDֲu(z?<ނ\Y0@.ͷyB6 w]PJAh&ʟ1TDr_-ÃԔP,yAxlx()7 (SEKˣewMt6-271x`1٭C3(EIR40y~hZ=U[ǭTc5IIPzsHm9 #V ,|_~efp Q?϶=^ IG!(}R36Dx4 U㠰uz3MWVݟ-7?xH8m֙ {Bhwڠn5L%M44G2q t1F!R_}C[zJ-5Tw @ljXEiU"ΰ٪_ֲ [zCn̆E|!N2i04Vp"t=7! 
~VIjx_WnѐZY 3xeJgGVƬiͥJÆ8]^[9џ kbLGF*B6ݐA{uBckdB`&wi L \8lBf"ac=Y[P^Uk?n{$lT*[S;]RC>p{ԗt_'x^霸4f'ퟞ\2d]^ mA]+2:{o>טѸM.!.:,}#1m착k?K9mGЀ+l?[0OCd3AB ?%횆/dH9Oz(rLZ5b~wbƍLlɪ$շ8bbHF tn!/J5GvgABͷ9@ 5b>ޘ$=oZg7eXטEk~]N|IٝKWMg:7s45OtY0M۔; bt݀>HuMӠDΎV(ZSa(F tE~ufeB=Z8Gqd;D[:Ȕbr{!S3r2Gʅrzl7=pK|ןx3SHӯaJ*:eZ 7AiWp{s>W%Xκ1z/]]w="?NċhfYm mM )E]")5x}}] 'ȄLz* uEWbSVŀ?HS;[vJ0]<״M~ym潚/-#ݝ\hu*`mftZN\-b6G!aoG>hDQ2MXA'@/XeP+Wʤ02R\1j^oӻkUo)]r6/Ew$QoQD=Mr̮{~8]9^H R["ӸySЏ-bס|fh=?,IߎSEHF7l;(sT( l)^#)e⳪Pƪ=] mRclU&t-hCEQ<@iI G)Eq8~Θ `#V5W||v/V'TB>e۴"n V@ jDatx*#!D❉u v-qUFͤK~2>vO³ ޼eI;h(c~*5P8X @j8OSWKw\DȻ/P I[ >@qmJ/ f\/`bP1d+V&t;k+Vn/Y?Jwf`*M/-]Iʽd<2w]>A-.5OE&ݙ߲a8\zqNvJ=H.ǥVF#b.ԻySrdy`:.M6`' %^͗˺:2$7a[7 WL#P+Ano>\{ qJ(z "MuߍdpHBi#>aM껞|6ţ]&1=FLlE)P;w%kT3.Zy/8xCr<%?kD%ƐO>3dAёt3.v(].U16o #" LiZ759^Wċd4$'4jnOuXxfy5t;x {G|nkTZrĵ+']TiԣSWwL6SGr>_&]|G i*]ڧRJ#B-HPz6nY[O1O űBϸx̵w|_ِ `'s)*Y3{( +^a~ ]^;YGfX$X57i$K& .ڗ[qr)ōP$$KY/?$[,np 㿌4!x1RnoƁ.}y1 .*%GG qPVvASh!zQ wpBғ&ٖ:qv)51/QlwޔwAY}7vhCJɁzo y,(K17%PPn2(+Nq' N'YU\H@=u5Bxyy9t\!fIs+s7q[3Gɏ{I6*[;LK 3HSN}-`,lept(5BTom D^v^]5\H f^# QLd{SEhau2A0=?$?eVS"導"T\ҹ;a^92 $N" h*@oVk6oKÚfl,Y(@vz*q=G>ej|Mm$c9̈ DSK ֿ^*V(8#M?*p!a}}GT&b z^*O1LIFꈿeMQxRk(b.F3t jGbCo6HoV锬QU=/\4 Ţa;*`LsbfqXA[0%<=$Kn =\ E1q!B S&vtxd,pXࣶ`k0o*gvU7Z۽Lva~jՏjm硥NL*Ts jΔJdd9p ȴ(&tGN~ vZ\#<CpybFPX`Їmh/J hYP; e#^ V o,֥`MԭP@#A'Ph-)E]rFjGO#@ρdO/ɗщ>B{R0T :vv;1R ` vֿ70-苚p7P͠Y5=RG_fqIpERPO.iscShNN4%d^j*DT lj__;DHr7qpݷ#z@2$,% tZHf?x|) yV#uqOs#ehĔjF6ʛ\~@w4@`L_œR^cb |H,[:wQ`3m텶*!F3kou 53/;|4ͿtIdCb!m3a77Vaţv!nM9AugMbn6N8"X:GR#soVsvSdpZAsC7Y,Tw2p1DN`t,{Oo*;uHH!U\2voPPC6x.\])k͇g\M)vo<,k7;$c^nqQIwÎ3 I>[ ߤ?+fT0 ;ڱQ"'x45/b < MAb<9mREZ2$.5k|J*} 5x˗app2aO u`'IK8 3pqt-Ώ }}aDKв"tj\ebQB#_)r;jn;LI@#2?nԬ|2 Mt>,<mY@\৅7Eo?5^=滰7cnKq(jDK +1둢;KXLc"{$2gb8cUS_QAy2rTR кGJ?m{lMc𗝤q߸d :uu,S/ M=[(evTLB a/..M*3< . 
