samba-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3 >  A bp9|W6_@2y] ,Mwt ӮpwWP 8F?o;dPݔMm~Ci=>%VFܿʋCmP2Slw .!<ڟ;>f챏-1PէYZSXQx'5PpO"фy>`XuYplȐ>pAa?ad) 6 d/ Ee|    ! #&(+B+x-$0`01(282 96:FBBFD,GD@HFTIHhXH$YI$ZL@[L\N]P^W@ bXcY(dYeYfYlYuYv[w\x^y`,zaaaaaCsamba-devel4.15.7+git.376.dd43aca9ab2150400.3.5.3Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.bs390zl34xiSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390x( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l h[ Z=1y<u .Y3T4&{66)w+3'A,;BGYAA큤A큤A큤A큤A큤A큤A큤A큤beb bb bbbbbbbbbbbbb bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb bbbbbbbbbbbb bbbbbbbbbbb bbbbbbbbbbbbbbbbbbbebebebebebebeb`b`babab`b`b`b`b`bababab`b`b`b`b`b`bbb`b`b`b`bbbbbbbbbbbbbbb57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4ca45c2bb309dfe1684a8fc4212447a00f588e6fb067632fcb30eaf8ed39ec802cd7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac0c8f623a179698e5c362b06547860c1c9836f83e97ee170955a30d417f75b33f0c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a8d53adb8702d319f187f0f85e8fce860d35a185b5fe460aa42fb6f41698a0cb03717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203c9d1bb43c81be9212da4b4a414ae656a487cad55d8429013a9ced30c53603dd2libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.7+git.376.dd43aca9ab2-150400.3.5.3.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(s390-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3bascabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-devels390zl34 1655107735  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab20.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab2-150400.3.5.34.15.7+git.376.dd43aca9ab2-150400.3.5.34.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab24.15.7+git.376.dd43aca9ab2 sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:23822/SUSE_SLE-15-SP4_Update/b64126b71a588c6018bc481f4b00e0f6-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RxgUMCv]Tutf-810157783af97da81700762f63e522d672744d67af54c183f5e69fba5dbdb08b0?7zXZ !t/] crt:bLL AxyzUceq61jHAT:ܠG02^L{UCc[>E PC|6<eH;[#KXS-w)okew6 2Ѫll!$4JS& +o|liuߣs3x' nA9ӾY l'*3P.2D =Bei2;x{Vz\ll3G%k,¦`X!BP3Eʪ{#?}8UNWoQ>|NS~a'Zkb1t'b\"мcI#%4zHPWWGD,2Ió)U:pG|`>`n,yڻ>el9A{v-+at[?p/Puro)Ynk߀ld+N?1|lik?dXAik#a7oh-P`[#9_LB1;>z^װ*Ng8 Eۖ\^ ֯*w[~zíx9b^AS*'KL^7֩7<)`Q ֵgXwx_}#~N[d}`κ_#dYpOs\8Pi|)qu< 9?;~>([.%47@Ey>Z bbY4-zvK04Ӂ r0-0&gP*k)F) &#g{ok7 |w--ZK&hBȲSn_BW(<|UȮaV_b%?‹Y aweoA1z\l0UX-pbGg UfW/\37%OK|Xu=װ-h<wĬ!f#V$#.]@7Ud1GL XxJdT@n? 'TsOQ 7ӴhDKFuIN׊CP-WF j}%米8ʡ R=e|Ŗ- >/M@x{o*NC !?yc]$ &(.rZ ߙ#1hR!@+j+4hoJ<@wBmu V+Ci0^bRbXtF(e-}ޠTk8vJW9Q~]x܊.`` c5^gsG_jȔ}Wzu2r,s76]֐<B|k 8-Ȳe}sSm:FO7T`cᭅľ% 3]tq~oPVD +q/Ih&JfhAV8Yn)s duhڵ"Y+6ĝc0wH_83)4, ֘ ŷ0d!$ʄ7\>>-@-F>]Ijŵ\Cq z۔N=I5͆ǚVkY" \E@^m/GpL?54 VӋQuٹT$p>Sx'y}r6"Z7*Θ} dKn]9tQ!k=etGΉeO)l[bvrSYZ7zi"L{lCrhzLݡDk<>a}}՜) l8u}uf_.JNʹ1CP*jȎ3K==$pr4%,I47ɐ%/n }@"3Tpk\ 2Qٱ |[?u!!#uakaiV|'<V'n>81B(IredfiNU!v@n&qH5/HmüA؅Ķj4mQ1꾸skP5S=cL`@'cj@r |b!u;_=dcKTcV Y΋!^'s7[ +woσis35`zjJN>]PI"MgW}.x~d@<#z?>DY_x{Qޏ$$J~\'acU?o]=6ؐF%G#wycSdim5b<{+ z6ַrgޑ)87AzLハƈz gȾK<ѣCo\bWB%u۝EGuS1a1>(r`:6>GkZct q|5A$Z5D_&n4:H|9f\cNõ8ILc)EٯɴPŒ2pFzKlM yY8 _a8e:,KNigXZC,jP`AJE=b`լ6ۧqfN,e/s{m"noؖ<9 / $\_"J1HcH zs鶘ړС7[qukL'Ge{1]Wh%M%Y }6xWCUns/sc J&[J_6a Frkz -"Cԟ_XBsa=tWX6ѸIT{ lџ\fOL/HO\\kjbT W@҃:Qڬʵ)$PKw#XzQN<3䉔tv19 ._O#kǹ2}Q2⺧D e濒N+7W"{%* 긇V$\ۻ_F檜xz/YfrC]5= Yz!$.оAv˦'%6>_lyyxtqLO'+)!r"ջ2J/X@zS\rSmKyuЗ>AV m`TBS7x|y3%[XuU]Vk0 ۼ-l烆K{x|#)PS1(UIB0iqQEu}N^zBEpGCkA6J*l-si"&84`_/n/3aEsvD+')h|!nT.8O"Uz五ʇfBFge[/(P~?b#0| &ݘ1oqh1Gw(%Iт><, ltnl`ף JoP+*DP(MJdlj7[α[rbq A0N},4>)A내BE<`G#d!2^&Z0GCN,jySW84X|:_`(Чk%{Kuٯt9SؙWMUHl{~v0km ͥe*OIw$rqU%\$L$$׼ j ƴ7cѡ(F #i 鹯)A\0o}o4 FKH,RGܟ*ϴ^LN:m7 x_L>xb(_ p0)I'0_ LN,T떥!rQ"aBi \qSeqo 3codb]h!\7(nc4C&iyߛưtST: ldئEf0$8NPSZt?rt(٨397T5莎stjo߻+ܱ_̈iӂuxӼNs)4l-^}]gkeQM&! 3~[ M5j!sPgee>05 'CxO%[CC5AɴXzy%a(RHci"aߗt]\ylhyVo+Pb#JegjCEA_y:a}oTΠ4[)m@eZXc PjBƸShX ORP f)YR$ O_P"IܝM9,%v3xZyNhdDN.7.]z4rڼo8L+,gO ҅N\ Uhx8Km߅3:& \qs]2 }B53!"wwh+~[EJj3݂-ӄQ?b#}'U/;~&VZssKSX YI@p1} iPCdli6Vkڨso^*ZQo'ï~VcӖN?4s a4)0A8ia>X5_XqԹ\_س~u#J"%F*gS JZ|#\*BX>ȓWa M@L"(ZiQ-b͵Yh|*<:'כU;)"J_Oars%$z/E<>VR>ˉlv ;b K;%h3PYc^J.aSش*q=os pL}.4"]M |qZ٧"Sk!T|t`rb2@\M7E*:*ylpP:4Ô3R_b @Dz>iqkeg6Z#Ç"!בn #f)̃fG7z Ϩ>Cyꊍ.{ANqH\'+Ȓݻ I}%.Ϣ}4@kx65eM@zBZHs&1Owm\; B{cz{xv)(*'IWڮ/*E23Ʒ;pyL͝#9sVܿ%DS1#j ! vjjW/YG(N ;$ V{@썅;d7RAͽwEK4d$r[%]Pg[P[RF*mܓ ܀.YkV?+=WwƨR`f`5fx̺?#=LF}~vopq M y|c/pXӠ(f~)Q9*LTUOݑuMo 75}S$5rBwn}yq3`cNxqMQ]wPm/g MM[Wò|HoV'^kq.\^h>BXm*}r `=<0k.nkNG#$r;}U^>ny~u `BaT `LV <1ZY`R?Y[6 j\Oܸ23(Z"d̼%lLBlrR|@?-< 0Fl󵲉~"/XF9je2UACxK`.]ެCL ;*̳0\Їq5r]02"h (W&;ڶ*XJTØVWw stz.M~oª0ȥY>e & "y rk@L2734N@";0~4R`ȄqZ܌RՅfإhP2K*Yl %OHEyz?ICS2c MAWۛ<2QҶ/F3`١؍Pl0W !BvA`Ʃ8>$@gx6ġ8˜KIbe(/@-&h;kdTU6.0>H*V9CrEJQYF#y(dTu8fv1:Yr@tl]||?AT8x Leip<)G||6 pxs.EB]+cmQ:k%1-nw-!,kKէ7>ڰa7(h\.a>.fe K&†ifk0p8OE#>P6u[@;Ps+V{LzHξvy໭;/?Rie`)Trա׬s_mUYiWJ3p̔w8);Xp ?G/Z И6,O[F($h6-yd"_k =qK A1Rw<?z61wZy dh/(S+BMHiJ* L2*[Ԥ*!3mwC`d9Րn* *̼)Xvl iH!)y/n`zƩ߃w8.Orwbﺑxs+HWdj 1l|elԻg$ +j~ އ|K2.Whu-W'Mz(y%.mFpZIg|1w݇7>hŦȩeKuP0O0LyE>JXdaAP^"I D& 6y0v6PT4N.o_ H7@kPx*tGjeε;^Ef E-]JS_kP^ZŲ f%8,f! jVERGvrbNE*N-S&umOg9\q  H꺉J%ωA= pM>}~n=gGLAF~5t? p0Sn7P2I(^ 9 OT#F=˱m6e>Κ!M HS 5@`iT>y3"h.mp C`F|ׁ3lHՐJ#aZBz߼ @Z{ǤcݩVMXyS\|!\ѩ1/ @io)g 3M'ۗS!pY߲h$7?n;nO˲/'V@M,J Ӡ*_619Gb| ^cٱB%# MHgJ @1`(_M1U81x}g-\rQz/xqwX߱hY `R },:sʢja"|cT%1sH 63žl8/ c8IVͤ4){^w{LX|¡Drelkn1@ hGza :,2HȀ<#K*c.$[;7J]KGX:'}p^lN9j߫x6TSu4Cz(BܩZ&GoTeMA"t|&ltlY7v)JL/%My/[k|j 3ÞC(T$e [LNVF^B}=Č`OU# D ᅪQn%3ؒT@w~9𫃂y z"sNj혠lU]!#Aqjp]&T#́[/\? H+#cάn9\[ӆݐٷ91{ 'j=snLeW})9H` Xw{fǼXXz 6ZJ6VZ>hS0W( xY?MjFRpbp}̍S4* 8}q`w &&}RqS*sI'3?bcҜ5N1{%?{i/s#dwv1;V;a@6k7// NߚGəoO$(ڳfbMɈ%j@}t}Ǚ?Uf:jڶ6<MȟҶki&Ȗ5۬W1J^y8AjF L[yɷtF]WoӺ޸MOd+[(Y3hW*9h1,feK*i闔 qٺs]G# Ǜ.yV}O1zN~ԋ/U^cX.1Nڟ2;"|4No  wT\*ۨA yC __Ca_b$s|2Uf0Cސ&(qkEkDtQ^M׹S!:D=7e^Ք>R5åk/ W}6_d7nQpL!|WOz rÀj(xRdv+ 5R&UE RUBr,׽5]*NP{dj +<_'phHLCt싃MbUBp$cEga \uv= IE2%(K,u!-Z#2>O㱥 ed'؋gkfsj!-0ӓ%hsԗMl;V:T?q/܋Z`5P%+9ʿDWdaVYh颈UYU?*#[ +/\kdW\mfÎ`Hqeڏx搉/Ҟaappd^ r J2x1񑟷MJ@N_+v/$pROlSё L/eD˼HC[P/1_jW9!Gk" ۍĪy# |+WꪑIf`> n<21N: na篨cWc\v9Uܐ,Ȩȃd"e brk8Bʠȫ e4?