samba-devel-4.15.13+git.710.7032820fcd-150400.3.34.2 >  A etp9|$f,b`u,XAe6w?gtG1PWՠ AkZ BdwobUU%2iΊ -ͲтzхT5I2F߀Y A&rf ڡB4|{ K^<@B2N;ߣwȼ.d1g* [1ʕN:e#='(1\6݃¾gƗ#gIc713306041d07aff1108008abcd7a1bafecd89ca6a496c9f406140865dc9abdfa4fde2d007577a8f38bf6f22a5f861c542a5a36cetp9|qޱm*x Qn+b#Y ;sVeKM=OV`)%l]>c7d_k&՗º]lva)|IpKpAA$\#ͤCʝ?BxrB{bLw"+U!*'!v#>Gɚ pA?d) 7 e/ Ee|    ! $&(+F+-$0h01(2 8296P:H[BaFcBGcXHelIgXh$Yh$Zk\[k\m]o^v\ bwcxDdxexfxlxuxvzw{x}y,zCsamba-devel4.15.13+git.710.7032820fcd150400.3.34.2Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.es390zl34SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390x( p=B!1N  aF$2jENTv |H)KU +d`@t2!CYW +g > v&HI!E'I:l h_ Z=1y<u .Y3T4&{66)w+3'A,;BG\AA큤A큤A큤A큤A큤A큤A큤A큤e9eSeeSeeeeeeeeeeeeeReeeeeeeeeeeeeeeeeeeeeeeeeeeeeeReeeeeeeeeeeeReeeeeeeeeeeReeeeeeeeeeeeeeeeeee9e9e9e9e9e9e9e0e1e4e4e0e0e/e/e/e4e3e3e0e/e/e1e/e0e4e0e1e/e0eeeeeeeeeeeeeee57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b874593d5ed89402648536af2b2a2715b7ec95b88308f700b0811d4e501124f76f2e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b37a9fb59ad8153ae7466cba7121015d8ba2a3397624d5c86c144bad688c8009bb1b523b57a052b7faeb0db0c98b19716729c5617e60d14d2ec82d8501ab67a71e8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac198965acfb4a7a09b1bcc6ce465e1da70005bc20b1249c16fc62adfdce3f7dc4959a34f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaae3d696f724b61e1689c46ee2eba88d6eeab0639f5d11488e11115db167b2c1f9b0923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b9b497eb1d0b62a3e7bcba01a70028c6c46fd518f9a43343f6e0d70498ee53f056d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac6f244de44c7dfbbcad99b077aeaa3c1552918ae8bb942d1ab72962768e91bf180c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203d12b63ab72632c087a63455aaf0ec6f05b1362ff8a2f4eafe98fd76ba0459e67libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.710.7032820fcd-150400.3.34.2.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(s390-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3e[J@e@d.@d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Add "net offlinejoin composeodj" command; (bsc#1214076);- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-devels390zl34 1703083733  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd-150400.3.34.24.15.13+git.710.7032820fcd-150400.3.34.24.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd4.15.13+git.710.7032820fcd sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:31907/SUSE_SLE-15-SP4_Update/625f171e9af34d04e78337ab8ddad37d-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP R)'Қ "LAGI$ˉutf-88b6981088e402056a50732ecabd2ebbce78213b3e3d3bdc85e05a53e3fa6e7c2?7zXZ !t/] crt:bLL vwgl %YrO:Gћ_NvRA ]S *m.fmCN,CW*3n\|WZ`~s=NG|Zr:8 :n6\X]x48e9X׳Pg|R2݃/#5ތs~qϯ΂T7V-B+ Qe[V,k|ICwR% E}i"At2SwݓznXi| LPEE 9+*N5uFt_{y̙vbkR+9e"թW" #qӡEc O<(ib72hP^o?~Vxn! \&FL̿! O80}:Q#)ԿZ+4߇ 7S.XS6fEA6Y)C]:ԁ dMA}> J [u)INЌhdg% J8/C̤YH9('.HcT@"m(b$;'"Xlm gP CV: Rtp04NoRVv{Q-vmwdb+Hdu:uٕt/<(sCY2@PBDP|@nf-$,|qFgp/xex֢S^u (oLy2`l瞹QGuQ9 +j*^}Ԑk5쯜VuVt#9m%6""aAH9/9P|y>Z*_7|?X11sI0|7݅rZrv)~|3:gH]xWV!zsH|;.945΃)n͓6cX@@؅gtEpI SNJQMNJpk)XwP!ViDQxrDNt%vK"pCh{ 5`ۊm'벽MrץIY29P7Y݁ayѥ'%*1<1 V%*0?,$ < n|TⲅNNf0 KP\:,%X/򂑪a_k<] V?xcVgCaqo^XH\AI]2!Ody񶜮G#aGV1Zd[.@+.^bln R ejي0.zXO.Qغfs.5VϔXbv$Fn7/+p&wh+#~"a䤀XC.ȳT~y1rK&!1Vحc(whС4I3`bC!ܢc;sJɠ|_uZ6!G}^*嵨#sd\9?( Oakr,&YGRDER;dM vծZeζK B]p9 &?ټKi$py4`g0qv&+PF>NG7OquPUKѿB}j G=: fF>.pb1 *;֋1Eic8o:m-$3+k{;P1A!#[r #h v|63&#| Z4m Ecs\WjDI`%޳c(̯{L%p@+EwoT;_y_tXί,ײ~+Z =E+=eR ?ȭbDh!#$8~`+=d0O<NaX49_~5No^H.}s~nJ#͝5ǚ*麶GV_c su^ GʄekTԬ)Sqb[_: ɟeQX7w8fxSΞF<D1p#{&.K7-#eƍf<<@TJ_,8%7ap"?u'M8uM܇#=򧺔搘j&خU)"H)ݠ-͘aq#H/4c=%p]AQjJ`Y]PC7^ӗ`-ѱ/Tt0wv|1OBT7b<Qj|9Hjx%C =j2KQbZ6v/l墔VQn[L'%OD/#;X~:T9"R{Vby{F#|kxuSWj1;[bG}/S+>p= - >q@ ƜY:N" 1΄ q9 2`yŨje[kֆ;W?6?j4]cG,as9od|D uyfvU$(h@H^(meL<)úGep cb t{7C/bv{<vp-ongƺ"d¹^/U0ib5&K: T-(&7YzZl=?T&ȥտ 'H{sӣ,~|!8΃ˎ<՝ϒP;}4ELYE܄\Y_u4EE8^|o ) Su,ÅӃٗݍl8 g2Z{G}\h)J6> iB6 e&}nW YUl*ۍм/>8`}oٹ)G\Nu0x ;|#0[Y6\*3.|@"IvP(Ցcb^2msAu8&aU9=* bГ^JHY67xTz"TjPCTs(ryHMOeW(x/)v*6\v湇8GīY8봼G p.Z/eKvz?hqyc}tz2eBdъ"zycS!hnJ6Yd@]TSZgCl70O"@A]'J>U3BNslKA-&8xTO3 -eęm{T  O Y/uFZÿM I6ˆAhw [Z EøS#I&hL8Nj IA Yʢ~^ ée۰1O;xvۢY~TqНY"2nV-uN/*.wKt6Q.\n|y-d=HI_J/u+ or lꗣI[Sr%I Cz`3x[0sMM Ԭoob'-]bD[u/n/N(L[,P9;ʟv+T`pZi I+q#rnZ#KDVM- o ,TX"o(KZpHLij8;#̬ f-HIb3пՠjMP p%YAȊ+j܏z(*_N/$c,vEb2;z}vLE{u4@Ih`4)Qھ-.Ҋ._p+.۠ j+o̘V4“)9 2ܺe FGlgH]q,UAL.8F;ILiT )6cU}٦E% ȡiAG"_UoF[Fw9R\vu슢nxVB~0Um Xl;74wD>po )r~R3wMeJpv)t/Amꖜ 8_#$_-B3~pB(N5Ψicjc>) Q1Q\eKo[W d_HFPDؼdhD&C~m5REU: 2ʨI8E^۠mKl?l)sVh4٭G)ůAV˽z%U7 : >[2qEX*6VB<2*ʎK]U6NtrsI`K4$a `@)HFϠ7H}Κ7Ͽ;&Z`~աXNalVCaɤTbL|$K+},F~c"]Mh{IO'pИ1Qs 9y ڇBBg&mOgw-eZ!et?Ɇ S.;6%  gD%r!JŚvưj~/YɑX"7C٥̣5KòL~}H99)%R[@`dp aՌ,*ZeJ0ូ{7) g Y߾u#3Si>**-rp/9j=P8Įeˁlں>=h֌4]gg8HgtrJ"b@}XLDF H,ZnHϾR/RڑD j U`2n9a#:0(u;<:&yҨbGy{\ݚ0f M'c6Po}NOhCSX#m-TAIK~?Ĩ[ ^Yb(ٞ10I  "3;TJӘ޶zQ<ޯpnk$#lTs#mu0쑓 FiwG k"ˆ @l}|QrCG%ڰZÕ+`t6)_7 a Pua::h zAɦݯj\ʮ}/EXi^WRH +VY}p $5vA'7 +xx7|õv=ع.Hdub8%}¥L1]+w^=Q\c"Y!s+KR&e2nyz6HQkڝqz8ႤjFeiHىip☧T=#b{dfP~kh3ǭ =^! R,>'W=5@kLAN@W TcplxzPH[Jz3wF塀f7fȡBjJm겫(~Po9[GZG3ә!ƚLa/Eū$] E-/fIL3–ǜx5W;Mv8mꓣw]-e*e=;Shm Kp,]}Z6Ǚݤz?p LU!|=U0ҽ^vc#P=i=G;jcA\֜νY26/,'Is=f4rdV+ ]y^my*6Ըo( EgpTVPZ@H>US32޺^ʐ6_cnVYBz0ƻlFQ±Ƽ]v%a3{rPn(7 >!K'\<5rCϤᚭf^dE34zɞGcK|ܤ8&uF}i| Y v6d&Fׄhs t>Re&l5ی+V"TB(7(6ߑ,O W;dHl)ƝMN~y$ WP&ha#xx_“>XA78u v$4 "\S/˧Ruw{-ض|)btt xZÅ"}qB#t+tw~')3$EJB PyEFq3C_C})4X߻Yճ}0)L>s&0nTfCZ^%q^{Yٍ#_|:m~DEşyp:E[sq{` hA&Cєc'M/'_Y@[ mjU>CJ't}P vٕEZ#% 8i@*`Ѥs6S_)ԁ?.@>n4^o~pF:B d39ۃ c=щ5tEKnTPVkI| i]XDpN!SVtw|~) ef w&k `HMk\̛7/O?9Hj6KFMdg"ca~0]",?Q~:9[[+ ~KjE|[29eL ^uʣbjoT.,N!,Ag7a9%Ʈ/b䙦L0oOd5R@V&TˇYP=x?Z@DbRe$'2b;Bkcr8)>2\I~ NrS?h$ sB3O1e*ynu$%Ml *, JC:VTu4v?im`87)⯘DkQbtm -GMIdLTNfxG(?[Z <&Ɣn{P&'MG3dvBfTvKFL=yaO 2ߙ =X0A+*Q/g4ijCe ͐,rǎ\k0\1zyXO ˷dAxC+Vi W.h7AhPB';㞫&n}@+8\3vK\YNƔv8 ;pV-)$K7;CaWFC Eqy^n$=Tz>Ƣ@K'V focHKalpӕO㽷o%5 k Yʵ*BbȀƱnbzs`@UL4g<$ AY(Jo7#E؆~&f$^;5n~ʎc}SK<50%H6po..n3]tPo E)w$jF.f*MnBʊ,GKFR&ύҞCm{QPcӶYYs+}8 (e>P(zʐKXP ^ź%755gl'"~s.i1whQo05H)gA>(QyE%t1}ۄ;"}"@jaL*lC/-HXu%庲d~ۅ5xUڨ#Y#FsP{?߮oH<5 .&DA"4y1uZ&7vP6n7\u׮L ͦϪ(2Kz=٢|2 K 6wQѮ2k&:R]8ΑW蘳q!ql),w) n+'#ʇo.g>:ğ<(4"K  +YAǻ$h{ u61ۉ')P-O(tGc]7Vt&E@D~z9S+RU^u:>~, wrWG-(UQ-'3j VD`r@f"VX,!ؘ,YYuv%~@/$hc+>πzL^YwOUy)$FŢ2Ljfz5b LLt;w, zvS݅}Y~ A݌H7@r %wr6*͉ BuO<,dm~]$xIn5͉j0󗃤̸dp`Qj1'kiӐMCb;{ǜ+C O ugՁ hlCb02#$o:{A#>i<4ӓ6'ceiJ3MDnT#Ի^Y*K193p* 3ϱPWn'yW/eh3>EV\ ZO(K󔜪^1=G_x bIYCKIrٰN7Vk=7R2x5K`0]r yJۋgެW1,&܋p&7 ?xg| :Ǥq vF0HH"_u2]4 fm ^(4Ai6F,kN^$PpX˴{v§Q_BPخYVS"NRG xцWE.v 4P+ ged8l1NeU#(副bQΡp&WAcET3$|1sbklIS+r/rU)09sn)hH3|Rbw+:/r:VXlڣe8pn3InɊJqZqP@am//S-XCJOɊZ%&uBk tEaHxy(8Iub;bg}4S s@˗1Mҽ5<ƅX~_. k*#ـ{ϨݺR86!Vn~<5 Up$ gy[߂%f{R*|Y#"z (PXD N ΐ~iݽnTPR>WlFxú߭1:,*rϫ V.}ϭVk?iO}גq -JPcp8)O1w@nzsRk{}',*ֹwݗ~+J_A&]s(wS;[ۆl=bέD4X5l +"@{"~:obw]}aknOBb*/\ud35ad![͑ %vqɹ VQTMrЮn{ љ'~ o Ed=pyYD\Ժ77* ߮wja܁dR1/l!SmQ{xװUL, OpЍ9;A[yUqSd1R%ACOTthA_>_]2j?* -8 giowXeZ@s|4V%87TvXiha q)$gL/+%._B~krMW5HX;n<&="Kn[ B [br QkJƔI)!^u' V!/2pmQŋ(i>a(zL楋ig(;6vQ2EG$9TIҊt9լwuC6PޢEB`; 00O۹X~D,BtuIcƂ#xa8h7bWB>?L:4lUV4_{z̈*;n[Bj'PgvcܖIQt3qK 뎞|n&x:p.B} _ɨ/kqDA֯t [ozU^1Oj$}$6t!.g;aQ"n6b(;8Enxn1{:}=Cc7-RJj35 sK̸3yf"GPEJbDeR< ĩ-;( &ZjhhsXq^iYO3٤LBQGkذ! $Xm~t˥mm8ҵtK_kjN"$MCUc;{Jnޞ$U"7B" /}0x$ԑ>! @'b 0bSVr!v&󘹿Wu_c/Re6 ^˒ qAmǙ`7Fห|5LCterZD@kje\lokx/ig27k}@. Y[ϲ۞H?YlRN1Ë"Fui7F+= sJ7-XGi _/$"l3YF'_/cͣǏϼ4?]?͋JY)a漑YEr9(tmJDIsQGKZ~Db~@ r(Ǔ:O2{fkWx .&4"wI^޶ o1ԏYRq4N`nz\y@vE<$QWX,+hMł z<.Ntz*+Wv qk8Q?X8:H+⑺Fa63/f'&%:A8 r#a[WF|Ia78YMzRAo|~ ܿk!8QFWUff'⨀P$h&$Ek„`'qGHJC9*B!/U,ji>_Dl`ٞCh@Hۺ–R[Q]B09-Ӹ|~ۖ9H*+=~J |F4}M;?𵮍l X+6ő 8`CǀՓӊ^%4‹bCU*f%gBB?D&T|Qɫδ#{lvò>eIP+Y6 :[羉m`x٥8 5Y7H0hX]U=b((?s0˱!eCcLh*.5̷8l{&[#닜6:RtgŐ5 ̑ NyllQ#EQ^g;`V\m_3A;D %ٲ LOTE2[BW|)mԭOX}/z*WI-tOZ%b 4E?δUqͺibOӇia @bMvW,LvɒuބreN\spl}7 Ey1kE=ArI JKѯ- .nu%kas{lv,'kauPs))p{+}rNH]m?O fa/W>ٶ؄ѣ0pҟCo9qIrҳE =]oDӐ.G N?ۄ\f6 atQ2E0Ct, a%v2axϺMAge?sͼbT!kXD;gL0Lgv.Vb>8~0?'O+0K[gA$M7 Ӄ*ӨB@ʄ[8ľ[>sbѤʬv a" f}j΅͒s0"Y>0.3j_xzp3(wQVP@qT$8n=x[xxJ[!UvvC/  .W><̺Vs'v:!Zq1 :$EJڨpLNT>AI~4u, vDs8;!Lk X>=B4ԄhYfVݻ yl 5g7B:htu# |$pPN %S?jʺdo{Q4"v@aEW99Ci#3;ZPҪݦ䆏_^!>_ = j$U]I 5"G5~t+)j.26ֵND-E)7x=+eq~u}&f4zI! oTpѠ Q̰ 3bj|K&ʵ+{;/hj~%&6\xͯn7vg>F'xh1 Wvց +?2[+m #x` Y8 |p?tlo4>cNwR?!7DCU0bA4,lӡJg0[TD&*T1Q 鼏6SASsf#8ٻ1Q1S[v"H! J ]`cn^< ˒ Nk/)j7|Xis튑 [qڟmq@)UdH\cZ/1@pBeE$]K8ʭM>lE{aR#*Ek[=Iڊ‰{l7;&q=Ζ+9~͠o&2!HqΣ|X|N=B)J.g 1]{b`9Kan.Cᠣ~C4$\@Nk,[vUzpۚyJQL7,}#6Sx\ee"_ցkI(`joú D; C9Ql_ XVR0K0^/[,G7EgLeLTVݶ= >/]3?W!]#~Е)+,]\A"LqYJM{; $Ǖx:q_)qEJO*_DϧϳNyy $bE?0".QMWL [{$f[BȐ欣y*(n.2dCIx}H#]וlo 6Kd[؝{9)BoC^NR;ۍ#N~)f XTNeOkitr+s%2HV Ke۶V/bdվoZ~!4OeOϛkfYUrroH!|؂hT6S1:0F(YlŃ]X۸廏b.N3dPhM"1tz1F`0K? nPZ(kPoed} ^}Cc49| %V[,K7L.͛լ[ngdäzڽ !F3%FۧOG y}gwѷrU"sWdegoD9E2y0.U#(55E."/wQW/`sV8Ʀ> # 3*}H!3U >rYIv)cj>H zH D0ƄH 0B^oy_gUpoL)OG kFjf>\y^X JHLIc6)u׋ 1^M$;k^Z6hz =$WзmnT?={ iE(PaKfGD/ #A="Y3Rv-f.T.,5A+~Mpt*o⒬7@`~*l 7&Lg2:hd s=zV]߮B+Ռ`(Z0K2wJu0Rxi:>9SD19 "5 Zk͝_@xur~@FDJ9hV`G?\?nM<bPa*˯ a!^P*YREg.xk8 WI>PZ䥜6"BQ]>۽nEþWZ$ɟ|mUA;O{޸ z槐高0p]E`fxq|s( RwMK;g׵LpW#KD~̛qmu-u| */DF11ĵ=Ga KjC8MKwd'×RVp]AG)YYmv(U?ݐQUHOǮbR׶u$nyfh%۱b+h)aGehNi֔ФG&()(J5tjK9ʟαE1y*g' 2U M ,p|`1 ϹJOQss#MAqL)\-A GI3]6d/9|xGEs]0(#I!IMOHlBCo4 ylE*Mne=7RQO9p\ %ꠐ/)ϲiF _ aꒈ o1Eu#ݵyW wQCL%쎙kygsOn˚lF*MMs=[i`Č_#( ~!|=,x$Q,$YRL<*ck-F; tTL1\Bhpd<5W0I=[sU2,KƕƏ|s7/1շ-c ݡV—y&)n*p|xDEYB=Y )s0?MPLb -/>]*5 JAowA}=}T UNv _pU- i{ w?kႻ @QhߤvW^x"/*~p^W"g`=MhSaTGzlo/\Q[QBI"6 =3b`z-nm-PSl?O(u!Jp)["x EzjLEɍ9{nT#O~łʗX rpW߂ jJ j[,C}ӚayFJ[ L9|Zm/ d u_RdZ —%qB%}g̬֕#ʺxFuspڰ2)4<)&^MIc dK xҷ)4iӻ Ě1;۟C"^Sj]ݻ񺂳yz6;i`*gZP}/ߐK2kUv64b fI5op$禽+8=(~ N`ƈ Jd5aɭ>vZeVҍVX &o'Ѹ0٧Zvۗi#^E|# D^GUOz B1z wDoRKDG+@bNj߽i{Kgeet4Egs-Ѝ j:r3/fۇɚ+qU'1,GN>Yb@9p)4A7 "*8d:}U;#뛘 Z6|V[i,tQ"{*y0l7ar?K7h9ȶ{:f3 G Q%-*J_lVֆ K u֮܈fL鉨BeAfʪDNU`]jAv~ke>lq1w^{jpY) XaTZ▙b`C5sM>"ct;WXyЫ?ZP+`W+^$}X)X˖P]{M?