/[vpD@Iહ | )S)5Rp$Y~[ɿtųU&pk} ]"!JI*o0Qu&߽ߓ(p%X|ԏ9U`UfT %41A*|Ȅ1;7V#2&:%b kovg{s20pkʽOaZyEB0vDIC ׯvW'Da1wL_>VVp#P{d'\?iJFNԹ@,%rez5KXLMmqwG&4geX4E<*E#-!gUd7r_rC~HQ!6:GB A##ͱ́sr!|>(q!=@P ZiƊ3Q[~ VMt͈ ma[:k,rH:Yl[64z7a;0rJ-+e#ĸI8b5PNCl=I baUNK*Kٿ#ezK%T>7sߊ|`ՅMU/ Z"_M_C,,yaIz*-% $.EN:x痍D[vDo)jT/yaVWS G)9h7fɫ&)ɭ~S7(hC.-NBKro*CˍcKq#Y+izY5>ҫ`|E9cf.56$ɏgE"QN{++ZsOɄ1n &2}Ǹ*E$u1'zUSxlXj[xG0?rDի37E|[.y pby;8,&X>HejRq57G& m[R\>c[J}[I/'xEV~OgImdzomS [40"| M_Gyە3V<2[8 p~XvKj U"8Ӱ >9auM 1Fcӑa |4/d\Ɯm߰XK ;e ϫJLa-j\G~0,Y0S@q0&td0+,A{ϙ)]GK{~0h0ޱVD%D &ӆt2cB^ #CL%e AnҷQXWx[-Ob,i # b:GŻMʪ Ο6 aO Z=$W{[;]P(70˹UmPLDj,*=&F {ֆھD\EωBF_Qe( GaA9 ziı@`jaSB57_0/f&+,238Ym͉b dY^|]c 豟l̬La6-R8;/[N)c"/483m1e~:1M4#4_1r@P_No D:8*c?ss (B~:ӛλ ?Wu07<"$gÓVQwX6z3"çW &&Xv!5f"řC[uxed .6}O _~L1`ɺ*Z@A B-9Jj*ldLY'1`#' Юұ4`{Ѫ_8$),=q6m+8Ռ F "oټf.Sy!sm$=%6bm+wf3Sيa8ID9~{<[􏓗tkTl0duww_Gg6TQ׈n0 2_$+M]y6PrQV9l8y-wgNHF(ikpx|5/2=s"*.v5: hjfZ500(|<[Ll3b CG!8Ml.nEź->o?<[%m џ_!y9*NR]!Mc~kKMєsqV?B5 Rrv+wd8:ӝ?pbfY] I/fhu(G\Sf*-iI6`TM#tOPIEr\5g:1i̱ rJk?عMmHU8@cuJh&n58E)šqS#iȉLuD|Zv/XE].  }@,B2IVAr(GYw|fۉ՝بI.:1u޶\8g7 g VHA[l3,d4OGr+sF0πIp nI0WB0\O@`ݺ}QpN\fMLt$lm/׀\Kb@SU5]$\kZҮGUw@e1`'zC F̥BѸdk@,l V5) p"}H­vv." a68]y D'׼0-9=0 Э[ M(^s9݂SUB/icl]{mm.ģAҦ Np;@}+gE|2%4LXP1ѡ?]/tnFHH LC(,"cC}mTC%mfVbWD;K7~%?ur Y:r$\Fkj_rXZƴŅ%BZN*<<mڑPr64=xW>S,S|:_ ,;4_KE υx^҇3C%7v5k7{WȢk AD4gK+dD%uּ˕X5D i8kwJ 2,ƤC }96ڮT|EZTK DAbKRE3L)=:~~;ѸgSؗz9rlW|kݎ8 =헡;o>%5X $aeI/_s"|Ȟ]KuPA!':}Y&*8}YUE9 ]o̪;pQ[(S2ʋ7'۟bL<8k*Qv{cKG!Q4G:_s^1JE^D}UKK,.BwnhcRxUpzrC$~U%+W9? 