-|>LP\^9J~[6֫Il\ j,@JU](ybk,ȣ2ύ괊b$䲨\7I)yY^Nv ˽"^ o'2d@t$x``sV }i+mTcYVHڮ,}i:lz Q\ XwZK =Ͽ:F`4c+-iS2̈́7ƮbE˛W2xv|Ār >>&u|} BR P1uS^5٨u)ث/ J11RrEswž̋m#wt,Ώ9/X;H-r.Vg Um#Uv$ y)v܂cY.W^X;5ϜM-Hvny(@2&Ċ^wt'\^Wg})'ȼ ˨:_.FI\9w UbeUAؖ&?:{fJ +N<{qntS8;UEͤWDN j#>,5ՠnѥuu9S]J81ʆo%khfzjٰ/^ z7H'qnRB559; nS4-46K0~U*˃a5ąb>)kF+FI14kcT$SE'w;$_;{=F˶eHC}]㯳b>[Z$CKA&1wBn.Uv$T }_vxD z0ek&2,@?baaN W2jaTjR#Ut̿ħA~Kn, _r@,)m/"r|b[ġr IO'ד%qžť[>gi,F~#)7X]]7/` N?+6qLg|LqWRKXGEO7H$;`o7Y* _I T&8 (n-Q-uTz}rkI24`"G @uvߥZʚ$0{HMi,9d}ԇ=zy)7Ө)B;=DEcwGmAӖ g2B jJU#\K{i8_9X!hw* !0p妠ȿqy_DBhe[@nz |g+R׿9 Ugx$x-KspG}7"OAĞTR(4Jh6 cmZi<pIy\,P"A{At$W!RcJ!u+ SQNo+dSh:QUR=8a|3'#j&Ծ< ֭q[Ƚ(v9'1۝ 9y^Z'T H%D835S"p$=`tI08a;52%lٛc#Ojlf3_ {Y<"Mv7? ~c]2&iH]UZ ɎeU~CVW,ؕ&_\!+wn4]nfs߯he ]myӹ|lpmgiZwQ.M컨+ zS.ej)/D_ S|ʐʫ8:RF,ؙ LI4f&Voۉ (E)p=WB.K!ymϼ-BUpRsYW;(W:aԦ.23ţ=UN¨)'xYv-A֖>+o/zTTWSdp{bجY#ƒDj)x*Va Ase3744;^m1|d,f1܃^XiQClJq !nO3}DJr2ݯP*%y_W6-"Grb =vI*,d<#7&EH`Fi#wxNu[x? 8j&JX 3XOiWMV$ȇ6?<ɣ6^6f@Te^40?frQPȴ l-2(A*!l۵9d.^PuR(,0;LQCzu H8Hr'ޱ^V{H}רĢDbJm1QXĶS=֭-Tgm4}3?7T.{-Ğ1K?gN)a򨭏 rjh#] GIr< rJS}ح` fBE?rTT:s ܕ1H'- \ :+_-V˲ocX 8R d6Drk:ZXp\ICAB"Z ^j8*sBWi|RzģsK 1׭]VOڟzF>r"9ttT]{1C?lB[,o9\e4UuνCҰJ2[\K:y(΅jI ,aZ$"G哤@nDҍcJ sFB<,]! xN?_w9iJKUڲoR6߫kHs]Q) kQVdq=̹DxO!8G,zebvu?Z @Ƥ2yX \f\+I6>sJ׀?}P C;m1`6AMeAv>* ߤͽb~~JHp7RZ߀ [Hf\\&%YC7X.͸OO]~oA]_+H#^Lƫ^뺋WVdt&J22ɐW\z$صdi\S8Q(h<1y]iL˓a͞8fGPH>D)fViI?6OoTYR@"nžyw:q06֟3(5̢ifHBiNkÕx+xrsQmAggE!2I?#NVdQ$6nm/s%7PL2O\a2QaֵAl9jʸrKWLN,0nr0y$b;\eߙX{iOx̙S҉/u3="1G/0-Pr᣷*M셈`{I_bm^BgN#vB,f1qG}aYڡ`T, <gT`JLE݁ #ڷIn)ߟi"ٴ:(7ʋ;nPNZ K˸3Jw˄LgqW&Jh~ي)."; 2Ĭa!,5sjIf7Q$l]J%aU\!'@k]* k:[d@j&N$)p0Xl'It !Z4c+7W)KFPי3Epu:@25{߅&ad,h^ >=4j<]_6 եch_Wf<~> `tJ6(ᷝ Jc(I5:U4e-e Afk}c '^pcOF4ʱ ftPfO&ӱy⾧6GD- { p?AݿGʹMO&͕:n#8E + 4 $҈E5H #ثge/SEЫn 9 XJ˝&Qќ11_!QUn iH&$$eGxÄ^0* os*@l*{1V:C 42tQ!->A_ )da)DvVP}(uc@QwhyA.hl.}ꑖdkr3/Pgz]%+5HHo9&mWD9"2VtT*=2F܉9Rܶ F?ϒv%YQܞXסr89]?nxl|qhR6ArX#b+7J)fuhw>5W%i"bQ9煷*JF"k&w1u3oK[e'jQ!Fh(קb}$2;/]sjUCDaygQWj1a^qmU)leW)E@xx5guc"c<`\?zyRVjj&@gN%y?F]tY\5bQl(;={Oo/>w1[D2r4}ܾQ:Nɟz4y:0=7A:/{ԭrby.|X+[67ЍtXIhJM?[is/."Jt-7()zZlhZ_Ԩ].mBS<[91+rB2G- `Cx)r@g5Y{kgϝDq׋W+)+Hx"u`^4:cRU~i\mSܙ"X(ϔR:rQ8CUI 9=IQU8<8晑VnA:G^]gmlڶP)`1aW VIdI'nl}z>_gF䋻_ zg'|Տ І}A>T={G5@:%wZCĚ}d-)gIHaR:sogۻ2zSяPae\9<~qg8?Kp- + 'Ϫ4I+R.Lcq!Vr{EĘ2d|^>gM9T(ghhb́ZNa 6\A6aY۹PjK*ԄT#\䯋 ‚@lu+ȰL Vepu~,eL#CH;\|!j]{k66OTO d-7Ώtڙ8Yw$)o;.ԹF:M0=aζob%fC}VMț{q rQWLpR }˒Y=\>i"Ƶd0E..^P%YG=Ϫ\u!K-C993̂6%3ckKY:ѓںK"717,;-]Qv)"&{˚'}<( ʀ85e>N 9'voBLՓhʼnf#$FDd慬HPt~^[0ﺷus)W%Hc_#:&; dwf: HÖڹLaC<@EI5kV}5-&ȿì>;65-DH\?>y"0o@+=o;GA[;M:=J>z|rW PW*wMvPVrNSe779}%@e/:랟!1S>4}0{* j5>a\:nGDkG j S0I9 "6i5ӓvrFm89PHHM+i(|M))[ tl>j\!]6JmXP[ R,N\ġXrϯjOd2D=NPS 7^WeIvhm'] \SȫxϜ'KHyG`m^K t,č~1ݻ*Ca SW_x9qee TDzNžjwޖVT1o$w[(7=T:!_E7O, ?q TUIHmpM*to.g%ZFO%ϻ_>A4Rk _ro J 0h3g@>qm,6p6N qNd?bag5cjQ.GDg/Z5 P)+ %".` QMwaf\Ѫ a9W2͒*C7,ԓ61Ǯ3wI?FTjRn@o6Gmj XO:sBP⽎yةX ʊHX`3)/v%UY9}K_|n8 [CύY/q-òm;j8kW"P@f;gtS $r :\`h]3)< %dzI?>CM^0@)w(,WNc2%ΝRKӞaކJ>^_,+98s")&_SgTOVFm1aϐ8ဓj$y,q c~5 `SjP`ҡCGs2d4nlltbm]v%g #% k&{^삔 3~)m Ld}`#FcG`EV܊E1wuQ{9 * / WـՏjW J)* J*fz!HjV;wtDW / `8M#ٙF!c%0YS t@b)4吮0ʾYˬ( r;a)[ԩxW͵BS6&X0v6!.eF* =V@4kٜ׵ i)R-gz6wu2~FY1MQe0J]fq 27k.K8)J68Xtۂ?6fԥ[`sՙbA'DxٿsVڂh;I) ;xZo:h-8(d`+0+㜳n3tbpt*Tz C2T@hUw>mWzɉȱT~ت[}V&v+ϝFMKCK€\#X.]/2ڔc)v4{x>NR,ʷqC݅%K3O("Gũ":zٝ3 ^g/,`,O_E͟L|gG5!-t?0}j+6bN>Y Hb`qAMJu"@0]Όܗ9.N"NRRk`q[:|̄)Hq|o~V|F /tBmMn~*Rj/J<еO,] y]@ZmYҘ~QV[frЇIHP5 WZ"IUάRWnp[F>!Cw%&ʓf<2Gv׹x~k #ǡAt',ev䙚g:-Er˯}9 Ec!|$dHO>GaZjwL.:]tp=gSѫ<=U|LLhST/PaS[3_يh}hn6MJkYE6jf%UC ܇,bH#R_ۗLo~Q~4ֽϸ~!ŋ2*BtƓ.]XdD6zITsM缠%$(^ maRPPmEcݗv7#Fɳl.Q/B㮔uA&8sP"cp͢IT<n9}!ܡh`(v}@OJ[cai*Aq~_F;@LS/?}ic3u++-DfRP"g.iB<=YO gG#HQz0^mtL(ŀGHP5 6~TЃЧń:a9Yi$DShP.F HljsWV:U*"\`A3b3|1 HwPH8qS_7<6Q$)ݾ[}+s)D}φ55%;*{89Dl,B;5dM B ep7|/uT 3p4ԋmkLY/] =AN̑Bghofsir{nivǞ vVYXĎSrܤ@%p;B$py9y8AnXRͱW$O"$UmzI-Ŭi@^Q?4q~{J8fIL]$v+(P0 Sefj0lOwVjS}3e"W{,4wJd-p/Dˠmv0qwH^܁9ȱ8۩cvp[G01"46Y_5!Ύ_s~^ ђiL+lњ7} DI!DTmۗsKE,hY=`$HLȈ-9"\ 8t%{oaZ \"#DJ2>4 IX\:5ҬW"+@7Cnj;aޣvb-ƷNi"мdB@MWOť#C2?yZR8&JA>"Aʫ؊kR-~ ?a ltc*TK{:5Rj @`ֻtL{{' ޯ2'[ aܱg/_ԟGq4-Ȭ8u^-+ Jt't q/27ڣ"uN;Kx-·NU+8F7{};*3P WGJ=3I (IRc -uUXY*2P4gUp%ck򴅿+v6Ư=uU5LIHԞܚ ,y_pH (tYhn| \3"䵖ț87CNJn,O5si"t @$~lSlE: `8". ςI83a`,*wzbږ9QKABf! [7tCY+Eq3Dlkb5lFohYP&d~noyJ_yc 1bNYsJ+ĝ5vGJG:pJfاbS)myH M6|'k{+uՆ #RjDY,?lgqE \SyRET*X@Bdxש)D 77-qW|Dc|#qPd_UV% 4 D"!nm!TxlvIjzvdP2USgUu <Ǵ[ľ'XF 0Ò<l0KDi$9Z)%8 FZ+,Ӷ4u/[:1\ZnDQr-u D^|K jFs0nVF=SK3NyĤl l-lt/n=Ϩf=f?g$U e#oIjUiOnĶcHnL\Yg:>W`-,K m(lDȤ$KL{-Ab;yAv: ȧ^K*XcÖ;H>؀Wb$A= z3+o7Zl\iЇUK Z~ư1u޳؆qVJN(7xLAa}#pfIwP#A_Q 6j{E*)03=aaàYȺ)S9M۽! & ߤI͙fSU(8yLNH+DM!ivvYg,TE]yk3G<{57I8<o8m qhor߽JX-)*yD>)fy^ՉaY'D-/Mjqj1N-@c:w*|>9˫>;ݏ{; :d_7۾fJ9Y俕ya7ctv8F g1~DAr@^ w6x&햩eIpIe%XCO, <&tSߚJB`yFq9n:AaJ V-_I&ΦIfSO ݏq甸AŒzl>~D ib){"M]f.fnVbsRF L M@|Y.v_Jt4%́tC@Yq5 !j3mjR!կy;5%~@КΦGF88IiqTK4td:V!bajQTKVwlqVDEηSMeg 8S0xz#"ytJ=t jR.`i#}/"mI)`? kF2#d_cFL5 $0#DŽSXk`KF U0,A{,3 pղON79 '?<~U< c*SL YzhwfRY*!9СM."z;M>pQBv”={/ebO}ɀbLŸ2? 6|9\x #8 6!]pJW%Ȗ%^Ix: H,; 5W:gʌkRFLxq7ǀ$&`` 4 *ڞZ*8u QlX3wUl%pA"1KsLGdcf1"|sѝ_jz05xmߊc$ފ|4@Qen~`´'+(X`p1턼ƞu [a|d{ɀxet1B\XbsGj0 rߘcВ.C6Pd"LT2'(']*qw4Ө[k]WDu}19{bqùڑm2sf-#](*>BdUРx=T3^yqvg7Pʀ[Q]%c=d U!&$#& ݶ7$ lƶ3I1|csҜtskHl Kˬ2% f+5 L{`s0 UYfcPL& y~Ԙ)?+4"cx"3msU &M,9K͍,PӐjToؕ,:s>Ɯ<1L\jbRu/B9ϐËyKPO,8ɊlzQ24>pԧa~N@xpLyt3- iDiL><`mj_.*MdZ" (KZcCz 0dzuK1]p iB D s; Hy\}_B)쥑GӭreSHwƐ{LX!u[ȯzy}mf W3 zg"ԳOWF;-}cAxq'}{#/T2DAˑ""bHH!N?dXF}ws:QЯomMG$n1F)B & jY8b6JwS7BgTiSn]B /jyӫsuEL)GLg?o+sm>yh[#;ꪏLǂ ~U8~Q*&GtXaFW|լ~|8$q(u&Uy7<Ԁ%9|ޗ,R:OHϥu,“gwW;< 搤`ۊ Nމ/LoQ]C@L>є-7 D@CD&`VU[|VI,kbϴMV15LY<0 M[, z{8!p9q#175!kJlO?/ѠPnJ|σTtL$u 3^R?2kY("hƊc@ɣ A wsaag0@+gGU-8%}I@4~ѿd[bӓkpGZ+Hac_Ai&qֆ_yRaP+A}Rժse;, #y+_+MH7*™dQnH_+ۚL8mրcZbFVq*e[,AaI#9_N =p4H și窇͠c5MMƈ>L^ Q bY>^r=R4Yd" (,,5/%zx 4 xyVb\حsBZ@[!Dr-myB ϡ{ BȥZƕ݌dҌ?'[?/h@5Z1ڤ.mU!̎ Ha&Xa#C]w? 02rܶQ8M$,a>rtb`^|=Z[&4!nY2p9r+vtޅS;זk:QsYW.rs I!]F&1@`*,]RE7uGfid;QbJUg `.jvKn@_ovUi6iwTA> f:$=LK.vVI@D:͒gY"?h7? K][>RV;v,%ʔ*{?Z3\Bv)2MB[{W=]T&Y\-k<̍QL0d7S54_R^f-y2&Sb P |'ct4j1(g{db "o %vqAF8C9AW"7saiah-(-v˻H6"ٜ j@>.{W/yi{| Bt X(83[8rg.z0`_ep[-ͥq!߼F½1|M]C"?_e%ֳvuۆo`־ 'lyBere,E,`3Z5jMv(p&5q@g_Co p'=u~|ةZe-6ZU H&8A`VB_%8*1 %ߘdEhGM6 8SkY/"mR#K7:zk Ի}(KdQB!fV8* K0 u?