ȫ|" VK rͱu~?EnBbj[JVχFTrAeXsELjp\)`t}W>,(1;}6?BH0$!avήc# CLZ}`2&Mp/A,_7"*<ǽxZ9lo ,/v:(=|vdT>|6e"J'FL|C7r겗QdnZ 9UAW2݄1r8Xݍ~GPg_SBm֔C֨Y ~y:^佫z*Ԟh _Ӹ9w+k)O1tA#H8#d#kG*0y?+-)|64۠ݡ{AjC}iSmrp㩈v?X%i(bXNpJyUas=lT8+߁UR}~\EB#iЕ~xFkư\=oxT0cZ6F! ,ΞlaBR".7c?7*=cNQ8MQ͎V~wWK0WŒ(7.> 5%٤HVS&i'*@n)(ͮU$+bD!hAc DQ|cs\CS5(XfOo|3Lv5|xTQ1qwԫɝPqzMR?eȏDavͤCm1G9{6Zqr/Ud~)ς+B΋QPJTq_sgڻ}Ӡsߕޣ?&e֝aߌWMU͌e-6[Qlm)q9F2+bDžDY_7+\Q%C#.$9Eo3 7w4&~WlgOm&!RE!I0 Φ& N,t{3wO/]N>ѿ} ErߔG.MlbBah? JFsh( JWZT&8%Q33:5BKh"Z(΁T]yE^_>'Wi~F`QaML#u"@v^ޒU/y%VwE }2U|&g-0+oj酿ߌr Wfa=" w`i% )vo9T _g>G2`r ʂ@iXFļ9p/Z/wo 8{o(lVx}lNN&nrSav!,|#F= 2*#ҳ.a(j֒K4zy$N̚r!ް#k# S@⪦@7Oh52vC(8xM,Nޖ*<arz$xr2t`S;ce4l}a,zoqxP:BTeXtV" T.ԉ%!Ro@IzŠ1kےtWMfϦ0cSg Ò0wM'O) e@0BvNݎ;0N,EˌHd`$x#7G6T4êu3'/`.eJ}+S+rtʪI6mBpu_Wb˚ -,UfmFb!$ZnFH&?bw7Dóbb>BJ43.*uoIxnj.O%y&l|swb1{Qm:2sCtޑzn}~2eތdt1o/Q$'fEsd<x;9I"X8Bdu?cfjsPy @[Ƿ}% 0 "Qa(.el* p|FXe"ZS(<(SCQ'X%`GPRYJ f~kz*ãNINcoYu>kMT:7 C͒(Y?1teג wBws&ڃ!"уQw>4tI)|3ep+RuSMI B##'T7@A@*9q%Mv}w%H%g ]om|Ķ>'4LGȯ c!K!6V;}ѫr(1w)[qӈ qv.tAZ;"~HC0)] g<=̵*??uWIO\H(pf/p (YSOEqr;TygK{ $!C0גX]Mr܁X\]vHs\ @]zQ.{3{ϯ1*R$.V$9Z+ڒD(WtiuuD:)ɽ#pg"w-qk)2A/!!o@N:Y:\:teoDD|SNyV `NW^"DWܾ_8Ry㞲-d+ݺFJLvNzցN0*iuX5 vf0Gm.yia2A"K9xF3hECv}k-]̧~F;U"+[> ́ Ky Ţ **dP1j币\`+ Ƙ"ITSYn[1 URnHٷ~Z op1V.-0G>9q,\ca1zVxqFX*9+߄o)k8:O!ՐtmI}DndBc||jݳV;LJ:{jtMc Z3^,Na]?H;[uqX<+xj{JVyX]W^w<0S9}$<^"П{WT g,0AbT7lF-VYYDVpK<67f <76N; LdS>`QV-HX? 9Slإ+j #ORe<~j5Pn|9FhYس :A13>>y%>0YT:R/`I}hŽoZe'Ǫ~;H_ř#[XH~QhEv]DH"8M8ZIagaңakT}m ' 3&`}@b0!UG< $49iz4 ش60˖Oy`+}-)[ 7o%{r;D@p<( M?0N ld  5Snz06Y 9+.78KRX0?ʆAJ:m^˦/*.qSPtN%CIfz,;| NWgy!u#6(P"EQ+׋ vP5@@kzwJ;NRu9Qux_ݽ]x8Ms,h&O ja:\RN܅1TE3MPIP=T*#fB8~ˈ'S1TXU[$Q!fy>iǓP Q HوGC:}VWG9֚Y&擽14hݙo+CT^&B8KT74tv3]O-&gwm5}2B%PDKDK<  V>7)Lߝ7Iy32{gE7zGzgգptɿz!U3$[VH59졭Uƞ. bBJĽc;r釄H&BqgEĻ2 @N]`TiShr|&RPeDCr,^(8INд>D:4ǧU-[)]5XCߣsؿU.FG]C|Z, D=)jah㝚_X QbqJ?Ca5"HS_dN6q4G `zq҈x۩emMrNr=Zb`̈3^*r\Z5NgJמlݢ^P"?z7rm3_^cH~vjg]{rzʕȸi qGj N{!qYaO \MJy*lr>{Cdi*`,v3\GiK>RZ1W'v}X/Q_NjgtAUH0ءP#yx;,} (p[z*^O3-H9"ލcwQB`dwjS3a: p3# 4Ff+ȵNR6P8!>_gXR})"xc,5TټiCۀ |ܬz^/ :FҴ[Aŭ[Q3V̉l"Xռ_eJw!T=gpeF~t}ܦÓþ^-n+dhlt5EBjr!KQrdU{Z6W4?L!B3ۆC1[H^b62H¶KƬ]>՜BAtWu:'n_0I!g4ϭ]Ylxy0؟7(pcdK?i,>-{@胑D Hr}K7ڣQ [\4}8Ñ>b_Yp[Fa tZ܁!5[M|uQNbV壂粲+ }C.P۟t"uq=dS=W&G;:pImD#qauqIӝ<،X_wSʌ1.LKV9ƥ4]dkvF]ZH7Ļ =h%ǣf>ZQ'tʑx~]Y[耦9q.}BU^cm ;7 kB6bCQJbؕ#oquϙayqJ^<&I'Ek:ʢhZe(dX11/F`<]TR~3DY\M+LUˑHo (P-1q|SƔY(wJ +͝ o3D-ΝLE BaX:")1U?_n)1[ K~YP/OV: o2ҍ9J2Y$ZA QVe '$ 569E;cC:\Ip"dNewLwiq>\ [ָ8ͮ섮q伒࣊`sO_ $@*|Y޼L,@< "G$ `?(A#Dw agח !Բ,ge\0M.6Q K@cU—Ǭ7hNl=\}2S96K4`ruB( ^[;5um3ؙH„R_iV{lB$->5}c;ZY~w.J179~M5 S`t3rjȅuo= Pv GbCs%ɫ`ش fvRJeNLV2o_g1+Q2PG4`a6^0ױbK'}rg5<~@ U#pH'UEce;ޜ6|*]x{Z'!S#5iZ 䇼uJ`^d֬dXg#\Ji@Ez/>͢{by7{.{i7%VliUsG۸xN4͎$ \'3⍣s <~4#Jk.~ q|wf.B-/Dxdz\eclAmW% $  QaOZ4S&`pc~X-i_ml^ (?[E7v`mm&ռ#50a[n@I{^gL]>pUfbX+s}q@tMkt,۵= S xӼ>˜uKʵ팥! {7)QWfܢ8+.F~R](|eVj_zXsI{Y *\cܤ['Wȡ;GAˡK"C= ]~ŃVfO e""]ǂv_$Vy C!?zeW }`HECOV}0\t|E*`m+-[G/TeHuJ+9x1;cm#`CC'tۤ6ڡ~@~C*Wt 5-Z?Q.21{|)yf> FtS):=xϴYELd v*Yt!3 $5kQJS-Uz&卐.Oݾ]^Ϭr.y!+#jܤDԿ^H I Nj6Ƈ|;G=oí;x%CuZw{9`q CPv-gz,=$Zbs ]J|&4A @ tQ`fWKLdm+[٤ .V/U4s]jk{k)M~Ve6 39pS{5cNǼ8?ahiqyc-'>Dva leJChG5 [5hhȟex?4u}l^!?+]'`f:;] yFi#L =9nj8JnP͊)g ^ ֐g¨\{?3={[`"e 8pg_HT]3ʌ89i^`{uW70]#ylX {X?N7ʂe}F,2GOꍳ]vM@Rϣe j,;d:D% djvhvS1A `uo7yin{]2?I~0[]jq$xC*9$0n#̃CԀdr?=36~`{W,l/hZ QP6vyW|\ i\&J(\̶SŕA/|1=(2ϢN9;Q6"7٨KZr_ ߞ`|4;|"ԹRoG1b[Ժ򍑧qsaMg C[&, &dy4h鍆GzX!!pzzF8ptP׬&0F b_ ֢Hܑ[ضjFS$;[\f,@ EHsq;;㪳PAz( t>WqW9׺e]݅T&N@+sڍyr^ jUkM{Q}(i|udXKj' (3_X}`h J--.ʛA͈d$.YsRi{-qAG\{֨LC>qfvukcնG?tg gMrKI'fUZ-Yɾb>ٳ^_ًAj"Uvx,q<: *UK55*Z˺}>"$FGYz9^ʛ7"Rc@ulN ܡD#t%;JYp|\6w-wkQ B1Y[|/c 6)#dA9Y Flz~ձ9SKj2eokapEDK9c2σRII,!f1RDK@\B4ZPc%~ijwIKUAͶğ=&= dJ~6q{&ĩ R%7g}W.F&|lPl1[]N]PKuP_4(4 #aIAٟpg;Pq!8ҏ@n'v,Bye( ~MEu),`Gv^t2'嚧`);37}D+O·8G4vKDP=cل5S {JԺvp6N,ٴ/'`FծEgnas|3ۅrM` =?Y%y; ~8o>,?]̜gJV,ġiٯ6)KPnל+uªUxN -xe1h;cc690<$"醤e0BI/ލߡ8J>@p779=0[Tۣ$E5 &[@UT q0@{O+0.b}t9YTQv$xЙӄ71}dEbwxaGu;o>jr(:˰lԢj <ÅxaKzq9 2Cj~BICr%ݍܺi8eg}?u-M&+*ǫ" ;.:e ϛ{7lsr0X>,+w%->ۙP8 ]DJ׮akNU|k+oɥASE_QDsz@$[*E!‚5q?}8qan;~Bl CELIt9P vMWS(N8Y{< ֊HVƎ_BCWp>BS=\ENT1!?K~vz6ZeLxFOa^kz}.#ԗE(\R* De{pjûO1\[ĈP[U|<{^~|r6nBəG+0PF(ؗ\ﻵ9=kgƒX_z]]O+ C@"eIobPL 49 iFpr \+//Ϭ]#:6"Ȳ7l^'"ǥCn鉻73h@yQ6G4$+' qsu'\đ,J ՙGi?P $Dj<^A,&[?}u19D wՏ7`ref0Ī_E#?a" 86ì! 陇, b(PZ9 KMkH0 "2lF@ s- Xr'u! `yB7dK#Guj#Jl2i}@}©[;F5s80vçd4Lg Qzrb uoNX<Й5(TcIʭT{iσP\ҞXYO2 mW8o}xW*CˆJS9|*ߡt 7)@-&b@tCk>O?_}"5I}o%.UD2 ~L`7*x$Ym<1iZj,Xb&+EY x_@xid9aTD;cfwe IpG3D;@]0uW -C('92SA@dͤ:{v i(%BJ〸C醼W)m2ꀻV늩T/^)Uaw}\2<̉Y,-|HX#"rnC R"Fc ANhp Ǧ^4]$6jzIb۪zl ~4[|h4Bc5n0HMI\vCtK#yqCs<o©!؇*Mvw_]SśB //DyTgG5mPb|NF.-Sr  () 8U^>.o'5kEx=XVh:jlid5Y +X]\h0MϵV0G>f$૽i ߲ &qqIa.LI-c;(g0fn/xN=n(ve$GucXDLt%$yH8qo6%=r:n{3ȯb:xpos+*P5!HXEvvҎf!s~ŧ^{H(yg%75MQ71W^`qi8YNP-65$X"=j̎CTcV(9܉\dݾ:npq3%VvFs!(S=(]Y˔t蠜#;+" iJ_&/O1&hMm"fg[i LuSc/KRA{ɤb&zݶ4`_,(JXxD'6sR;/N$4ķAgɴ bma#L$siY9dKh%mOׂC\~3{'|cE1g_AEDwL_\T np "Jp+}h.~ńk$l ^Z'w5so]1Q`+7E;,wՋL4iƭH=\k\.brό1)j96mw)KFكѝr$\aȱ -;5K /֭NsBTgUk ؊\+P4Θ\LǒI$psPJ6q7t`yȐ3"C` C@$Lg +އzQMC14=$'xzzQi',gl4⪍w$/X[}>^}֞2%& P9ph;+A%{ W}m>O>#k IDpq^p+!_Đ- &Ez+PWN=BL%D ֝9_Ywp}l+&Cf7_F"e$i2TvO^p Qmߞ߁|8!p4yYp8p__$Ip0zԕ!RKd=\I lsHٛ)b$| ѻѨe^yw4lD Fo ~InVm3_/ E2X`[Ӿm C\D.x3-]=D;(-CmL AWYam.#;Nc=B|S8tDI=Q#2 ͍'- ^Ϣɉنujh03{l1ܾʎd0. OwfY(NsQkUPRuh ß o&0*0bVݍ~/kM↋ݎ&V}w2]*M8ĥڟKH2djNÃ_tqFD5 8çU{2j- i\CO'Ń.gx9_ xzyA\SVaՒ&*rLfk#"rOGwU~96=?c3`|4Ol>5pӝ8ˠ._bikO{-'S#K5;ns@ېlFVsi;B[ b$erJȳУZ` [(;xp4}tHܓ\ł.c5caU$R3 O[LM@4fg__'eVÙi_Ap֩ЌyqU p= w %#bByM'MJx+Hw4TR#MyԳj^"CdE; nί;٢ 0O  @= 6,1;ƚ|"Ѽ3Gy+H+5ZR|lvRF%kS`d,?F^ B0E, V aB?yItw2CbUQt)פ)@r '/;?*HKJ´DIaCI L@|}E 9g Te!ȶݠK!MӪY.A?C7mO*mC a2q0hgp ]7(ȋG>Y(moפ)Iڱg"ϥMc Jì?#HvSRծ:j )Q0C5҆m[ж.M cblUž kV)PusRX✤247}S!ġ֫8̖޳юa_zQ&+o#alKSG\X"Dxaqa=*e jA5y&&\>m1՟}I[A5)Nc_y G/ Bysz6]h붹5#J6!|xRNt같J^\.&fK.c)?z_3˼ >7֘?97|// K<3^}*BD'f\< (QA'-$5Z3•ں\?rja8رGz)jCQ.X&|P'㩸cml i9+/6&1;ؐfxm9۾0~*)>B:Eb3=&!1)[!Ҕt챉_-9;fIj%W=h/}k ʸ,r8h׷mj6NIPHUa Ds,y yY0S9Q j *7. t89-keׂJ[wۉzn;'כ干G(HfK:zf'(-Y9^yY܍T6]\SLtW,V*5{iyA۳/+X ;t7@ʍXWD2W~!ROaZ-nWj^! d%꣬,_I/yW1Qn#"km)!iQx'Qa+#H+rESaKRcs rfc;5G i3T)| =̚S4u.ý! -xT+(c͆%A6 {A\WmZ>ښ㨺ݰא 䢔-:&?P/FJ#Qalfs X jPNl~tN1g|y}}WCPJJhlHxAͰ`f2trk/ƞ U& ɇJ.bxCIF6J#V|V0e[>EE8ŮZ7UN_c ׹2"hҤ QK(`x>dтztauzD=7fU"#@uyη84d?/P<(=[ʹy`TYfViZMzMK~z;+8 fF(i"2ؠbLHU@eD{z,vL! ʓ#$M;?/U@# g&+Jѡ0o*i!؜b$0xށ]apy$i >u~3~5yB_`]T6!"NrV2CPбOPl!Eb)2L۞WJZZhj_/4ftC ?N&$fP5T0a]Ԑg[@BuzcCoIBd³[>%lWu=]ԍ2ԎԽR)Ibwr-"+; ͨ𕇃*HbުnI@޳R]cl8[=oikHd [=QJP8HvFoq $.h*~Zb~s+""G/ꪜ3A!- >Hr/?ܞ%?0,G%L-@ Fi`эOZ}+JGN)d(? ren|q3e!qpݶ/5nyaqr\ R> z/gZO&خo}P2tq]I M݌l2=erH9FGpb6 'l~ WO sf"C!%f#2j:Avafّ wnJz#x~k/`8;#i(LE!7ud$bܔNjQCsO V.Eqp0;0ZXʆ>o Ml]\u y%j.V??::N`сC'Q50ؓv6>? 92ƍ0@Aoqaqg|:v>M'pZ1ѐO71z_y ]yid|pdTжй.HlNc:Dp#׎E6f+odOFӁ/#wQ.S҉!}C>5 X 6`J3S;u/ηhf܎;5o>Kخ'W>VY/Tݺ:YaId@I+\H#^/`mi,hk#}z='R*צk 1!x}fZ+窃Nΐ6^Čd[lo?j$,kRS=)w.A+%4h z 7jD'Gąm,0c]JG1Ի3ppūQ܇p.L'HEGYI _*C&N*(*;\_~(Sσ ò=k8z;C: !0r]iA@?`A9h͎QONxda(;N4߃*"4xoZG }pW<2<)Gؽؠa(8%E!oj9$Ԯ)JM腢/sPC'%±4}"x rZ䏸8M"YPyB~:)RNqV t缛K/qoԩ9d:^~7$v5ɂ璵COeo^'9hpF:-zV^MDp[\.h`Lթ!yFd1#iw$B2'.O)MqHd\?v}>8^&D;.v_ES 䤝) i@M3U,n"`Z~GR! <$՚&d-V1!B s.|DVOMP"'XodfV FT!NbtGn5q'uR/bjBsf;oO :Tn˿ :Jp=Bwq B|0U0#ZT&K-yRkf3XxXgJ2\ȴ 7T?1[T4*.NTfwtccfQo=Eb[֓=QD"-|PF k6nx!3~+}kPoZ!/n#_8+]͆,}!-a!%ueli|0JتOEv#Ly1|[8Xˮ#`z3mf`q0W%yb ͤYLp60=$ხYZ"&G_Z͛{?ʼnv,|"1)SFd03Hn/ l!UKΉ/pX 66K!FthnZq(9 "d6x%I!{ fdPYxM:- {}1{Lo1{IP`䕳q  !hv}9& #P;.O)lިE|sZSUWҚE4i$*8C 8ʗaM<[?E 4>yhUZk$tEt3t3Ccu͟?*\ߕ lN$].)έűFan~G@iZ{ȉFfa埤0h.W ~ YoK?SNھn&)C4[xseiD&(lb5 %]Aw&@k̈́rIbԛY@hBɫ+Ϩu/I^7(lln؋67iSι\rf_*?mq#욉=.]vH".+zuv7a^A ?3tbz; kIy`qF~DL;XZ^E ;u>?)M`*v ٖG|Rn %oӅ24.%~?qשA}Fyw!H9Z%gi*e) OEHM%_Y{9ӰyTtNʔ1$z>UKCmvj>hiS=y҇\ڣ`ӓ83QSK+sO&c9@P7cs6 :73 9%2G|nXԦ#vHރ)iS3Y-KHzkvڼwؙA/r#Et?EY1ţyb/6nk66HBsYX=w>&)k":MMx򅥮 :mxoi= քC,%D@F%v6a/j &wpd8&8 )53d }\Gwi%"xL#*(ߟֶʍ_`~v.]lSB{`zS(0S <;4XY"Ԅ cD'>}(^##4,bVINi8Vrn'rJ塼NB4r ek" 9EI%R` yDQX>!7^y`B`nyɨ>׋X}Zx9@7[|fDF;wjrc˅$no4-g0)^"rnz@?-¡EJC<\@Nǁ]0T(=wy͟hjqed%JemR:GrAj/VG.SzQdV\cKSAݫ]L)tލfHOވkR+Ngɪ&O+ܼ}yb[hwh I{]$$MUrQ/ i㢼R^y~4ZvyB?.j'Yhi]G2E$P#ELU䜳7b ;f ktctPm6/)5#"8{VW=4*/INT_ K'Tzl=A^%I[Kbf)mK I7)B̭5eϳ΁mnRD s*;<)yॿao@pG2;#Lg=豢1/Xetߞ\ @ E7:=UQϚ> @DWn@8 ?cDy2$gM#>SҨYba; пg;Y*@Ŀs07$ d횆*R'B,}A>Wߥ8=Nko j Gq@4\ 0e v5(9摮)n&,lye-PQy{LFL(i*식 |- $^hsjS%nZ@b_ #!Dک(,ד9;?|dwBnϚOӑ&Swui~WytgӉ#5Ztq ? GCf/.ouqYrrNn>Ҷu&53ϊC); 2H<{rbs0ڦmx {~n :T@140{:^%i[CsU>Ȳ. ' t6,NJKaUd5??SQORv\ ׏Tz3w;/F]No g`I5lp#N7S˻%9)GP !&(>s,lԪ)V`Ie*OcPp՘DXf?`0wZOb,o >t9[̭aW) )Ѽ51 f{Tt/jy7a}bwmOo=>].cseEUL[0;a T^f"ڜ zJkc맏jBTg8K5L}ѬLٞίكxkv]38~lY) n&J[rmWC5G7Qxvg`}N\ʜX.>m'a'7!4<9Ż?$謩wrA~BPa{ ,5AV}_bgq뫌k 5d_FRF֗ )nzzN$q>*f,)DDuzу"U S_]%d|WeIaš"h+s!"Cm" W}*Y^yS(Y|)="v>VL\ң EZ^Pq LʺEk7 9[%{nt$iXza %gp)_=0+*'%vee?~Lߦ诠S%0v^rc;ֳC3}{A5gbλۣ.IA<-9 LVMb>_c%/| m] >Ϝ&ݪxc*pQFpp A,Qcjn 𨯷>r믲V} [M~|Ak'"Q}ۦ3MBqc[*Ms k(Ghm\rxvDeY3TÑ^F[x7R]Vy5~:;&*~:Ju̧Yv!lIPyap$ (*d<lGɄQ}̐ Yt;޶CxPxx{qQy4GiRz1P)qH)iܜƓ'hEkUr̺]3 _1ё~XĔ/Nw?G4[95I~3~N!+3R$6JX]*[/ .w03rXPp2Y4H w{G]b8.pDqb ErԿ4^Ɣ7y nnZ^x>D܃ ̺tU  aT0^n%\jm:@nF slkoW[G/"ڃ$ cx)P9PĘ) a Z{CM9`xL3%MCU(D2ꇟ&Ke2iCǿtm*iǺ@,0/^)GEg_8HiHEĴjvW5dt1jpfb ,]"G=i@V>d|NNY" dk 7!uxɅݝA pHtb $]kL~tؾ2IV{T{.*(TNbfq _(I&r֘kaskÕ)Wx-n_6l`kC}H}1?$g,)+"^]Mf?pmM3%A#(>$K`{#&%D[xu"Ò+RxQQ?MYds |o`pt7-g]WT v Q:\"FBWr$_BPҎ٫f㜠%8i64 P\ԹV;έOӌOoٜ%|u^QAr+l} =Mp3s1eք XC/k 2݆)mƅxFIWQ:;IN8߈3nȟ{֡pvL7FTxI/̲% h̰)a OXƄQ^d>'1HS ]i*xS#{؍BhUL7KWVGfkbryL\@e9g苡ZcP8y(וR酷U߂ý`MR]fU:zVz~)c[B>矉ܺ#r Rg(Q뺘,N4sGàS}2nщ m4Gr2W ZFCBZ4Nzj bO6<@ LOG:Ή@pײθOKlnZ*@8(M–ƉPɐlTz6\|yRo4u*HRÃQ fA,%!RӵwȁO;K;8.c HӯÇ֘7uЗtϖQ7),5deD1v0"(T C9?6{ g#&L ٍiפ+jegF9t_p( Tg1OS&GRkYzitF Aa&EFZ[Р:-c㳫"B!Z/>%'ns Gh!w }=1#.Ja]\. ?cZZj [ɛ8 {dbx6bWB][8p4ّ%uA烤ŜgzrLBq'2$-ʆĹY`6=t!e!"sy=x ~{)vA}1ks|0$!a_Ut4fʩ뮷e#6nVցLP4×! 