cyH#'.sD}wlcʨyV=RKWkelJR Ol* y)\ww6m-f6G[=#V?Ks.Db܇!8Uig-}ֺ{vJ랃7zp:J0>QvhQn|5ӂunMIJl)+ 1El;$D,('j'#T4:%f "Q &Sbj@ jQ1pEAZڃv7@G}4AZ V{kV~^Y!Q1ϥ'{\GO8tч6O#prKqUaST0TgM ]Ȃ#e_yR6#yf !i5 ~#c9 tiӶX^ =I4r43 G'߼g-nOnű/-BCw$ 7O}OG@;qQF_$ =E8-w~B֠n_{Z_`O~pn<* Kul+"!N]X'; ^NA vpr٬_8VFr,}wSr|!ut-6`)%{k |Qӎq.Yu+apQ9$|n`JT;c [wڶ.Jy-6 g ؼE*G%u wI8d'''О=ͩp(M'MWwRXV{RL&+EΦ]wP2Ԍ.vWwt]^iDȅIiPA^n̤?l5mN=_bhWvYgSKL Sx*'k>8o}Ҽ0imO A/iΌ/%29Ӟ0ӏqtl8o|N %:nO̠~&ƣ=G Q`{51(JSutv3{  ڵ~L{U{D5NBSc>qkAHe;B}Z7]Ʒ "!w4ӕ޶mE•!w&^ JH9Z4ڀϮV=)%7Y҅/ݠ7^_X6l ?y举9{ g+3XAQM!Ң?{NKL އʫqP}OUFH|'A.Yʻ<|9J s8ҙI 4fݵE1.Zڴ'&#LI8Ԍ)cUmxXJ46y@)xl;sC-"Y3#s#n1ױQ RY D>gX .5=)jQHQnRmZ]c]TJIGDbTj{-y$ϥF7Z4awT뭳PJw+]^@V Kix3YωY X=Ŧ]C!E#vѼGRd UO ( $(Ģ-x$P։K ^<83n16/-mpóhHB9É.2Z?cLa)_mhϹϮ͵>y~Wؼs8=ԾN➦NdK> 1<)[SRaR!VrߜC`k\.5oKSJzKgz\&9o[īK$մ{lZC_LY<9"¯UW3'PXbE.~4t=I g(Va p9=3H<0ov'GPm|LP)g3ЯAg</vn=}-#htH'r@3|$1ikjKL @cTWUpsmGYw|?341.-]܏E3/|A& N`8^>h(NRr7F*!zY`剆)o@hM׽Y F%Vtk@d3_} lf DZSKLuS8LH]?b#liPցDeEb.Y႑QNq0AM:,o~@]j^".HlmGW ~Y$"v d.\yqn$8:INE*vգ[$Dwq@!yϜmQdU-M{66Լ0&|qnKp l3gʊK< [L_7, "o% ή_g)udh0Q Y Ɖ$?K _ htg7::I`=I   nK1B17(bJV54T*uDi'U=Wx>5qfF'(W)4T>`7vC'|SUʫ<&N~wJ}V!L%ON(Ap[K5qmphm[ Jj=U(r༴ fe CA4b^ͥ&INڑ7F2mF )DYwlwMv&fvޏp GN'%j*'W=]\BznFJHX>V%ldEpuG.W*E1e8jQ18J)Dk,E==.Lu=f/kqw!֫yvÆmFt4G%Äag mIsX:zi"l&J0<vStTuNY\焰̘+9ܔAy)S eQ3P|V0UkTɽ+[{2F6k %".)'xv@27\IosgJ޹=u//bjꌬDᝃ 6@_:#eϾX.ls%ɂ;%¢BmڤMEKGMZ?9Fu/O[xo18.0!6q\~kgelLUYAtBjGHVcJ9rT\1R6Ē-yjS\acQp$"`ڴBW3)?=u7X ]:`Nx: tF ؇gH_% tat؞S*Kr'<e<@j.+-ue)_N- )`ٿ))˞'t V#5p+O+]‰Ii|#!ˌ>?O;% ΰ;ʏNN巄9ݙYaH^E܁pU+Nt5IMc cJ WO{e@5gBNT^%e KR,0`voFRMUϚ ba&k0KKۚE @:]<[:^I2B`-,R'̘ؽ(#g \z!D6xIB%zG_y)ŷ4aԏJ0)o&ad&2dnHB ܘPQm$핁c:^ \N]shF|$/k}CrN xX |hg#ه&)."(FdVM~p~ҝC{jd }󭢖Q$ZX$88#\l3ҪX񧪚u|[6ǺҩWtȯcm.'b6ّסcͪ畢 gA2kGBXg] 6~f~hDSr"M6XG/oy??ze],+[;GY(2R swH;".Ʋ,G飉/uC—2L?V^ֱߴÿ‹hRDGt} ,7 6Eo+7YAqacXp k 3kÖQ+\ht#k숤e1},36al DuvDxC|Dֳ)m9}{ˑ-^(6ysWmoQw,XQHVI#%0mr y.Cz G8d0_^Ad鳕둱ptAf}€mr myDu,YbYצ!ڙ_|ma!pML"SVQ oBwZ @WR .MRRǛ `,Dq6:M|ubry@~xYJhe(XzA n6\? 