#k.n"ai;C=>q ^#KEZ-|m,}|coxnU.=Yީ'Rج[vP]1N u7tcy եH_=ny:S2}Tlapa"=)չ.>P~ք16ug#a8,U9=&Sgb΃A$( Rr~fx^OiIc 'KSܭO(A) ettE_]cb9HB*΋綂M9x4}Mвcw_*61 D Dڐ@"@6$S up#iy̗G!7QuE+&d+Л?74P/yKxDÇA}dt~NX<+)DHតFؕ'5򄝩ދ=8ܰh`īɷTI'a01~SR(EOW-`F@;5aAJ߇BAb q U$4n!ZBLQ+iڎlaCQuAó3GP$bBeJ۷{{`g+ tBid5[_ @cLgEύBr )3͊O~>}rrAT F]Ri#8ƪEkhí![sPYlBEjBpSw´9q/)ϳfVՎqA{_ˍOu$ 5~_dy8_#e=&~ /cƞphZ {Ad Qʏ |k'/E\ղ&IqZ Ƀu_ӛ)m^ vJ,ȶٻ㒌 z!Hڝ ds2Ǹ,jVML5ӓО4jcyO@OnN*e91k}*3RǮig>z*x;>W^l֢0a|"?\@6ȫ644q8~%YFwgm&N1a$GJTԠ7l Le %.@(STy|& wDA1ImYw\P*Q TV^h?O~@cYxhZ`z+E,=\*~mT`A 8<2B%nt6GUf>a H`vǂ B1Cd)>-O wM'# KpQFYw}>L>I[ f5WunN<9|A$YcZ5+.h-7!` Æx5Xmo)1Sx4_KL AQ }DYEuEnN ]ծWjD3>(L<>1y'%`ɥ[z%̺&Ǔ˟xIܞ{RQm)e}ߨt Iv\㋕HcRm.peȵK2^/Tȡ4{'[^[5+]5fřZY#U7[\ȿ{_y: :>ƷGt„A9)jRIyr4 }QG{|u=o] OxJը =&N˦K uXVKyҼiy09E(|_!RcHIƩRy1ՅlXMMy#jȧkKci1 )TwHJfz+8>^O<C| nܢ$&Ў@"ΗXݖsuDg|) H2ퟂTQuha.rxrZLŽ8XZO >X ;an*oߊE)0Nɾ%xL]uCƐKvyN Vg2agmwD]ۗz˥}8dҔn놏6saʼnoux8;t]3Ɖ;7ŋ fXqWAq"[i JNh ЦHGBD9- S$xO"eL(R0-gX\g(ھ!ˌ%#M$ py /9MT,bw"{%%jG*\ȼE%mqKp $&ďI U%$޹Rf' ]aZ'9ɫ6Ts.[hD$-!мMEY&ꋡM"% \[=rv/)M~% PUR _5Bߖ_Gw~u wt9~FU*%{sG.y]G8At#Oc:0-5g/ݖL,uJڭDOI_EIBeT=MrۯCP:ӿ+m`:,pOL.Y2>d_~f͐cQz)#]wۺ@ZH[PIF~QE]#m!2L(N 2:.{rU1)#Tn4(׃+M'I#^Yrc׍"^9{@^->ِ\I"^@.݉+bNh>ڂ A\t nC fp)n;X` ̘Wn̕F_0z%<fZi C6pT F9bɋr=XBkG/a"/BV^m\6l,tl k}ѫo6a |;AѰRnQ &OMԫ08۽b}4DK\k[)O_I)-#6-ya|cRy}̆uRH&"S R~j }^ Pj6G֚%R\[/-Fٲz֊D)XuL+gr ñ'e3=ҵb7Xv.mPMt[?W-4N~at]/첽|RR\U} ՜|="4:jݚ$] ˻Q}OV< /Iґ#ʇDO-T5̰fs%$5>`35>s4dvS ';=gS4]rͪc JW&Q>6>_:V 2T4d%fv ]Yڽp#)!խp^h u+>9 W42(jm~b񁭚XnJ$5V${I"3g~is+2mI.8Aqܢy(iB.7JieK䤮a(">jk8頝_(w@QU-Cњ~h7d*p_$ɇOaN.y X3c[n/!%&V0C6<1=ɝ"_q%XLMqhR l0zBaJmeɫN#o]sI pۧX"1ۥO}J0d"pbblϭgfDsLOp8 + c{|' -~ѭ.&,Som`+KfV2 n(WڶIl@w(~2L=D*txTO{9X9 ^moBmqoo Wp8)|~u 0CsOOʫObȇv<4&Š X6ùz>P3Q=s?7foO(Yi&T8{jCbi g- Gwwcr[Nkj@\#sG &զ . 삮)L1P| Lj]S=y%ǀ*L 8p=k0l/tui&(9E>Gho.OyCƿԖ/ۂ:OC}.)"C0PW؋Kf6^ S `坵p#"<<5pl@Z ,U(^U؋Fx]5w6f.)vlD<+ͲPŶz9ғVyΊg)5U~)b 0Ϛ$JYY@kfFKǙ:2_we._F`b.{O\ *hg$Qs;]nu%ORm-Gcԧ e6DG7m,KQM֎ gu"匷/c:sg{. CrC_ƌ#Mr&T>Q.(lջG>?@߸/KŲsNu~EIzu5 x,hN=`+"m"k`U\C5\s 2NT#d;Rb:+cΙ*ݐ‹fx[='b -։$v-_x 8RͣD(B9a nƨqG9z݌ Io@*;|it # ZxĦ3* z7bNN´N!`/ @ƸG뚻* ]cDsgH agj \RZ7XyJm1f̨_eyYRo"i+턟s{1ܫJDi^r숅!?2KlkXyAAzojܻQZwCx?w'tnQ e0~m_XMz,^c/~w EͲp>?z1RSJy34PI [w'v:WfW׵.n8ҮPSPu,{?!fpeikMA{pu0lKFM:C2vrs܉eNЇߵ6%6nMK .YYrwwq.. : +vǡ.Ev*S 3Ft^.tRuqO|״7.&&>sT;MkŕCVVg.z)aQ)p=;eqXaQ(׎Y(yH,K VxCaTw<<혋q4Xw(e " MU1SH9_Gch~ِ*-U]$ap;'sxl@so?ݥD$ j0΀Dj*T(A&tb&+?q8!P~ VcOs8Qx*pr3)T~C[7(6 ]_\ãD.lyztj*@ڌ_ޟ@Jalg޷* ؚyԍ7`|g]_Z&Q[@"CdsZS>sq.[%%F˓s }ك~yҪ a`i4r?ܽjȸZ 7$t I;L2*ʀCNspU4H9#nj)<6쵺:9tS:=nB^rsCyZ8ڔa>Fx =SG$~ޛ#inAsXR^E4(:څmŵI`GӣۃZyZA2f)N xZ< ϛp.gd1^UՎB y5Pp^[c|b.W4% 5j|4qƟl/D.~4X*g?HBuj,Ldd7: 6La&؎$IQ\DzţU~}=q\3' &+гDc$uua eNnɰ C#GϜBQNۭlv8"^1X@QSF2JUKD~'P͝._K pܿMy^ Z0֗5J^1ю$tP%Fl%g8W7\:^gB x~IЈ0QRa(/LG H뻩,luvx_^9*^\VD蝿*N͚ɑ3=Q.t]nh1Խh|=R[Γ]yb-mHmz/Znᦨr60ǵD0ZxL&~M]wZ"3b gd8X|V iy.`gQ3`kQu.Nv#PSL4`' t1,7b. x׍ Br+U$y{^IEl4@`܎X5fwpJƝ;ۢe\ y O9 pGe!jnS3.%x: xleqA0KL[@ɪIJKŻ\lpAr57&\vNu ¹̨& ҅\GRyeȲRe= 4E!;:SCG8>*u'x1vrӹ=(/{Nt2`?ˏ[F(gʒ@upHh<@d dDz5do't›sRr03"y?)jžu5Ҍ[o/c>\W )mT2Qryh:QV4A -\&M Yh>_n3Z4`f ߓƺY/ek-&{%exIIhI[1I\sLeo\J /hl^ *Ja=M+an*:GF]''yς]"kڣ|Oaeh3(V sPiۧkb\8^:bR;C)'/YV 9+{CZ,vPO~_9ohAJY$EjSnɴg`r!.*-w<1ONG}}ۙhdx+7ALgжTó$޼ꕧz)`J1AO[#rl_łmbyuoI1z[ iHk"a&͝^f##nЏ nHO36$iA(jM'$vtVro"U`μ9 WGabb-e *{8 e-N,ZXM! P+ 3UCCN;Vp4T[]DǢ`CՎ]%̐4rUA 9]nf~X".z} *ǭsi06} Agbm`TҗXyN=FoY.K:#~ʱ{a^k}FtbkXI\fc5#FR/-" d'加c*-iC̯_{ZFC,5z%e~ tL(KכȫI"I$91" 㤊|9qphi'hCi:HnI$'l}gnb54'4/as\U'6v]8''jV-p7Wa׼$bALDT!򤨔YA=#AGxViLǰDy&-z|t\10حVL)?d'q1T0`D6KW@7Xp F}WH9NKk(i @Tg4̠ =5gu!-6cLҢ3`+hfAaİaAĊ!ٗ09̏E/qIm:,[re+ZiIB箹WIF0iĶs.\`)Y-5>Ɋ׺T $3'Fu,V}Z}|:mYe:JZs5w`zҽjJ0LI&L"6S(I(Ytc/P%}>n9EA:p14J]wwx[q䊟%ު`.7#mʔK伱l3'Ne3+ zvةzLuKi,,__>s"+ &Y][ʢY±H`ҺH +})84ѯcs6B*̉ײ*>KK|QNдCm^R~/z'ozLOWȘuB(6XSyD*l\q o_&!g M}]yY)|a'*UnREߘ%ov>,~vد rIi*?_p{֌v<, 2[?"z(ЋH jOVB)LDW]^|=iO=<lޚS} Yk);1/LS_aWv?Wvcƨ1c>";ġjPU%&RM1[R7Je&c/@: x%/ΝxX*p? e;C5N& m2s@[hs&K M|u?-:мeAZ9E wK/'IAL^u-XXi$oJ&>r}6A'ꐹCvտj|ʶ;Z 8GR+sɪjY$mu-js5.LY%[^Þ q&>!rU|#gu. %Y%Leܱ#|W璲z]Rw5p>^eevß!lx` +E&i (?zDYP鉆8*,NCy؀09xRfK,M) US#MIX'ʪC@h|{sH1sy 1.ŀխH[(Mu+ɺ$n!tl%7iTq3Iɘ[XrؒTa3ܤ6ܚP n(P%A3!%͘DsJFw*\65錓(]t ftuxbh xB*d3[Gտ$@4gb~jU)￈~Yc6aXRC˜ [RW4{jo$S&|D ^۷3eO͚"+Dmr=ARl.uSP.ø)3:j8?}GBZ iYi$Q}qd:H6ɴ(fCqu9}1apV>]e0+RqfС|aEU!a-4dyִ<Գs٭iDr ,ϊYcVܚ7WkdGJhx ٘ |諓Zl%{aVs~,|S$P) X;ׁv3RE>v3$Pq>M{C:-Z)0AfƞLJ7M4T6hc~pm,: C PPd0kŞlS!%&\ϣ-_^Pp@l4m`e^4'bDsuk45CC3"+nbݞm^ OߵN^஍^i5O/ ]<5lTd[ζxRʨq1jn<9/chK5:It/N <%IKFc%w1Z4ڙ-QܒgJ-%5[d $F귐0ZrOZtgGYu"gprFLz>Aޚ SYfu (!` iaNf xq]ai?)O)pݬ-x'k}kAo,8LjoqQX_5# }BPL R^9H&VA6*5rFh߄miZĨvx{,JBH;bL!?@uKcm8dO6zAӥ~aE r<}!hJ>Ґ 9h3v_9k`E,?/3F㿋kwQZN%AWZTsV9`8աcNN.ohl&<-'֭G~6L>lӦ J5,q`̀bEkE&A'>)C֡/T(ͥ A@1+HPQdUƖ gl`cms Y4L^ ˺xq\i6ǕNζM/C"ҞcmlTe^YTeeޣr2:홍`͓ ΒD*#Fq6khA_ŅpkׄdM``*ChՆ1ZNk ϨSw>FCK{k jyYۘ"y+wڸF-_wuluK@hg֘x\D^֒>+;}Y_겲S@=~K:I 0_K5C{ '2($M"ҝ(Ihp DMB]fv`)@dAO .)OnS} ^NגcUK j(tC[EWx`_cM%Ң,14ueulIH#|-R@?t5}Lj|<)-aqyʋN}]nƭP kTFNnI7 ɮgkx* q-  1dTIֈa|ޞ=:y3tb)[נy־h~,>&VSNt+W*6֐ڡ<%K,L L AW\a(Q4u,q[USB )Owi̷_1혜@1vxɣ,l2zNU5r)U49ie+ ;HGm8…]Na $(ji7[dݗtl"`Q0V /$(U]TcJo@,gK6C_/}g$OxVT+ 5`?!c)쎛f>[u.H% Kv"&00N5$X֧xż~1=0 a 6_/L\V8A?m8K,C#{y.]\2";g6'YhL|f<;Kn]% 9tQݍ?R?uqy,ٟDa0I3̴מӔK TO%B4F/" {4_ۻd_Ug ?{#qX۫ q'P© `%X\#P m\ *~kKa+?4!6dQ(V{aN43 #RC mq*+FB F+_սS}܏1PAۈpgvi̇K W\Rm(Lbk W4€{7`0.;+> f =?g0p8`UIp̧4]׷@b)mgq>wBC-SPƾ8CtZʏ޵Pt$\y:[Œoj(IO7/wTA^抹t"L&kE?@~c@! HE"^Rc+ʩVJdz` ]+'Ԩr3HHZu h?#B u?yz:w#\lm8}_}^+.⺅~~g?(XRYΨΛ@ AQVߕݩrTPO"'7] 7jMy>u+@?vuU [B}he .\î9ُn_F(xGv< aq DdٻckQQ;Q2T^K:t + u< eBd$ w9KiXt85z=:4鄝HPPq.0K@뷋ѕ8;(w Ud:bLvWy9*OX2oq "GDߢT+H=,7r]x-SOwqF@Дyb|3['^+uqR)xDp|$DM&ߙ"@D+ɪ P?sOtu}׀䓨{AsyՊ}P!' ,>v :!&ՋlcGZ(kϭ.H@V$1y0=VnrO2GSޱ_p' _hH ~uh>JI>@$oz I|;wXgW;g:ki4tj#}`uh`ڧdM97FrD-CKm(tK$TLC-o-O4b41Gil?0hfD[,`h@(2oxoO-2)/V_,+mgb  im աʝ^Z}VWEեẍ́` )8l)cuξ"*L7*9~e]}]IE:h8r`_[E&AP)݈"{u g_]yTah-Ls;֭{(l4յ1jR-g>3Q#[%/t.* /tQY;A%mZ0;n&3#ɕƳSud절ϠCj"{%uTW.z1Qv)~י!j`ZQbdd`ڔo1DL7*C@K4H$;ۮZZc0džW=܉*G FgJu8/5Oh] R}]2y4$" Ъ*&️aD>vX7PҬؾŅ.JWWcZ7Se'נ}:3$H\xb=x(^n󇓍[jwdZb hKT:9M*JU=,>LeuEWeb#/iBm&kߌDÏz)b0nʟ;!"®WJ8Uѽ>XsFFCL]Jw6V6yR4tv`ҁ,d/ñtj{|\szKeuZxB rdEj>XJcH fǛ3  ʦ슖eե?j&$OqXgt*ns/QeU7D@g?