9wEev$BEbZFbg˪؄il7`U4T*9$<ɔ1Q%;G̚01B,nգB++!#r`4; NlJߨx 9`2&Jsav%ԉqM6%[`M;scУS5@-uyp]܏~1Xx'i 699"G4BfrJ^ĭ\}hm,հ"#!B7w4>WYe9,ZJKts3+T7D5퓜t.#CNmaSvY-^PԶ_.+ƓhN$ DF˖B[5w1d𧗉xM)(I]dAhs8BD#i; 95V¨&b [<떦2j+{> !Q%]PbnfM\^jb'QeU1o\B w07`x')e!=V|ވ%kin[GW'儭2m fTA>ѝH0͍3A&G4]$ʝlkAJ뺸d zT!ʹG::+@R Dٴ%'Vqdx0tsY)^A` c_@=|Sleub3` mX9pJ\vT* zS ~QǐDaݎ%k]Eb=>D9ՓѲ3: ^?`5XLW+rxLxX7#=1ImEnR8Li*JdyWZg:k9PEt?TU}c`[.2y!< 8ZrnJ8e__טf5_ԩs?PY[~$0 `Ie@%|]Ycz^;'jŊ_R{kֲ'd.oUyE&.?4Q'םlo#7ECmf~ΐC7Pժ:[ 3r3"Lr.;fx~3#}3Fb* hiP⽊3S3XW꧰ӂ'ȴ3mCt(@g)sw2= |Y'``B-sXHQny]6k9I6 9R9lT꜑EN'F>G8RE.'{"USrYٯ:'4Hr)aӽʕL1ۑb[?')9Q .yΪ%56ыw^/ptKO/f~ :rv1nt%ƫ1| EMf9gݠm4DNg`BٌC.Z}{i;6 --DG/K<˅'ޫJDT0. 9yTHzCLEϼхݯ{}g=#dc&p o!9СE-h׿lBo; /HkU{ùh}<⏭a "ke Z'&lWz{a5HzoRB ]?UAIm)@kUSA&l5 ?RJ\@ԹH^}i^Z` -&F )0E}}z5C`s\^k[ٖÄٴULe#3AyB_Ј}1:ѦgI|CRb-7l=ݢSq \lIu*u\Gy zʳ~bv+ތVBG($,\xt=1le]^J>=?4Lr)sWgv[FNS7_A<= [_.0Ei֒C" :랹E4(g7g$.o(y6yL f!"}in$؟YG7{&`;XO+ p4}^{[AxqvQ DIAЅK $ޡsU0xXG!=`K.$+_ MFZK@@_ T>'sًY&/'жa.C[+ϡW,DǏ(b{M׹Z0>rJFF&5FlCdAy!x@qdBwfKO/%-iY\il%9Hʹ;MĻX}VN4gzYgR5ԟCjn`@mxG0#0PC<fBw?}2xx+Rb\eX Oe k&αb3-r|96՛Aڀ2Do3&؋Bbz{5`y1zVNzJhF{`q;EH߁rW0I;tٲbg&n8R#~D0pg_cW<;yzFaQ"s\~7EИ4O0zǸXnPxcLx:wQf:|ɖAL˚,Al}[5qΒuzKp;=Nn<2kT $֜Ǚnb6 Z.1Zm.5<$X4n}֦{?eQ÷mz^AV쁩=|Z k[2`zl9jgG{`*4uo!YjVht(t.}<G%Oa+; 0!Jq,VVn.(p; :(%{.n?{,mSqI;% x&ȃÅ9-}{xLBvde&[h(Ģ6 4 ̪?!T\Ao~ʬg<1ػA51l:R4ED$Z\uUG']J D[ `O:yb}Z[?#aQ\6itI6$ҩ_:k蟣LqVkz8i!7H%3bHʬ݈c.>x12b-5!mh³N7g/ 8ZSxtP:w[vQGU4!'.JqNW6!-F[nVte] sA@8(_Ÿ=p.ȍ@pr\\'1)Xc^4(^dSZ?,3J(esCͽ:tu4&}J6Y+3JČFݼf}eÈaiR>F^ ,ez+E6E/Mj?J)Xx:۠rL]^>" BSRi %IK5'aSƽuJv ĿG6KbhlrvalOx+jv Q@ CM#-/2Aa2d*XH NXtam'}[4ބl]emܺD4B|$Zl$8gYZ'KaN+ӚK%1`T $TkN{ B-vjj  ['1[G~r!ȭIN-(Ɩ` s%856À&# H)h.cKX-A#Y7m$tgmc1oqN"" MH/bg6٭,x~:ϯEVW_==cVǽo# õ`u#iݔQQ$ߠ6{k@'MבdmEYF֜ܲ Oˊ!D  &~>*M)"@ [1!I|V*+pN8u3m ݌˰v`աM<ƠENe´ ?ZPuO`>K7:oWA݀ںzLdc[*o ~1_lawݥyZ|珵F\9 ,*`Fbx@1ӆy\ 'ܲi`mMI4M mf0lAY,,þ^m&::yEK5GE1f`6j+nakq*h".O*iWݿdBBCüVVoyEdEްBbqvPְ\S1"yq l]t#5&0SeQ>-Nh)HEO nc)ҐaN65jPg瘫6Q ߜVʹ PtT&H_ցCw2Fe{44hRkau8N`㉃%P&!vUp쏋Lܴ~ʇ {V#=zBO^/nrnɖ%r!kwm(LIsXri.pn1!cIAn8P +XB//ݶ7ʼ%d܌g[^τ56 7c?u-K&(z|t{(ąA+? .H3)ukp8Dh;'om F7^|Y]4,<Ԇ7^ھDP'o Pw؀+}eX Tˆz {]bԳhZLPUIMNښCYsy$^C$@G|@1݀ gSȳB鮥u6?gWR`#VGtH=`ޥYRjY=$0&tͣ+ӵ Vgl)i3[!Il|?6gH :A ļM>[5"fk}o佪#{vgq5N;)BKZa٣;ks8=%0oj$&^'_mOII:|k̩c}M.=.au%kx֣;.EF?2HP @"4ݚXl̇^Z;Bl{3+:-? }槬I|:(7qq̕עQ:-T._GA+dE4 5{ e#9Fc}qiɳ^- !yE}!6^囡ÖwI$^ R&;U?ej:oYl!DqT/\ $ͯzv7zkJW s`p}sT0պi: 5w" &=';s/݀Auy̶UƑpyTLE,& ZZoE|d#wDs.m4f쒧I©3*+٫HfsHƂ`[%pDQms.Gg07&&ЊwPo ::*J>AuVl1{쩬@Mu;ָ!8d:|S90$[~AFWrw H3Wa;P bOpT'Z/GɈ+ q gsf>W(?ܯ|'+aQZ086BZTOn ߂h#A@ePiwZܳ"6uYYx&a2BUL)/HR^mJ0w BZ*MأF,:oU}Ejs#o'M{m@}>?=H,I m) 4tYn8_u%BPljTYAJ&~?w?rp|bLlKufs+Hr:}!y#jh3Uw G1"P^"n8oZ@h/4mqfGp9J#Ͻv;S͍g`MEϑ瞚|y;Nk;=1Zc6䋵efRpÄpl@I#\[c"uHTah$o5q_"WB(4WAO;YH3COx:BɗGD(2*:u0qU"IbmiXr g,;57A=;K#DǛsY<򢐯yt(VL|GAɄ)tip{'RRJ(Xnn)n!IGُ9! b-RI_,\*tᐥkrlŘ)4jw nlΡVlыDRոu)?C V H\GҞ%LΘJC.8 A [qz̓z@Ѕ1г(1N{&TF/,(d]6 "݌3S'" w`٪]eY;a>t{c vxTnМVDw E"~aCOt۟TKj8;D#t p|^0.'4aT-f.`meT*$ lјm0#=Qrݡ |*Ȯ$( X?ToŇuw YWˣ9 7u&ٙ6I>{pDrNfg\P5TYfcN}6qZ'Tc UH!: R}E@!Fi_ CA:5Mz.MOkad?nzIoHA 9Ѓit;ጺ~ |Ȑt#j=$ IXE)z%0OF,"/eF5 u!-1:?θ6-8Ds͸.w]}g\aux)h¬7)n8o@.46-u?~ʹ\ӀC]9ku9]p㬝JV~d%d'.\EO8MڬMI|6PIU2a|F] Յ7mDJzlZqQNQB KCD]1MP\:`DU}@T3W^xٺmtg{!q(v Unu؁CxKYkuNWccA/պ\e#7g,4 DtuW{5甜>nIݷIu5ߥiK6eMoR@Bıh\+ocO3lx޴ej+И>DU/[Uֶf_]~΢P^5Dj1c^n؄E" sHEG>OS`JM'r>%`ɣZ,͍L+<WF 0'{l Ϋ4z~8CVz@PL(N9YgDOD7W,*[nFIeNi>(uA,lv Wn-F{嵥Qi9dZ$g 'E ?9mKqDc--AʹBGm|Lr-;x(y*챂s!Z w*Ќ며ABnQ^xM$vʿx R~F;F4hYkY3[zLUIKdcӰ1N݂7{W1+˚i]uy0A?:ń >" 1YѢLu-c0M mfbMRXj9+Թr  _DS&@JY`ga;j85O SA͑X{oj˜A$2H+c="6FeyE6Iu[Z~Ȝ'^ [HwY+*WDHadmjD-ɆLYI{>k]bLů#VHm1qhpϽӕc =*E҅/ׅczʨ7s?J5Q'r !F'V( ^8 >Q+-^bՈdY5o$kCV\b+tRӢi+@ɢ',%h09ꠉ*A0х;凝ʶr@h=,ƗR#@˲&zS1Z7nhɗJ$;i!Ȕ5s?\C-9FvTf7As$bēCަb7Z%RիB7:/ުm-o[0g>Etr#!"#i޽![_ݐ|Ur[J84ϚLWH d $<"c:f+akm>Ӊ!5B_O4#-}yr}D0jm-U3nS)43Gt ?ퟧcXu$>M~WMH\$2Qo6k^_]saVsE֓H|U`̩g{PGwB r|2HC_qѽGKe݋w;tg$~mS נy>#@ `Ð@é8-Ţhr9NGn:,A6]1xv1f9`[4CjJ:4U\:˺B'9}h54%RF! FǚcCeE@̗8l\/<ϐ~6rL&k|⎼GXAm=y;v`V6]be"뚶3k%a9ꥬsVoڠ .MA0F%o>H=&Ihɡ 5HzDkejx2{ߚQ{cl#״*\~@]?/u:cjpg;$[2fT,{+6 UQKn[:`~O _ԑ$(O\|[rYl!g{ޣaijNt.yHcaytWNsGaw,9D!i߾fQ~}pA> %xE{WڑÞ܈iV,~eZU=-:H48#Ӯ_a-~d4=b| b έϋ>$ZsP'.26BCɈKTm_jO|>!VH™=•F8Tmo [Z: j9Nz1_W2㿵?q9,tv}/5ZY <ЬդKN. ^LW̖کe4քboCZk#ih6oj O,vWPcW7mTjAZ,fi]ij|rEgW"7!0mP *CLf]=%)&)Pm*B|,dVЧOZ*>І\fJ%TlwaF o%M 00ϥlUz 2>\ddlwjq'Dg 8h',ɑcw^]:wM;Ub CX=>0Ǧ6-ݯEc6!2@p:ceJC|^jT^eWtkG_(Dj|6 i<ٖ߂` {{bv쇸PaY rs$n@_U5:m%|SGӜ ~V%vݒD[ K^A3- LW;r36QtBD3BSL+b|#4C6\UQ~1xLjH1|M6f{z@۴8 SA]U/e_#0S\;g-R?:OlE}84@4+l/#C"@AsHSUBn]b?Zt>8ͻ"@;<'xBt4^k=0Jc(jEА`Q@W 66oV JWaQ>A4om[x#QJ z9rlm 0fn%*FZhhR:A~UTWCngWJEDrM D  (#P~s 34?ѭ0U t'QN$FD?QnP|€] ӂ>&\Bz^'YzaM}X."}E; 5kr!1鱚q ;|sDMa~$"C3mxb7'p2qqpf>!vAK^p6);o"D@_4\+O4.Rv^87$XsKĶMdJL@J|%9+=^#.:i7P hWrD7$cxJu&<عhl 3F3*8{Ap-\NX1l+)hM> cyI}GJ!bɅߜ+5۸-#"S:+E iraQ"E{nFqKM}X<ތ/!m'$觛i@#x6@~ X2{+#[9_f9*^`3=HՏv|, $򲊅 SqSW+_ OFYCԌɊ|oY'&A"] STjM_3+&>RҐ7-&hmnA8moX6@j;Љ2?IX&&B-UiBʚSLhrEM/T~6iR2?Wx\5θZѸA \Me~jZ^lIiR*ESV%^2( 4^8~Y],@4 =77\$`KB9hmO$\qOˑ|$g VH&cDŽ@Xh=<98EKZ:6:[zk% j#r 5j9٘dF4ώ wGիItI_qEhO_ܲQ.4郞por| ),bb) W 2Mv#[d Tn BU! CqrLDXawl0qޛbFboLk9N_׋ S ߻ Mfvl\7;k-# F}VxFy 쒊`ns%RbGP!tIY,:ٸAԥw3aBBJo("/W6~u6um(ۂ6 M_qn&xaub0 $k8Mw> #e@l<u>O"Gy6YylcG;|깑^-pbfKYyދVUd cb~b]yΥ#|g%JŜs :0ݾ9aj8 ˀF Q٪&- ljef.BqôV蠹95IF H)סombnvܵEKT%&bjC%y~i!hNq1Rf i/[WO -H 8ޗЖpq꼤!T|7,F,Qgsx)X@6!PᲖ +wys&6W@Yy/£_'Pqr0b@JJ7=! i(@v fk@e B >bjƍ!jp84.'8@7J6 |m,Xw S @ОI>6nuLf!G(9,W-@@aՉQn|9CٔdӧS5&a $5Z$$Y Fid^VkhA=z8/$ikhh|uAX yX&i2 իnU,(5މky(? 91aKB'pJsqjRO&@2,-CBδ逇P WNzTeU{|wJgٞc.5% tse1v[!J'אAv'MgLA ŷ{4]?|p|.֙-9E798K4oed}OE+V1$XрąZ!m]d'q"_Kh qw%f^c}3q^|Cp!X[CV_&LnnWBD)ێWWA4F-V 1r,C3@c;kQAqA e3t(l%x6*{k#},9ʧ},y-_;F2r2xѪ QȳZZSeѼ0xcݿƯI~oټRLZM?>޾ W_X7tlj\̜D4Kw~J@όhSjrIL!,V6~߷?8"mRlW I9QVr'ǎmջ:EuxݱزQu]Wgq"m)ceAb:Fk]xCe-vd4#.ׄc4QvoY3wZ5=25MG|ۄe.(_a5t}c19#h[$喢SKG ^`v/ 9ъӅM^A<`‡iDS~ -`F҂/n8Z"$7ځ-Umr_}Z#(0&)(LLu.lӍ>s`ɎyQAz, ]/>59qp2%tԴ{J<:Ņ.+ʟNuLL`E:p ҹ]ko[ UP仫//VA&8{RoT->_o Ղ9m싩_a-< Me$vzt]Wު!} X`9 #=9T\8#++%eaMH. j=_sn8id yI=h!dcp!q*``*7|$T)[tޅM]WߟFe+x[HfҌ.0 5И4x=1Y1 ?GQ:q;mX>4F uQ"&[Olk+@^LL1 L43y/-P-a[%𕗂^b`\˽E,?ˏh֒=  A~.{G4& YctS&^Se݀|tutDڜXEJ|ƣ?t{>FN.È?QLđ܄xzz.a.p+ a&[:fGQ\c0Z U/M㌀\kHQUa|T ϋdYԵt0 s1 Q1?tF\YSRT_Zwǰ̔uf7!HL dWцq?H]\"V yNF`g啕Ș "7-j _cHG-wjTD8 #ՕEqJH[WS0얏G/ g%l- ]Q `X 7|`/|eЬfhucx)|! ޅSS$TUFdI@L]F6d@{#Ja9u&/HTlcNR0mkGVJ%ME~Q..ܤ:,{4w#M^z^kKU)tV{NISFA3Xq/b#ptec)̡VoW8C5..՚wq5=ViYNt'L#"իͷY'5D jf̴ɺ)˗Yծf3[q\(,νb&Q!@wctޯbޢ=D˸v>#$ i_z.ZCb}<&N$2d8Kԇ>LȪC5H2Mfet3>yH)Cۦ|\dW3sS)TRPg,(lc\_d;x 4lLY<<})̙?nf׉ǃ-YpH.51@VL!QƽsTs1@hZ W{L s?%ڡWLϼ6#4+)nL;2o>Awwj\mV5=!!UD{޺'GO-ٷKIp]Bz@@r]] c(f(UI=`{CW`坹ؔPjZbp+>yWn QQKXTuGP^d'VR:ǢˆtM_a!m,a@W&q'S>> H}qѐi+zY;Ř`1X#3orzpBDu(P򀤁c;w:4l.:O򌜡|~TqЬv>̺e/D]'$'CSO&g=zVv,YisS=oANrtix1%o"\Tmid;Qsk$Ws =T9dž.Z[]G`82n¯/GR(o7E :Ҳ˃\}$ϡ>/;;F;O!iuEWb7'MNT1{ABWe:9Z&k({JmEysP㵫~0]b1}_yY4W = ܰe%DKk$x&=tê\tHӰי`8S 8ؑ7\9~oxe[OhMtIwO:ͧ=\* XucIs%ҬZHaYH0'amУ:#C}IiX~lLiYG b[eIY$F~J x˧$.y'*mR4/ed#|%H\,u@Lp Ja)EYh`,{;A#zܭI:It.ۓO ϲNH2iPH m{K'c#&& f;$t^iOy|\u2'|Kh9M xd" Go/-,衘22@!4ؑCG@|ÕplM%XiƂA: 1Lm( Řl꼰9đvF؉CVJ̺59-Ҿ2A}UI#ڻi䋕 Q2;rl>(LPOYso%AiJ|@(߷@9T\vZwvF{gxcpg5M6ƜϽ (Æ5|R.Q'$3 {nz:lp)2T37J\}1ɺ}MCe4YLiȂa }|5Īd̻D$E ykNIbЛs\M7sA+?imbY45?)zKkhf!!zkfĻvP2w)li)BW;avq蓊k6ay7BF18tGuW{byk /C [DAoςc[eFfo龻?+aӆ.- ;#:F"ergBaň) QHQ\۱ \Gz +]k`f3h$)ԧawԙ_E>ѹނ*T&U 7呝n!p^ŶUYݚ3n[z~#Πw"2(SvM 6>Q*m|VL@=kf~z><5B(TC 8z <:9^kY;0%SΞJٙ))J%Lv#&<}#SD>=ߺ*3 J)rfW؟G \D_9iY4pj߳oV|(>E1KWx^RqbnqNts;}/!A]eq=*qb&-A9li Y=fS:O!o;޷q4ފiq`Zg:Xԅx~lWSEYKeldHF6 ל( n5\}6A. ("'@n k=w.Kȓ<Gd,$g LZDM,0y,!㘱;v` e!]Xj&0/F]B oCO'V /]&W O419`nSo-:Z2<*J."{g/x%,KZ ng9- U{oDV)Qx%X &d \^mf~jo-q VӁq&,&L,ogs`H xU",Se_|x O^JwQ3yBr ^\j镜n)Se_p//5~Y`1r6UylG>b/xǬ`Ɛ\oӮbtŪܥ> TKɰhͰs W rQZ0#} u)R%7319DIY gzY3׮"\O~x }@E5 OoۣH׸'fȝ)(p9+&隣C0% T@RLm8W4?2ɒJE0|[y>&k1~dm"ز>3绿FԼyN؃6{#"b᧦b]Z"t JZ vvd(|&L"+9+w $JlA͟;%r 𳴧nsl^կpD_`VlxZr0Nj-D?i [7E£ϋoDLca7Buz8/~ v17;(%ߊD]lc5i y|n_y(m],);^ueT^XԊoLQeHcg'H\Y qDsD}kR/i:61YnG֝NI3X鈸%gN4B^AoZGfZ!K`m$ee(X:j-D _S JPqGT$)XݳDŽ,Z+4G. %[ԭlKlrÈDO9 P>9d =rlf:^ #v`F@ -},Zm}ђ-2Qʲ>sK`w xEACSFU6+uBgHm[nCz%MSosK !Iž W5FFNbўS( jr =.)ym7 V 6mz@XS.u2,C,mR@1LْH3Э7J@ (bTBC;96,5m-"q}pDg?:A1ZqKhTBAD ,YXrBXeǥo ]n<GQJuZ1R^w?+[uqe?cRNXP|(+"j|V? g5Yh| -!e98@ULTp\Z l'|!8{9@]StQb|-#ze~;Re uNØNrBS6p^1YwP* }0'^?TePqnh:EdW㷫/eN<$ϳ, .7wHd}- Gnُ+ ^Iʁ5 Zrp%eR~)6m(0ݿ,=K`%уmuܧ[0}(ެjwWnہ?#pE DqulDpgKMB=Kdt>nP9,a(~0am# {2?~+.7T_{q~ޥF+mE}qI_޶=ʥ3K$<5ovߙrB6J;q=0А7$dc Ƞ$>]n8<~V串YnFMՄŜ1;8!- zEt{CX> fn{8pM?&QJ6@Wk6oT&idM߾ZxFv:ErZ037#aQt.ےyvxWYuP|ψ&?0v _J1_?/i ǒkEj{2mg_V 딨򤁇y /o8#@u]"ˑޛיܱdrV+Eh=)Eo7#w!bRuy? |r܍;uIeQH|&WIs -)~WzZE X~ Ij^m?W5Vu6XN6x1h>K%-ڠ`t^kͳ ElXt|ĺ2k#RKL!)'Xc^:dѯ l׉<6r;FKS4+1I.5d/l7hڙ."76 ^uԘ@#+DM6Dܥl,`]8 (A x\X<`G Q/`#+, t&G$מ^]+לII`AF~O JJs>za`-|{tN . F~,H܄ %nTa}_B0݉Gߐb 4<2rh\Oyb+ӑ2GT̳9 L_,P_@%h )\U8#:e#.Z= 0peXv ( hwY $UoE]6quOѓi%y䏢ojџb;Q0aNo6S` M/ )S0b`]n/m}jtLA`/jȘ?SZ!*ʗ#banpsF/Nu0[zDnؗ~jjF*~a//ٿ1;$ @4};Kz$Ԭ6|ΠO\znh_zw9ڏD9a6=MC.߸2# lGXGڛ4s cΗֳͷܫQ?1]%돧H7ur^ӗ*24@w^[FibN'í c!]=sN|U& >.P !e *{w{!9`%RBc:wxp|o6('Ogf57K㵎6(FLSx*{lV\Zv?Z}TՒl=Q kNB??Rm:l X slr#szA9SQ#卅u=<,"ow{#O@p #K"'QKȩb6#^Wٖے~};a !?0{x-G'ͨyec twLg)?a_W N` y0@]U{oX a|F>Z nlk+.NP\V+C)`EF ۧkcD^$ 7&a4jԋ\uZ {NsKusEi+"b ::d:3ӗTyQCMHvm6]JgTwK&k!f:s aw`kbӌ/G'-pZfz2( xb..SaǦnBeYKgÁ(4@E6 v'_1^^8 uJ\tgM4(;WPɹ@4z,F ~7͍6'92<-0JGbq!~2@&#*$KZ,a`u SdK1zYu%[ԊJ# d˘":q0+ dZ"@, 1#V1`ˇ#G)`;FÎ n,yKcˎƍy R $Oc@b6mc/Y °z`]iV%#P|b씮xuHs%o?﷮F^KCHp|ĝg85z}+p%/"IQ{b/2o߃|'I@Ϗ[gQ`FG_Y:qB}H /`jOA٣ AU kjҵ$!'2 Y#Ij=#"@X9X}P/:_"o[Rht#(>ۺ'"O>a70¶u">6FX}A. ɅA؟z[HмzHh__KhiXxRC\GݺAָmPK:wPPm:}f íTelmQL{;XVipr>7Dڂ)gܝ==XUX5'2YV|U|fD?DL!lSmB lk/9_SP 9j<`Χg&$Y XAO@0dX )tNQi1y6 gЕI 5hC>{ գ/'MMy5|MNbz\C%sAK' L)1q+q&h,? Pr~cg!