dz 55+Py(gt˹q7+a#E {7r1εgAO嗒 X~fABֈN;.2Ω?:?;_(ϻ/ x>uRSoSP+}eDŐ(LaˋFGYrd>O\w ACٟS%}TRJ2\#'A s\CGBXa_z(uYd󜅆GYfwy;Q' VAY˦*0Y ͨux\c.IDBQOXҕQP?I>y%/5'b'G:*bA7N`/N݆׼Mq]}7BZ0ǵ} H4 ԶѠ^N/Tp"щS`\n7~ԧ ui7TAE4CN HK+pL\_3%+tqHJ"}']anT`מT at~mӍdOr;<^q=:nJRîYcFz7WwHvdog;ߐx߻w4H 3P>ư+-ظTZ6<Ǚ:MOpcBv\)Z3Ƈ%*޷k=t$mdvBGn1b<QN'oBgizHopaI]H8MJ}I5de=-syy`)F|ס &:-;GB5MN5PZSLdlcH{ Z_ xw-"-\=a:⊅ȣW&Ĭܶ\%wAE39)f~8BMӹQm;U 2,\kX漧bI<so-Q0`YB:P< vʹ:-aha[6cvjC_S+A؎T fzXlE]t'm]߭>DE j /r2D[c1>xI.jkVeU'N6-ťCnR,Y/Vs!edSTdر|sUYu Q.20)V>_܎#E(;(=f0<[Sh#Fb`v||2^hmO#i1pvvf9皾r9=xʥa`C-RNK8B #Dfg1Yƻ0+CADˢM{Yc?a%wM?? jLacz'"o\j m?"j\$"IEXI2 [UܻC9w0_z-B#(WI:'52hRqiZ,gz DRti2X.JjWtiDOÎ$kX4Ld$me̡f%΃o=jaYvDM8\|e@Xp/Is) 8Ym'ZNMiQR{"yϒwUQ}&py |& ʻamXVQX\AXYv'MbԼ)LiȎ{YNFH½.>G0e(aӃ^Pof6lzYR~Ϊ"P|j⏻T 7DPCFl>ؾsv̋&a kMcu y{C~Bu<9Xt1?#6[Ɔċ E=- _fB –T* aF{'>J LE{A޾9ӡ?'-lr?{iDPgjM>a<?pd6Pvl2[R/u.2ֳB9ZɰoL vDfHr0׬LxMyK&#NNf#&*?)*`UM@ɤn[]v;bZ4nX=i'Kt|%%TTy u>td3cݙtxugנs UQ96)ֈ2⒛vVa~5\'WhȦ[u{IWwD*ߊQ4-:JJ￙ӿ/XXG5x .Ivu94dgX";xVeF:iY l`H|Ux5CH>ڱpa ֟ 8hꪠ KIΒZh?ԳU3PC[{"""c\֙2փH%0[5!J}=g2R&7\6 WFv82htB-c-PeA7:/QY炲z-hoeA4"vf|.y^ O`v!CFV{U`"Lf] R_g=0O|ߩ7~$^(jg*e]`^cV, fZP3!jτcB^#>b@Ŗ1c_Us$h^6CV :&>Ys[Kw)技 e~ -EK#'tg@ZGT]`š0"0aw$SsQ똙yUQN#C y-N2^z04jA ,v &$J!Soqp;>LpWiw^+?hMܸSnJMiۢx:o$`xgų\Of29>lymPᩝp!0*+ۑ %* de!x=Pæ0+#_iH(TB˙iз6$A:v0*9?Ѹn@rTy ˵i.- 0`aQF:[g:-%I$|P&_u7h\L1LJ^wf[D+hnz_AǢw.I-Y/L$ !H`,/Zd6E_5V P@Ŷz׉J ~1Y1Q}ȝ˽Ѥx&ɼ72d9S ~]2;' ɭ 5=7W.{6 M K=4$<%2 >$[WB.sG[ `FgqkraE V8c@s(Ve/Z&R͉/>mWb6Ń^>])Xʲ*=ׅo'{V;xՕ_1k ZKw!Y|~b/E#D'ϣ> DJx+:IHM'Uۑ‭HK$T،hHz{sL= ,FŤ8L V6yV Cs֊g (0K'3|)BSP`Bc,0+L0_6{7]{I؞yh}^JPj V,֐ v3L+|,$Э7w߮wʄ녂UB[",(*_Da纞%IBӟuC0YgO6 xAOi]ݴɸg)ѿŮ& vg-=sᯞ2"1TTRUݸYE+mFwʁRx 2ë zO8c /!?U+E:CRN7^Io7P& JUֺ]yl7Li9SFzP^)YE!hxnrLBzeY=_1`OwZUǗ PZEWⴊi|ىyU.^.ƟU W%?PFniWv8McmԬLs?݌grWI JRl`!?kEZ!@`i'IЂ5(x܌ &P!lT&LLu8i oowFvi SC,RZ2ԽnqAk7fUzϮ8 ѰUfn*_.A'ᏺoQ̉cMsc vK IK7ݗs -pt|jd8 `M ̖Am!ʛp8 0GJsæhGo=q 4e^lAABL?aPU`wz*o82pKug, Ę ~P:FW) h0 yP0Gk;~s @RMjP0MZw}%* ĔPgB7sau3`ɰUW4S -l%o;0|?6W:Z6RX½i[FUvG9pb|f1pRBQ83 >&')S?#pvB