\/62.Y1RP^>s`D͟ o'bz 58׳5n,agn|K[[>ЊE@^5S6^+cv"  P-:a#X4]@+3X՛0jfN&)Ҫ ^ >_u4ܣ'Emr 8(/n\W|ꀓWN鲴&S,XЭS"ܥ82 lϢh|SjC(.n],\Q K vlqw>F[B6Ѿa*'D//ەJ(b@(|)KQK?U1O>ںȗbsqJ ve:HŇb5ݦwvsq~ҌIۇP;TH,YvKdc5 KB,ޅRB=PRA<+_RW5Kll5ZRK$z9I9X$*i?tW$az)F]IL33O 1_x˽&a̡%pm H:xv&w>䠗O"-jvEG xU0¼FW;:R64|+xd-[Nsꞏ ׸baϫ6f$ǒ,LR0IMyGsVtw`D 2[w,\*N)suH=BڬSuQimzG }mI9ѷ4~"^qع(scN~%.مi E-}9b}Pf> 3ѐhd@@4d{^ML-]짌z+6y,Aa ʌF ^dvbvwe-@uFZ:[ kL8wۻ8yR½`f^퓞"}7`zilہ?ϮGx5Կ47!OsHKa`*\{\ Xyh2wpȑǕ˺ >cpeMrf&o&;M a8 VԦUj 6g).&̀ wJ ps^_]:al$Ow.1R1/i| ŝA%cMvH%0%-|-zq`ebfFL#刏XNsDuĞ BqRYbV N If1&9;m85Cυ|D%0$cO)_eU{4햃fsuTnjznvEMx*\XOY9-lisQqd$Sx8/ZUxMQ%`")HW&jӈT O"-*p]IM67K`EZ|+,l`y < RH}*l8]hdYּDx+,&by1GYx=Qf?4p*dtW^ ȅg./p`@Edt8%IF|FEզySV]Dh;2do[Ԁhpw DQA-@j*H{cS]TVR' ewsf@^EWԦpP)EyQ1*}qYI*֩E ߺb.w*T.n'ewi]B'GAa}u δ6@4YD]yoDhLs\ێ {3!nF sD[}WܰU w V%E a|m0PYV+%ȓ\¬_T"; aI.)Gj @ݘ:_7][>I*9&tZ ͖Py7$ZY]ԉ(gm1QA ڛO7 'P֯Y:ªܣo7 xdlicTlj<92&(n/wņ U>(%"Dqw2=EkfI<?A"Wzbֲ f= H'vüK/4™XoG/1&hC/C`}>?cx^v:ʸlԘ(9 K9_s."ꏸ6x6=~.Noi$ 2e*7sjɰeXc}P4+4X~~"^t8 ỢM&jY2E:Q Y'h9{:}HR ڏ%¼Xܧ,z׸z `Zs;rq8%!xSMEMQyߥ)18x9;TQ/T}R2PB[ Xm%'5P;d%߫SiB\p^kid"˹3LOsG/"5LH'QUv9RmŸoD1WфR߳ 9yo{ cݥm h2J;>eֆx:7ijR6 UO5761+SlXo4 cS=\1QvQ]S{$9A46=0 J{Lrw[r J|ypJbAeiκ2n r}h/I!طH"'kHUϨkſ?IrD'e;g,Ih=+܀ʫV5/0H(* 4 h8R ((SzTZ;EᢿE>s[b^pkSbr ,ND&5AW: si˻tsgI(ᰮ؆}bLQĆ5ϭrV+y^PȏԃyTbqidn^iv(%EC^/eYͼ~mFSؚZ,WZI8 0J-+,^1 "{NL \7u'M]tq[2aA|W7Hx5FEz\C2ܡ$QQ< oJ]_ ꥧ Od8[ﱂ90ݠWfCʤ*Mq룟) O!l4*٣08\c_{[:0u&S VafH# Aa%! iYNPJN l4^k9=AuSCo3;LOeii"k+4?;hB K].+=:EⅧ2Jw 8Z]׹ﶌ;B5ɾwϒbqD,l }m3BVD½>f,^j-h Hmm4:%zUx*,Bw gVy IFѾ 턅 oej)MJ񭎣cΆڵ(IM3ȭls$wy!D!B?dR,yC@_0] P^}cD690z*"U@>]A14쮔b9_uraf<l5G 1h f.uhLԓb3z#׈gLvNU6yiޱr+z\a. ?S0}90eLva2O7;y&רjG&0q?4?ANjl4eYXJYȱWzɪD<:))5AE"xZ,֋ InhI1 K@tX^X/.t-85 w^oҒ[ȴ\67 -ڏV42o7r0YON@]*sM({*=e^CNT̤)$];T1TH2 >ŖLV C(!#Of9;hRqB cZV\Y%8a,*:)Kli08[GV)j&_R~Ճ m;XO$c{DռCSgz`t&+A;E"Z0*tnz䃤!17M3- oTNẸBK4KXێUY ]0d|M9`a )t()o=Uԋ8>(_G (PVW8}Cp[BF3dOzSf,DV=? T+I9o -wB?8NxcH<ߎ-'OWMz<*Q~r0pJr(f!nvZȵW7Fi1rb~DT&j X |Z1 gwNт/q5,uNnI|\h~臱,Xo İ8=T(ex"8~^z3fEUؓy7'.x%ikc>!G*1~}_CL_v)nX1١+ QKd6 ۢCa:4FOzPoPu}|sꃤh@줎I;:W4`1wՔv.rlI{=XszV3g#%7K#\#r,׽i0J1(H>w:~X>*(jl4N22wbFA N# ]sw}&'V9\.dlo31͘9\g+n+lJRqjjW_~sHH=7rjcГgٻ}~a'_$f2./>Cl#} cY%!\~`amN\lj|#ST>^gJ4uDZmm)(ۘkc;<םqC{ڹbEzʪ,Hy)=[R3L>d:Qn@Ϸ6j~@%B᯻̓$B56 9je[]ZxJ6=Znâ;]y+kKmCW]hǼHۆrK핫HToJ.S9ԢEe;{X\`?˶j9PmzI&{vw%RYuDcYͫH|=^ωzN5>c nӫo ⽡=Yo$!(G=;7PA,Y}"2Juܔ1>ɱnUFe < E'j30&VX0ן^>{sǗ$u 3g _NMJD:|Р(&ͧMM,}Kf^E6n5oXtO3OO|lE|Umt֐ ,xt" .fIgyґ2dP5n׷;rhOf[1`%+ M.,dI Y8݆% z-dF_W zW /uՏ+$33c~+ i.}ϡ%rAkmږ#a;g,A`PUc0'u4G=F}fWFgh4ܾ7뚋8)*-<o1EFKJHɸOWº ۥNt l vp-)"/3gcj"*(h5}ra^'S+±?^h]3wdpIdOht{gMe3lS=$>}I مm}|2"C =D9 8Rɠbb$+A܆9TVe1f$/5?W%Xfx k(wއ+!U@d@T_^}! {هCWZ:(h]++jhx7"fz|!eWȜόʓr؟x`qgDYrvhbelO  f#('&O6:e7z紾 WeTWlj^dVcGM)yPpݭ֊)N׶;wW#J@I9UAvm[:k"sYEWw [p>s?)zu47mӢWY46#G%@͡ݕn/{85{&6jq+g 0D,5Nwc6MI)^.?`H{N-IC̄wY@:Qi&$qd46 o99fTPEFQP+fA)2 c˚hhm(ɘ+1-(qJaꅼ;(= h(z=<v~ygkJ=@:+%Wdž'4 4a,L r+v9ݒe- `1MgGn {<7bPV0+ U}ƍڙf4gN 7)|?aH 3|涸ϬI@R6P9s<[y6OXud jN";ʗۛ6FwgL2?bi_qYb*/>HVbMo=f淊wETJՌ<\-{)S~E$\SZj723.M)%x;oӸP 6$ Uy;utx ;@P#IդrAeMNJ[.mI"quѫM6Yqohik8W*TwTA(\;8ul2w*lCx+ɒ|vu .UJOI!,瀎'qTE/{)_~ FG*w$l^DxRMxtV0ݙdsL ֻڐm2bk?4|7f tQ `^؄PF:ӹp,ghDR`^|`vW˕Py{ujW`6J]ZRO.|EKpKZE[g1طyMci#@`qA$TgA$`<#Wjӷ&)2imU[9'IlLUW! jlh qU`$x+AD곓+g\iuz9]`"faIK1*kiZcҼǞGTW>`ܨh2xO{4NFDKZp%^j&1*͙il^Y26<3 g]]D i'2xf.FDq;c5P'ۍw U:ވ祧q^(7{ [b]sUyyJ(i3޲8Sfy"]/ 1%aKf>0M穰+fUQ$[&$@.Z"<j}-MIٵ2x9׼3n%MOYߺE5͗CnVII-gaY*,ڗ2M[L[-TTbO CDKgKHFa)DX? +Qm?,S%F@NF>#3grn3*2LD\[TE k6o a$P{dVX/N%óN5sShBFzXc~܅ZX)`/k :Z؟y٫ɩbkbDL9nG=6٢BnNDD% e0)8|d1 :gq'<+V.e!1hq 6c@oiSցFYp- D0=x0VWgĹ:Wl܄,?%`w0-ulie& kkB>i89Ls$9˓ÿ;az !݅p%r|BD8B7Q3"VUhj* z@v;njrUaVP'yٚ 塢SGL ap?lp[)coB<r-22{[PVx٘`@H45C+)<|1`kﵒ:O(뿑ǃ @18[\Y"\Gm<\7j}Zך݂jQům׀$n1|ǪMՓW,ՇzX[?O;;ht]w`?7c_(O+gO~?݁`;i~||bWlRkcGnë C@ |@ c&s[4rZ? X${I,p |ƉoVI3$Ĭ;/v[b g25jb_A̯jFiO~s!~}ߏ+"rUhГY;O8.l G)R'c]M%+ XCT- =ak}K Ňmqogo1 `Y &S^XU 2PH&vx9E}xK6׀vvaxع&Yä u(apWZy2!9ΐnfj]h-AQt=Wx*Պg]"NoCqd۪VuL )!=#a;֌N8۪i47e1L-Z>B'( EuaSKQڜ[OlǧY~|r DG&!/s߃DoBU-5T.!*N;YhG8lKR`GD|d`9GPoW=-Fgņ/VQ_%Ls%м5AnWL&\8,̥^(-M H֋wt ܰFc`}04 K0 W^+ "<8hj1Rp@>nwWFEG;"Qx5Mٍ˔(.uˊ4bH= F8"&[TT$;]ŧbn%Wl}DmsFX"  j Bzi 07J0t٩gP*0 =eiCjfHnŵ7DB_L*@rB͟ {݂hcvgkə!Ve_)}0j FK+ ;ӕJ~(%2@^)C$&ԂXn^ȼ c2ãm'cQjvNrҍUE^ ݷ-]͕çF9՚voO0šfjkfN]Ȅ@d %)-r O^A e] }x2=4F7>ݯ#֣AP JJO&HlEw>=KjsLZ5d2>>L,ϚYjHQ>0ZAt;J 1USRMI޴k?h7[kr$$؄(8xedh@Ĝh8#41l2XK?G>g`y'<2~bİ,p(QH b#(k;[\\3EСY; IcT9AԊ;ٯ1E qAf& %ƛyp:A?Qq*)|*5FƎL>OG"m2[ə2iljv^Jxg6^"=T"Zi;lNkH]/z~=NыDYnQƴVyprh_ն90v^NA~&ǜtN{ ZZU $.lՀcmJPK83թKCJĜ1OYr+̜Ulմ[=%N1?>GP<_M&)\(?tǴ{ %Ӟou# IGqWv5K05Xa3j,߆zFt'x{ y?lxO&)<;}5GIH*F[OC(903056 9O| ++ajIhL_7qLXP5 P=%\ 0dYB(gMPdEJ+~=@Q"P4M+6pN$wYҋ'&Ocէ<0ZzcqԮ\!Xh!ڙdzlhL҂BĜn-{<ûI"옻S#hU*:N"䀋_"'\- aoutris]Z*3L:b k,X :zNE?`U^P)*T@%'-d}0KMT&JL.@DC~kRũ\@%ᶽ70w' 8u5QñLvzh0X/P7mhRN0ZgCOc7-(A1dM#}mW6D*Z`* h+TBcI3f^(%R=}7 o~|3W 5àKG:zR1Z19E ϿN-$6`(Qz1ENy6xll]42 FabE'[.0%ߚxmE"1}#/@DGq~}pRK=BU`n*E^Έ$Z6+'T`؅yU qFbE&"n?5m묛B#gDo'IgI7-Cw;VK..ӨN|83-ܙ.Y~dokxf>k2mX5`t׼.,o- mܰ6||z 1So~&x,d+m, @ߴY1[ƪwˢܰOo!PoN%O9 +AO]G=K>c*MI `TR7fQxH:\&46O+U7 Uc bF>^$ m֜7ӊm |> JzMaƏstHChjP31A}%ßJQoVPud97n=8gۣc2 G6b,w t[۪I8Tpʻ~ OC9v(*y.)x>x/s&v_ P-7vn'Tmp=#Ik7"-*<#oW[FG3`fʥB';3nvqnX34xۖ$+B\(I/#)+PBLڣk-T?&uY&Vl$s?qx _&)HJU:jM56c Z$V,`=Bg= 5dy>j$k?)ʥr~O׽&aMIGMphteЧX|hM鴞aWX3pQ\ odXw?a܏W}|W,&b=uu7KZic ҾuBl&I P_Ġ1Hri/c\hE߇#âcF .X"^ lz8C#.C;w5gRb,JO;WWTوe]l-9j˾a#WURy]8w_$Q7tW% l@Հ8T{Bxz<*Ik0Owup˻Cקbk ;vx +Q'*C_nQD, ~`5mm$%NYv  T0 qԆaTs&sITjtrg1$UFjՔ9jo|JL :?@ +-OTx3corvǮbyAP-m@qCxM5CgYͽ(ٍ efr5rnh1\>H r¥ؾ8C!%C >4E| Pv@唬dˀ r^3 ⺮K ly*ݏofu37cIXBh{ edEBFuj+*u-O 4*Pp#ܨye5E`>pvƺ<+qmd3cc9Z*n|ٹJwo+1E+14=|)U.~h?^m m܌=woVr Z  _N %Ks F_.tx9_|a|M)˓߶+-[- r2v3:Nh+2$iu~j;=V c:5$1֝"G[+f"]jI9>*ڃQAbQ%.?# &v],Ԇ (|0Of8Q:ʉ]:?C}3Rn̯vo5=>XHMk~sbLT]|PV3l U_K%\5|#1@7Գ-1%a&Oq^4ꗰ:!c]*q0F!?^P9r4PTC5|EI&\pp\6<*1U߹ݦvU a?DYAKel(_Ee><@>ls\yS KX܂N+VR >ʇOfG}&JuzJð zj鎽m!@FrD8QDMe:ןeH%R-Ew>DڞAr]{yW6l4VE5TQJؿ.h mNYoA6QQ'7L9į[K;RV%\۶r7eh&}:[Ec~E`12Kǜ8ttMYmm CF7.PZIPw߉%m׆WORU-k˒֢p4'c yE}3 t'b{9!j/ Vp WDZ6IgߥzF*hs[dl(](EOqq6- &ss*[f9cw &D~s:Gg7YDR2^jF-+X/O78ѷ S!>77Yg A;6L [Gp0*:j(q@@h( ߬' jU&1 }G0!ӿ Ja]) ?.?ðă(+rnSjgxv9!ž@ˎ m[*l/ S_VyXg*cfIE$c*gCDY ou{ $N.rIv449lKӃy503Ci8souRM(SϹ2bG \>}Ua![ȋţ]1e+Anmg8.<ȢKv F-{C~>}*ܐ4*W\斜W(2#VECW'0!,&X .