үp5X"8(5wGu)00@LW`]9 fiz)/-9#É3^fk#;2y6WWéi^Ϯ%̲wA\n?8QsDzN]ۅ-LƽsAw77sT '{qHtZ8׌,uM<^g]i @v[UJhE`p%M룡.dT/y~sH"82*ǚJ*Vj<Kj>kɦ6cn&+V(ԑH P'vj&mGo^ՙڂ+[C{sFti:"frpB 훨jԪpS+dG XbOΘ^?y;c 0!{PɅ$:oGA ) &Yh%=|DƲ=g b\xjtR'gtkv .ZqǛ]Tno͟i 467J _ ȣvIsCTe1qxXpĨsI flD̐s}y.E?Η\TP|q6bE!ûmzk\zf[#xC4*BC;/ A)g\p'm AGb#! Kk8̂{Re H[UCV /0,1z^ A(ུ_Vt!Fj +2!-*ѹN [:v xH\ۯ/sQB)`iAWM<6vV$cEĠzG"lb"Q@[iihv.9I>c vO|T@}kJbΎeƌ/K>xeoܔ;@sBSC@&4mMsۜF{GD4V2~/ۭ{Dk 4IU x  n<6 LoVAUa(cDM9iؙ@Nt7|:hؚHG"jöOSRbR>4ȵ7hBz:wL.*ĉJ+Nw&za 'PJ7kϳVJy1gCGplptdIY0ñ`_އWdl"3J2p^=18'ɹ HL_GH|äй ;t^~,glU8= ~vTTOxMnɧ8q.&suf)f?f{41Z:܏I@↸tb\Jڼ0n򹶫:eBC-ߋiۨJҟ=2xjh#B;I>.(t=_+/ D@ ׭41Zg'Pc;c~='R8+]^Ywrh0</a=&ơD]ɴ?uHq ?ֈ4Rg>A:1 /Ƶ]%g7e>- :h>@ jQYNwIvfGk]JJd`-u=7.Dn̿Ԋ< ߝ4QF,槶5kJ+cS;Oc11'QU鄾y8bqTz5aOmo48MO @) 0 6':J0>tޔ0+&tT2TWj,k0'Wk3Z L! `xg;O@uבbddDyVz()~Hod\Yhq޶&6.axdmՒY%+t(Z?P pц #W/GH5GtAX859#[0.3+#R!*D;ey*푖G#{ɶ hRYxH =E}rEVyϨ"Σ"gNv|ȿA_FR炳)UbyO:79n=JiSs6nGqm4pm`??VNgtLT,OᕟWl˒̕,Q}K޹8# 9!pOҹȾwˋ(KbRBS=Sd'ؿGu?i/dӥy]<1$acS|pyuT3 4hmJ|19X ^sHBV$CamD Fm\s['q`!u-tfDqt<)߮!C-;tHұx' =`Ő?) !7m$ID-Һ&B!( G-9lSJqR<Yh!U-VqMu]&6!}GUh<X}ӥܼ8Sڬx4By0a/ lbnJ–D$eeXa 4y/)`LTb[ LO5λs(8ì (M}.<K,Ś A46܍҉"+Xe=F;u`Vfr)(~Êus t`>TnQilƎpx/bV\Tj}?_^br>4WiB>z!Pi[ma[ͧl|jQ)o}i{΃؈^(D9~oҭ4Svl!  DD9^oa]r]Hs(,x|ҎL1ʏ[1BI&{6W`~zdFB O $a y3ċҴs!81Wx=Ċn|N4MwD .iq>P>:\s"-kn,%pj|麱<5a#IXfģp-vZcj;Y4X.:6d[FX%$$; *ú6btWT2W8j4W9^na-JA^2JhX9nWy4+09!8t}^z*jR RD/y= W9"Dez5Հq}<9ޯƖg;DnS馵P]q=RN/qh{ulpQnF"H*oWhU>f.;6 I!IZKވZ!P.2=x$po0\A51' :O`ںnJogUb]2zhڈחgUg^W|QPi&6kYn6u ߂Eh~]ΑdK cqtyѽ3Oa&1Vb}"c(E'厠QǗ~q -*qΧ P#Νӟ0_V:MfR7•lJV*H\cc~BVGxO|۟lQiԩVGΨMG_J-3V6 t"syVҗOGϝ쌬Raf_1q,%Vd[]p5-$lSHYjAQH5hiAu t@q.ɫw.[ Pr@+ >9??4_Uᳺ5֎H~N[1IH (PHCmg.1zy[(\˦Ώ*Q&Oa pDx hppe=-iq n16J}%j*c 7wFev/dQf*mGy/Zvo ⒨ ۼ'pM;K;4ݼpYk$pi-(bkbGr=&Bw@D Q Vq},MdL" 4M}?Qg~nThDW"?iKjͽ[ Du T4zw?{%u|}|kYO 84n[gs'!7HtۘÏNN JTbdZA1 /TzXpg>_ Zfp*9w+λzu[* !m9@iBsD&}J l{7 򄣭+a-fSyϥn +_m@A ${MJfLJ֕"?kpWRUcJŭW>*fD坕6[\ބf.Fa9k ^yDJ UΌRdFC9;\X:8uY$"j%e{:_л׈}]#R[yE]VE+[ dߚ@pY>,g)?ީO1>٭۱ry Au\3zYq0Bas]}ZI*v(dKGd}WO,2.P +9SϪi!.lѬb+sJ"d$OZSִZUbt UEzC}yg*'`{N'$d1GŅntQ!/:[ Q,M2k =@եmj0!}G{҈L.^qaF*%"zQ>aɺtԼ;9xB G`q2ɪzMc>txOGCYlP&6xz|bs>/0ױ.,g]w|[:e|=֯tQ`1̨k$[ 2 vwX Go3 l ,[cdTQ&gv۟Ddj$5=yr=4{M{Ԣ&k)x`QMކ ]À ]'6)A(@]b屉EG};Ao*h%di6XJi']ty7~?wҩB" a}?0 Z 2X * Y$/FAF%\jC}%'RTM&FS?g/XžŶAD!IG~.5uJNPUp?{@Hv' 4U/W W_@`zkل5n3rq?@!bh`b\y b)t&Qɹϊ-uXrW(qVϨ6 y:G%!'ҖQAPۺ3698Nj$-S%Jz@S'XUk;ZEAG ~*ٔhAsǬ x"+d5EySB &5?:*,c zQQ߽a|wtk7>РVv9)Vxv &O>$6e>ܳ|}OjYHqbāLD߆Ľ,>t|_N'9>7 \.+=hBAt,p6VN\(Q l2/Ɖ޸$J^-J^_4 wD?s:]Tkl}Yx녢X[1ca`ݳlcdzCcpw8m3bS^FKPnvloZEۣR!<%.CRv0U g7WpGԃ,1%-T UsaBR^֟O'bU(!9Şxe?`$;r_E8z6F.F qC4jBo̮K+~G? 1}u)Pz!\3^%P?pʺkUbL G/DSAb3,-DTP\F7$.g__.l5B)o(4v\Lә}#27ZB$qhrN]Bc{d;T|e׮ (2 =0[H9ʢ~F6i8.3HzhY 7-ФIVTh&W"70Ayx|TQaR~^p5* =oz.˕t(h [xJlJgaIfčh^9{E\y6zר!=UfZz"<ÎRI:OfJ]]/H(r ]عu"pi>;wbsgwÔUc|ߌ%5SRsQiQ]Tv= |^)YzMlLx6`h,藌b* ^ӰovI^UzBVo[MS52N9җvS h&r7󖚆U3d6Q?hS¡\AŨU7²E P|w\XT-Ll~Xq[tB">;aħ!L ~g*xw^%@4eȠ 'ӥȝb[T>ߘzbr֥CRid >;Z= :!e @k-8~BX8}Ѻ Y&+otf]?:~0̨?k0 ~b3ݙ|]ibϐYh/+cSاo X0" 4z*ȵD`{j,>M1QD(Ǖ. ӡ6Iu9{ޤ#7XxijB rju\g_Hᳪ%pA $;ABbV׿G&idjo /`SC|nfKa BQ+G%g|NwurFl͏ԝBaJpfCBQN– :lwnA#-ڛn%TCDK A,O=DqO^i}>r-\5?#|oAk47_@BR+Ek)r Z mZgC'9ּ@qCż>`ܛ{:}t\Gcn8?Ugeo)կ:Nu6t+<>ċJ+٫x7MRK V`պ?g59 Os"9~{͏GIiz \.wĩTN@mPgџRХ16`n֤K?|=-,چdl.nńIJ3qH=e G5yTG [sDLwEGei֙'%5 λyz&=2 ]U^l} b~2U')ح/'W :Y"[m&^i SX8iŭײ }ġ'̰ojcږ;=j^vlE}Czͭ~U 7Qi!C,NJj:CPn5h?TEVk7Nw=`;j(^0,ȷqJY{ ba]4-R4P1nat~{(m%.dEQ1 ; z*,s8!#a)Ħ .hƧu1TWp8qVB!oRTȹ$ݔ&'[eh%I؂̀)M Ԫn ǎ瞖~x3_g$҃\,l>zqp n`PxY)9k{P8>H#&u^&ՏdVa:ˆ'T (~`P.Utӆ^!Ŏ7WtthXK|)@=aga"@\*IZ]&RilP`ahfīPB2쯞BF}-#IVø%R f x@,EseE,_{P+""kkt/6ᇼ-F2m&N{,#Y# t(30j7a#a2ƃ8orbfX,y3 S9ue ft. ؖμ(،WdvKY;+8 ˎN&2g[@9bW[e=SFfE7/n%*kr} M9OĨA+jY#uJ*eyUVyrxIi)h)+fӶ$7IeEGYRLjMbUe݆xpskzklOyVc>@ J:iIԏ)VL0`k,dnP%S]IaF&h58kԫ3G~wegJD րe a[Tk½4<'y3m%BӺSo Z[(;lS\LD@,_B/?俁IE1ŗ1g)]ƁPg1V2-[+$Zh/UhUܞU~t3_}ܰYR"8xЩxfў7bΓO?9dƽbobUnJҲ EBj"**̋ }Yc-su0Tޣ-3g{x<[AFO9sx{F}oi r(w /Mԑ\J ,i*o.D}A, `M8@rZ1]M )P}[SU @ AL 'fHRh{h CƳudxp7dp8X%>[$ γXmc4i`%d ~laF*d덌R",إ#l;.˿L)4r^d*B s!!_2R.{:@É䌽hPly"K҃A"ojlw"Jkӽyze@4E lwh&Ŗ f[xxp.=%@'-]Oo-s6p¥ y "S.[Dҳ+.]~j^|6U3)؃ڥVdmcjEO嬟 J"-}4&\4;c:gUF8%BA,ј-5^#~J2~O!2IuAk uG3G-Y\)b;gM%(*Yݭ3)GLGXW{]A'?|sS`؝:^x $'lCњS,86FQ` :ơkt"I/Z= X~@.a>YJ@?&1tZ)~L6EU]`V042H VdW͙W#xum%St4,-7?7 Pdž\~7UƕNV(YC|buZ4NWԚ@ b~R0LY9܎ m36Ot|&atJyIP:M\睫ro̮;Yqp٦7Qp8 ˎģ\AR?Xa*y@GZZ,ƎMg aYBu/-NLS0xuD]6y%L^ձ96O^#&+ ΍ $v5n7PPTpK3&Y KUn0B@+{ [N>D(<~H쀗pyj3kw(Oii>yp,_YV ̟2lo4jmC5XuBZ5x<)ToEa>[p꬞LP36&3lyjj'l,:<:r庻nOhHы^'8+?*2?~0$J9[Z,jǫ͆2_[B MϿ@ၽc Q* 8e.S@޽K{.-P~j8 !wd(rF=}I/AQR_1zڊ'8YcoB>DVSfxǬ=H<05-3Lާe : ;D%xth(G3-Ϣmg*r'2$ d[~/hX[o:&,j[jdlcNQ ͏VH'}3j-䎴˗I,0R5 &3  W)3)Kw3Hb]fyy;|;+bf[狊+W~Z?RՑ!v[;6-G<)ճ+r>*QbSBOBIY76bDMƶϴJ2J߆YZKv#IƓ4`Tc"IphnPZ68Xh <o)( [.7ޱOy]R\-=dtoc3V2$lpٔORGnV)t[q.C7mdѩl 6.3˲< z͈>jP}f 9ⓘ@K*g֔D9Å&7id1xЦs Q_$.:Gl"!T7HX㑠K/1[ ([i=BU%>N{iE%폆*0>A%kE&cН~w]<>qo>'(aE?#':bDw?2W"O7jƨb`I)E0 sK7Zxs%3}P;vmBu2/GF4@I&Z8&w+cOwj⎌bXls2} j!Rhؓ&Y/H#78ZALv0qZ[*2L8W6Ma "@M@lSk)%\g c$lxzfu7!}IҦh, fɼ-F֩= nG I#";^[1@:, CS ]Us WĺܯK]!cd֩"#v R*ahO_1d"m~'1s"|a9>RIlԑ9_+^=i0P"Z dleE;=*1/P0lԪ*{fUgYEB疽*U\Y*H0RL1OБ#E0.,{v1RE5O$" cf_3=ôl~`Aer8D{fImpVu.+5χD%†>Z(de8cb1O{у<mRBө:0ɲwm3,cL嬃QwrvL?ץdT[GE:x nkA?oK<-!Kd_q \`AsKkpXW󑭟u*ވ/6.Y1}Ǒ٫=c'mmI{!"֭a2Ǣ ۛf'{"bop]BѐM.SniU zvvS ({LrE3*,@KJKi+ SfISw{ BAss #; \!&sN\y:G= Ȑ3wF`=3Y|-b_S5P0QckkG KUw4E՝L[Koxr\1_fU3u ?]M Kbpf KM|/*45rBdIhG ٬@'CK^lHkjY7 Gg-! BO%NU[nAn:}:я=,yڛ&}ZñhrEIP݊zdLQb ~@F[7Зs4T!pVHx(DSV.}ܳDw3%b%_e,{\( }{C\[C4ߪRڧ&HYt aq|픎Џ/vbdn׎J5ؑBW{O 6DG`=|S MlZN$<7Li6\hN$e{y:>|n@nKe] yڈ ޕ6A bZ([9%ni62@R N(}+u/Kn.D5"ՐGl#,YApX65VZ9GW0>? ;[4[ )aZ_~w%!~glJc(b m)I$v\irpE ,HW(A0hf$&Z5 8n8~ʪDE97LqwcYǣpJKc#!T^[v_-b\k*СW9{UG oͷj<*.*\c+pHH "ufEsNN7[g{ !{F~(1Wi4z퉑SآT$b45+~>)'xc'ơQxx6Li%~ԧ7'vubmh+YtnќJHҾ^e*Z{Oi\J\<^ ԅiU!?5Ğa"ӾUHuʌ;2|sv- ͇o2ưc{;( >ϓ}cO6z=;L Z\#_<ҟ^4ZCvΠWz!_ RX1ݦ}oVńrPG2T$@.)AElFATcrbxid&IlzP2 ^LE1?N[ _)0:nd/bXoS{.pCoe,ݙ626kXψ=H5+ZcpjhnNiJȗ8[w෾%bfaF1pM7dne*5# TkZݾAb-/,8|>oF_|vgXo`WY/6TǯM*1P_N!KF i,H Ƴ˩gSF&˝ 8g.!P2դno/x8Kt`>rcnoz Xkb?]:`t U~hw)#P8{8Vq\}#[Ѣs3BZǁ4o;5ٌ8w;k- `zl bRYMt7(CT$ (I2Kp qy{G'VZAHwąĊ7>NJL h)]84je/YΥi1\lxT aX2 o`xW rsE?Sֵ;^a}ڲ- r9>fGxEěY قޝŀ/\;CԣDX1Ϡdb?l+]zW4 oQ^$]G.~p3wRyc.& V5PtJ!ucyplb݉vy!H J¹D5侞 4mKOz׳p.T߸ <%>ۃkiN-NQ|CF jًr=j QUȍFh|D]o5C1,r"Lp9_$DԳ6]tʡO ʟab4]JMWOA^e# Yɂc b27V/.$b^`kTj0ExȲm&uOPkI~R筚?mg@ZYa,Vf2aҪ%SEDVpVF7X#(3p (t1LRg 8S@jRۘ ·Anu,;mǵ|/i=~-PYǕ.a f #j`V1r9+Ax5\ /#uhB+ T&^$Ǎ!=Ϥ=?3&Ҁx*c1M{&wP3l$~>!Wqn:226+}47D:TXFuT!(ՄbvuFwTw_SA}r2QYn"p`I)Mjam E!V|#$Y W>T?##'"EokxgeRe{V,%ñZ J}cqk!'adv\Dukz}&A!:hhoD} 4gc\0E)^(\=M)9/$P͎\H InybҊjn`#xSO&jh7>3M])Bs`&?Ev Ѩ/#Gu7w?Ӯz|C]] W56ܼB)` ޏj9ӀXدnCuynA?jCV)nz ?6( 7gM!Jca#EVUP[4[rҢqb\kop-䒿\n{cuI(]-tR1u&RJ)S"5ø7 '}lӇ ގL ]_JV;@@Aг_% bs,.ԁRk$)}x20䂧xU>(I_ܩ:;.O-E8R+ZShr=?nZIl"dmln03; qֈDgr/RV4f2р]K0r;hPtUhi e{aeN@TVex2@iXg4h&\N|1l U 0ḚV}l _<&  :ĒDMaT ם:ٿը+G"1 +:wUpj7i a)T-1 V0p.몦0eϋc JHU洝b]=Sz`;"Z H=DkTh|d.[yӥ>OYίы[&~(/uZNƶ;eu7L9D~AS-~rC cF##\~.[<Ӛhu+wOL_/7b&n!$kGN5Xp\˧x(&󛀣h`_»9C=xDLT%iGp);>Ȣ=İaŵQ)*( B׳ssR,S*6t}8;=l.k :#%*f 杤JOPwBo뻂Gq1Fw?O#gSS}F=N5F&AT(0æ| ʺGʟ}rILXlE.tkv wè|$o6Æ |^}/'u:Vi&*/m83,Xs,ȇRZL7)vTDB5,qh;l4~^ZΚロ/O xGw!,:W=k"569v`񏢇҃A 5c2iU쵔BYE!f6~_vL5Lzq*(! 1RWA'{/~*-Ih|NS #;2s ׂ&BMP]4\kɆ8$d{h `)-+,: w /_X$E;vJhahiҭRt.FEy24 k 60U&;E!'G|Ko`+@&B\8J~=T8T*tcz^$CUٛ*鿊ށG- nRd%EIN}'RՃa~TnttPSMd['~ʉȱPGAIJ%G'[wލ%qC2W8F1@׾Ha<]#:Q)yDh.['LƼf~:H?L VY*B|"7HP&f*ىh̓ZO1wIS':'! ټy .7 )MRk6.sF!:Rnz\:7-vuЀM8" /I̷ olm$= P۶䧼J{Gz~(f\[䫺͆& Ob%5/$(GXr\:d5@$ ю{2uJ|hh=-}0 D[?2]^ԣD~F]<0Zڷσd^2,Ɲ]Zd"  sa̓ir0󉈪D|o 9g~ŸYl#IaHğ&).%7{lJgo5lw:/(48 S?JJZ#֘>gC{ r>|nq; ,lݢ|4`aF$*)LaQ6wy|E0<9^1kM.F0.~I f<2@:(^ 6:F=8kwT*rEKw=Gs,Q_Xd.w\HjL:gy@h H>䋫e=mmL|)S yLf<]h_sBrEl8UEE}烆er@XsLL8Ŀ~pʙW౐IwVRv;'7**Y;GepW=UZNDڙTNشBqjzw;mrWrɌˏh@ҏC\QUp@"a"@ڙX 8 Z^ipNC 4TK"4g3<,gEŀF0 =H?4?,HyJYܬE\Dim[8r'._!IЊҭd TfYjOGI.' t<+ `xC|?YJ1Cv-sŒ=(b?IOT(<L煗^ K}2@3D0e`dJKr҅"ct9(WPT9QgʈCʠ2-?VHXYN5iͲ9 v:ERn.TPrrƕhgA.sP뗚[fsb8']:~w$5m`$c&G{)Ď7+ܗpFWCvr5ȉ-H_le`vm~7 "1?Qy8ѭ07$6jm\m 7kIG\/bjM% ثQ': )Y;E=:"|q`e]eEu 46Qnjk#E ݪ[ͺAZ%Q&jv` YvYM/]9yA^p?)Ig=EcCIdnr|b`瀁`B(.e}RCu un9rQhLjOijy8=nU(4d!H8&$|KHjH7@hy]0o?jNo>>w18# @nQnmh\@2?2b 9vqvP{]Ujh#Q%fn"xblN\alg2Ԏkؾ~W>{YgoH{hI!cW@9 7ҽ]ȳl%(0'B:99K\znq.B,QڬbF:6=Z]㑽^X|9V"ԣkw^HITFJ$e2UrfzI_HKhB*rO/L^$摿S.Z~?f8zf-#)Wlao`XOvy1r$b4H`]e\^6k|2O6TO P)  fJTq(QlBZ:'"gDDSM) HBt+aD;*9ǠӒ%gyP)cZh#3c!UpS~MJ,4WJ04;OGs8?j*b6d] Çѳ鲩ӿ uk:07piq2aWA;4.h:Us#k!W}^ihI_gFr(Dɬ A,~-DGdI',]*vy;}jz62!sB9b~BU(SzZeчRO8=>ni0(c̐KtkGп!«I_-nZ27X;+9SÉiJ"m`:+%+ '(X.BP.2_I(qTw)C }:!2n:sy>zsm+q3"`+oS:ϰFŒgc3xFn 53E ņW.I_4/ 3'aQJWq,X3Ap5dlܶ]g{ -K QxzY\|It% CZi_B ɒģ+FH5㱷l˱׊l~,UM+-MڍQvFn BLŷ|UC_Xq0N5qװ/]-0%^vC1s嘟U0[0K jY΂#Q8חXhjqWI\oHl q?CKk]ɓϽ!Ms. -…@xM"Z`E޳h !(r6HRW{ej̓>]ߌ+C<@.ϹuμnxY*]F_Cc'q81Zrڟ>I* 8OS;mXPqeŸd 47Y4Glgĩhc9_99SSGWHyMc_8?cܧLhJ2Òi" 1\FC z5p<]mϽ$RzD'vG ޣ!--S6Qer!.H56k,6nG9{#?DQ90fbɗ# RǛ*o(Z佷y{d i %c~!]fR~,o!+(Ѓ>,&^B1r{yU&w-/ciQ^,([~>Bє.H:eMOj#O1nףpu>3wL3V0Sig~/G~iQsvUD=ynXYM,ErG|P/ϞVdPǤ UK4WŁ`mo6]%rzaU3 3T6"nglFFGucaL۳i7( ͔Gu3IQ8\X/R,Nە٤fܚ eM >oXAY7ږ_nxϴ>c+ehv+z<)NJ(Ho{4Rw8, kD)EƬ3_,Y+b⼉oW6> }QrI,kA~$lk͵E7蘭l Ekw!W#u~;noTT4_dFb;*CYpݵT2(S-{0p-= ~V?LU:ƑP ܬF`;02 c qj P\ĪOcq[3 `4ԁ ștU̓^$<\T dӓylߠsV;O">VVLX1VSBf_sӳsTs%&7+UtښMJ4w7p1uU5Mľ@^<(HAGq(jBZE^G =9N2k:[>ږF"x%kC4͂r}א/!NxTr"+v(x[Y< r JMPVShJY> /oTjn0h `4#C3r[Hw[`V6Od76xczt2$nai%u%VƮW7K" JB@/âkZGUp)kޤ׉t8kMar1L [uK7EU8eޏ,RJ5q9/URݎAfHPWdۧ EY!MLU``fAQZ^e%g&euN ubc Wh#e4gF5A\37$٥Z5R$TmpY4PH{hM"Lc8<@nfJL@Fc~ې ia_ b5N^ԑeo]C'g&Ug=^zlɿ%k (el]3kzW&I6@fX+(oboxaC q -ΏP箭I|VIRTe{m^w~o s*$U<4Ta,VަHt!Em>jν 1:p4DLsHSB>V0 K"ƹTfs͹4j`d=]ؼSl9jԵ~O"[ߒ$xX c/i:<oV']'Zg= /ي9fEgsCXy8R҉JC _l0{xAˡZ<r/Yi2t~`އ6+m=,ݵZѦfL&),2XBZr:L@5tGGkrW w`  j! p욙1Ugp9AhGD̀#;Xl曔[ ꏨQV+NDmRd_+JG}ܹ"FG\1RU77CoyŘ#m{DهjbYj7{">;1VEoϤp"Ѓ̈́p9;VLwɥNnqK syT:S㞥Ml8rHJqܯs;Fzu#(jT(,2d*4ƜI'Q8JB(KTuDOr(1VWB*N7pKnNJI~(CDs46KN`2ѡ֌7?