mu^5%UPSƯ;SUcWFx2-MeEw8Qa}u>Åk!zN棠kZmo,ybY^;$.~fW+ #׬i.eve0:;n>MTK&Yaj?Wkln$I6y恤ږOS؍",%?Fڐ'V¯l,1 }9ɷgvm:c͸Ez]џ͘OS =j .Z""7vڳF(gg7KcͶ\g:.88{%=` B 6J׃ B넻E1KfVKHICBy.;kHJ8m,;o2Ֆs+ޚ8 nzdIPs\)є) p*j|-jfמ* qj. /% !L|ʹ)K/ؕ|I*MtIDYš4(xI ӧ|SHU$NGî@t(ղ% ?&Wb:_Zݟ|֋sp-t3DLڨ>[B_7.sIk?6 uhTc5 BC [[)N÷`+EMJd1\yp\UX]NA RD+.70?^#@59cDqVc9H[>w1:]l^7-y;0{ %AXY%.BY iZ/jiWVL|%Uzh9&αkY-<~s=Tv8|J9L3֜'mx91 DJ-&lcNςw>#u!\]LבIQQyfMn|КGGLԎ pp:jxPLAW7I틋xht=p/c]HPoo;j:Ǡa $ﷆjC i3Y44 ͻJV1<|S KzgEl @_x7c9]M~|VzژTz88`X^ʦ9\P掎/fs:'D*TJ01(d e/+tGmNWoPHTŠ  GHT2%'Ԫ 3aKID`;/scQWCUxgcd8*%agk{FdWHdX;̄xlUv3`E}toMѿIa8ErqRQڐ1[;qXmlW$7*U'6iy4ߔ `܋)d6RJ3T4g)b D9JçNb3Lw2/(O mfK+fG?$$\QI0 FIT Lnf'Bvئ}z S " jLD(iIE.~f(](jPƪp$5kN%jLd`+\&x9L؈kg_׻%5|Ȉ,9w3Bclˁ !X3-B̓Jm :jjyz꧛1J):tM]L3FpP /M6ŹYH 4\Y]u5eL%ؐ_Qe3\7\'zשG[.ZdHB[{d"z낚6'_b ?- %fH,|-anm̋ W_nAޏN3šmdi(f4= DGWjli;Y0e.,WT,ӝqPw1 3ZW2b ZXGq]h =/F8$p <˃p0T٪G-䄃 O(H2AŬ ;.#}WhH ?6)FW[c6EjM'&Zsn;T`74&_(KU#&Yͻ5e e&\vuF'-{.i@WA΋b_Nuƺ1nx5^1]qtP*tC?a WxC:+j%`}116J/H4nV.ZÜ-2e¼]A[<ĝgo-P ߟ^p$Z}NVbBI=v7=5% C8DJ+cI$Z\% KoFmc B#͝btL> JA|-MCA۷N U إwV̋;wR6I$49[/*#Nş/wG!ƣl۠#NPhiͻoNGO0s"L1 sQ?-Ϊwx?ΘW{TMZidtW9J`g{|1AR KH;yVbFO#*t'<ĆTVOچfJ(cU 5{~Ϲ8k8gWkHS5~NY xh=):]9SjYa;x3cp/zBքY3|^C&xɲDT{NR0f D9 U#rYAVp$dy }0=K^yn:h 5iSޡJx0ӻb=vPN_\ 14hT6ՃdksMBv8Qs!Q<֜{dɠ=ә,TG^2!G:W)sd+9@P苣Vsw,?4M4#eUW[12Fa%$h\6ՐK:7Ԟ0Pg@ǸC=y{1a+F;t˗E^΅*JT(͒te[Ѐ]-%J¬>Vb@AHXB6 .=}P ‰'{7HdU@. E<Ќ.<17vvo{Řgֳ5Q q#&U~qexk$xjyd*х\o RgK,8#OR! vedbQVl쎯2Y&g^Br a`ъm,af_zhd=ӜbřFgdyڍ. `"ǝ,>q:\2TeL_O-tB-ڭ죇&kk<.!(Z!rȵ 85h?C%׏u&$xɍ wGao?[ i6,;]#g6 z}]҅ @o,Rbn6J\4%ZaFםPQ2-ϛauBRp_V4-{zXL-2ƅ*>@FZːνȂ*oJ7;4\ 8da wV [!ckZ8-²lgg8k7 X oN4Jp~DŽ (3|Jv]45-NNu/;X z4"1WyMߐF >{d뜨!ZSr׃qqVkҼ^&MMUzf؈= 6gYl嚤8^<cFNCxvPCKi{k`$3Ծ vۯO^ba0q nj0Ke5?=wnc^z|~ Dc|* q0q}#kO2 Z BX%5eV`!ſ1 ljmT,ϴҠg{1nӑi<ME4_"҃6`xܚSq:Y(%z:`U 0n{?=IȣR3d.բցGWIwO-fa:bY;w+իeh TA,Ça5zS]u}P+2. G@R}):o#&0.V5|ZQа8;38Iv$Yt ; eJW.),l|:08ڠ"wh'BuI)mp&u&A~w%3;䓠q@oiqDЕmCit6[v(Mp2YWV! 