(})1҃ Leɬ :6pGه'-&wLI=s+[zK PG[t0TnN>H!M/!옰X*4)Qb ;_ggX$naXʣ ƿ|Iߡgcu)I_tP,`+iۯhV$,pLܻi])WA+w6}7F!UdHᥱ~tXEަryo6٠cω9ɆQ 6Ex)wHBxpSԲŏX^=PٵUciM3X+typ?Ds lSAmVCXBOd0ДQX2՛S9` ؿD钕5Gj=Vm6-NeBtK4vnw/cmEQ<5 q6Ԑ-bx2}DxD|锻;FoKnC [0L+K^+q^t 58t,tgҷb3gz֑LH:Mp9E~A+;ԓӤ9NiOih͕e|v]3OИCvӮ4B1msW3![Z62F2\ʊRI?뿐M1t5 U6Ap3_bM)h7WrY+;ꮯC{wLAm8iІJ+>P͍%A 5/*$Cǻcwϩ48w4H|VAn΄mAHAǽN {Sk|Aj!$ǀcMpwhe"H uZ{n[Um'@)>TZ23Cf$Q0rEʧNqM4掣gˠ ߺiGfF3g&:$<:IH\h c㇓1Eg~4tWߤ.#+Cd>0YgAk(cz_nErL@؂Ƒ ")(YH\ҒaS.p'?Z"'T^VfSEUGJt²2.񶭋I'ca ]0~wC/$'p7k:o:^CBw- /KAU$}7{YvR`؀|pi`$w],=¨C!"n_}W,­QG U*wuBZ`U,g#&pb6dW7ThswgG9:(/=#꛼wht?ß* fmHgTO2K2S|C2zAƊiLy`{bL,}6jE,x&b5Lom-YV#`B]ypg5d nuBtcd=#hBW qo ؐ,dˀzwOuʍa (|E}}f<7K9vө%M"x82(qd CY*ݷQjU76G7 kWLJ"{7;_]mEin{ |R͈Y@tȄti)[Y19*AM4@\+"pV? Cb%Һ^t>|^9Lm9t2;Zňrh䧱u@^O#tH25_@#GR: qCx٨ᵲG^Pc|oScvh= ' G8Ο!$c#,.1ڲ8`,;G@d_2XNI}݅NOoo&Q.P,#n%J/=㾧FѥE* @R 5YG"7ONKR1vR&)+H6\-=eYl~!4Fx1_aSCCoHDA,EFN}DZmQЉ@ ^KD))I;TFۼU\vkfOI;-fOgkF%xnpERvBᬵE( Qm,jFCzy 0Es6vӀ,̿[ ",Ӊd]_L0`Ã/QP^3ڐCHJn.X~" ƃ8s]lHdU]&0#]CR|/(8x64# sFYpTCt?I>c E-93g9OKGw[$}7,*]Ao둿M:&9@R#J&T#s2GC`e!Lsu nw6vI9S@ ԣ[){E5wJ8St[Avy>x$SAkmUo8)``qT (RɪPlI6Ŗy^#"~fFKu9afv]n70yԡ)u&\촇foA;+:L[ Sײp$M&=l"2qu??;[G,6/ ^a(%he@ '>Ȧ g5yyȜy_f]$'aYZy6F%D9KH̅̋Y-ﲼFO]eyv! Ťu1/[?WG$ 2dЋB R"nA0πrt}{tUW뛇b9elwFT5}N:}I 60PD? F-T zF*=A(SkFz R*YJC݇^2SruF9b3 p}?!P֌nv] S@$s ag˾lT: @m` @&Sl:\ؐQʥOe3z7dw˿Hɛ䁷_3x7 כ3H^(6 wQIkfԒȆTP FDa I=2+!Vwf ¡eu(enaA]CX4+|03Vclҋ?J/nIG8^4Hj}F[ A JOhg)\e Sؖ5bLROi# &bj\Ǘ6uGvQxFT)IJ`ZM"U~Ml,j҇"M|u،NUq d D<؄+,ǣn/#E7TÌAXh@Gȟ9/FE+P_{1+nL ~ٛQFŏ5V4R?mAݥs[uaiVKq^Oͱt2)dڟ]Xq Xe>vh Sz Ffo닁~ykBx߻ IIKڼX3.;ZJ%Xh'gbf [w96%1oFHR{!xTLCB5׌S f>F;5ҩ@j98yo[ڎI3xS+48{!?ОG[7pGoІϋsx|}6Wd⮽FNF,q4$%\ERѱ,%N{cY)"Hu):Q[iNv Jz TsS:5Xk^d=G6l7ķ|!>=ڜ ׊P;UA&k|آ1 fcsue+7A62 5>- I&(_+fv2jZDTz~cI5E=E7a3t׫\kx5jQE0 `#.`S_y8܁d PRLD%{lx+_qL-z^,#E7Z3 &tC,bQU(;7q ~,<Dޤx+A]~r?OY!~DŽpJХ5)+Tnh2䳞EǿSuqs_(7fxdGcN 1R0>Qn';ʓ)kcZ!q}$&y^yy=aA7,h_ݢ"a(M(7 я/hOg0w/:f›y~myqq0)t4'' hɂ&?Kn"u!u11\kТg H !Rb rJ4|#$\QNVfmB1 <"m!LMi˷ZN7 (lS2}.t͉\5ױj6;0XбlibH9.Z8Ƽ |l0΢r뗚RO/~Ef(b4LleD%Zi[8/-, SŻwF9aJ -9Mͽ>mmd^qApDE ;p<&Na-#'fU] cĄqMb׍ͨ)sxS2,\/ :ZjPLD h&7=<ce?as@swJC-UP[š·b f(uMƼXYlb^0/@(@}p|.=ijf3 x\s FlJx mOƵi)>on9tT5F.Ggy Q5DPpHEӼ=S =| ԛ4hL;h/V c^bzH:ˌMa+6'(JI\G**d(#ex7[vױA?)Amң ŪUbEn|'Z( ,Acw85hE.حSN/|oں(Jk90.(7wHVvm2qF;q%+ׂ4rJ*Hqp <15 Z,P)AJGh~*ƧzUVO@4BIH04C~Zk/\i6-qq-%A41Ey :CJTӬ`{˕Ckfa97o2Tu űlӷ Efo-11/qbHۣGOJ RYi װ S妒RՒvI~nkxjHrXX#duPC Nߏ 'HizL__wpa!d?a^$z (oΤ;zep{p wl@7K8CGijx11O>ZRmbq7ҥe=W bT=]h;zi$J9()'κ+D(}|O6ŇȢ9_S W{˄kkCvw}D9Ue% = J㔙 $@㼼PV0?'VXh2|2+5ӭ#*OyO`I9T_wzZKކ$qDM0RohK*>K0QFS* 89,Վ@+I4D_drDhן)M"$H8;3Ҟ(`1]b˩[46VdGf' %4?1@nw)]W´+v*+ܠk%Gv%Wg.GW+m1|A4yx֣!PٚO QMk9rNrZ6CT8V " K#66XfpBcv{+$r2M{[?mqɡ|``X~9R0wui xX^|`|[ 7ȖѢCef 4Jn`!T!=\xEU7LBAd;*,qfjݚɆքB 8w'xDg ڪAJ,Gү[×; >%yq3+ÚCW|kVq`Ioc8(3~G*xOnLz(޸Fc_W?Rm|N6}U&} $Rʾ04#jXԚoVgqvt#~cCLiT3jlqI|RJ2/.;6]qtfsGvMT IQ ɭJRuV3ʴ3 $ƛ яKP*kq}"f*뗡"+I+LA(6ie?Ccs$5H`IK F_ )祢3e$E< s7ɀɈ*IgP:G|npZPiac4_ZmӨP~<FZ0Hg,z%چt3Gt>0wĹ0z-CG#wdHPoo!5s⟬}tOH`X+D̋>9+-#ny:SQ~B](IgD糣y^p tNtl12\ 6U7DB} Fe^Zќu/ę@G =iY)?feşeY /v0 3sWE9qjT[k;un{,jq"d0iXqDRx_Aƺ uSfuwiG9^)j 8~.?^8FL;+*Fxb-@vTz"Y]64 Pa-΂x@=HbSOдB+ ~s$ W<T~YR4zƸHPQ,Jp,g)zИx&ƭ!_u f #N oc`Z*$`:/$خ:&_pLO# W.[{BOJ~?hLAdtՈp,'IHGZtO8&5l[@݇_iKԇDgXGJ > |rjgqJ:On7Oj0FpzQ,O BVbK\01+B+}W}|2~T v|Ib|;JES/LўMB0-S4,4c/;2fJ8(`0ʸ )ZJ~{toUϧ{RA$HRnܵwgA '&sE\/ \A2 uxXS+%O!=no'HG@3uvzZ\:ځN.kV]|yЗK<^m>G<^rO2wn.tyěN VFɫp(RەoG"cKڞ:{rdJ̜;X7<2?(Sqb3Xf롒E>w.ZZJΗ~vgV80[vDb6oqi>ACܹ!$Jju\-{AjxTpǍ-?f1`o₄^J5b24B7iM)N<$l%^%bF=-aX٨(J{&۷;I*^ ɲ7Ȝx20|ͧvCoRpw]F:^ވg~;mz$k|yo k;ٲ/ Q_qIwTjOTՙYHt,pBh_]x0qK׬EW [>1wWx~)ug=>$~;?R('K i`)؞CD8\C'#c|m"2T\Ic~AhƎeIQ`iNj(O늳3V=Ш0ƚob˾7WXMw88y>}@爥 ˭O!2A)5-#~v$@4nH&ӄ$0kgYbǵ "dx>lRqo+1F o?C{ JϔP N :mxHuޛE^vlJmJiW/ ^pEČfH"IkjM$rFUTR؛K`M}!0^,4(8Pil Kg[,G1nPOUW*GIxLZ4sOIMG*H@RՑ&x:{&TP`d>M,T^@۩@e#eb@TN/NāeYs\}:Y*NdoKZ dz XSg)a\9]k,ƪюq(+ZsnB57{3StJjP6U>,%p˫z9o%H>+|"Қ\˷Zu] lcJ ﴥ.D˓vd)_a|u%dmBl< IQJ CpD)uDTF)wu,Rl}cCl#M155&;D5qVG?+ [EOr ހ1V;Yn:nYsvxtUGS"C=!O1 8^_`Ki(>̗b.~wVY6@Yc<}]Sn`!¤'e\eRQ@W~ eH% (VC^^@  dטAFFY< Vu8M1(9+b*o ~c.FbZ|c)fN^5/>F^1۴v?EP|Q'MkUN/.4'%D&•;TK%cw?~PcmaʖU>*5'Ɨ{eCu^k65Xe,|#1젛X~r^ StYA xL6,sɶL,(Ax^lc;v{VTm1+܇;u66?}`dV'7$Z?b*_?\Q@tFA{N8 Gog\b[&eKL. g2>ὡ;矜3PԆ\:tf~Y zŷ@b)+A^7 2W X[Xj3־@;@aOGp EsU:1+xZrC( |Դn A{06R&tX#pXG,$q2M,ò}q7S2V ]V ÔfSRR6i8)i~>  n_ =2W~Rd&Y1P$ Dwe#w(3TJD"h !EяkQ7%q#ȞdY# |Ӗ#~| lk6 KZſ!7 h, tem"9`Xk+؀ҜOnpx׾Ap*d$F9z`pRU,6N7Bb! gf*Mi ܙLなPׯHR47#/㿦*'ps7TvRE)48h/Ahmy U#؆j"F[h<YLߪP3(on|e!TϷ2ž|3 w6u!tP$Zſ,ʝ NRUyNh'o4 %x61;9[ux7} J(t"B &N2TK_6DM_M#l~5y!A{b A'աhъgfC%V;0 $] ]{ Ca\+ɇB^:\x@teO, '`׭ _@tJ .Ƚuv~[O] -gu&c4x4HkJJS%k4=4*Cφ(@%္- K2ݻ rSZWK\3<#ܥ99|;s"fXeO_A z]sٜ+4ZIräґ݈-K4EsR ZtN`1&vkBd\.tGܢ_#t~>xsq2<#܉LpPx8^-rm &gZ>X%.B/S=՟E4?4(nPHI#4 e¢a* O _֘j֭Qa#q >L>W0ViM"oT }&AXkU;8a>V{O"À蓮BW(;?sRx[ᱝ0 {p%=Ø\0'a_ h)d,Pujo/L7JTcpoQqMR8r,fBjfri6u&T8S=mP8]3頻YUhrI=ƺШ3–^L58 84Hu* }ƚ|7SvVr}4"H  SwYs'O{[dzo.E+SۗSb"k6c6Ok5Xݒw,[f5VMy+59gACYDjx#2ߴZIOظ1D#gNS<" iOt1K*p-RލgD<#ӗ'n$O6w8 -,)[WA[z"(KRc"=a^l}e^dr0لxpN~ t0r(Ezf AC¶AwJo(* )q(V o2p Ig lm[4+⩝wH&u#x^KE rDb-gJňgC_ҾrH@P9~2ֱo$||]?@lB㫑̅.*8[U?ny9|ZSKlSHܛ#rv]|z4qL߉8\(xla1D6>'hmnO]":%;%P`N@vqX08ېzTR|_Ps,ro'bדay4%)u_'ᐮs_fWg, N "7c`%lO qN%ŃSIY8xq-7/rcS 1}FIu'iA:4-jb[pG:]Re%Cn`X˵t8h~YW6`w;+^\9& G)Q"A@=7\E[XG<-p'FgRU^ u4NPټ<*'ep6B}!n϶\CaY5PBV>w{3mTtЏ:J.}p|ѵx T&"]":;f(l^T_ /{IBRLH0 įoOZ؀nlZl@@"`uӅ*tܭWH&XH͊n+#~ +w{_sNNZ@wYGxo n5N# \B>s3Dwۅ91#-X9=/ȅyݩMT[〣XTx='ـ#73b*4Vx*)e}^^)[Vl!ꜝf0X7.sB;nΡ?m8#>@˂!٬i &@сVWߎ:3@(B;ϸ 5s b$pF`BQ$mv ħ v+Lchy\嗳Pi?GSS)\S=>3`Is0"# *;%;(NDٳlH$J`i8uԑЀ1TXs8sc`gYq,ڧz^WC98pcRfFٴb.A4l ~W *cs<Ix]е&_Cz܋|8{j$`FMxNZ lqY BEgGY"U:v[^2|9 Dû Q1뀛%Ui`ڏDv+=p±rRj}njR}8P Z9Ab1*3-Y)Gzns6Ǹ #w}Ut<]vZ?7BΦT6qK!Uj> GT&XD {4>[ D13omn>J=N.x%/G[F+/nт6~ާEKѠeFўtΤ`:SLA]ڵ3~:?M#u pE㉃i.q+Zj{Iw9p$]oE j:ςфۉӯ1,nz9~[ t-^Qjcy j$^(*zgؙ%(Z~qݠ2,q+h*BT)\2tN8Zf-WJh@R:_T<ӌ6^V#k~DR|K'ub`~s#`3}. k0+eƑrh\UYܨ9/zO_v,J[`<Ƞ7ar &S|GlDE7jÚ]'UWxqnbzv6˲7Yf& 'If"V)Qs֏?ŏ)B T4v),}(DPd~#Rnڙ<%)xvԇM'4z'4LTdZd˸ 4'^=` Fµd3,!Fn> 5hW"@7.5L sMi*0Oԭ5U`d.s]{p6PC3\(cJn!߰qxz?5E=z )h׶LxP<5hb?z1օ2NiZMJڏ&hO( Нm:ݒ^ƒiTr0JC!u]3¬K@xU)|xH~T4BJ  Nn7ogC ]kOzXQQd  fT%^|^w,L#`Zr'(!A Rj;BpZws"݄H9 o"ϐn&8k~ a%[A95G(3.]i5,WI( $E}J#aFPh߃۾ڬ׎ҊOmNo;LJ| #?