$cxO%SCXy{bk?G/,|[x6)vi\/;,ၽ1ɼCj4i|ss|څUU9Vu~HMĴR# 7e\Zoz:3Y``4%\u:ޱ ޮ{{wJ(fXh݊mBѶ} #8f8JͥKBv~tZkS %ˈFeyGypqJp֧`xz/P.z|4kdlO0UHMw֭4 Ȁ7x[ԢĩR0h$"X%fCn)" '`^0,G.QNZ ^ Nir5N4ζO,޷oK/'Ʊ"LST>7Yb,D9aU<ʅfʃbg 0K}[Rv5 Q rznHpX!Hؿ.4Vu܊HW8>lȠSK">Wx@_S9TVUhBsԇwW4? =ǁ2Xϡ#k8c}&mTJ`$eFX]TȸH?p =k䀾{QL yfJzN"l}zl%v/m=쯴q,C%SPNB]n.햊jXpF)r%?2h^~!*ąb0!]ߏ3x\T?t襤+Vd1G\ݒSeE?[z&5P\ cAoH I B+,M4gUIg>5nZO0IN{EtsGo%P 1 L'B+2bZCF#e״ӇLuz/n> :Ts]8>lxj|A O3C8FXjݐae9/B w:zN}; պ_62SH ҋr+7ӄc$ak^b(Pze՘ e> ~y_>Dz̑6|D=?Ny#DnzzgEmk2GRq+U"%4El -Rdy&v.r&S2QCyPm'|+L5Y+DJ)}-U&ULNgy }cݕ (.CDzxE ;+*r;8r+csn, [dFeζi& 3J~O˻Do~5>d%"ĸ=`:="]/0 >XnH1րhraS2zso#8񦡫A Al(Ay,+l_9x+cuVz 4KnaϣH~\L8*cAa6WA0B~fl({ ?14T!tAZjIf /$6CDvvM| i\TO$Xek?S~Y37@ay=Sfʹչi5pǝS@]mDӺ&>[Qt-:v_Aś׉!.y*9缋lt~idL:Ep@\i )_}!^uD9QBrsgUä=1nLmtˡX5 |(ֵs}I].NԼlx)4+^ΪƸppnfBf.JF 埙̴mxVéqf g*e"|,R=%B3Gȫ!L#Bt 9 ܀%UEՊJ\R633NmhF"#Ɩ 6>=P8;izSy_ L )YBU^t9Hv!+S*,4gIdO"oE9ݒ߯xY?*&CTP폺j:R&`]y hǐBSA mz1BaX'^-4%QL- >VgɤJ a@.4)MN9<:Jw( !RD0mb ~!yTpBq~\JXu+% PFgj,+tC`71z o  ]xdO\:̸݇Dv֐biCx 7Y&`7Vo>i Ʒ߂3jq}$=V<&LJ9P$O[kт$(%:ljm%LɹTC#d]S`Se4E5cȉkܡ0b\_N D)U7}X"B@C4Dp$l 9Me0^}S']ܾ(6p_2u0G9CK$Ag=θ f )tr W{+֬@h\8cl*a6r wKYڬC2N*Ls/dt)]8ε- Ɗ; HN-qjg5oe 24qwsj7 iݯfyF]\{*PDuX%zE/mf S&=#C843twnNCJ\jZƼ _ޱ\:Kz97[1uo dN )Spb0 ڡWLCĽHكw3%9[}"U\}ٶrz RJSGӬY \:z/Q r~lFs_Ղ]YvK  UB!Z*;,h$[Y9Tx>y~>%eqb.lP=n1/Ia}WC'ܰ hZˠ_ߒ.vgǍ*,B7)iefi;ğJjlփ'#7(3K jki}͢EU1_*{~DA Io2;ekPVVGUWZ|BM񰷍@14MٺC&.3kٽLRid B;Kйɶ]r`h y 9̱@!U4V5,Y_fVN}H[yy%FG!ɕc-|1>y-&x3IXEݗo͜f/kNaPލJ\1Gz>ƥĚ׏f=Ҏ~? ypQHɔt=| 6(4ԝx^ōRAGg7?Hvp V069.F9}bV5p~hVTF ΛQyk_'m;p@D*{4T]ao2vw9c~Sxy,(hʃp1 U< ;|"$5oV4mX*:tn9QR o]'xMlI5Di\~@,WPU=j"U֊yd.XCWC@$?M>; S=hð){3ʬ3I o 0<%аm<YTZ#nq[Tð.wf~(1"W͇ EL 1?N(Uf{,Y5FmH\0[jYhTtR4% +_ّLW1ӈ(%utڼ,Iv( K-gF C -вx@ThXvK].'}cCjeh:LR)Kr7{Ue H"ǽ_ t<,f 3 T56iSHjD?hzU@"Msڦ4eP!<5\jb =1'G {bBdOjf$SXrjØnյCb@eF9:ڹ-]ٻؿgv ۓ´ E0TX`1aFqZvQ wr N eYHAIMbGbDt+?S^1;.tr^gŞN컫5!"»#_>&FZxKML;aSǫ}M$uؒE+LJooZij< L =PCv'ίx i)5WpO.4BឝݸgNznqFO OUZ;:қ#]K YV[,NM!AIbk(> 痔diYﰣ5ܩm:#,e3Txu kp m#V=QOB+ ,taѸsO,(BDX;$Qo jeB=l`д& }ѩ|KPn˄+L_p8Tc=}e*1EuBF$sg,WL /R@@1ɪ̋ZFHGzk -|W82?ƅHb=o"56eO ^ 1S Ѓ=]Q dN5R,rCRGɳ] >gl$,6e<~j+K^t{T@"eϖBJ a''Q\OXZM7FDYJ5,qz2q1Uzćxn fJ%:d+$/"!M!ɥ7䥐_%U\1) K( 1n$]0-mJ* A'#ldu:>HrpPU\K"c[Q7K7)xӶAU-0j7zܥ<ۥ> `?sV SOlTYƈ9_ټWqPirܗ~4sVh6b, W!jw54s2cJ]vC)W2D"MD!]5l'][_/Ym^ZS7Q#?Ps!s99PZu%dOGA^Yۦ0DCOf]|%Z"کR̠f0s4qH.sS&Q̂y`ur>H-b|qq.^-V<. }/>GM# aV, iܲcUq%:'f4c%Bm-o;$Wۅk#ǫ+j4>5@0pŀ!1A+<)Ǧuvcszd{ oN(&1 'nR=ILtȥUaAڗ~wʍBbn2H]  # '`>lK VIWi}^~̛j0}$H7-35f`V0Y7Et.#_F4A^+M_) ěG!`Ȧbl ?H0Ͷ V-+i~~w<[\*>z*" 9_KH wAT*CL5PeuLgZ ]ő8``;sT;# ~lb^VaN3$0t=T$RnkɵQrܓۣ[ ,囟uI@º!Ch؇8"GbZ" (Jsb]<:9Mq  -@ dže._Ȣ/wLKLf0Ke<}A]N@=?ݣ\`f]@ S.*ۇ0нiىs96"1ɔLb*gwjkE71­blZ:s~z<؄#?@ ^"+ R)GBų7|+wXY [@Âe6 w# #ѕ@%O-Ɖ<6CR[8~uYc}k$lu{L ;>S3`Ai>SrB+ 6B^)#St"tFV'q#y8VO-@DHCepNy}+om6gSjF<0ؾ+clzV;R1*ZbAh$.ŋV`X?}_um%pm5WgMRJv1ƥd6:`KC4z\ZM-#s.T Vuiߓlj8=$$fg{R0!yvppZ ?1kigzws #2z'}O{d0)Eh_g1`(xkatvb7FzdKp}!  !A\ј rA/WĢ~6 VkoC%nc=Ji1 "2жA8S3&BlXTˋڈ qhϏԤ`BΖ$$i-_oQIʪSZ6n쀔7^8vͰ}n]Aq %r~*`c&|QН-lܬG ?6WS"Ѧ'e=NFy\ћL3zB{sAL0[Җ"Jc`zvGIv|{ym!.fk|JN)˱vHrFz5v.3>yܻ"@ EVb%VBNP`Za{Q47c9f^w;Exq=h7kD1{V$=Quˏ{M5YU]$}GWIkhV5ft"Z{2LIqX&qjf`V0ag2 (EͫZI'@( 5bOsϕPl؇*wڞv3i&^{z+~-&؞QCxk3;~1;Ma.J~((pZjϚjɩV2f4T@^]?xV)maU7^~k涫̹#i]z paVsv_mD& )]֭e7yBy17b?OmnfhGҴa`K@< J0=}1 HvhpI.!P+Kɓkՙ0ta|kUϛgIlmhQ2($+0c k3A꨸^u ) 8C<wC&n? ܇~ G > %ЦO-+Q>l3݅i P{yrk?j͠6z2ꓞ:ý:Ƚ+<2}46<ӤDNsy+Tne3P8Ԝ5Uzu9,[ߕaT5/K`6 X\ȝ[E-S̤TV/Ze{QHD>A94],PT|CrR-Kq$HxSd `9HCSSjg'J)8N FbiIaR!?!ef wBcxz^ÒXVj:ic9Ri<Ǻs#'rQK譶Ac=}-}+ /3w5 5$JD})8_S^ǖiʟo#n-f3 Ӭ֭8xJ,7V'Pv.njY-Z}f- e_4Y[eW }\P`ޜ̕W?cPzcj} WHA1THH/|%:EoATpF+FfB<:׵9|f4I[tJ*>3^"M~>ʌGܪaꕮQ3 ZEY8Gq5b^PI< xRGt#D6\a,SdiyJ/ޮrbfv aިF\z2; KCˢ4˲kaPmiqzӺlp77d-}Sb$xPImfN;@9$!t1GBCLws%'@1yE/S5*y{2'ةi ▆nNme]P=ܿoxfY0B1oywQ_}{(Ll CSw^kiPrbؼ=0뀲^g5Lo=X^VH8fM:]mg Ͽ#ΩTD qCc#JPxRM$)"4*Aw%p'<1u]5.)(x>r3An0>3aُr~l6O'Յtbe;a5WYGպ[Ŭ8ɂW7vF=p!m))e,0@eTؒ+p z|k h-+p$ߘ՗\GSZFuA-JmBX}ZM"PB!}}+Y"NAA4p6>BwqEВw崃t_7pcy.#d 1|~Vfo-hom-" vMy"Wc ?!pmG0 >V'J ~/)a8`XL10t8/WppW2lWr9nEY쌚Nυzx{$mw{yOFbLUlWBj/ |+۵)bJDD/a).|d QS @]:]M+`b3\RGwۂG80o'u_܋5j_E }S^w<-7۾Lu̝g z-q*@yzRIY<5t~/FTO:fc {{Bb=cn IQ+R/fsDVxnBpQq}kCoڞx}bt꽑9߇zi{o 6NRrۙ0A<rgte+eC~|,.!)e~<*ka;)Z3 9v ¶MhD:yeB/rOh5iFD}U8wg=ьm'`PHydvęhW _ EJY>٨y+6=quhVTN0q\--Iʫ:#L7}@vC^hN^hB2U!֢^ 4!PE{4Z˽"}΍"00Eِ^HMӽ6AESwJ'aPٛ*L}86Y.$J+]A<Tҩwj}#,Ѳh暚F!U^zw@D {o~IQt@sKU>_Ze$wa$n !umI';|,:Z_\LH6b"=6fAy~߶-si&;]xֶWlXvx|4R _ŰXw%PM2KEk{lM\#fZMWttC_`^C[7VJnp'B͂ =bЅQsqGŠw?W\ҫ3)\WaJTߺ%u}}=NzMi10 l9E+bN`"oFM?kIND?>~N4CΦg`CCw$]ƠK># =AfLhywnv-} EB֤,)´A "W",Ŧ95zzϮ<>Qː4*Ж:e0zCf⛼hԘ\}搉a Lm`р0l1s` ,8@\ ,,^J)PD ֵ| C2AtQPJLV`TP\F"FXbtK yHql PAc"ֺû%dx#4t^T=v/I3bBk׻LyY2ITˉs:ҊUCԒ%WR*sH 쁛?۱c?({" &mz2\FjYlz@<M.~?M/6 Z{̓CcQb4bd㨢dŮ]Xcv`Iv3}hX r:'% A̱a05.) @Hcu6E ۫Vsm준%Ǟɘ\c9G3_~]hn)֘2 dqG͐ '%+m2z'VM6mlJsѤ⤌ fA(s5ZLm(فxw$c[8{T)ҡd>ϢB/L9ڬ8ԅ-tG$6.Eͼa#k⬏h̯ZS6|$Ɵ*6旞u_"kbFF={Vo[3UDQ+i癕{HZ "|$cr-i?D/a7|[~wK sxCan4HKRvo4e;Ԡ ǁ};5 pB~V$vB/U7M9$㥐% nqb#g[El>R!tQ" u-:9iUlxa"hX&{PBd ud_cP ޵'HVw'$K)`z&\{aw7wBGAu6JtNEV`qa0q.m|TtQrV "pw_O%$LXF}0e*Ee'+oLzbsȅ4t|"k/6UPte`=9嘲T'C +qC=f`jxS t:5e%NF&\1/Tu!$}'\k[FCۻǓߞ'ri;%)w3f^ !3ZU J'qq\Vz^aYς3 LǴgsi0 fjascٻZV̢gוPgO@UEn"D=ʴÇaf;/D<°3=E2LBmb"NzkO˽1ܲ8Hh 赛 *T#,^:y}dl,ͯZg2=!LhKb)pop($ Rp$*_oriE!OhESYz~>3%ՕB4S#Vp&Hv.`:X&3/Tp[ƒ!ztiNMR?Ux+z$ĝϾ\մ}CbICs\E3S*)0N'iw|DI+Hc8aapkCPj\QB;*`.M OV*a^HcBC=Z3bq/W[dzvs{G6Ŗ2]>Efbt\,bڧ)!|;6ԷIb" [Kb9CfF+M"=&$ۊІI;NJ}I7=P"F܈}c3@Hu;BhSsͭea 7¤#&W:Kj+É,4|dn ^E^k?x`tndWd-YTYS2> &.6]Fy1v( v5.Qdoց'xATyB'QE|GGgi! {9?D)ȡ^W>XVi]ܡ]cddnqo A(C[demb7K?YU7w/-}aE-Mv6Q wqٙl" KAܲ߯w tXe?:q JTY9eX͔>3:2GG 9yh*3nFrXrȲn=9'6\SqEVXB9L;Φ3b5'F!! L#y""Nň&:u ;껨‡"Ԛ1DQxغ?)"$/}s-_*~BM(ۅU 6iNvYa0]#'2!|4}wK ›OK=WOZ2,mZZpy7;sS^pR!}p#g.{e7BxslF,&77H }CwSg[3czbW˛fx/fDlJmkϕMmpSc!Bz Yr,jKbt)j(v/qF-y2Ms2nѮm$k3:"\6z3Ò Ӎёo⒊;!3MI\!-Y5+08Ju)P坔3>pi\Oߜ ug5k _Hv(c=]jJi>{R2y\ߝeO03)7一ЧJНİ 4D| bda=TW"s[ۤo=n){Kd﹋+l/x%5 X+M%]1P=zoVv,0L>=oi @tQ]s0!s>M%c;DD2XAt +lMW=ȈI~R \a)UX}6F_F(EfJސEnAl}\7@t3L.ֹݻH#KB):_qXGO͑1^klQBu TC3\<|ۅMԭ1\t"[IH/D*qTh|J"Do {͒dOxTz˖𨏼_`ڛO嚺B"YV6蒤K rpÃ{L2k7/ VvnUG$8}nj'io*%*KYHR1Ղi,z7v,Za# OyVKI)>.CeCrUۨa YU? SnBg[B$ܟfۺ6|JxJ:QYS%,BYݳK8 3PB98ݷK(_N%[KT¡w }q(R{:NL=/Sok&pt󹭮C!?Ўŵ_.+0؋ĘD/fs:$4(i˒+6uӼ>?uM`=3zώu~ho\E@/U!:0 lTَUk]fD :QbK5-SAye[d3}cvT$)nڶe IFR'>qMkze ;)oCGg~><#w0GJO]F&SX0v݂E,:bDmto$)$&*gs''_ddB3.13Ȗ%BNn#UwO!b¿Fj~ fg~AҨN|kvyEQX3dzɧ]̲ z AHUz$"y;s6uTNOhT{hMUSۉ/B^'AXRY&u2O ~l[)oR"x7>z\G^AǔwU>ȏڋ#h_\Ny!,~pl?'rESuw3b W1XEp 9pad{vi dR;Dq_R ŊON\yiN``߮f*ݫKјrj=;1}2q)3#N@eGNM+@f߯Zأa * ~PI2eҮNY̪c hiH*)(Zg՗u]46%U}VR(aA={F4lqNrex%Vs1widʚw,ݩSj5b~wĪ8ETaf3JEP!_iߪ[52^=UǞilE U~`l29Œ$ ׼p+1W\0<\A’(*MܦΨpQI^V5Af/41L!{@_-wSQ'$+ddrð7v!O/N.f=Cӈs&Wѱh\uJCx<}V[zؓ>- t^Mqxv_p|83Ck9uO@U6R1/2HoEٿ6n͎i;'YIN ȧTSL*,tI=,Zq#47嚤3pl:a2d]U'br)դ[R I6X(ǃ;lMX![.[5\@\R_ДfWamҪ$:t}( !ujO"'J=hUwO0Qɠ^/ 09:i >E /=2dtҸI-RSL0$%CREb"x+υCHw Ttઌ`j[% |QSItEY{Oqs H5ehnNa:Fw%Yȩ8> b^2 IJgJL:Gb1'VLbZdPrzYʟ /_9FEʚA-ɉ{X>|!ȲFkO 8Cz|T]\Wu6Zdg=7yqG[c0\r}צ8gTuiza)a)&LH/Gå-M ᅱ֙?tv UuNޟ_W8h?s,5t䕲C] .5lg;1S"exkIGa0ΙT}gjE6Rr Nku܆י"})C\7hQHtK5tX8g>vT JS7 Z!JyAje y9a1ι:$gKAM.۲PZOxm-Zb^eAAÍGU]r%Ij7#_mq2sّع]zbG\E6M"7c "Kre= ?yYX|Ta |td))!ME+x4+О}(Zxŭ^e͠EY,x%n-C*[Nk6Pq%Pݥ^,!NjN樛Q[s[e׊pp=*{ HE3YS r(tGg#f sL.{A8qs ݱ"(^޻_UJ5  HC.Vnۅ|3Z)`xÿBŬGl"ӒIptrbk{lW覂 | ycz1f;eeU ϭ\EXle7ҲVc aS@Lztpj8ÀO 0}[c5uCYO톪kKOXפMq4 ?͗AQO f#xu I?_P?+f8EL8T%>;7D dWJڥi F ~G-em٠V| 16#wi#>kh~ŋPlJwДXջI*b1=y;r9l263ͱRLT)u a@'3 3QJ˴ 4&tEf@rB_3bzEX14/Fbۖ&"%tE3 #8?;`uvKVtPxa,ȝgK s]6]ao8K%6bgH70x(p1z*S֢SCG09qiaG5֤zC()ʼnMyZSu٘DeW .>OUQscGRX*55! #G'0h]2s-x sjԖ8sv٨$dNYD徥bBCyooImU~3ĜU[6&ߛ8Dt0Zܑ\zA*| FWT 噖͝fi"Cep[ v?(wKc?*(:2!m'CdJ!wg~ktu6lYGA,;뭢Wx "$ W'3jaoԾ*eͪ tݛi.@=(6 7ǹ;; r`z஝B.`+XdWZӝM7ղc2L*;77%y:`Z 'M-\b[0ƥÃ&whݕhq`T,#v9hhf֪[V/kGbyDHxt@""F$N DUڡ¥--rb Дߣl2rŽNj2xUFۧ▟e:!(͗@/>Ɏq?8Ā7YQf\ h!`˰y1kCɫ;F\cHE()Uu mP)l~f#NI\^u;O}QBp<&`ͣPrɼ>HThL |s#ug 2T3̼ *yF6sxeBle4Gc\l"'{F)5!a.j9P3 4hpwRt]= e8lLI`piCtE!/ĦO5O² 1(Ŭt)6:?@j>>mo>jfs {;x3!h50Օ6"JFmiC;|sc#r)s pFtxWdR5hf[iRjT`[kx^.2&GO~P_jV69]VguMP,{{q d qc[@Zz]nr?%%B`[k}`2YuƗ,|Y R#*կ†ּ %Ug}pK۳&8E8M\R,+Ԡt',T J,@{!FҖm-1h@o,A<ލ!5 ڛPnaycիfڬ ɚ*hx3ܹ-3J= 0SCb@*߶وmPA/ۨɯ>ڡŰE*~cԺ"\l.87ڥnCend{ LU9iQi6aevE\o&B)jxVpb1(@DdAv#Ʋ~A|r!V.?T99,Iua )!/?kL Ԫbu&̲paД(dߤBcD&ه)+dfƪ%8nII[YA-+X¨QW}ۋu!u{P/5<Rd6ܹ_,kϭt. QZ%kC3\nTP w[ Mqۤ\" ySXPn9BLJo0cfMӎvn^ kG@h.#1KŵeK#mn^Ecqd٣,3p [ID%Lhm}MK q^ GHh (;ɏ;(jx;dحO/ 3Nb;ʠSX1לXbd5̱8kWc3돀]p=G(V>,(_̝LjS'A9X_Hу'vTa<& g2 R-nhAb\1Y_Zv400կh!ARߗIj{? U,UI[c:=GJկSm^.1p3s,ўþ,(~!;x]6$w3F;p)v,|n >NRIVD+,AEHDmKN՗tiYk,/I0gȌT< 9: "Ҙe/e4FۑmR'Mcgmy|q%j>$ȱ>T PIإ >-ZSY Z3  No_Xjac{!A}' v,}y=ةpg7赛#(-MES}#iHĎwiKW ',>1y[lH{Nj 0 `:UV612CY?y}ɥcQ,Ί~-3y֤tK%<_3EnO1_45~IwرyU-TS# lND&c e"sCDR;ԑ.L_*G33U_g.I!TKUgǮUR',x,8#}zuYw-cVy|[#El> ;Qs1-om"(0QZļLILܟGbTclő{Qx),6m%\n FN*s70'=O?$)c5+1nFGx^^05A%h[i U6+7"!*Ts-~A#(Nxcw-SFi7&ZI1)Hf,ׇMOs Y: ip2 MX 5"@È0U`R̈.˫\%G6G P_*v,NC|hf!݉~ HTK}iSEßs :Da, D,O|Se9ZnްN !1R!̑)z%GEj2nQ.8? ;:S9;c]a?TKryv8]%Fx^+=G^xftR67gI]81O 3wp4{ Ka|+ wR; NgRd ' {(6ϒ$+x*A$kJlYjQ\\H*/-]j,p__TVxYxI\r(ڄ<~]i)qW8ceW6Td[&tO8pcq1}i6x29&E B/K0SbPGP 5;M7;c͉Jt_?I5_R`Aܯ⥘Jb \`zW?~NC(%#ִ0&MM"rmyrj?;4BR[HYm#Ϸ P}  å*/ m$# .swB6QGHt[8ݺ9m| gkDjZ!Gϭ>bvK!Xg9jMb_l6v`a8K9 cMu-+}f9.SZГ3v*~5kBLQƏ<~1Sc8&eX0yFB/_^IJ pL,ȍYz_c! ᠴn5`p`)pAW5-p~bj)/&4k}UfGݨ- '8PʕѶGحU)ij" yw9iz.E[!Z[AUry@g}"gԣ!Q((9ib.J;"vN!$HNJ4?J\ rErnF0& :I@7|"Y+slM8@1QbF/F "Hb;E4W2i;v1_OD-eGMk1[˰TU`B,Ashts#b [T D OB~RHU5+ac0!q }"y<<'@ěAl>vA+NQ,eiA|/"H:spojip41};$a߲=!Cnvs??cw2  |8v{w$G_ga E2%~8vA|64|CMp8KQD>gڦ#>PFOg5E&! 