v> \(=X2>ĩ@'2R$Ongg-gT-i//NsUa\ u'qSYdI6s$2-껞=jd1"~)fH^^K^x]jw-'2-L#GSc^~4`gH^RŞXvr6ޕ®|9~p.d4HmlJL{Vb4 Y,E4x7]+B I(m5v yf;@*M]"m- m &#!ݹx}]Rgs7QaXKpg>K=s w9i➷#JRl J>hD 𜳇Lpk\ScW_*ŕ=X`8g*\7Wi 9{UE7)Ѓ D;&Ϭo{&o${xe#-Y<jH@]JW<mμoAjWrXJ#%?2m#1nj٦%`]FMhfpo4ڷ+ks)2f?s KEj/CX&OW8\>7]F/(M|C!Q<6%=K) ]Hyc^d<\Θzi-otn( O~=v'W3vKp3&Z3Uk|]C `;EN u46h 9(grWuՈ QdF^=|9 بq @2(>.Ή gtaݱA9.HЁQ/j( ӄt~: ת.]^fuN4² v]0KVO(YA}rtrzC@v-ɒXҧ)N+x繡 A ٿҵJ3UhԐ>GEd"9fC(_gE򼌄aF@z7'Z^VlkAQJ^X34JFLS5rILsjIfmЭͫ0'S$5YWUOm^g`Py<B(PN\?|:M/(Dm"GB} &*İb$f)]V V1r 5!<;gQLgPh7Y!Bb*3jnNR, [Pү~bgY 㰞fE2?K$ʰ{I^yИDm lIr;"4c^n9pM(iDjD:UU\t12S4hTo[}m5rR+PR6^7>;D1G1`J*Zcn^Mw7.^qPqjB.IVYM>7^a߰DVݏDͻq7nG%z*dtgmX]kGbad* 3sdJ#e-{ھx\澇Xi٦H7&_xC_SRë'!]:Pe<;ʈslKHMro˘FG'HHm~ޏ)pc=)wFaZI%b9C2ckqWe}rc&8gmP^mky@ HN"I-t-.PdcfEg}Վю!Qځ ^U׳cNli$-a' Z1Nӱt{jŝ΢Yʄ _O!PNv'X St! @(-/(J|nTgZDȱ^peJ =nvZ(ѩ]k r{ }H H~%n),n4`*VyyPY~ ր}w.xث!h- f, Wf8Tj'}#?U6ӄOBc @L(::kϯ!ךYܫƿN$Sz=RU:vQxoOx+Z$բ*ߐppMRX`s ŏ.AS\jv!Ve3GF>ɹfROxU3 3KӥbsCM%|C` 4f8}+pּ [}7fK*j|U$INQJ=3B¬Gspb 8'06LjG&q+W%Hy.ԸDGmAi kp]H{S*g9DKJT:<7AP2~M<6U#17fo X"_?`ק%bƑ' EԘNkAd61xFD.w5쏕%?WL#P|/ p7a!4dZlguYO?o1|u~H@.a&mw#B#3+{}=GӍ=(`B/ Pԕ+SM? ,sq1[_8 k~:oogQ猸-?d:tL&=@U fJW)6֥A3}yT3Wƙ"lCKYd{7#+@Gbՠ|?#}Gb+ IWbJNjw& 덃Q9BCǡw~ iϔ,rHgU-񫽗1Hn YDkb#1@JX1m֣Y=Iv%^? j1q4EbԖ~ ϭz_"Ήt-A;'sR\!rN !"z!2t5x r-_ ^ }FPoS2.z,c"6fosz6]XtG, %_Fq obbeDE~HW'3dn `VB?+օ^˓RYe7XyE!SnEE׸fҠn-&i5bA[bͰRZJe:/?7Ϊ>gi8|F_R6\}!V\RM3ظb Np;BJ! 