}LA݅!deY:o~ѿBA Nɿو&|IMwq}/ŗPB9Y0Bq4lgƸ>^A j$ cv\^li>]<]9' I !Ѡ9gO(tdì{1ycdچ5J~40yP S$G9ۃ,~܇2^6<#kf.|?y I"w D N'u]xE 3iXt_c t{e*.rԄ# IojA43nQqӡc䴒 ۬ Lw٢<G>DQ;k-fj E1$P=8sl(\3T:feFZ>b"y =䪞 |>NW-uu6tc80. q9PR7RK^k$lCCZճꊴ`sx{5MDdz_S҅P-y>ku>qp:d(ěj e $}-@'mfi~(̼";>z\b|KP`]i-T h&gß[z `ɩU O<%πA>U .m ks_RP`["CFZ@wB$6*au&n$ó{c 蔳U\yXW{6RגC?(@iTu>H5R m(_.M,v|puRHlz49]!DF\Ojl%q8G|ΊftHQ &>GxH֘*C+n18/h/U#t/_!=}al :v;nU M< 0k6$/oC%.}?FXՂrNyQ7n]9+˙e !S;ۻـ#[3ȧ:D7# dŪsI5 1аM]ī/tX$*/Mmcxƒ 'H=o*䛵gNuVcNaYWy/wVE:k 5tTaM:`GWp%/0\;x4$rBľ ]>ݯ- k=\bpxu_7]`/<;ނdpNw<j+i"MuŝeQ#U*W,CJ%gw*-q ~5͔?l\;]t kv4O̢`u 56Fǒb9 $Bg$?ÈM>txy+[ {37L`4`A!/ sS+l &eYsԳ sM/_jƟ(lX zAS*\EiXum؟l4 Uk+*uN^QF ݩ vPWPdzJ(_XIDG' HsN$MY)a}x]WHZ&4pɀ8HcAqi5d7v0 Tly}8 񒴙e?ϑB,"ߘ/uLmJ,0} Bۡ$=1rO?=.8s#E$V4nD@!ݛ3Ӱ`·gnM|h&"p҃\u۰N[Ӆ]*J"~'LMuGc4]o @!?LmC#c"F&6$9 Ƚ6h"bmF#y;ioYhuZdCX _f8W|Q~ DܨZ G< 3u/mZq4sx.F\Y6f' `YGLaP"ժ:s@먊X7l9;`jJQ;EjE>ӎ=|=/>h_<Պƪp6$g F&,x_!Ӭ5MM`?6 `3{yb!C%"t_y__Ab=S\K(vp X?vD^O EtA]ʟ~'{"P"2I(^%~J4X}IBͯ&L[bA ~۾!0Kye>VOwX`Gb 0Yj˭ܝxKjX]97Va7Gpz iW c_/mZ0{tZx`ʜ?[na3 z0: *;Ռ<_iJ%XDoֈIdZ3G^(BMr lxݗn^6;ZcJfl>!'>"l2<_/hsB&n\l;ьU5[7p3ҩKr GY-n*WKk1 M}1OHy;K6Ps6*Qp˔]U~`%kB2$)r4 U:MV9[h\~w)Ka ߼ِ- ^qov:䇻(Qqtc]gUi1$xsQ2i#RG5M8,m''S)ߊZ"hJ'Еn_/bWckʱ!Il`65OP⋽# Fdp]ׁO_pR-/(߶0?7" 2+ ;K?Y%arhhYCt r(QZ]*a"xcљI MyBNɆ?P*9\i[WVb,[Y)A4Ɠ/5`E꠳>i^S=vԴ_do3T{A7RN8Mһ?}GF6`imNjo$=2Ǵ8|m2 +E7atM 0%+"VZ,UԏC6jZ`~|UG[B79+=s z@SS)[eqYg+[p~3yߑ Wj; 4-KK0 !jNs Uzn)8\cVGmEOHϺUHM WY:9Rf -e3O S LF2eӥHZ6Uu# #oR.?@zk}Vx .] tp'A}+ ^o1fL|pP\ ևOE< uYԩSfMgJ~č&d(9? rw*~*NJAcPW^_wHM3 Joc+n #p"nk a -6Hmϗ:.;fc`zD/"ue!e1d0e+UFx&"m} IxJ'pp;eE BAbwtesCATEr#Y~a(66h|G0~#u/ܙEpXǂsdPM} _t9Oc*yoJ)Q/U1 Rmp=u s%lx5qQ*2!}E`KJ Ugj!as |ǭ- u) ٸQgK19]P@ Y[HsF&Qz6vnT `Ks)XJleUŠ}zT ˮ8rw&`Z2P~FK{o1SX8hi-UؙsEc ى/ U?{wx#isHzޤK!5B%I:R8;s Txk nMy$x*~PE"T :` .`8Zt~Ң8#&y_.H[?_5E5>'Ýґ7`kacC[ &ɭ%0rM͌;S*csZiꢿdݏ,cZzFbLpg$K8 ~#?hp`@+[LjPShEd xKꍐT $r:un\\QI&H"YN?Z[)=x>ؚ֋&.oINM}_Zl>5s[?:i.]ڂp̀h1C'?kKWOƗ T(lYfO&<iLp@eF J*.X<6 #Y(^ǴӬUSD~Y㨯ulxOSeeD\7OcNf[>&m)Δ yԮ/#jI5MŽa=$M۞U/˕L hf+ҤA!,FO`#1p datL .ǧLZMS}O'k]2sD]36U5KtW#VɯOw<Z7-;̈́BcQR7zXwy蜢T&Ի\θ"& 7hM͊8 ѣ;'X>Vw&y3 ywVV9W~j c 9w1~:)Js;WE5Ѥ\$=v{؛7(g_v.)TĚAЗ}!fNZy, oS[ n1dUͼ|HgH?-p ,څb#'<:Ӄ #++@'/ėci|Oz}]KLqPi Nl/0w)g8Z}0]jTbnAD` S[KS$4~kci 4Idpy@p,9΄JO9b *WR,yU_iA$\b:yQYeÛޘk7>Ȣ.lhR؄;ƣӚ$4E(yV8E<@kғGѳR"LohDN.,#KBv:EԜ ;a" =H| T߮ibfv#鯧Þ|2xx$,0}e.uPZ 4oU<䟷0t~Ri?,& IQ%ôA؛ݒrgNP?" hyu985c)z`0!"S 2ExY9%AqbO6{ϛGlcLXZ,ٓLf g6'yJ͆p=Eߘ7_=K7f>45U/i1-Xy`JuFʢ$(ݐQ(tuOlFv OJNlBr[P%~1DJ@\p."8NIJj>; nRjN^UY.:w޾Ggq\^B&%5B͡egodjdv6=)ė-xol) ֭ oRx&5E9*'h͖fZ 'Bo,;ŞV#'P-h 9Rj@C'%#^ i>֡gT)ex |k^L.T3<-CUF[Z).d !C+]wJ)MF1IxC9|9:x!P={s-ߺGlI \nCe[*[g{=S>Duۂ<;#(m𓫱j̕&!J% QbxJji2z2+e5ۨ$y| E:)X`"J*g٪Ѓ ԞUNV/EcN697:|'rKkK{J˗|C@~K=HyZaEC_kϽjj*8((a}\̮$2 5C#C dZq缟~^nd29@h9HȒIyxf+|LS; ƣ傠Оْ[,PABY.y?%I#:<::'du:B@!V/vJ l$f]7j0-\=/LSz4ZE&tt!X^SC("Swd}/NU_VRܚcǒJ~ wDžWjjviq|{a9QR $+8'k&5RԷNO){;w N]=6q8F9W "H,:yx#bq/r[ G>ڦX5Ѡlqxͼ)flv&AQʡ1sisk/չ^N'`WSiW3~.cS~z)T'Xi3ͣ$d>t*ЪKz|{iR*Be cF߈OߗFzlT;4FM̦Pu*``^h=THgyBIak*ob|1]ya :LE*3:oV}9\J5V3IĎrƜ>vh8 u)B|T%RN*I >0yUL/+W l%Ӭ G:`*ܖ;O+Haku)jWvW9kɅ3Jz7ʿxwF}U 70 d~Yc@|me?_>= hCGO怌TpW0<Y${|l },79xX%I^↲b9,Z͢}&­%$ VjKSMᾣnp#N@ t<,9֮Ww `Îcqg$5hi9ob0 烖_Q*==  g`t rbkR@ą|/eNu5GIhۻCͫ In m"t̽H 5d;̛x_kԒ| [Um6z[,bŗň(p_ y%,d|?we:,.%7҇Y;B(yyLDn2i=Te7, <цBP]Q"Ě W2=yݔ;fBvc~V,0:/i-#N)q7{۩ A@@GYOGJswؾ_S}..)gn62u)Ӽ6WhrIcã~!(?_&5:B`M3cz&r>Oz~wsW{R،6Pb( 7?hw'["*7W{"N/eBxxA:,hFS j\ʫY?HVɢ`8@c7[eR](r̝돂g. K]zΞc A8uW7ۯse0q,2+e ЉsL['~>f/ ]tpeʴs rd]T^TQW6 nxܞl^T7`u"|/PAS5K `؋cb![n~@ƧKԾ*'A;^ J~sZh5fZD}.'5|{g عy3ԸĽLEXuU?=nΏpWsѧB_g7uI.bxA,1nrԚ#Yy<%>MD=}41 BS ւS_> ߏH:'nJPzGrUܱx#ugRvlaI^HWP>qjgW8 @- 3 |gpM]GxXi݆bK (Tֺ@"@3\> c]WUOfXC0ebu{V^⋕j N\.o6nVM3Ee48_{yPgv~eYrN/#eLy\f}m}bivG8w z?>x_OGw6"/snCGUKȁǤ`LW?2U$3!7OzMa7fʑa7z{"[%'y]<-Fں'!jpI )]VD&%Î={.eYAIkIlHO*A1xH8*VJ:T<ƯCy82(23\WS_\^.Z%/+DC 208?3QK( 8xC'W,R&7t'dW%M,'1)k0Ƚ)5{ tU>Hgt=j{ߘvh%tN7݊&o} clkML/]5CE@י6L 5cA\Iq,ݿ4d">z:ӊura6 s"rc-12EZ` >>B̷j>9EEɈ$ཷy?Z878qC}83V^Bs'WPGoH|xeKGk~kBkU SC`5\V]puڦT&UVsٲҀMH>MnJP3p=.3h4SvjP~ E=AO*8Xr 3$)NeK 3#ր!pM& Ҽ 'a'K|0I y'0pt|POE E Ze-b:sy|H,u/|:OX%ޠ,oqPTWde6F21C"j5ټdw Ad.u|~5NaFE#'l+'ُ=X xm׵ͮATTA(|2kPsՏzQ? +[)vUA$t 魐y‚QዟvM-w9'_z=s7ҚrbfӨPzU| L DlvWHȉAן$c&`2u_}cS=wn>Є8 4Î^5?BoϚ ]gBt?# y_S9ϾnGTsi"Xq0_^ %(3r 6:/%D36`f|#08Jn_&[SQl\zu^Bxv~71yWa|zvUO1W;!  ,ԿAJ[H$#:&56f`L W!=l!'uIJ5`;Z#).g(WNz`>',ݳgOdwð"kgX;鵋kB }>}4t"V۝  Y@e *@On#еĄ5"ǔ|3Bƨ{@'-QkʒWźOe)9`$ =2uIܻ#(|HYEa6B]7́a($/U&E ʸxRY q6ǬB[R|7,8DS oZԷ%RAɅpd0nE=?x|"nCoތS+H6ˈ``j)A,,ck_PEeWa~yjiȘo#@짩2Rki9/EBX;Umda2Q̎WN0ܚ0^^*@.B$L\k0ē^bhˣoߎ{d+/ma=""+gFJb A(44FVj',_m+ IqwK=Z30e\#.T;մ-PXԷ~Q y!R\#ȗmn| SBmSŒ&'cT ~'T98A)ɲU.E&n jTVɻQOt[cE !xa7} ]};H[.y$`t8\I#tpP>l6ɍe0|]5/q6G׽e ZNRo KxM^t 8.!&D:RY`ЇDhql_Oqi fY%h=^6?<$?s sqMƮhcdp4sz0奘ߡn[*F%cM*Bl[k Je,,DZ}ahZx'\b$ck"\0"×5&zpdѪ $N- #Qlj[4WoςGyv12DnH)T0y T*qX߬62 m~` ;SkX7S2{*8$c3k,Q&|$B Z; quB,% ˶mԚ'Ś>чW{˧n#mg !(hj͍>$ClޏXbCrL *q;l=30 :!B |Pj3k)X (.}< ;4>#w,B. mk( Yv !˛鰪[)j`a!cJ»e2tS=4ȃ NW1d*OUuPFمN']ԱNj,rAP L\i5pJ@RkhoVipO(~1'KlI=2Qlڛq.V\ q5 IӅD͸AK]2;.Cŀz);>̂2e!ob$ c9aCauOD :8{u '̅|xV'J|\Y4WgV1[x+ L~3APV^@\fX̄ԨwCx?q0Z 8W 1-&4sMf:MǷw-!JE9gt<:)Ù(l!y]P-T|I$^ecg-c#&q#_ףE_bl³Eo_811nG~^OdZózXռp;ŸEz%C\>ǖ^̮"jېG//6[! >Қ<-] @vZl rN$饠Tqj5/PM>#gE]|M6Fg!~׳6glbƲ-R}@?FǞ?f I!:h(STe#Hm§'Z-?yݸ&E)R+>2YaGiR/)Ŷ9@F{R£wP! Jvəd7`kd-|@p}X`ceG#/I(FsU[0P.=ӣDQY7*4CY|`<3/*ŘUA4+Gnb:WO򙠽9G ,>]xzuw<(C%A6l|t $T{6 .CtMx%UK oPwT2ojU tayiUJ`Oӵ1L[1k$(DӛyԕXۭOFɕo֖/(j\39+6 0 ҂\%=~І6f}{j~YVjaEeo˕ \l{y5]2AߗsrIѻsPu)>/J;wxN3DF!ǼV*j$K\đnoB 4:9% mĻkc43/ ~`s kU/E#ȕ_ԖY1ԢŖbS6(]mycuFoUtvO\նK8v~tnUEƆ@#~yuNj5Ǘ+p."p+P.w;J%hd1[3oގzY钸eY F*Cqc[7B [`01ZKOV\XdDtJ.^Gh W$M](Oxs8=,| 7НiFeٟչB.fG•NymMukĉcv?jXÝE(:DLksJ{$vp mJ.5!y7[ugD\p BN2D]Z-ix\WEt(>/Ąqnsx;[N,7QYfxnSLTIKٵ0P] Cq 'q(ԄxLz^ʦ^{ Er/J8Þc"6U~=,]?.!t\?_ֲl3%ƀW.QMͷw1psSSHev!"8YԦ%VYS#K:i0RbY{w4'15֖JV%_HIȿ~N&W7P6L*ZW N|i hZ(#eIh݈7|ܥ7)^`f''-+ݯHOc*2Vs@F/ׯь g/l8pr/Ĩ_x1_aqO=N>w3?