7mʝ(Ӑr 7c3($Mq0iX8zW!'VSIm6qyOѬ6FHmpbqL&1،8Uf,JTulz-!t5ʝ ܴU~i? cxV8sኈechUVW3JY:+cO0j>qc*\PsrIQJ[X ˍ2jd 9%QK->2]̯ ʚ5lb]6iw`-/+U5Il'"Meʴd'kGp\<#|(,г$*0}/?Hhp+iwٯ%"CRcTr$`ئJ쀫q3PAGtYShV Ooۏާfy ec@]opn︺=,4[r•;RZ20Z۠Gnˠe vV`!Wn+1no+>l3ّ3- 5nbAct_`XKD<Ϙ}深)nXCɐpIZ#3!z.EJ+/_=R;/֖vVŚ6`k'V*| W~t8bFLRyN-H)UſTKF{8cpZH<#h}UV4NFH-&56WIb/2xEnhA=J1:WFJiwPЫi1UINδ#8o UMe)y I }1tG rp)ߦL.iϢC`+s 4kDL/FZL,h ^&[:uK’JksrIx2[: i׬L#q(Gx)]@pXDĨvGoMQ.xjw)2qL۲&.hd{XaiPUlBCMPH'geRs#<;q*/"R'?sMr ZmV#kfl_ĸDh;)DJKЋSit?N ÑR=?LE(PlaOWoINY)4x1bJf΀1%im1?GדTqiZ%7ɰVMDd[/8EaVѵJE47ʫ Ltʀ,]N蛚>=_\Y"B5cԂХE\'@lIfZ0Sq_EŨwmcCm{g% ry?sTF\w2go^Ddž5M1 _E ֽD۠7\˚ 1Zc5$!ɀz[ 4 HYa%[9gwH3^8m_'SBaN1- 3CN߁03ۉ#>xP¨VZ=bm&JSZ[i ."as`B[Y0|`E5$ygem(nLꓯ"[yu 5#0ڀ’9ұ{r*''U ~(i qB(นŎ1!g:)͞vV {"m ˱L8bfix׶7N0_ *y-~>R>33\ r " N*&=mۙW7_޳pSBa^MTи n:zx{O'Kcf7tZ՚,(q`̰97pݴkoعd8321 sD\]UA!ȸd_q%WUfoH_60J%Z"u'U"eaP[ s\#*A{rPB$C^v<-b~EjTg&kҳqqr@έrsʀtkF$+2]Up lt+?'~l{PADª9Xa:F뻩 0cdg? SJN=t?+*\kyV"FhI"{= >+Rl[E4|A.WZDuoL$ޛ]GAcx'~Fms{ JU@9 ԑZ>T%h Ji6%$cy_di5b'UY`՜u  ^O2/ǑoK gfo6& 0=SoEKg ȲԔCNZ6jAIȹ{󣴽Աm_W9-WݒC!GOT8n[3ߝH>m'#$={ں:BݶC;].&ZB'{Ln_"=Lf%2;Tf3&L\wbPΏ P,١ظKW(5BLI&T0YxlK~i'8gMeUV/Â֣{|FlUvq@zqMo3YNt6KlW7S6U`o;SZ{"(T*8}MQؖO[z2J}uWMX('e8N*.i1vX#RqseۈCK.*Wph ejx!LNQ'^ u!'ߨb|4L9بV,|%T֩y6'PsO ) ;G9(8(?wRdUo1#>q+F?!r?9C6Eб*‹s0 ܞhWJPv\`]oNIkD 5^D<x|u,G5=šlq>Z`W>wik&Y:{W'\`Am;aS-<3y3@aG/@ߗMl(@qV@ٹOIIІ4uq2䢵2*l25]FVwE|K>E\I)RixjmU~/l9Y}_:ŽnU'|}qs]  Di`/+}]i" Puj4ӌы F-(qp.ݐn ;%yiɈ vi9WZ& #t%i QcC{悂w2{uexGe0bGWZǻ.˟=b> F @a>?]~D۲t͢NoCUj$KIݟќ`"gtAӽܶȁj!v]]P$ d2J ⯨"SAKu⳯duy#5> t{GlAl\89,s2&4 &_M}0#怜ohV1X,:i7³d>y 8}`+w : ۓ2u4\wm- P&MIAz;[`@[?I=I pQ6li#x`RX|=QJ/sዏHUQj)&^|BOz1z Yk>(IcI}Hߜk]U _%O8ը}ͅt J蟱#,H"I+Jݿ궜]sJ߅%3Bcgb_YAlcs`]>&հ|l,AOm("9J&26F ˀ=)}]W 3+e;{h_SS7#eĠ ]fE`2}ԅ428 XD~ޱ<5_F4W"_u_5>teC1E' BKW`6ԣ>($*6tYbRZI W0 O Of@u /N]sDb+2xd?ÌT9ѓc6 §yŮ:Ђ!cҼr*~)wIX7u +1 /TF>DPV 6=#'l.BmY;E+r;oƾW7|ݷ&3+TAbMu;I+hAs_>R,4 \u45Jq;gڸ8S2rra G |,ϗB@݌h=R'8Y]cbaG{x:!2<]E'*?+_zdkPzfE#j0_X-)Scx:}d#֌Ro;Lp;ӈ{ԱIhȸYrh)X_*KDa>XLc2?If[~) Dr0;laڝ @xv9󸯰r.7U]< ˛16W54QR`Tr>B%׺CU(C]y__\˗drd+.~$*<ϡCHcO]((Ic'*?ٹ\EeOJfݕٔ: ǘNllsgݧfUe8N87ULF}7ZFO7ʊrzaFl`ڱfbemxaȄ}1)FǓvԫhB-)+9 n9I9b$.u_JV%$14|ouBhzqhI:scBcQb^BzK^} ^b<6ȀVa$ҫ_>RNDyuZ ]0(tmx Dž2ׄ@ [%8͑8' 90w oUJJEv&;eĕLȠaY!FߑJ`(ML37+m<W _(N,*.yv_|u ha1 jl7q|[a Qn:3a p MhYL5ha׫Fx$Rm\' rG=Gˈs Cmԣf*& w giVB"QIJ|EE_^vBk?ބuУ(ƾBLh&QsLr4XYs7^ܚpHWPE DkQLq8x1R[;?`ɗh7TZ3%濆1qiwyiG7B=L,lT {ApXށ4Q38BۻR¶#缩aKԫ75``O是rGA/]DzsҚ[*_ԥԴPݳd#Vo7;|1'Gl5EbN;S zv5DrBGu<<ڜ)Ә{D^.{>8zM, |[G˾QTb;yw+_Q}iFK{R2/Lj B>}0 'M['m n Ho[x Θ ^"WY|\Hz3n?tkG{(f7JUA7vD=-IL\=a[V4Bfblt2X8,YFlj]}lĎb)wCeVY1hbs,r}G)|gn>NIdkۢ!i㲏  sXW^@xȉt-Gv"KCF 8,id#}0;5ŮCGK`2@MAQ 9zṽ (wOROv.~JNZ3tcu8?;7r&u g-V?n4Kį.wy_8W(4W;߆P!#\m0h9ph*:8U gƩc#i jG!@Yorb82}"])i7uX.&e ~P-Yv?wT!,,kFnoEh7f|tJl]pzbhcs8@en]0ٜT3%ۺciX:%7K׽O96Ըk|C:0kru,Nu.O/0~\]!ֱ8%Flҽ"^䃖mх* JM^`͊}RZH-O#F*f3Ǭ#7]=!wMs{ 3B'nnrILbQҥfS]x!ooG褪@7)jGŬ]$ꐱ_XNzٓ.fS~IqCɥF8k6昵}up8cad}d? پ ^R "#*GPyHA6#oż r ŁHT}n *,"VU68jiAfsB܉5ƨ T%WM5r} H*n; wAJ-gXi3a0ɚrX|u`r >։-x##x=Iܜi=B5*z On`$l~ZRiG8a^a=i!|.l -֣zvrY:mTVv8H85/vD BSr1,HXV,#*ԉy^m0-I_#ZJci=$#e Xc[[%,_NDDldeiD=-4 )SgVϧa.̆Z[nڋo|5wm<>JKu & ܍M:l*h&^ [tN bQc}#)(5zp1mK.p@q "7M)U{Dr|'Κ5߃pϙsH\/ڋO4UpXPPb,o;+%OkbmR 5ۧQ⌕[0,c|ǖ>jNHCb #wsma#qTXƅxGvf.}HBL5kRzi'%ecLeх5eh84lal ]Lݞ*6ųL9l`O~"j~" -$ɟpOcQD Q=t- 5FH kFt$76qLb\pnCsTm02T0&wc_zL(:'QݼY O,l%ț֧@ZZ*[LZglV+s:,(Sc;Ư]u {X15bC4YLGK/)H~Qglr28..sp }"_a z&,"εYM7If',P&|~ww͡_j ',2pYay'(ԉԱ0g51/@!<RpeV+Ts̩mO ?@މ(=V,~–o;h`h(+6Q!p~D˸33QIJsÔ֍ndd:jae-.xW,}, (keqWLs#\Tj u YdXLʼn͈.e߿(NλQ<жIޢ~ԤĦ˸͵Qyq(0hIFUgTB~= =nz i i{ʇE@ye nAXr' !&.gDxx%KS/ox^'; -շ-:(QšqnH/vv> 'QaVt7767wJF1@>ߙa)?2~ܞh$@#Cܷk3$["'nqϕm=^=TºkC$;_x:)4+J7 l]t;7p$qB/Dq+ඟKĆK*_?#6ӣGbtSoKp>=& )@ZQJO!r0RVzpYN }#sh+(ᲗvXWbEQVZeZq2Ʀ^h؛ԠDmc E@O6DS':WvE `G28͠Tk=8zPRGO&I{fPsI- jH15:~lk!JK G|ZˈJ*~pְ1''y+AF6f09w_K8k˯`؍TNᬣ颔:64if,%1- kAVpO}؏Ihr#سLP4l27>voZ]]㬒AȂd-.:֗5Ћ "31 "tD"؊3 /u4$L6l6"רlgmT EZ'+%dK>W:W ޜ~ ]=< J;*ɴ1$ ?1(#~[B `!r4G1o0>aH&a$YM] 2OMסCHwO#l[ l*ɤ Y ?N @7^/" cxTﺠ*`2 LyN+H߁Apg3ȌXөDX * hwH}V? @pZ>$WX:'/]__~Br-8OS[y1TЂCȒQ\x` ρ~)>k'l["C CO `E^%y*$4""Y4''uHi,kwhMN$74Erxu{罻VAzEh=G9'=QQ_G\:ꇨ.=bDN) #矀= z;tYK:c >2r%/Î<+ O{JdZ4z0$^*rN -AY&e\+7U$2H^{Kr9tP-0Cz[iqE_q׍%ߤWOgTa$1&.;[Kle )L6V ʗ]ޚ &ǰ:q#f_+\AJ *i Ɉ:Uۮ7lB2(b"ZDϩ / BKn㙎#A۩ Iڨ7-B"쎉ojx^Ј%ă|''kgk ,9aۻS>SMamETPNi;ߊ ,vp'3ZEZ^K2,ܮ!W6?~PdBKJ*5ΨWmi5p}!\ 7ڥz1A'OKɃx<%cߤOhof=By */W.wM:C0V3^MH/{būV72 ё*<Kz(^]|}TËےr5T#x)M2 r?+7(VqL>Q|noł۹.Ƙy ROTZޠ3lF )|a*ki /(g"`@j|yw ^p˻FQ[GB^%jqbஹ(iz+vSa%*bۨd}y".@aP+\,=ۼ\'n׉;5T(׿yi)ζcg5t[8PKV'YcVWGt?KssYX<-ȉH8Fl67d$z(G?SedƇmyhn\f8p"ζgxeIu7/V[$7G~>1z& (VisH8QQi~V:ǛЌi`Ƀn#KPSh)]^m dG/zb<&7`zֻ {3K{<وYUv<@{ & գ5 7'h.(8w[ы=93uOLYKU7=VH]=:kV"m|97I}1z #x;gYrHYmXs@]*+zWw.N:rV4z2;9rkذ~ώ%?zw`X-|d~ 1j"WJp.0 w9ڵ L\L!enq1]ٱѨ˦NzOl;ni"%.hl6KTJ ݍi񜜭#ZnZ@G)l}LՓ.K`c߲zkds* ,DjYk=)* xv)}Ct fFCKk'G7T[–JqØ[HoecyOg{_EIo.QasPJȿtP%A-COnn׺]S*_ JN6"}~!gj]V*OpAa>pa򿙷W{&R+e|Qt"[oNKs8g'3WQBGWAfcŲG^hq.w_X7|Wz'-qsq8:ƥxGhPo6lͣ'yҎUR_,C*_u 1DcŤ *Dc%Mrz'(1 ܅RIi !':"0zQj&%xҩ#oHۺVm_AGjk`IG?\1nܫ -ACHGocsmAĕ]f$(VИHwYyXF`VK]Xh|+uuq\ަo1zȜO^Z!- ~/ilWX fDs/`à6 %y]_;'ӋocScWɦƪhg?p-q;g9CI2RF;J7p+H`Qdq9x РaY!M.(L1ݰK8J=i o||ZugNeXHMT?̓֙ea+}AyR&2uTXdvF 9i ZC B~# >!?4ޤhYD9|wְ~}!/Wr'**) TB.R$ "k]ɬvh u] (Eve7OP&qzD&^|Sч ۑ^PybB^L)9Xͯʻk}DׁPZrw_aӿoVM,"7:0hRV䎀#J1VbF+XŤyCبӑ⭽xr`e}y`o{ԯK8Ca@ǰY*k3LJ!\G>{ϒ%vpt" +c-yt4^a@CLhD!6is)Ցۅ) 䏐;@Fљ7Ň@ +͆/ӺȚ[%jV1XtۥyHe{_SKj|"r~c6֜CN,BnEeIb/=4} pxmlU=OH4k~nl~1Xam@1 }C Ms95xrivcѥN8KCi,Q25!e9Z sIhB34(sP;ijͣu;P wk=MB{G~9}^Do!gI4!|vYJ=ӫ}>#3BS(a qLd :;kAGOeJ^PAo'ኑo+:!D@TCζ cѫ"#zlB/F,e"0wuA rEj;8ýRRvzw+>;nѳW(=#9Zvz IB pMSz.MQ?7MʕJ5xqKȰoN#T,ݐipS?Z`ٞ1ڔhI8Psdg-!Tnr>ro^|'_Ue}hIYqA rb!f7L8٥Z&Y4Cqo%)9Fp>x ś5*>>Ql'U8l _@6ÆapE J61Oc+Ҷ`TEޚhbO^+%bm4.Sʡ\bsc7'ԤZ͆j;@؅̐c9[PjC]CIU g&θM C.]0FEdgoiڒ[{=wA<7Ȕ)W%b2Pujy$=v,x*8S tQT}[CVi)lTUx$qE&ar.5[9'l{C_vF|"9dr)yzV֬CY7ɴK~dUߍ 3P^*^E= ӹ_AR@0T|,w'51n$z?BWb%J>~tӲjj,s^v gzS3@'!ˏ,i''OcJm3Wq!ۄI"S Bn Vֻd4^P##?&H:Bo9u@X%[vN. /v5s5<{,^N,}%xUijhlykѕzZ2JH5ca)ldt)E<1TY 4"S5 zbKTaKfjLdsh t+(=B g <_ hΗwܩ`τ GBsJ,p^>,i!FW^{v|[y>>n ^փ-p*7Pd.RW MIۡ7\Mlj<) \i&%9($ J(uGClͯhþ9U7ib;?9}s@s;8/&!\ҁ;S`e`{^z19;<U$V%yvB:bVԂSṾ&-W.3 ) ~ST9h#ET!`!`*1t /pojÄ60Obɣ: pj1C}4ybLՠ8VB5B҄J ј$u.nzVI`O?On I14q&&FODi}Q }Β;k\H )j6(vd=Q^f<gG;^!S0_p~_Mk2Ӈ0A͎xFs6a[ $m7G~dj&F.6$x\t.JYl8ަf~ր\?YF>}5~a. /S2w A~8/DY*cbS`b:r]I_4:?ٴ.&,Fi o:Xa;w cH$Q;c' Q$6<ƶH<#@_ujb%d`gb6ȃK"Wg$"grwm 򫷾Зe !׵e\>pHRɰZv5Ѿl32k?1AHfqaX\=}K R [ey271z{9h-eH3 B~. LD U.=5"jDJHy ,;+QDV˅V{gQjzNcR{Oko<7#C#iNѳ\YF:z_Qo5eP ܏X$}=!'3K מ$L_Ğ@N| x3ܡ$Ec)d7.4YTm$Fς w ؑ P3L.ykZw5!kXdAyZ l>p> ".r (&GVrkβ@jOE6۲BdDM./8$1'_EW,"u(O!ɵa,u^+K?KvX>v+QZ͐f9Вӣlr~B38˼W [/`Q GE;Q>@OY}׹lcc!BUd$TIφ>ekтd^/Fu7?b6&A`H'I`n>&āGMMPɰX+HPR@&f epVN~=+YwxdcIDgܕ^xԮ~!5yr%O ;f1 Z`\y 5e Aurnpj)kETkĘс#nRIPdizzQL"𼚔nC9[c T*{sg1Wȇ?pU[:Θ/n,Տ[S 2 99%M5!RsQu4?+=T(D Ab+Aͭ9Z]vȾDXwcuh&[AA0=t?c|E!@Y[G|:JB)0yCA@){O?uT >|!?ד٬}&?/ܡR{q= uC&Ӷ<ڸtL(nײ%yjB@g]=b~5}Nܞ]`2\=%0Vt{vp[uYZcD('qFl# %'ޖR̍ٮLߚôѼ{zŸ]n t7JJJKalovɺ]>aJ]?]bZ꘼#UX~Ka 뽐.&>cf şrsl*H'gBcQ-{Ǵ8Z-KқU|7oBÂ6ׂ`j1/K*V&צWKHLH8 &#'t%@'!-,6p:q͊= fsʟDE ){O/ydGH%I͞q.95O,%Q>p.zyK&?g{ޤE  GVYCL^l[KqfΚj5MU8G[ N @2GRӋ5 @2sv/v?ֲ!vQ[.VGv|@`R pz: l j#8;khZ"\]gj'~dD,`g,%Fm)/jl("U{Ĝ-~Qnޱ*!yT!9 %vc4Dlƃu=Jި +^eCѤNr8f+@:bbAfKZ0́F6D=Zy7ZXE! ,٭+1#o_gkuF$pkY)zsD:*rg@Ut:ha6GdZ﴿#Nz,VOB_ ]սl8ElNP0@[SpY6=1# Lht ]?ܮ◄pҼk%˨#K*(Қ}0[ӀHL0Wk Sh,Z}v*Y 1ӒMɐ4 _ 5H8-0(0_fw\@i VAÄ=&je&_!d,G2gxfuMZ N׾"h;͂z›TCuAt2T3h VerK*@scY'b`|~} @WX"/hIiXj?3$"veЧdF `@s>]YsW qq-~ jcNF `u\ m\7~I"E5W(O*:Jof@[uဖ}#h 5தZՃ@q*kE%c;IӌhgeY0ӆ*BIm;^ieJ!#y&6 #JYl!U(mVn2ȍ2 Š<{d^!? DwJ/lM>)ߏy1\q)A_&;w{{oQ$l}; ᔁ"5 B¸Cfn`r:keF \b":7u`{g<]3Ao1ZO*PFu 6d2Qt NMc&efAy@֨.4_ ߵC vU^lI\WlUi-ժS?l[|1f]䓷Dh Toӊ'jG#[\A!t-d T\u4]1 w#Fs^;uYRTlPH4í~_IB`'-" $3)$64d.go^|i迿d䡑"\!xUFUտQ/K]ӅKn_A|li䗡p_ߔNfӉrGKژ!4(mz-qbSI炓@doP[sy Ri3IF1@j ( XzhX!AkLs~ۚ0ad7L/+IoZ'\_R{c0!!A)ڍ|ʹvׂ s1`F4Hf? 7u Kx,>X umۗz{#E{KƇ#pn;9j[:{l~ J%ʹ,ʛ9tvkeiWɿok'}W R{[ߤ}*3:WEb<-\h x+$Wv~+JIsUe9?2"_!3]bۻڒ!= \a>u^)[0vaܺ ^r %ցA풏T7Ӎ) [{+ݼX PЭ(Ã{@ZCK"&7 (#V@PA[#fp姉, :_w!燸,(aJ%-ӭ2TueU[pw:WN}Is%h:֤10\s4Hi-;!(Y6]YwB&g͙AU^=b ({7R##lqY;6bP e 3W͉mցTz PW-#1 \CC +YT;o_:1/(UV*r욥% GiTΘ@=L,knΕa@5B2 --M%shuAY8ȓ9@?<FCD/uv>pXuM憻vXnF*sʄ  [Uq-q<^~ٹ[A~[HMv!Tcn<'U wqfU^پ>5}h˷tSK.*D$ŊU Xs>Ӯ{\ӕ_٬ѫ2:u#FQthd;2|7{KsYi"z -Nݩh J31pETF1r;jCo7Db< JpP>I@W"5r>-jfiU3e*tأfҦiо 9]>LOU:wVt`O0h̦nC[tty2ƧιjmJD~bإ)IYL 1iO}>&%ϨEdM*n>uni ptxOhʐS~=e*I1 Eͧó@0)F,9 ag Dli8 :+ g7B!-&i7kdĝ̏)okM@!P/lbeg˙n_n0`jI-l ʛux1bqo)v'ÕO_cR4 &Ԙ'Ymr[kZWŝcETPZ %{3-XkT>6*ovyBq_"iZv]\MsOajiu t`Ӂh]a 5􀲃&,95"L;P!Q8*qT},sNYL.c vOՃ>; QCHg0:0_5!{hR MHn{mb40^CFfTWY}{0<>StC+hISzI?}ykW'O71Zl6KIa(SoN;Pu&T+XKI Ĉ툩Lxz^vq­%C#S~WR>~[5N2'8 N?M4`*fO-#FԹU7鸖E&,84И'0sN s; OSW^xsotx&A.rˁx"'`R5uk=y!ҔM4h^:X̥l>W؋DHɡ\xH8#}KS,NDH!Yb.K*M6V'RVqNYNwl(EA&4 #I}3ӥ|#ܲutxy;68@C a\@HV=}%'ktJexPWJ<;ZЅ[3 qE&h|f#bcnɻ~K{^ޏ C҅( $^-U[&zo^ˌ0 =] =hѺ›YwZJp.y_:՟Q ʆPd(@ZWqTϯsڏw3,{`JFdK1])첡q6 Iȡ$;Pܘ]%-\}c8y)[FѤ~嗿պ'!(tF3HE#mv1c?aʰ!1Vq 1fc+(<ɿ/1a/ӓX *tqc֍5HU?wVg᣾K0I.)_=I Ųd(&S@(,#hMN i\b)CN5_ωߵg,>U9 u|lh=uFK$CpP$ c΍jD2"=1{_#%\eGR[\1$bÀǽ:,B{9~Q-+F`l%| h@#UFΗOxk~Vs&q#C=r-QY:=fܰNI?kz ctUT=l\9!tOUN\5:5hoNR/gMԜvNX,w̼5FEۚ7y \Eet8(xjB I(C1]ysjL~(}iELwc"ge̛_6=+z >j;7Z`/ˑ+&%*.` f(mV&w @$L\pRĔf%ULk7&. *( g# qvљE?018q~b #3A/: D!w(k|ڶ3\fg1mjQrpyAmшiI珞$Uz\3` ЊJxE:P;Y 'ꦁF^1m=w+ Eox/_ן2ComXPH\r&t`y:;T:0hxQ $!hZ/}iCn4F(;{ J,HeEz:wǹ*R<0I]kaģcIdJKBb*th=т]۲Е/;lҝ;MdF@z }`v$G=-[GDt7^*I H_(:n+!w5xmEg42r}NqOm9cegCEnk?q\ck bA|װCt_|DoU EM|pb)=QHX$P*&^jߎ9X@ iuaDUޤg~X~6t4tlb;A wѕL(OSw:X21hF)7>N̑9?Pd48y \u[m} $M.)G"c{["2*e=:U3?yJ+GG+[bC iIB|}Y^>q_oq`Nٺbil`G%*8'!{>>e-TNOizaQұʟcqyШ\90ӄj_Y0`]Ie9,돣=C{7 OKZ"Q+'_Dz-aQL w&^(6E_ oef _]ۃ1өyt ؝ʊnBz(CTqƌpc iQ L_i211ïٗKPMHYHvl< Hb1OB9P`j_r{EJapz{(jc3Fo,|NX, V >-W>_L@b'p| Dٹm4X.Y+ N24:FϾţ\XHN n |;P te7TaR5AWՒv5R9N-M%E%.%[Ъ/aUh7pٲ_- $+(paa)w gQN6cp\}{9\tqu]Er(Aek2.o q@iw9~'WJ%{_qNpZwI_$)XBJ)}Np(ln?"L> pFffNPҫ^ҫ4h~[',Fe^4>ٌG*#Zjzske=^)F?bnPXg/S4l4.