e)Vly Y^?p:f}Ix$ynNx~D >MOn:2D Tf8nplBQ2YsJ=ʹe Zo{aZdcBsI׿=82Cf稆_2|vCfaErTޠir[3qo o*!=VV{#pPR;1L ٸ 4`N6 {p7fު/JPy@R;)knӛGSET:1>X ˦[\L eF("~c'E,Q%JZlr1vYr OwKYqAu*}z%Yh2!e6,IFa0PNR(NP љi8WYm~vE*٤?pOjydbkT-9텎Y N02|/{ivm fw,6jYWʹCpT1vdm|yz}"Wv6J:H,$\4ۊTEi 7Z]amA63qUZ)4L_BJ;5XqU#ϵG ?qk~Wov]@B,=*KHYAq\.m `Y~fjJXn{*2m)ǐQ×\,(,gex}=x4=Mjz\^S뽴Lä ᄭiM7=sO}p([}D*<\T]aN(SP+%½%&5K Q dqƪnw_4oԉVS?Be,,T1[GB1[\A=Ҁ7նT+MGH7$Eӑ>U> ZKypQ9b6kUf(QŜЊE3fo}J?wG1ڌbYSAmoY<˲s\]&"!eڻSIвp}@'XE=rD Gދdը37(#:+XTXE'g7&Ϋ\''7?!cͿ#L "U=K8wUBߨ;Zd!7cw廫+\{Eץ Z2B(nsbƅKɋ$UѷX0k~0,xWW3|u$Cxᇮ=ܟ&Mpު@f{ lMA#Kϑ,"qܭA:zK -Gg+ ;x\ԕ/1‡$i%6b.Ơ /kN'iS֕;Y(;e Pݭ#5n/ܶUUD{9i:M'X5$~n5le6tw 76Ub[@d)IV\iUJ@ƏŒ.l 1Fz=ʱZ.Y]N$LSMӍm7:b ֗*8bh7 QLJ:LߣἩu쿏sV|Ʊ ֆޭW21yV[@Ѱrti'^~ʎzd%rӒ"zt> T'uv75xiˮinJ7iRXE ~\aAW>`SOñwK/mMqG R_ȯ ,'~ƴˢjb,ͼGC>?xk^ n3VƋ.~~ :K@CST+t6+_C|# q*sƋyjwZ,m_Z2uh28 =˙ΰBNZ-W.ms OX!ld6^{Dv2<qї&ĀmT~X@fN`c9|ru໖%;j ϮT`1!|#JzH9-,߇iz!m`92A@(OL_X3vM }=h2 ܞ(Vz*74pF<*TDvQVYjMr) @SW!t"Cf5mb =y@Юe~(QQ@bt8}=[@1 [`]D&8)fej 6/nR[ UDr-s&@ L+Ë? 61\=eUjG) | ¡V5, ΠGM)T_+g j6etg-[EO ]hm)i.KUSkYhiM; XK:>)׺2X hgW)b1kw ˱ v&gb,PY?&Z~߅ԇ(m37. G/%VdWsmj띨īLVAᑜ9aMQlcw0'9x-1WV#hu CLPVzaSuDv'mWx?lظC>FbU%wK1"s:D}JAi 4d}| W\ZbXb^ b*◙i~MJ$m C3YVH:1Ya+z)1ҚǯI 杣!'rY9x[Aa>uTlL-`tfOaW*qà&!ߤLurș%6\( @TL'_Lq\ ?)zy,(&q!pԦvf3%5CJrsA47;,*Wv rd ʽ48FM`3&؀g AnsUC85`Ph $\A1;)Տ,7A.k6 Ƚ KC KOI$;,{iɮrfX@)Qn$uSjmrHbI}b;c**KՁuvzUTm:rSjʲS%ݺwg>3k̇f0hg˹WE=N :ҌyG_Wtw?48o!6W;#SI"Q56 w2D2uQ׷?1C#zE˚~݋GbAvz?A?e!\(cT{Sae=^a:\9QWBa.7v{qydZUbl$('[֌ӟ(V7vGfSVOtSwŌYc2(٦ w++74L*I8tcgo?s9ʒP){!(I~FYiX>)Ydl3IԐXSG6R'7A|uɋf2"1m;PgkK#`$I8>@c:-mcr{{ e"!mHd(*aV }&$s `}2RbWYK(.ki4J^tOȡM;*yb8$Ulq &he[^n{D+HJ]jͶ\FA:&E5*tGa74ӆuM%ocͪlVkw% "l`bH P#[#1w`CS4DEfuҿ'0iOq2z- MX.h6Jt+4KGO7iՀ Ƥ9̈nskpu^%$|[p 8c~$=խeS ~ĿUwBvVOR(.S(\β#qLJ 5NዎJ\T!1*bWZM3\rpD~2V1c#)pދ%TI.JM!d 0vJ waFCf*!g7lԘ.c4m99: (bEPxfӴ>#d7\ze [[`o"S2sTF=.j'W6vc+BQ o/oa qͱ:U!A K +D?m9(p zhȳ=| xnvLӣ^rLt/zosp|hT%8QLv<! 