ˑ ~{ (h+3%K2n.:sL:>?2W3쒑$vΣ:u!D dSd r0ސ31ƘSg[nKiMY" O\Sc_5jB9 W%n>ju 5+LO-"ZܻxTC D_m pְ2-p= ߠz8G½/\*TR5]94%z7cۮ2E0o2Ⱦ*:<@KIי`Īi D NewЯUU @9#4Fyy% ,!a#d%pVdFyChUiOhLo*`y)| ߜᑀr36! eia{78FrUZoOF`g 3GL\X_Ǽg[nh*a Qh|_:dbQjMƓGgJ*(ݼ]ї+U#qzRAT(VYa\jtn^7 u"](Ø5OVdFxL=|O PXT-<(ϞkJ2I,Y3(WF[mIȇ;2l wS@kH`G.191.p\+0 [Q)ܟ֩3GS&Vmz@< 1#yi;# yy87F_;eNJS{Zޚ(M1Å3]!MȠHۉ"f< NҀ_&q<`{1\5)1{6 R52P0RhdEMD`.87Q-ȅ8uҙ5U`ѣ `4HYȻGHBRx-L 7ĿurOIiK`QA U x:Ąkzi u ҷږY8Vp~ Xۛ͠؝:w+hf2l-<9UO0m!/Z3BSaP?-%[f85bs]3=dN?2XKiG#C:M-'lPm.Q8LQxUh$sB!@ΐK}FhbXj>iΐ.dR23K8iXR o5^OzKb DP&EFf]} O!NR7u?Fy= NMH-N7[F~)nJFc돇:# ' ZN b-ƒŴT=&$%>Gq\[K+mu8kdDw/;>W7b`4|cNUs/nyi<$MtǀTvE.3,Y*εHF& gv=eAxm7MV$[Y,S {4k BHRFCQQ㶦1~yKOyg,m@0ݺ}(9>!A9Hɢ{.`CBj&ᰂ>mjSQs[ʤo&sOuOGtą[Jl9Hd)̽S438ǔ ~W6X_ N>QoGV._qUo/cJ5+M-tU!B?IJd5AdBvޅʏ Т4^=9/Gg2Ip ivV/PH:s->?eVpuw Du4{}N zpa]Hݣ7ķ׫]pmvbs8̊<ƫ[aJP1 Gċ[.!fh_?RcQ.CPYupw_zEɾcU"oު0܃GXk1P?)E)CA E6嬶V=U'R% ]Q2xRNBUpUWtI?gW[DY3+I/7pw2c/ 3aȑw:FJMʒ}%0{d$cUd=ئC A[U!9+Yn-EsE= U:=ߙNϔ{,ѽvET˴JIݧ`^=ځ C΍SGxzVqc3^=fM!vǃu[l4JD1έ?7̊ |XU(_ޭTRϲ @F͒Dt_Ԩ+ +L-d&m{PSB1 8QL͐C-6PH#*a2ԈrIڕMޔe4KPIы$ՊoF|~_+Ͼe`w4qٶ 'ac+F| u& :{à3u7 jMIhCekÐUdOOL5zb8zxMp6sv$ t]Rb;?:*~{>@Ձ^ 3ega؊1js|fҲSS+ɯ㠸[ !*y1lOv/k# ٴmXqPc1w'~ CN:1`#KYTnPAeE`3vNJQmƴx%p8Me"q_,|3:/rX5t{G4¸pcXsy0햚:_/KPRK\aR!#X<)~W&v ѧ5tB0'Kަ+|ݰKo/F^+PhW' `tRdDGɰ_:)(nP3C$RX*)x]ih~ŐtLfi\w ZdJiD: /du> %zfv߂R7B.嗑k%,[m`$uؙ*s3NmY5=B;AЈ$+Ca .V+?o('dsi{[$yxs֓~|MK u4'jRY{^ʚJik@U6_@Eqex>Ө_)l<[seF!U٦`ESOZ_E\Fh_ : IĜbS JDWn}LGnżڝiqtZ}:s+Z5VPcY9lEkxID$Lg1 !Đn]:Y;~(ڒ*k*LuoD@JOWPJSԻ%vL'>c*9z1*E?qѢp qe`P6r/!A.m9`֫:\e̟;&q^*tL"4lBo f`}\x&//wߴ#3Sțt-yx-a?ˮ6z^dߧ H2Tj|\/|)aNYՎzQ)\rYn|:| fMޣœNX O2C(Pw+Ua]75rBm9!v I<}rkHoԗCUN?3EBOg,5W\?g>@>z<?iJr;QpR 7H4-gv4Q0FED]>exP&y5n: HqijH4.-Vn2KaNjqF uO:h\S$1r\yM„}{q8~@[gN6ZL%q%ohDѬ'?Ȇ)t:I?4D0ȏX{k'4>4Å/#F@ {)9t U'BaT{_$O ʜr9\;Ml05悰j(L65Ho#Eo<d~Įeؾ,tOjTQc6 65cx#4OCp_$R{r)A9ҳLpt3+Z`xgy0dVq/ptd#0&O1VtA],ϣ=dhѻUsΥm /KY4ev-vLf9OHEmu+}eDE Cv~ulH$r./Յ=ABnmYxpnH*R #M9/Dy\N]#ӪU4) ̇5S~>.p3YkxB*lW̞ 2j /= 4QbPuWY^3eyޏېj5(IT;f.d(Jun. L&HiI4 K{2$T}ы,(lom|6t@ujj ^5a,)nWMŒRتIQǮL;wjYNH@ĔiIs2pfē5͖6b%3|C@L։kc-bɊ,i:% } 6^N6l@U3*<54I(JeJB#"Ƹu4%Xcl*3ޮh|zE=J+ɓߩ ȗ8nk{GVSWZ誡9h\:ɂxB6(r#د$8^aS+7SΙLG| PU0ʠKc_%JN4*%:2WH+z XSHxrR&(Ό$AUMEʽjAZrR|TVS3>ȢE$/ OV`Ošs-I}zVIN Fgv~o|r1 ݍG k4$wիR7sE=_ :E'B7]WG;ʙO~ATK3FɩAX0P_%'t61?W@ ň9Z&M*r}"?El1O "cd**Ė 0~]"Q kⱼd] ,uKCM@gpmOYl8DB nguO9"ay fI~uh5 !} \׾nz"'Xn*g.\ fֺf $ꧥ`|lL>K^QE؀8<-DJ7m` [۟͂</X,!5Ww}Dki˔)sz[7tm 4C5 ^A0d9 Ar旤lV M#$U_(_`C'W}6i{dj- U%EB'A2Z\dbd1݉7ۧPJA) (nZlSjQ7QcrA#)'$) ] H}MZvxLZ:uoWJQ cHZnVKki5R]B]*˟={h$:pcK'VK\(@S5ݖ3߿^"J˖$||&6J KmRD#y>|PbRL>+]Q9]]j # ϻ&M斅)8S>ӫ3uLyDTB,7xlCO;V=E.5A\m"R!zZ ݮ Vt}&i5^_+t}uz+56L(D %tfQ=7 RYB1b;eWԴob9*Q1}>/\u }-8 ZC =F^e#@ (kk24V&cQw!`G}2SPS~ſz&W̥<š)rs24 >J)KFrA\Mz1`f ;ʦ.[oJ:)R=ȏ֙4bl Kɓ }.:\5bq;7 c4z1NeNj絸V@ 0dʾҥߠ@d̜ s)'{W* sz3Z%'=6@dd$G}vMi B1˄GˣjhaRR> 8j!dǫP݆߯s?ae8es'CٔPoysdiq} odz'-=TҴGBć;hQ#7|>J*V?1ՊO{UU T#Mf[⯍Eul0pj2vLĕ,}plT.Ms"/R]MLtmPtA*S*qm +_iI|GehEoh0VA"q8,3Y0҇R"sWӺ+PX}8(9XsPn: 13|#kw<kDx 8@8 T/]PV;tt7 I0z/WUHIZ՘h"N6Dؔ<aKՏ(gy4~18jX}\"w9e \!d7}0^_޽a2t[8??P,EfboRVAhP'|m2~7}8}tpr#x"kU (rE^5mzo›Z+Qĺ6 2W= vHAh)=ć"d= x՟hW&okƅ^SH}肏uJ|m. \}61Wھ8dMa8D~gZ<ߏJ9[ZdTm$aW_21@xUC}b>̠4V Y)@Z?O7 m-Y?=Dڷr|S@XT,1Uu&Zhi*ݟt\!ŨF&L"V.U1e鶳G':ܿG>./wZR:#̟yX ,2_Y,h8in+!sWf6sWIB 8yH*ONE .Ԍ+kb?vP%ɺEA[sbDx]?ū-DfYs[R{4!AʒS)c\m;j &<+_vҕ4Ǜxqj# ;s-8v .l&Yr+qΈ:I7'#;"kĬwʔ|Sbh :#r(1MG2Iʅo] { e0O|>FҤ8Vn|5zt`,kVYMUGJmndU8J*Ruc,+V  lad |ݻK;oI<3L; [!P =9= yRtPg0bLv0- +; F^V&k)5ShGP^Y8a65N)zQ@T0~ܩ9̴0bo#FCjX3>yRR7~oiePу.|nTa9k:)DhCh;%ߝE- uan1,LnO($.z]!Oz%A l^ړ'*Kd"o>B R-#;,y[^yJ@U%1 h_w@]!3F XbD 8aU<;N?](#n2o GC867xC&2`Feu轗2ROksع5 %HBސFt'&iqҊc l1ܳ =Ǽ6{}mKק>m[yscHTdt=ن=~,s) j)tk t.#`~#:J?%R?N(LaԊT+ӫV u!$x}UC%2_/ɭ'c @; %uߧ\ Ux?$΂! K?~@_sQicju3(Xgk;A퐃G_:6@ <Ȱ_DZ, w`';?2ߗ7#VK^*_.?*28)ȋBv!gGo1eR7'^B\mSvòY@;-F@wpy.2=JY_S;yGWcOhuH۸&s39e!]*d8PV6ILJo/vg)@8Yȑl7ڕ=KSLz`O 1`912^3-gTGp5|\T-&j?JQgp$:"tQ@wc]0*$P!lSE< kWAm =3exrIlbcYP1}AŮ-3ze*)CoV<^J1I#-hWloLtў gwwk#,qĥwDq;=\wOVGٻ}W{PjqEgcS{M-"r"ԉ9@vJ,!cl؜]{~jk x׾n5ӽf]?(i]VԟuY:]PAtMxgAdA\o LZ. ދ H}gy!mWQ·zb9V%\O~=X߉vY;f$9_^yV UZW&^)#zB壛nw}-rm+Y97/.i rvm}πs`pkyem@ٓob=' tEBDM{7lAf+}X)[g])kɆo' R]rj&!eTTBBGTMTC]Z>-w!sugXSwj9,ݠraq ʕ \Edy9.OɬrSfnT:Id-= JE HE;BW qd^`tfLbW`pTj72bT  tp6}@iL4^vSSTT6z?CPp]G7z ٗZ=4c84! *zl=Ҽ!?9a*D?J+0]ױwMLu;< Ux\?#k풟>Lq˄-7LzbOTߙ}38JfTP:\ M+# M;G$xY@m4_8J_9}@Su -+ Q;/Ω:ԬZ曒:3>>VEx2M6ٞ2)M;߳aE#Ґ 0dw^?>_;c/Px| ?7Ifܛ/\QtGǩ̼ gfs<Y ۈ6A##H8qzWYvRfn7g؋= %2HtT @Dď=Hu.1<:2ji)Yq5#Bn 6c}CW؟o}G+ԡeE5ftDG ةazۓjMK_[USz !DëW ?9/{t՞B[ 6)Eu`2`<'de6ۢ"9r@IzŘ(^mnKl%O6(j,{3^o?U0LbjnMe&v8?acɪj+N pcl_ϘI!vbXVTOo5PK$Sv |~?KѠdu>ȶZqs>|2y]Py$Ty%xbϩipYbc~ME2-K/}`IK0@re0*BBxUA(i?VJHҠܨiV_b2օ*mt1\ڋ51a nLJ"ɦ)]CY)j|xDMMՓ ;#t2ew@aIi]7Όtf[.C.[,X6kMNWCB_ X)PACY0Vͭ]VzHd-W Zp'rC4v9ofsrtB2M||ٛ_RFV`eKT_͘e+5\!M9J4UR1ҘWnW$.NH;QEb+<ݽu=Ilgmx.|! e?y7n*ǿJ"`Jj=? Fkb t& Vzl+/QYY5 ʔKe9Qj&_[;u>8KM @p=`8/cOܷ`qIҁx Az \n`R1=N>Ww"AyZE-Guk[ݾpȣ x3@Sx̝1^Qa?K !mLTCtx=##Rk@0HVyDUX /8s(^#In娉73x/DOy dQpl]|op[ߋ)9Ťƾʘq,2p.03P?oKgmցY'Z^+{vmG]sFzh)E]j*+!VsEnY+l0SE;#):{ HhDߘoM0qHfsc`1QqƂLEvq%/r/] bf_ְwY؝x R 7[vE3 [%]νEPO>\F %5L*.R +yAӉ-@F|0 bZŧ=Qu )^q 8l]4L Yt!;x5oY"I)g%@!$~D S'LC kWΧI еU ښJSC e^&%s/Q^ޠ,r))Ý\#r. [ 4؇_cUPǜ')4&$8 EJ41XL!_@R"r*9>S…|ҵă&ŝ"Wwșr$%Fdm?*"Z)jͽ=B|@WźL 1KVHi-: oWx6m P[,!xM8 0/pѿ@CQujFkVfU\= ۑ 6ˁe Ȧaw)=z4镟w5=jA#yL'F[9<\K.,ma=Y!詚sW<CGH ' POh+{R3;O >H_CP)S*tA=GfLnfDɠOg,DжȠH_d/ P :x@U>ڻi;ٖvg-TpZL(ő I|b Qq}J0.e{D879`wR. :[noq)A ЍuV @3N5(oN@%o!lFy'/ D֟8 giSӁͯr$6dM;ێn݂%;/uܒaB@-s(=C*ٜ),vWp~?S8nѬN,.QO-J9u!@g1[.fF%}n'~QxQm+d"(l l*!x%ByKɮaXc;=F✅j ӯ7G89 ~Km1/h Bd٧DD ֔ߒӃszؓOff m]H$KQ;X8erFVދE`>{S ŪEݱQ]ɝ+1s 2bp/J[$]7G=<W*Ǎ|> 5QKy$lG|02ӰP)}DO!ž?zzT+d-tہ>H2_! l(9>6IL.Pi8%jF `j97pr\ >@5"*}G~/->e\(0 /b(s+F7exG? Pmɬ[Qh৯f۽1*ָ4:l߁adr_(m_*-|5*q,N?#A.q?K4=jxP!V3`3?' X'%/O\:Ǟ{*Mh )X3da ˭֋mo$mpUA)y]zFݑV#AGM+l@WBp*_k6~YSN'䍋S*Ϡ9~vd[e!\ &;l7V+st]T`EB>7GRuB펝e/\,J{cH'bWr ndȢx\S+K(JM-7?kη3jh2Ќ.>@!dӷcc}'_ҟCGl9:XFO}!N9 )p+fW@0Qv:̆$:1bO툿-&&?NbK9&C; TdUņ [7Rr#-)M.虄s')Ф]FMjQ҇$;ӜGĔ8YD<%:3||vW9b`!.(kxioٓj,"LѸoAp x?#պ׉Pwl\]kSY\rLyf 3!KCK9n3 4;z]"(P]wL̛3,eY*Q큆!"zQ'jVN}lD[7;8= Op9C8j3,$P' &CǍ3«uo#L͗R:*s۲˃[L1Eȓ3Hq[^NN7$k5!TQPT%B l*d0>*~ڂm-KjַgZ:)lDPc+֑U׋<>ԕnՅJDżRI$#EU~Vw$+5gh=X]iοkao~[ヷPx3%_qdf2bH Gh)myʊf20mM2zt`~x5>]KZl-Z=KxTr9Ƕk~ ى5qj[p:+$<߱bO)}:5-wNWl`YajYK2?̘C-!o+ü&؎a ԢO|Iu8l$IƶV&Zvzs!*v#|˼ Z{T ccwzq@s=vP I?7< W`4Զ[);eWCS, 0U;'w:L4oG.#u=I͌I$zHƭ$-=.H:>T j4x{+uиZH92\6|&D9(AaH_&_E7,;MiYrكBh2=nnϸ9+ޮL>?