Ţ$U:ewo1wRqBB^Fmfu^wCJ6d&X0wuOD6֪bHv8Ļ#_jljlm4+9 z1*i/qlل]v=;Wl Rh:NyBZsGv7ERwUA]"4` -ۄ>>5DZ{0 {iTm{\2O(Ks~-cB3ou bp"&@ѩ @AC@ >fot̓Y2B8!TOFg9]k :?2XPYe]GPd,qGk1bN޾CoY š%#j[³gCm=l Xm:͎ ^5[o+zp~W|wCtPT3?Z P`(x:Õk4TV<8gY51{wPK%T+KdiyS[39M"92h>\[%(Ɨ"Ω;\ͣ.AoGzr1.L;BP[" 6̿x_ @]t}a O~KaPc_ЪsԍAG֯W~u=8ﲾ 蛅i?4[!HLq-pØ2#u3滖Z1S)* .QQ wh`@ G? iH[ձ2# _ 9Upw wW:`tݦk ?QV'." (v{"e%1JvQZ\A=gz c#%P6V';OlˆB_ڞ3R!4lDױd9όp/=D uG<p*gIEѧH"vDO .*sޱmG ZyU-HJF/POtU}*IUC F oF@ۺ= >(wwĖq`HB•3FxaD[s W24!cq\w4gJs8 ^KR l KL8F9񫩇D61 PiK[A`f9E GO%,;6"02w=jymI!w{8Q-N}g:mqp_= XmViwfl~^}qbC\Ux;P9X_xzA;Fba> ]D֢v6z/o^PWy|)܌&KI&(n($~~ >Ӎf{}!kZyc$@gg|>lj<) 4Vt`6ڣoWv)+,]~s.ћJ4#8lІT^I%D}Jh=_ Z>P׼咸4/16ǓY4c\M!@$i6-)1{_K]gݜtt(sׯ)HNovClKq:y6RH&d";H.` EÍ{Jy O ~fKMիvhN4*̊ 6d=s/d[!ULӹJ3\Af>q]+,!v 7o _F%#a/z^6 8֛B<"É/&7Щd4\)m/G us0Ai&| :OA/m3Y3B+Wl(D>r;3CF?aZ-au+* yݦ]ݮTԹp{Uցٿn^mcSf{9NԖ{~JT1|"q5ʼnsoJz@}dTCZm +ⳐJa[g~Oiu)c)r <ߞ56*&';U^Ef-XspBH4u5޶ZZ'bD~ϺWҠ<-a Y; &C_](L$ґM9! <.#1ߞو09(H4t䞯є67 իM?ĉ mh7 5ږxeFtdh5|Z(&;6nq9g۫KِQŀ.('=No=|0L^;}(:w8ņ/Vq9alAB.KsFnx蒵mACS6;M/ Xq8]ގMc'2a%hX^#[F͏7Td7o}v?:ϥio)Gmiݴ2o_0RYs6fk6yuRZZy6xpj"%t䘠NV-oUoJD>-c#)޳ɵƅɵ.`JH^۩90Hc1nՊS\]Srh0 L.QdCvP%e2X=g\YhM 'f+MI\HJ`P<-)HO1`veա G`m`g"NF q y$Ahasu|CwSK䰋ZkbvWcbTn$#V@-tTJNbm㗺0TKBB/,$O/b+ysۑrSUd)4}{ I8Uxty/SvclǏs>ɬ0A۶ uSLڻ9x{)-Hwfe먀8̗ sii**科rxBѣ;. *31!7~kxtvQL 13-0]\03Dw[tSvzKȂ*=RצX[cbJ72ސjq6O6ы*^ݩ 2 WO8=x=̓41v⵿=6_8,3vn[wI^ؤ)brN3-ofHqwY/,@.6 I6a0:ww9>;6'I#\)eXf 5 `,7%{47[ƌC]H0:o.L ]ȸ cpU ͌ Vq~ȕKu*NF`K_I(ѯ͕P5JY=d@&q[ۖR3hHpUfN2T^ۺZw EYNL@BoĨEOdJ_-ھ 5и2#QV]6ؘwKLZQ>%gEC+!wE=V 聨 9qtCqwk;*[ rIhDUMrwUEB7I+[Ʃ쳼;57k%NTnIW?+_vSy(7RI^ :mK\/&ǐE(d#N=/B_ &'=`$bmxb(sx8w7i 1yYGM{—_锓P4V$y?w,{ZZel] KF#ag(eYR}A(+-ʛ<w^"xmX.`р|NqИ/MZ.lDLgC80;KhM @ʑt2ڠtHђ}Sjz] ɹxp+i`E4mFM[֏~eոNt=)5:)*q񺌤*X'ި|r7:d6+r#z!!K{i4bQ%XQʏZ|' }s]!#t8~}@1_K=Aӓ!o¥]{&K9?+.Mb]3lF0a"ScdH\pd할LQj;ţvfOI;za,FXI `9 $3:g^b"sNQI|%*,%"9.-n8[T+pTmEqӮN1v17EU-l&4C9Tմd ~~; 6 ApfPuFo.RgU5pu<ŋϸa߱ -IuYH\3{.+ B ^45Y1|PbzXaD` H[W#6oX>1\/,P!!cuQst)49WY"ٴ^f8ǀ/ev] K_,wV:,z9AEl5㐂KFXX*63ǡRm6^` oQ>:HoH;l-?b4$$ѬKTs%ҽzDcvu,.@p/<O.'*)H@*rhJKTkk#Rᢩagh2.V.ŤrH%3yiU\_0@3(a7߿$?7NP__2Ab xjG)D?FD5udwFEgxPِ^xw%Y ew̃ƻ̯%+3̩ :8>/bmRkYJLJ"mԶiu| vwI[jr֢pUz'sƢbϦ wW_`l` =FNbs945&:P| :KԷ]BJ'rۉ(6q(kFϥtmTbZ B&v{DfD$#\!CCѯn+ّ0Zcelਙ\mnP ,hwFݯr'-Td#֭(Fyج-Z12Z I;VAV.ClcԪ1H} 5 "J tV`ZmGڟeBٴ'<> YFBJڜDĉCfXhC m4zM-F!RHV^E]|")O:<¹)ZR3egJFwLj}ܠ*gR8 <^TefKK`M( o,"˗.o W&j_ ^%`:,+/@#8lv{:5vi5V zQXuN*"k~1W$'!xMc.[r@*t?$ P 'w_=dЅf$QX,1#u 3$f%geh"/J teX*a+oZvqǁK6Fm, TrWΟ-elq%3扥M+RИ(W.,)hHUBT]bI]bn;1"ښURGt(Jm_ws?`NxVNi_OĨrꤱ$`&%7IJh4 +bu̦{^6Vۯ[|c1H[6w;Ǝ}=  ̄ 8M%BT3,0xִ;,ՇOtɰXE*>Sj;q5:!)L0%Gic^`.ڂzҊXe2z% hp#Tr;@~/"QԶzׁxzSWhx ?AIi_ҿ.!}4c $';d U>@uE_R`6A/>C6@HRߕ=*! _öjʻ+t#HA:l#9w7l0[|ź#A'54wC |Q/+"s=/ Yj/}[Q\ɀ 5a 9ݔ6KUuJGeoȾgO,==@x%ř6_hm)T@ k>,aޠ=uܐa+fjzYP1~N+qKv@/s&؛l O[+fJ Qχ.;܋J8Bzfu8UT` Wk 6Ey]"7:jZ#[=!i)|6ojS0B~" u5|Y)3mYN2+mwxx*שM!lUtCgVoq˕ګ4 |JZv1$mdA&0&Q#pkmSBPh2&]UC<Z\2t?xűp9x ׫J17ߦ#4O}Il1"֮6bl4Qp,aq,Ѱ8'8G*u@pp;;l bx@bY۩.'gGgR~tCDeDt';íoTg{@_c|ZGEzCYBwݠ]L6YLZ'WϨl- _4{L&+>%28/ǟBkgu LvvQ" y0I-z 1UVDOn~jݐiٯk>Y= {:`.Bmu^ZҥKV*=nm7ᱎ xza.ԡu#އrͤ)-#72<ٞ!Jyk8 <5߷c$~ꖡxmf8%FVEg# 9 Xq_r5T|Nzݪ_Nl{=@Nw@>A! 4"ݝ SʸD&kI`b@M ~f[:? 0Bd2gc~ ^㗴Tode`̦`9;L R,>L~-[>gTk61ٝ1#/<"3r9' {HFnuhgR'! ^2ڙXeF:K.!P!fzQEvCj͌f3Y%{{i^n5J$AB63y=Lft #~>IJ3|lоe_B$GTP@QYv/tБ6 Y+DY: =P@ -GJYj3o*^_RR760וE_(ods.{nO=ѷn⋎uZ4,]CPIph,wb`c9t MF4Yu[QKձe0~<g*xuȯrAxene5A*`tL^< C?@WsIr^<ʟ+ DT;RgT\_gbneUGuvjͼ{T-EOP^Ta=1ŝTۡ~{~ zA>"r,ցF+ @^XIVAg(x+L%H<('h.} P|0fyN瀰BpPASs @ݺw+*;ؚמxa, ";Nڤpl'nׯdFa[:uPzGj&BpSN.ڹq"kqb^g<)AN8ڨ3/sc=9:Ί$FvC?-"!&N `v %GP9~qOuP^uŇ }}f|Z41'4?$zNx[3OvaO Y{@DK *;kbo=3U%gd]hkՇ4I%ml(0~FV7 Y2S&|C~ϷFvd Ms;bA[jR=Ջ'c8:[+Pa5Hܽ5ְSiE' ]EFHL}mrU ˨%^`, X ]> aǥlΐתԖg(jsp7B CnZ>Ub0_KOU-oa,n{Lj|i (Y{ *2%/6,|kCzR;4'_vǑ{tD8Ke[GɨƳ_at;{&rGc RN! I1l-hd@fJeA&r om16ŰAyS B "Gȓ^BsP-;~?2kMoH08<|rHM֓G,)ܙ &*Gs?gn WJPCT5 ?Z0)lM/f|Jة"bWU[!5 2G^帽^GtXF$=1}4?{GM8Wt`vtgAJΰYz0]O 5Cc t'JYaKF,ϋQҽPuఠw~bt)#f86^4ƉapYy}#ԦC^1E ~Sv`LEAhi);$sV l G.Ö>ryBe–Ï#|)OK/6 du\% K(Djr{hzDTy0(1TZAK :meRB%%Wp"d,4ܕW>e+Ӯ=ì4{I Lwu0T6P}j@ˈ }w"wKK& be_[K65EGZ{\T 䫌aaA")O~`BwN]?PO.7LY:!չ/s]&@^ⲍmRC(%D N@ ښ^r`i{h M`oS- ppT1a03OtQ`v0WhٌK/ui䝹ƴgN8LAa8r0bτ{i>C!# EJ-QG/kDCz(p%#x2Vo Is5lk..DfXf۸y>a.~WƁ_O-2e c) 7Jfy4oiynJ QZ"e7_i)LS^ k/o4pCoS[k+alzl<-,*ȀP[)A=Ǔ Uu{|;t#wo:j$/CNO-x 2y|wVqN3UVT)*̂PԊ;p{ I2d!K2`͢Z֏bxb%ڃjDvǗx|cUv'XW6+sCژǫ75IĠL{W[e#6q: -4>zKUӋ |ja fC3 ƭs@ioOZ,E#[*k6G7QX&JmkSl: .ZF7.%!*jv\KDqH:']k|)An=U?H,I-' an]qf8#:0c:'JI~=|o%eA5;+}pۇ3g'd"g JˇbmXk(]}J8vsi8`Ϝ-tCXͧmil i, †7EO,5 !4UESY}CMpbjY7Dl短y'mY7՟/L|b`T 従zl8p~ Ƨ~{Xߚ2[S [zD Wx% V$FH'Xxufƣ;߼ i%_?"+ehuN*ѣt3S*ڑ1[~[F.ڡH,hwP;S]FnN+ 4}#هa /3qNn.5vrn,QЀ03xBT_ujCS5 P% .z b3My;>WJCx,(SKQ%^[qd+`W(Q2\֞-A\K) sTy"wٖrM°syYUڠUXS}?ps*FlRiY\'w%;Gni7lvin=%&AQLF,) U'qiF?a2Ӱ*=.rx|(f6df,bb%EZtovPrXUJM1BLbӳ"Ơ͢_C $I:}UG-#H+y]lpx*x=6ؠ9)5bXGv'?c`̓ J`/g7)|Va kOQIs\s/ :vJC FSK(v]z~iW;;Ba}03H!R~иgٷ뼶D:ҷ.vdnxs /nHWh% oa_bM*t$~IȏEK?^,PkG]RQ1@UFmV ) 0N6|mv"bAFW8f&l|2qٓD"*3B-%3LF(!}r|EeGY$y kBW{l7~_y:l^HޭYV/lc!Gu5@3 }f<vW7=$ΘOWt{5pġ"1qJY͛Wd_T++vǓp&Vkyx%ϟuHуe1:'rV9y~om 6ը+:-ɗI/)'i3htHGs@MJļEn[xFt=;B0__fo~}˓|n㖥m?%k08WҶߒKPk.M,0/2iЫ"8QIҟ;"EdEr讶̺Uud ِ"a `5F hEkuGc.l@^vŠV 1wnB՟~&%̈́gpY@6!$ۍM|6(M4 4QA@N B3Von%,%AHXdgA;Y,*ˬ =fˬ YALWgZ[{K<|SCU's9+ۆ*t|){ėi႖JI@E[x=k _W CΊ(zEw7Xl4H΄Ԡhv"PJLshunI-> I]iF< l?}؆0}1r4`߸*v^ ݎ|5\A]ם%s* ի OAY;8iX<xZ)5Y ץ-r[XHU8UuMTa[[k2j,bSw;OȚQs_¨i[-qaĪ4{Tsbֶ`GpM~}$S-~[؊2VmRRV{׏QLlj7jYd*_^-vG"6q}Q(ܴDTP)rC #G5 72 V.TIRezB =w%<-pCoݨ:mϓ Lú%szt~רh ̬(uEME6fV.#ݵgxR!øDbAڳT6){"<71>}3B"~u39IY}ih*=u,b{tpTw6͕)8O:>P֎N\Ҋ+ajN%1}xaEx)+ daw~$j}͗oκ>= Q+LDBIsUNS HF9^F*O *[y 8Mhѡ J^蘬uCƱXkls^ @4^0c@|Aqv$} wLf Bʆ| <=2fUiJl='{vD/cb-m&Q|U~#kDŽɇ1 bR0fWnWZTtQNE )Q@XM-z*h/׸*mL쳽"9VwM.:qAM1(Qr+Z(6o`AȃhJӆ"$a2OaLJmSa3T7|J>qC8&5/ ]^z(.CM n2EIa&Aך󛀔5&T߭/4Fxy\mH HDw7;şnFjypd*u=vΠP_aA%8mpG1fZ4\y\#jWK 1)aiWO+qrcpQ;ImTAi Q:BcJt,0)n>ٲ{x kV⃺Qn_\g3*sGG7ViK.Uwn:AlY $|E k&Lv5/Io%KAGN+i*r0Z)>֣}ӡ{XoB,#1629ijm̓X^NO"p$Y~0pk)72Z%_l4MSbI$zGU/C?"+R1XGѫ}V|1~I_c:Z}ӃYU?"n{lHydZ8=Y7AÉՎ,U PdGM\ o.szU'Qoܢ`f̜hf|lt `Kz[_ 궃8 i)7v֬RIF1qь0vE#eP;LKr8hX/i 4Y `GrŸw)Dwa%-eaɉ(?;LE=aؕ.FX<(aA3Rڏ@GCn{`NNYЎC!|>3/I-}Y QFðd j)ħWIh%^I85L|g։8{k1iϕew4:'SWN/b7Eq]TF % ׄ==AvsI0j AFNUϤʾ/o;8RtpūԱ%vl۵~ &ڬ7:ܧJjorV"\{G벺D-I%kd71eO֭ 8o5 _1עwK~> 0vW\0o"[ex)b#W% NoZ cʶ j+dWB Ej;Uu7q]3W-{}is@hΪ]4tЪa]`~bF> S:;ǬH6旞Z??v9md4Ρdtt6 ?.⡨AٔA$7#>z.i絞za#I"uwFY+"}'0U ?]Rhj'?1>6d^ИP/JN&{nCxd%/VMOYȣy쁈Ui}['mq ilmxAVA{cWzd!1ԚTgm,˖Sy,:n4ޫW)sA`O0:`u^vEbd-(>G.,Q$e|936Cm>: B<:jUX~Xx LIs"yYV uI?@'|NHQU1&'V<1x@] tx>3;a>!3(oC r|TJGkN:c/d[x+[zp:y򲍗Z/8zAZS.ddxal(͌2^fWqkr0WO+6l>bkNX(0ZqkdÀ7$͛2UxK{Lb @*:ncc۠Ӈ*+S!ȨD7<:[iՁ?brIH(+l9m)䰪M|k 55D.2| tsāǧR޲:A5)1.[2_Y1t ?EXXXb`yVꃲU%N*HBzorKU|թ5q!(l*ʠ\Fijw3t w-Ob D<:ᅲ+Tx:df@!)j0|!p8RNILT2hPwyuos}ˀpv~Cu1pR :V5_E!\Lyԙ>C@J'6nrs5I,w̃\1Eg@<6\)57cKh B E /`RTU9O ϠSm8*CTh |#fI-kmچzldxEaZ"A底:ٿ14T6әE`xȨL[ ԋ˵ YVӰOI~OoJ ʏ.ѦY=˫W gy{?02&d{v#>*L~L$L 4ӤI3ݺ<ϋ]/S>"IwcJ}6wAć9²l>%9~N)Hӊ7BV+w1CីA>a B頿IƬߊ҂H`"SZwoTXx`cI8cg!jy?*wɯ`bK*{kY/xr*BCHyIXuy%7Y%r2jlx5сaXen$(8@"N[U(("/"R,5Wgi1jPEELB=#t];m7yI:Ʃ 19c1}ZD%Jۮ԰O#adFArCu.ZE'Ӌk[ھ궪k(y'\0i8 Ş]~לЫ5iR9UST-dDsBkn<Zy+IiMtoƾTOw;µf0I3MX#)>&K#y8w%C=-l!S ۬^߰Oi:ݏf_lLվ_^ ,F_9W,#baW?9{Vm iO8k͑ggxfNi ;s 6,JY+ f?s^+EN8 ~Vy` >N"^Am=j|[&,bd >'d,F=wG16~tM.uХMU j O/@ cMpX&$*ÄV3ԌIAo:!mh tޏۿ&W*\p 'o^k(Փ|Lssbe#~Z\nkE.z%=Uv)o=j.;(O؏ie)u)3EF;& Ď9)}NxE-W?oP}CD OB V󵩟UjGR H~IhYDq>3^`0}GWrtj8,\H`aژwl h~~<{ŀp %)v,|ωZ&À,9ftߴA;D5-M2Y6_V~M5/D/WB*lٯ<) iEqT]6a!5>*8zsv5+y3DdGS )$%7AM-4y1ۜioUX$h3knHC$nj6 rO7o Ճ+6~ԍSvVqZ^9lm0Dc4ܛ-Ő'-gO摤 c&,׽T 5̭~X(.*I~(2 !q;td-~C}KأY~(h~KC7(4]T^}F?)*0A8MOOn,9)] ; +xq9 /"pmlyH yCFC,s67M 'vp Gòxp6wDG'ynlu@<'4(-5}ɋq/T†Xcr%TH?tcHWnɅgEuMF"3N.޻!tJ2D's]\#'sM&IR2Yj-3t/nUEVJj$4iDkay%i>~eIUrHJhuĹ(}2mddCS\μV3wډ [eYʧ7bOHc;1h=sVidAS>bTUOm,wְ=etC(ڔ@9sV#0B6;mOvUV8왆7i#2$B88F? 1q<}K O$A?:w4U5INi{yJDY1[phGf{:P&υgr\`;]"iAQ21`uWwJy(Rf0,"F)<S:ȃ ÷M@a]"\6\Ҧaִr=imڹ{/d2~y-x[+h?G*EB0*FTw'usBUO1CBOvT!烖k:xECdfi,Xh(TaC5 2=[ QeuMM oR69 ςu}[G|\T%?YD:I+ߐOvPDܤIpzş^L2sVl u>da'.cr0~ŒSMX@6WU>osMaR$˾=Y i @`/P- o)yױԣ*]Vt6 :wѮ\@wH =|%~ȑ <Ƌy1떌@=xURx!;]m"±>lWzDgYCOGQ(+o9mvކ8ye6,oI_JS 4>]X 9v69]{,p Sټr Dz_T+?HY5Õ SIB;~z.F:C7qj1z}og26H㈃OwL"G2G"UBsjW9t>eF1M^AzۊN;E1q#<1b{A= @&ɾR-S%ّ*elYQ[j 7mE +9!sE3 :H#(גdɤ^]Y/W*w=S%_WS78s/ tX&+f~vE̼­c fr B3Wx8.:BjE'bOa;Hj@ 2ƭ@^f&ށǷӄ"k6&8D}ߑu8+E؈U=LrͭZ[m%h. q:o8Fkй,?h510>,Z?litP=zǚȓ8|45` @8{k|n O;C+K4)}b~}|#VS0f9n"QXxek3:0$@0eD 2XZlXY ~)x|ኔkѕ1I uȸޅ)+5 lkx Aq|# p}b(Hfycy}U=㬇1oEЩ8pHãPZLK#>[-:gj7XZ8lfG(Q~GXnǺPpwYV ! :@Xv$kՠ0WǿXy\xbW‹nv++Xdn?uV4S0&F EipE< w_^K w\*} !{$`8jE_kƇ gkֶiIw?,}QNj,P}$KSV;HH+4PƎh;2.Pɹm7w/Ck)Ǽ%g]ÒRћw~LAm:h-IIΕKΨzSETe9: Qc;b ߏtWЕ{?51Wo).T=@cȀSex{<|oULlmK߷X4 |,dTх'ہmF{y[|ctODaHK8@sj\⁨ϩz"@~g#x$O:gۥG.ϦïwbR\}hD$Q'5}X&mRi){⦏/wW3/fWӳcC.<͝=:=L֌}B1!Y;n,KG|bW%V-ieĝh[=SȰVnkT$7\At?*6wdPφvzxX҃~R4iWZV$k 5BZN 2=h!mJ~k} >򦚕c.14&osQĝit0Ua|/j#p!wA6|S_J0ʕ&,5 1Pt^eh1? so-c7: M)I/RHEIJdKx.]w9%(61& v,ڔAjz;$XK Ơ{U4:>KyR2f _?TUQ`% \\.1X5))"Ѧ4I${XLN ^*-)`EqXV{2dKgZ#ˌʹ A/~o^9-&&Z^r|=ăPQdw^ڔ/N l]q9[h;lͮ;PJ~#-]O}.Mdv/ tT{yp6O  a| T SMK6* iӌ_7[^͎A0 ] >@;%XNX5x\]Y0bfXW]6_ɳ.禈?7ww @W\G) i:r"NoDӠs]+іpŌ/â0r ~}\f-rC _7Ӱgj,n`M#l9<\'i "eD5qDW\tCqP %18˼,y=zրVҜ]$ǩmX]1Fwx=p=&CO ΢B[+Lo.j" } \pƁfX÷AB &eZӭE$!2V_ݐ 7縥{V$ɚ$35Z(7+$XlG;c/ز x0-Eކ<":ūU@G;7 >tYֈnL޿tF0aa@s&JN${d'9{2cg%8#Pf8_-8D;PQw|^"t j;$(VTOXƢ:#cM \2Z<[L>ђ(vwgDRGN}t!m϶I@3@mϞtEɐJd6Lo[uﻑD%LNҝ<\e:~| Qw.NI-#>[ޙP#*HQؒB-Sp]}i wiȼ>ku[pQLa 4ʲҠE:&JH/XPڊ*Fe݌^/vQQ*؎]@#an'$ydM8*{*:Y+Qֳp ~+G?SvU)oY?7X'ml> #ċ؋*Clo X@ƍQA.;%.Pslպ~AveIFtv-W-dtxֵ8>X?sDM$>(k P,N__ o4m%O=SQLj^: m|H LX!QbG]3~m/ =v-%p2ufJGRQ}p1:k- L:TJS#'[vGiΒky> !o݄3×j_MxYeڼqfRwă$#o9Mo Zɼb?ydcx"\,l5݆Q  њ!