F#p |l>9͎NHI]U"&PGYϛ\K6 ӻtp-'>οZU4rHL:%ed"tMgB:&嶯\^4pAhnQfoy]*4{ /AMgMrⵅ\Yx&T®ywهG[@-kq*$ Af %A4Q}@*MY0;A-NJI6iĀLTSV7}L.|8McU0Ag,W^m ݶ6D|З[d U$$hѣkz<1xs&Nay&,f`n10;i!Q5{$e> 6B^BMG? #\`+Zg46Ժ -=m36aFhs EzPtL0rWK@HC*K>=yOntFu%a47 łԕ(^P*)^2,xWpҫ;F,@=a],/):` o0ڻ ˦H."} qoW4M!d$@HŠ`:j@>l{G6Af<gq/ 9kE<פ#r7jEߔjg7U{H@RCS Pi!Y,X i9 TN~8TTaas(S_zEJ ;I= W9ڱ׻% J0tfƘug;d/L!3Ȝ̽z1XxBoE_;3P䣉RZ?ª\&Z lһS `eN*iW;=jZ!Ҧ+@D(ں_g ȲцN丯%8j8V}X¨0)]\k@.L}.!ӷrV!8 ӎ{C>P'Q)ð:hf9e#-81? : !`/%A㙁 tbFy%N(Xi9rUAPX!'^M򥫅A/+k68DA 'uǔLeXM52*}x`N7'<'PN?p5.]+sV3/^[4&P~Y\x0R>73VmG_yDwD"bHAzFKᐞN ϡ5Q3Ѓ5f XMJt/n^^Y 4^fX?ap,8۞)2Z`0/^s0KwGZe)ιHN4$yUȝprK𘹖6yK#T: S(K7{WE?? [3Іe*4(j\\v qdtNJzᏕgk/kVA,$Љ;5Bp\ZQ6`-N ]2I?Gw2-CHߎ8wMYV;8]SslOG]c81Dԭ_#qp7\8>db6dYO|=!K@]nVq;.YPF\b ,q3FTz!+, .ĀXrNm̗+6>肋 ])r2]8)|3/DwIQ $5ՌGM^TW/IV;coq[ʳct`6%&^x8[ԆqT{d6{#1lݾ7vgN 綤BnjLH03-tzMqB7h+% *N rߓKϝ2q'U-"=;qfDž">kYJ4awFH7Z0cc|,Uԁݑ!_fORC$OD; af!EjC&Qh8؛=Zy95ъ "AD`aaU 1oZ}M45\=W1dc}^+G0Yݰ?^``}+EKQ+QҁE6dw=C kdSOMVp*%4BpxS}aK*e{$;DqVfZgFXpP.ڀ ; E=̶ꐓrv2=!-.mk'w~XQ=6Csӻ?L{-+g4q'H]GjҎ$HdiۑHOհIXHx8ȶj&B01LM=LbEy>KY-f5C/VH:U_uE 5EؽaSZ0e iNhOܟv&%] Iu[DHf4kWkhXZۥCf[qmӈX6̀>GʹƔX 3Ł' H*|< l@$wnJnCsgnwݪx*B)6I?¢%"*g[8HfY9gˁhy wt`kJG,(VNR~k>Ƞ(ػ/j@A7g*=O , nw##Tij֘L=%-9o2Im2k1~z2|߰*My\RC(8 5BiI66ńNVrc?6) #Z *ز7t' N4דŃuAFCT00 Uo1D Q"v J}w gc 72Ÿhl^f,2֑jVOLavNr~ɭˑ N"Ҁiy<> L:MNvN>`uMņ\ؽ)@$Vhn x$꾱4Bq$=U&VW+ew+6vW|:Yj]4L!Y̑6ł'rAd>MP >f7aw-. ?O҉e0iQ[رqs5K%߳%aH G3^xEP"3|2 /n ̩˂M%N>k[7S5U%ᴱA$2y2;Qznd&Zַ36ʈ% eVebHc"tdٳqІp(GTamU dc$ipw3!}JQ./!|O9ýf22;DQ`R;ojϝ4hwSU N$pRQ9K-AH[[Mɸ\RzVhNsxBP(^G'x}㗗,SEƧP+{IiY=ZyJz0 Z3YgYAۓ]3<{5Ng%`Zo}s/-젥jA-