\\hiz xZx/bm[(C% sZ㕣"+acdu1UWT c뀭ZX1mKѹOdkM~9uj8?K7{^vjє‡+CW  s:vd8).R†COW2Jy/]A>H I7τ#Vx JD;9i"w]ǞGNW7}}\kM~zut9vY8~h!NΤ+yXo6XxZ=x<~}+> KRMNE3))q CP *ix B6g92iVg\(#lPSaFE&xj63=f'{:4FXlxZS97Y]ee_'Q;p(uyQw+booë́d_y$YC ȺrAJ 4@,s~VZg#ѣyۀ,޹`p aQjUu[ 0zW#K< 1kKtҞ'Bk$!!TW7r =pgNؒTQG| wD+Ⱥnژm TY9vIT(NQ5ɋh4.IZnASxO]RCrȐ|Z<+ВK7$ A=,cXUj/^qMIv@yJ""L }yN<K-k-)kԥMPЂvdc}Q*9Є(Ei<Yp1 2y&EBp'ӯy:ɉ+yɪ6A X{D!wQ|Z!@錎k5wV"mX`VZ,X O`o)-b5F)5Âui__>>߹U.SiN4i]Giad8ܪ2 Bcx/AhdBۻ3 #:LB`-vdXv-iL_\JkFL4'N: uooIm'9M |G4<^$yUY'PUr_,oN ]s$ƒʍs/qr=)Iźu1Rt;+ !WR"ik~qoIfj͸;8@;#ga#aqjwEk*5o/q>03^<+w@ CZTs΂7_4{@ a-p"w B8M~Nc{pzrganѼpj0M _T7'^l|pWcu7-lPSZsqwO=M>2xř/APSH_Y|L{_<͘K Ë'fiTWv,#.Tf5߅Db`JRyCbȢ٨͸CWs;EUHAw-^.>=ƀ$w$oę)!S$ަip=nng|6#RRP Qt oBOdacʆ;`"nw8bYAXr j)zEXiHgάc*%D #Xc솿YI:8a2˚Y3G?PN  #"љVM=Xq6AkJ2I3y8gM>q8"XHctBOHwS-aq(gdRgRP?pU:,5(HtcVW"BG~pZ0yO9V(tƸxߡ:۔i'{r"PB7}yq$ϹO}j)=* VO. ڟ & E*NhɝT5 lTqT3$\/WLLjx҆gCp" J>[` ԓ*Nڂrfg \,p4ϸ0r [1Mp?#AuwZ/q/Bފa.S/V13m+ĮY0.1ƌ7|vJim$J=a|y?1#rzdNL9 Sየm\%%č:G!p@'}eC)K0=H!%(0 lQvmCū3Vǵ܀UpYm>RJDH%}yykO3H QeG`ᷕPG)#[%q6w0!%:x^0ێX# uŦFtLeSdR)_kL8BHEi>g3[O~-r_v8\K@gImB? +zu9|@Fx (g!P=%Iz7T~#ZT >ꌝMې$%*LqwѺ8[ \``|8z䞒H-oO}gSvY)^\'ACAF~: .g2kB;q`Ijc<;teJ4 ;/D)|,@ƚKQ&j9ʴn? yT5asGs /r"F! 'S(Dɮ>f5jxhfGHc" kY-7;e h.:= [ЂQd+H9@iqH][f1TM*؊V+0"Uެio+:<ڼ-~ʢl,g'|Vվp\`hd@?]䏰t2V_Kv'dwJ*?zbƠbI9 /^̓7Kؤ[:$^m],qK<|5 |2ـJ c*ǻ-&Gr̯bH?Ŀ^\Tݳm=% "fS#Gk?~GqoR>_X4}䴍C9…݊[_ϰ3v-K{a~Ռ 6+U*2xaxNŅg~Pn'x<`} lR2=os:@+evy?^Dʂ:?o!O^xRMWD?"8[5b!?~M\,CC7jޑ1ŝ2ok`[ONķ7ΛM]LVGyAfW4t?>d;(.)Y_(Q4Q?` YCF$MaܙRyRTtO% `XqʼnT[f={]]VV̺LP_8qfZz3WynKJKgoj^v| vp>aW9r74cs%l8*Pu\^tY̒ DUŋKrϣl}<D~qZJ̌D_e _ v.@}'kG8$WՖi3ODTs-߁J*h/e_ۏȫ/ޠ.\IN>GtBA XOvȭA0?kQvԗ7̆.`ϜT/AkC|%g&K8U(L%vI3&no/Fc\y܋TT:"VÖ !oNji"D\yb:'M XZblG70zJ;+8cN%]7F=,8`>'C! 4 b5>x',f )Ʋ0ԭ0<:e[?1komE]J6TAc7FOWNV6hiO5r Mz;8QFA3rN@J=whvIZbj J;ׁ)1SPzNWȥV%$ jDi)Fz#+ooC>klH (<") 2@JKúAPm䰚{i rCg3&fV~hW}r7)u& ҕ#{ͱa9Pt=lƵ~o:Ml4=3?MC)µ̟q}30߿q\jߧ8O m\A~8Rmd= ݌#5@C>kܰQ4CU[@ RN-P8U{Vj@z(DY9i@0SP8FmڴCڄ'͎T^-HBe7#Q>#}y/?'i>7T\wp]qOY?v}Ť5l9ouK^Ga 0pn?K )S%R=Sb `ŞFN i6*B3;gca9$5Y_K,jm1 cg"AB0*!f?76ւP [e;ۤbWT{P-`}y ˡ>qcjHߐX@ֵaQp/])qC{c'r$aJl&_fECu5֐L~p30AiAhCݿ.20Ƨbw}+~v["L)}أ0]G?_ɸ][.>A83aFHm8t*d&p$7՜i\t ؘfcշ8y۩Bco`0q7p xY.ٕd%8oW̪YGjY,N7<$B XT*-&ni6.@g11-/$wDvqT#VHI>ip僐̡oZQps"܌ӆ_P yͅ=lXxapM -+ĐLH絏N1y^ \ȝ"ļΥ@Yˢ[zGB|w$6+ 5%$J0}g{K] m`#V-h.h9<cܿی%_CD*8EjW#I,Ɏދ'Rl_+I:ǩe@uw)'z߭ʭfӹ%U+t6m`M_وEfHMWժXsx٥TeqUWɍk c0  d5s"+,mW1xv;(gg/Y j H&N8[!neNEbUƂ*ps/.zY} Sq(8E@9C}1ѯرc`w5 0Y8h-3  `EPSeMu xOG]mp`@4[Û-ffvIgٻ~>Θkˁd1^>lXG0"]ȿ3[%gGNqd>= ~_3X ͺY/ٛ|eB=HӚOsCm~ |T9# ج{, _BԩfX>[BΦj__wS,[ T8Փ_S 1l =y`-#]eMpK CG61-^t1:qkGOBB{Tl{N]K ۳Le6sQn~4Gi) RYd?ߺJՕ`;XۥFnV*pZFZhh=~bY՘29>n=Ggm{8 A_4`Cb' [-%LS؋)a 7w&:^ԗQbDmX"E(P$FS!I2=s3AkC] (_z/`E[)Q6sW ; nW榚"uf_B. KOT?.]n!Ť_UՉK(bkzג$˫`u%vdD*' \ihԒgYzr0ŵ @\8J&=LmQh`xK[|/{4Xo*싻{^LZ1kC;Ywz [Qָ3[\[0zjTG$[v]s2b?T/]Uk(<ǤRƥ,{Me0+O26[_,fOy&};[CTvG5h`~sy7J@ZvU bIWl:Dqw9wþPB%LEW1ŷe}RJFzZ_8f(P2G d`*G/m`T-ivW KrYңNu / QjXI)\?V4L-mUxs $8<[v;7:4KXu@ ˞9!KJ m]Kgr]"y{`oefC 5تWqhU] ~}@ Bm@{3 C 6P!%pHvuy6Cv:I)͹$(oE0+Uhʹ_lvD2nFݮaL |d:=Sm 1_PeՃ^6@ {!v]Mq9;JuW7&!69Kŕ󉲒La{u )~(.7ʪP9(b1+1{Kj\Lqe%jlUl"N[Zd:vi ȧ|Sdw`dfsYM\=#݁J4ܾt:_w%l-<,aۥr&13 Alc⣎$cUo8VD.GjqcI_EonI n)Oy.6򴧛q^teWaqBNRՑ=T'Ǹ;VhJ2_pAwR_sp$ޗssV7W$'*4.[;!!6JGwTU+[S?E:liO:cF’8 WZm!b?CUi] j$}NzqN6V䭂 Ç %ڢ PQn=Xk,%bt8 ?jJW!x#ju< {Y 7" bbJ )6!ikvzRPK9ݠVyƋbM2b^qw#fcQk6hwHHw[[ f'rZ6s.va͝A9K/ַBiUags + J<._MBeBvYL r:K_LѣB0b}WNɦC4^;tzr,z!6YDl;:i+F%P^~Lh璀l;!bqMDvgg$98|At+q{MK'1jƽFcf]AR]J-3ԹLBN&AMp1VtL(c4MTK?Jbۺ~q7Jb]H9%A1@ăKB*W %'}I_{Q h{ygc5y'±ĒEwP ~ xHZi#L(ݬ϶ gU'8^1l~#eM4:ߐsHgzrKA#,(sMxH1ĈaP< Mw~ip}kY_` % jdb7{iX*Ca 5nӿ6nmnO k2VIk6駴Z^'*E}õT>=a^لA^0{$˷tF&/uSKPڂҎ\-K {nWNq.c ɯ"EvIΩ,ħp |*;v'zAhڌ0P"h<†r@#ٸ#dOFT+SINN8W*shX݂~GǬu ȳ^8cADujmS Pǖ(oDx({ڞ.AыBiF-VCNJ'+0tKʆbw2Ӆ\pP /BUu|ZPk{Umya\?_S6G8?`V0gd*~^:3m܍1D.$&iH^"Ev~@jOet< T̩Nciqgw+Xܽwln\N\鄟J9+.qBjuY`4H&^aF RZ rzQ,9M¿Z)??A 5[ҋoR=f?UY_cAEhTGj|X.,*UÜ\"g`|w.]"]ejE'˜05Z|+bi]Ydl)# Jvk)nOd8T~]>ۮ1@&b /FG$łf6ua]t6iaIfQSV9,# SVO&{]o$!t2N*  J+&M+r1>oz'@AO~k1 cw0 Wx8Q $->}݁9' BX] L5 PydT,o!]2}EdRaneOXL*lG9P6Y}B'@H4RW dsyE{ WT3̧jT?b'8*ՍD\]Fy} Ì8+˃ !t&I" Qq#*.eRX2!i@"J|ο$)Ր>,5Z!Xe(=T"al{Uw[8_c A'N Yh9bY7uP  72e _ւ]  J{2c6p+We7|, t yG?'atʿ:(R#qkIq=jkPͼ:Ԟox4m㦹U"'L>ͼk$ ZyBFtqŏSlǡT' Qv5^նڲX2 NDs8T#?s=w3`ͻ̐MD]yA+|wI23%)oD_x{r|Ed`py(Ѻz@BŅyZj{oPň/YrZӃ֛Ќ8BY(oMvQ*K[3O(9Y.:.}31ov# %2? \+Q875~ULF4cXyӻ Noe+d;|db mxțq{Que4X!)bP{Ir2A ɬcrN xnd(Vw}2Bd׊$R+NήLS 5b(yh!nΊxIjh5\g~)\: :')mlu2 vpq,V/f q2# 10jD;e'AALiBӞZNL3B7n)cy `v M`5C5^HDI_H4dKe"WU7ÉV1/ʋǀ;8{VBjˁ눯(G7Ʈuxc9yB.[؃ ގuW+b1;UMwD1Kq8+˄Uۢ)ObPe)9@/oŦ ' Q'vn;;qbM(Z~`n ը|ss~q\‹cr%,&òkjׂ/ȢDf3!Ob&㫸mLo46k79+W 8>Mvev#PioҔdcU6L7-*e^z,Q1.wr.jOؤu=EDxO&b@&e3a#3£9YQ۔ߑQ?c≒-k}*on7`Ťcȳ*+OsrZښ/I pAeQmφJ/Sړ[Z)I`DkVq=JZ{Hd ΗwHqxmۑݍ9("tsfٴGb􁬟eU~νT(C"D5pĂݿz9߬aY, )~=Nq'W`ԥc|ФurU7uC}gTe2mtn>u/ܬh+:4"ƀ7z>]O56NJ9^G8.*q)/Gb5)˧khNEU;G ۜ25S$|)'K*!sYr`IMՓCv0BM u"'(Fgs8J=utSrGK &)t VXԻN?(>p8q;ޠ;*A&)1L̷-+m uڳ4RK(!ڠMYvE^o%CU$g<}IG5 t"9CBHn{u_Lc,MJ ea=be`Ed[Cgʡ>jA~\\X0:ú./"9mpsU܄gʮwxz_}7W#L)ـӧoHOԐԕCLz{c("S3W0U!PdPdrg>rE\PT/ؿ0I)+Nwc:ϙ”\gsT!IxJt֯XGmR˚DÑYe6&ǨyB1g&Ts@!wsfܒ9O>x ̍Vne0-KSfK?_ޠ~(clߟ;hC'纞HP1goUR=]bIW߅o.?`pfhR@j ?'8_t %Tjal!ZvFңme &RSJPT=yv9XE.sGm; I.i,)\芢(%xd .7<2Y9(3Xu}oogerwu͵MW)$- ۘ%,!pP, Vʠ5CKs Ȑ/Oc=D kOn}-lFizObA|\BNJ[nJVa/t%F 1vY@O*''T%/6M$((WnGɎ A)KTQP\{>`j(FYZ;neJd_} b˘Vo.M֖#u=GF Hɋe_͢Ip PBzE6[55R6N#9]YiBF!>c΃(feJ+צ3 s{]]J X}ME}@[ hZ8}Sz0Q^5fȍ >`d+ONcg5}2`t-N0;s)XH2=1bd(auꧻ2tU0;m3M)osZ$^a/#[:a)t ـeFTY<6vߗY'GIxOG9H W9>󹨡T1Q^0LQT$Y60UjjVaXø+-K]춆!-zTTWf?[u`^o{cn@] uKLRѽyj*/4u镸bF6^ԩ #.3ċ2AYFuuq:qKΘ184+?5(֧#LJ% 9: SPYDZLYb~GdBcpi/F3E{*q.ZY-NVR1yÎ%Y, Nb`,$jx71'cHɌQ>, uz:l6X*NWטU2a~91~exp_G﹦5Q ,˩u\5UD HlhlD<mXRi!e0N5^]\ݝ+.8T&PAq& Ǡby1rJ|IdC|VH6۰~Y%ݲ٦韙i'Uؗk2JכI4yaXHPW;' Z;uYUԳ裂b=`5UJ56unDl!}t ^,ac0p!H#=l"aL$K:snkĉ֗0XBPF E#2qqYևYWD0”+1Jҙ%=ZY)|UB+٣&3q,遛:*eA\gd3X1VNuFO[ Wv{}p21L%(4_>vh@0SP!f)pNgҼG"o#1UVWD{w٪'s|Mgqj/0ɗqIWe@PMN&E@R)ʁoɡ[Ztv՘tB~IڝT^B|`gUwgD/^]!V{oQk%䂙 v1%'ʗù#fgSo2ЏWZIg_^.+}5Ƭ2l{ʝ VBNǓ-H↿ w ^8Nje7sN~~վ#oA+Ol_ײtԥA*(LmbӡWx40OU7HngJhD]Ԇtca/ ux#[ "D}QDH"ՑQN -d8&DP_ӏQab^Dy6ù@vauO&X1)7F9 Oa%R_R ]x.1JߒVV$kvPfd=u,s|gT%πHJ9蹦ܘD+sf}oͤmd'0j7/lx-?jo=qx_QgkE\g΁f݃.@0 G(EI3 0n.y5u &ĞmFZ5'sklVKBOիop5}Jo K-+KTؐF ~^:nڂ_L* WzAM*m t:!":IH@/dD{W]Xj˸X`Y\ԃo ;q~N3-],m[|dBc&(vK R=:u{qH[HM.7p+_1]*Ifu~B oYbAQDode4n⸚M-WzeH-Wq5ь"MڒE]g+uu?!Wt;|U8i; @칚c+7eZ*𕑨=`RdoP=N2HN) {zt4% i*.%>TVy}0s|DQ:+\ K45jXta5jͧ6.CVp 6\\-ylf# ->0E@J< 2x&ў6Խ >0~b:etVf;% @[:r; %}9x ?[zQ絮iٶgXlxׇ4eva8(/3iG 1/OUQähB-Z󏖈Rx¨LU-]dXp"eE';6hXC҉_4]sag0E[lb ;" ƒ<љ Q[+~g$.PQK遪.&ʚʃ "Y/㼩Tjײ0>C?E"V9yM,JBn}tRJMDׅlA2 kѩ^zX.}fo6@ =U~qLYnY򠱜-|FeE;-z$Y88ftb.+ ɕQb.MwQms>P oE&4ct,PL!j|ʂXϸ+`M{ſ[R/#~VRQ{Ud_#=|&P;:0Җ9Ļ%!sG"5We0ƀB/S೨0,1@8[iJ"BZ:?s:k6YHr0v@b=4pqRa#& p0ER(*!x<-%1`w#y7f9V lH'JG",/oVOѰ[;AƑts,Q >uتp@AqolkI(U\Q"`d궭!J9?zs?Zisl.U4ְ35{]StG'+X@A p͈z.# ' 30%Ra~M[ =yT׸i' !"*r;vUV) H&A([zp؍ȸÁm2Xkh6t\X E&|o.rEމe(ԲV m%cq*p5y$DituKH`J͉a͠E˗P(:搏SvzEtx]=LVeq in)eȺM#>v2UNv⥞hM-$YfԬ1a$d/kԠ,w(Z|m,) G0wa2Ďhe}cbN3K=?D~eTZB VFz=]בC>mp*gFG߻X Q.axR5zE:l .] aCrY%V)͛N3QNeIj\a66 ̒Bm/cמ@ɕe $41"_ʳX%*?1 N46~lJф7i]WsZm;tSXKKtpCf2Vn[5MݧRq3LK*df~aҡ ]8\33@xo:3] w3De;X_I@o6u{w]M@ȇg6;61,[s3Q2-RP,ҏE+0Dä[B)C吐@8c__$%FMf?^5?/?g0TE9F LXZθku*D,Pww]+V*_xBN[ߨ!o8Ԁ}؅56:YF3rztK`9F|a%: A.];\Qa_!3an+ .V rGONHCf&tKXBoSqrbMد7th`zu*3) R6>=*i.Y2zJ<0sJjϬwW.-;}Rݵ-?,"0ۇ>/T*WYQt\TRzj;XL=Ġn˜>āÁ$[3<":wto%r!*c&|.ЬwiQ<+c4P5dꭸ6x&jDUvϢI'кIe@gdT͠7ec|B[ ypc@TrP[Bug:C 'AQF p7s;W8H@ <-$c)Pɛ}x+HGP+bAZ,^RLk>?N1z֙L3]ќU8Ex6tǼɼyf= cl<2aCFRoMzgL+*B ^Vv?{p-R Zs8x 49&?*%ueJ˔ڍwF S~Wy!^V3HXn: -G3Pdܗ q{brΞؾUͤ$[(NTg3_x)l^zoo9.cw_b MdN=c~IT\geȐ GR@IgГ[~֐gЋo]rHZ"e9&F77xfFǿ!uj^ݯf:,C܆BcO`̹s_:q,M^WuTC*0l%)V}E z"-v#䨔͑JFCnVr}SaG_Db( Lօ?wAf*ޫ@S_Kcb,+?Ǒt #P)nRB3wG_\l1>-'}WJ{<%t")~R۳K12[O3YTo>C D BCuji(%`c ޑgaQUF6+Bvl`^8 񊙅yc g܅Q M !ɻt7+i@ΔJki}#}p<Gtll|Uȅ`!0؎~8 Le9!:s)gJr. 4GY8p57BO/*#$Z.ՈrZth|9/]j;.þ$4)X[̳n$RE?ǪL&XoᨢVj':kI8u_8dyr˸wIKS1b!/rf6: &DQ]Ss;NXN&f]M@Rv.mT3&X79i2mpS:@ 4ѰzH}}ITD#E~ug(˖1bZe:O'@#QGfUIE<6CJr^> RSgi"qby ykȜ[iS.  ?Z#j! &R琡3_02O5I"((iO ɭgz0OPO|72kэ>ޗї׌nThfۤ楄lmG c\{a#%'tM]fbE'~ 17MK>Ei+PJhc!.g\?ZW~M"eCheet\W@͡iוmV$M̉ jTvpoS*G+sQ҆n ,jG`- 00%KI~L)kcX BVr[h7~]\?HUbDvL0`V'Jv(c]\wqq={3# <CKr`kk\IsT% ^>xthIS"}H۪&.բ$ cd+Lp U*wt ui"rn P+*HG'i]FQ&Q fsL^M^dY&gZ:EҚrM x xa>+CGMit&uϏ9AAe2bnji`H緲ER;e(ZDKŻ frqM5|lwEaөaK йw#  Gj/IU{h?DӊX76@1|ILxyם([bXZU= \AE1)-@ҝY!? ~N 6j uuT̍by+Um>ۺG)pY8("?\aGռ fDQZVSUd2^߸;CR߇s¥RB_C^n6ak<gqc߂΃SpScFB8 ﳨ Qo<>r ӝ?C=OuCFH??f }末<):C󉾿( |7>#X숒dMR n.䷣lCf `LuKAL] +ӳ4R3Ɂ݌m:;U@`S-[DGw#QEYF_͛FwtDprtq}QH$3 _eekVKl3Y͂/ҥ@D"K.+.[1{џYozvУ|տdeob;Z&'CƷIܳa1߽O[4zvѭ~ q@*( Llړ>EU{lpbb0t1VAUk:|re&t=#M9ޛ*dNDs0'zwޞS|>H+11: ULm Uďk.}RT;R1b  y{}!4gdpﺬ0pb' 6 }^:c;%_lGd*4\m/gՒqvs}:uS9 Gt=ؖ2;V~2oQq2~@,Tp}% اZI4y#}u&fΔ5@6#RMr4$[ ܨ}8/͔ ؔ"$L ɜBNw8[Y^OhqlG^RŒW&ch5Pz9u{)1Eo SS4׿z7C]˻|  7DFxEqHMġoC#i*rQiP8[w/(ϝ*ӹxX9";FnL؆7;㎡{wu"L]$]Bs~u&ndQHp<}|7Qua}B'܆Քսj:cI8&Q&9f'W}L,$sWq;?҉x, "CI8+&;V5~B*ڭBO5~VI6Xw\_qDՎh&hxy [є;>7_ ϷP^}¿Q,~J緅mf6=~jKuG@d4bZl dwUo}8 Bb-vQ}25dW,:5B.lޖPw +JU, hN *~]T.yHO}kB:y Ε.9\Δ)N&\Wւ3k`֧pCy'>QIҺSv!RNrя薘KJHOG&` L}I!?TfTpX^q1Ǖ6Btn3,vٲuޙc+Wbt;¶ʋINns6TclWL;;>=x0-oϭf}f_q?5Ɲ2Fu~AѧDŽYQ;%rT$3Q%`a>ta?59l [YvG2k"2{bcp?(E;P>tMP)"J'=,6}d!RKbqj`*gT}fU*:[`?OrÍjT|ܪ3?͔Aa Te3+:ݴ*y5AX8Ƙ9@pO*Hƛ1e:##F6:dȨ#NBhl٦K|1qg_]c&PO0ގ( za2 u&B6 wId<ƒ&7G ,ȫ*eSէ26,P & 3$>x'Ĉ&tsT$o.(\)!׿oE]r|fUizϰ-sqҵ _[ CEڑsHVfܫy\শqTpb$w|`^G9b!*{8{*4ePi0C%O0kIʸ~f4L`1c$\JMi2p[KT&$MV㰔 חM)W,]Nv/25&R%k@u‚ĠB%C4D&K(j@xkxJs|f\}փ"`ӷ}{% 8tt i݂g=V>| 0_,XW]Y94ɣA$oI:7\oBj@u\yFɍ>Ӵ'}\jӾ2ۢei> 3&lʀ(W.Id̹aVu ?7O ?%BpsQD7nNΊ૊[׀I,lFyM©3tL2 FI׊n:wX]gz,hΘc@~j,"id"YQl&3W$5gI??sqHGvoY4Y1a4˖tXe5nrik(i| D,R j2ܾ6Q| ;0T f6Eq3\Ջ L$czd߆SP *:EP$^/ }2|`,һ-Ru<h[:$p̍~^G6&w0Xe:@k`yy/  !?.n, RJ!kX>\ڣANPն voյRؐ_1T-%*6M*r@(L??aрZ.g V2 \U8p#֡r  6 ם,*jg Eß % qdF+O+K W6KFi rٵڕX8Bh~\uBoc*7%tƇnvQh(^~X /pl 8a ƗN(4&K&"Ƹ"xdV.y0`6YS-Vo('>qoO,yT @YBN|jnL̲ah{kILvG5]|m0M قb:VPG7f&t9v%