놏Kѻ&3ay~}Q}oM gN} i|'9N&lf =4Ox_#i| = s/%rל^M`TTdFPi `BP*? ~%Si/I¶pG֠0oV'- ַZ iF-Em{I7q8unJ:Gw ,8mRCQl)r. CNw,sz酥:|ӗ{ѕQ7ˏ3V}=G*LU1=Bz{@7D~?M/qAB."hCtoP>LCg0[4/)`Hq-B|==hNYB=sOtY8\z >X^p>0&4Tߗa/SQ%~oْ8-5>(-{#rc ua)*e$rĿzbo( 4 aɿAQt(6Yжe(ՃV_pYGr'#ݒg7hv@ֲ%KñFOR]3D"VAcɑs<:7cґgx鯔4H2N*+UGYY}B1yBc1ތ :d\ܚ%렻('wrgt䏎pnv"qBY5G[~Iθ9l*gnhਡj0hA2 bz~Ȏ0K]IY&ݝb'3^H]У 0I|_;K%mBn5DŽߗV|l:bGpKT"=y<ІrDBӿeq2l"4ُсg rx1I0`-IR`/m9h4Yӂ+Ud  6r]ViIDO)8_pȡ,b4 p=Eh%H6VB! c #נ }T&7{w:IR  쫋LW.6 1k-BڐI6po=Fɥ$NzƈM"O*lP0sWw@?-w=p /3>﹆ Cw=7YA*\TYgY=CM ~5Aa&ɢ?*!|?H;doܝfS> Qр{X0Am[~iYKhWxif8ٟ:^¾&fwIOJpjz+裾mGƮ:63 Fїq38Fnk`mN<>` \ v8qۓV:1ՙa;lvޘfZ$s}A u"27fKtuB^RLQ"*_ߜ wt"s$~Z`HĞrr0E#G&mE!_T@+͑}kF {%lA CA{o.[Ƣ:/T8֌Pl_#wB{r,(4ӭ)gwOw8>&uf$@Ʒ_hUIJi<Yؔ%9inek=~PalPeOh W/5u&|]^Аikbm/:O%A+mof(3uKKq#`\j:׎Xg_jc :H%6en3G_'푬ij24$fn字Jr8 nl8fÎ"aP;.h|(,1IםuLɫlfgt c#-xQl˪*Wýi4']Os*ɦ)uvӕji1 ZH mfU^T.9Z>dz%SaƓK,11ӲG V,qW_tHת!5{K>U)#z!m}3n|)yxujե;;57$ȼ̣m"3g 2^+V/b[>>ia6%<4jO*9%IKn+ueJuhSq-,L~GɴQQN~#"`'qj5Qو:]6b j̟prG[:ĺ-&δxRŻ^a{jxǢ-օ5prv_nWCLيyH"RSbm}ܭ> +oKz46yLi :r?Dyl; UQW\mr!\?Vq/=[]~R*xfy/{!R/:Vk zC;JϮDߞ4S%)dnu% 9<*2;FMʁwh^C yȌy7o{Iu9U.̈́ӄ|jZ#reqVzS_Q\VQfn&p|Yzp 5 $11›ŀa]^%dr4 xʅQ@<= ϏȾEiqPoVG/ vp%*OWd1bu C똼`k\cOy~;&1^ yZ3_7Z[(&;!Y{t%OeTj+X8?z]kD/Fn[? NH364\AŃK<$6℥C2cQv _XM)|f3]8z=1@^E xӪsNhsp␄gjd֑ӪTnWO`ɍ&Dy?c-G9Ho{E;cNI_( A@w{ur5î>W/cFM½o @)q1{*6y{9qmNruɠu,fEU\: dn<`UUJ@:~Ͻj{_7E_pdՎMC`5a{2Qet\%MkώW Lp+ ] 㬀\6)鄵-䬔y_;9"ev)1Sl d('{C hv@ZO(q/&X)q]_A`p@?ʩ5g))9TE-gT&" &dPo5ȚXkwɦB2#Q8;7l LJ Equ5Z IhoKCspjJ/i%P֬ F]TWef[h bvumm. ,U|Ǥ8/ӱ9y!bW 3o!]T(y_uƘ:G3!Y8yKG|8Ԩv9-)aD 4 mԫߺ3U[lm>3ir%)q]j{ } (Q/>sMAJZԼex8QC%%1e՛ͩ`@bKӴ"N6;YE%{`Md41F!|^ otl<9C0H4FKh1q!Kww:z 4W >uMIk ;(А^ݯX?z8F~ I~WЌQQv? 4*C8ut*%igAYE\ƃEo3]᝶A,)ۄz^ّ~_t r/Wj%!79o5}}F2Tƅ ֜v0  g uACJ~;cD='E@"\ Oݎ?3~_=6nL޸qNl Anw5sٍ.Y/>Sf(ӿ=͌P}43Jm9<wk%p#JPoyڿH/FTWP%6cm&6DT'\ !+{жYga4ӕ uY?!C.3fܯLbj{'_5rO[򢧿<ᗬYUMȧa:U 4>[by<26"V_ƃ͆;~꒱~йbn6ʹ.OwvXY^>{b&7Nxz׿bRf{k4ΨAHJ^+>9M+BKn, Tܻ4[lS Z΅>qY;g,) д9e~b8&](Үr#uOŘ2ux6Mh85.׆Ptq\8 mAR0AYAC9!XfŦiV S/ ,GA*V Ɔ(. $8@D2x-A/9s Dȝ9A 7W?v,#N9gM*H#9%cn`q&~PӟxA[e{pfF5"k1&Ր5AbA8w;!|A/;@"gT0Z7]ok]׍l|Lfh0dXi JT&g5gGȾ*V6~Ҁ<s^w9bE/eRڭK8D۸xYPH R9d/!@D8|qa:4[x94|W9Zh9@܅M!&+]hm%zDj3֓$fߏ?Xn~HûO@Hu󹫝]N+vӦ^5Y^dt51Z}Cv)Qٻ*8qHU0q:;`VLAZ CVR(l&gnyBWc+̫~BDG}t-37AovD Fx[\ZC0|=,>ldd9(H-v* Aϟ Ifēg^ޘ,[U#&-;vHmWe!!3@_oumabAK:+gw,nj[Q@V=g-\`'@ c`|놺}Q 'C3r9<9LU ;Ub~Nh5Q\%t] P]kE٨9iK4"X%D2/ L% UU>V[j#q+R֤?HWMc-j?0y#W+Pnp̵<3_5M/7e\2ac.h",' h!Pu,vxu|kֹj\z1ly+jM_^sN:u?&i:lKm|ؓ VK#ۛH]-Xax@geaj拣{2_ŰҗF̘,kK~><1MY78ɄRۤ7_#quYB*XO"o,\%UmVLk׉+Ba r`9DEfk:ayKz߀FbJ3 j }0FL~d<00_o3`~5g**{T.=MsY0+Ǎ >J[d|S ?|7,8|uӠ}" 7>%]bHQ_?]p)|;Ho9*1ek˦S6F9Iخj z=z"锍2EZp* w뷃yyiz<~qiPwDYΦϐFF\1\A>@Rw]GE/)6MԨh4M]cDg߮cv(ySÙ=7T[*vMT_hY<Îx`̍튣>նig$_xvxv//qM5- d%-̄lʾ \G_3hRxK"[>"h=覭vW6qX6b'&JuȈݕ|F ;T5|4\l<.:w&> Ԏi$rÛM;_K.-Jʷ4ڲx?zf'EH_5k2B # pމ5Q8F{ [{],kha7+ u-ho:ިtP˖~3WN أuW䒍~ *~L)R14&~ l5U|i>:lTmU[ljS4QH&kFC_H3F|BbJ4Kn[CU&5.QK9~!˽p'Khu#e/ZE)_u~UM-b|;-uEUXLIK! Ym ˢ l(*#[*?Bl h͵>w& %ܹ-+QNB `q,md^6z(vʦt Op)пQRzxԚZP30j(0⡓}j @ɳ$Q*필H!Q)vRwaPlcB.%'%CHZ]XK{iǣ3s׀e3¤b_(TweSZõ%Gni"ӺQRU%wKB-j_"3KYdFXk=|n@b3aHaA])C08S8Ԩ˅8De!2Mֆ-i.vR}rpo3bƴ> k7v/& bK{/, q A<w#//}bOL7*M? -%(/Lʴ /G4 (pd Fm[}8Br ثK?u2)\wCJՌq8?!Lr!`"[Ir_f&d|E&lCMlmEe)WÃeV0T5&p#L" U7k OъItwG&l")jL\PT_z{97ocV.F?|}ؠ *N0)wU(<7X} 7,z_]Z+9fj;O. , 72_3n0b(hČ p0r7gƙ~+?lO#A[}xH(y47 4^@ef.dSC*ȳb!K]. MG$+/hzÍZJ}Xr+{_TxbB$> Y-VL IwO.1%/ЄC^#/;oӗ|gsD'XKv}+ӡbGD43PB/;g$~켜i nGhpTt SְZñ/8r!BF=qr4)3ݷ5o?`kgtn18uFl<5o⵶D2)އE.t4X1tFuk-99Ϩê g5_l>Qٍ J/3~g 7VDh!hZ%3 WOhJ6(c"O9TpÖ l?䍍Wc3"{cLDJ;k,) '8yY#!,MYa٠f`J岜' 4{IZQ~BXs2H@4 `8z#;!!b!T;ԏ^-PV 4f2\)|'*l0SvOq Zָ#sh!2ܪC"p^4֐f*im:n7hY}/4̆fV@k^q=zn謰"ԝgWV-sԍTg;w('>ͰHcct$o-i[˾2dեC+tp'06Fwe Y}ItU&w'` Z$hu;&(𺏓RXjm7f.DԜH /9ZLAaD.$D/Zp}'6x }ٍyP+vU4HVN(/X>:4HP.͚fcYU:IG):@pM2hR6>Tg"+NBo1YDG6rY,C(l=nQcc :Xh1^C8NNb;OgLN`Q˨'{}NTqHy29%& n\\cJ|!g#!촢uQg~P[KxPMuS sj- aՙŽ γZRKi^zf`1MԵ'!v"=bu7Vꂇk8OE|J7l_Zis;mhEH7%`ӶWqQ8o09Vx& FlEg!qX"A*`V(/aT.h!TE68gY?oR}mŗ??#ؾN%!,%џ#O//_E)R$n@ -4TPm4{^[_!Nm>4288mB!1G2=I}v_DUAzy +iMeޮx̩ɺepa-}ge?,Isp=NC[{ȁAztOr! kf<" UVZsl.Fyϊ_A9~(JH[$ڰAcdG9A>Ģ, X@ _8ؠ&b` )31. %)ptZऀ~e' ַu+]XiI /n C`VPS M=߫w aEA:,G M.Fsj )) i)GnU.iU@14@D#旺'tO-FD?{ЫgV`mڶ V/ІB HP*cAY;xDie׺ Z>#vB#+hBCcA}8p=2AivAAtR,=|6w H ^Şހ|'eri),%&?ݠA"B#c3SYn1p NbW+M6;AƁna'GQEe#|:d"Qcv:ݝf"yJ87褞i/& RTM=B$EL3ȯ.y: BK BTg$5 & 29Wa]{gQztT6͑eIu5h4(+l p>CWaпhE*Z^a^n.|om5_8;S~or*YbVʴ8bE8Ѽ3LdTIW#ؘ[sVAkT?pM778ND~|&E6 xTG&mI4N] 7|o?`pvz\IrmD Kk@nZ<3(}PYҋL> ɒB#Im= .pF*擯 !ka/>L1l06@>RUEzv'0M,i=MpR3؟x"W_ұg7Lnh_1(qjp-]JA֠9gH&JK4fOq2C@ kp41% |p+r㢒6Ӫ 7˿e ~o sZR3?%I2&-W?xy%(WRy!WyPLn ty&5(&d<|f995C[{Qt0ggA0O訕iq8P KW).+h^p)W@ GCZ-!`9?WQ?PqC/矧uQ_ɏt$l"B N ,Nߊ0 '-=5ۼ6Mh=!esż .hrbs\lzpjhM2;{zdl++28}S9 ;n3]DYJљl W]5^ݓlyԣa+Ƅ']]*9Ҏ:Pb ,8 ˶Um4©bB *3ch(Y5¡G ˁ=q$-Z`47A)\ˤqje~{d+mR BJ44ɥ :m zSȭBhL,S:T9upY RQ).&A㳲F (SIT>+r( >_ ]ng]TO(2I]YbˏM]r9J6h5z( 6/f:5vKXeni<'$ C#/ڥ}.*:=߄o^:yx<'WoCL@de$d.@،qZ#!RZnVMå&՛Vf\oV5sf4v+JĝtQ"%Eӳ;TxPnTPCFy(mP|䧗[Bq;/$Z.nZskNA(x::[:?d5'`sdINtRPg2x&w/fׁ q>)8INMRy),G0RB.~~( ?[b&캈ILB‡ssjڽT_w߭Τ1 +*tÁ\g@O ] gz>Gڋ/yQ&mV=T,(eY6p?AaifUU$ ̷mbOR%1u[~K&h^R{=*q=|ǶBÌb9{v%Uq+铏}'3V'v@ٺP5M虤â߉1"חb` ؕ"jдC~,n܁fTVzڰ ڛ(r-f\IV'`4b{'̮COpVoȢ|j% R9%q]H/ebe%Ҥ$'mR Dh2&#%1}VcllK"./LEEBpuG?-~pG=led˟@~x~ eҍ;͏V+nѱm5#n9[{o,3:Мȅ~=tFrȭ^E2t*@]3x8 y':RpXq;tEJ LJfx8XlO&GpAJl=qd?5qüv,qCۼ%U32``rͪhbw_nQtZޝ$>j%%:[8Ŏ#l:Ӂ>O"i vw؏Oe Cw>LpAk-nBB|o6Zڔ Z'D _ōr-]OXWg,/ȔơSY#)8q qD}l._L6Y2(]QBzR_ێ~j:Ə]mɇk[YίnݾШ2># zfQ֣;D4cms8Tj 0Uep:&cfE (GbY\S8( BMxMt4wj DT_[".SGa]k@14N/|`gz[zUϣ+U!/&fIpp9a*-04.(Yr@ @l2pN枸A?z-w߻+GK)Klܕ @x!_x.*$eO;p7^VNlVɟ̌6_=L Mǡx[6G'9͘kΒYG@(_z|Kf8U:,2vJ$ꁣ$7i{"(5=';{t8i/B.1=UgY. LC+#oMw}m w;{%~RjoChbM! bLP-pFkD!9nRhb'@!QP<< h\;ml0^ hƔ8%`WM-K-YwV!)̋)=ڠCbf>D*OnPx  q+&,X;J/OG%;Y(H^U躼7l:jwPߌ*jjJkz$C)k1X-L ;o#:~mNd;ρΎzA9gyzjJy2VL!" ۯij}Cʆ6 czxH6U6,LE2!:C 1,"o՛H;$`dz4*Z|l](aϏ =bӐ` 8Fʔ\@5pH!&%2ae5խ\qStx)ZRUt0 .`!>I*{9dymtX֠]̏M; F&{NiQ ^;V&Ul~ΗrÏhq O_%vgSmѫjiU\,{ Y)ҟF\ |̌ɽ]k:]aB(m1&H(H=Y,lЁUeUՃyO+S/=,)2OczW 3vAy,%2HfE;])4*4hGs/z+J0ez\wϻK$d}4pS#7SdgΖ-tMk3&,a&}v~`MK~ AL^-x՘%֥ =Bj%ٿ`G&g~z)l$ :h~SkTLj0ZSZ gAd8e2)`T!٧ iLG kt礥AMK` ǣyF?J<FJٮÑ$$7+y, trjIu=J\ŧ[P:aIZ $I3׹yv_H[?kT: Z̭5<#ɴ U|sRm~;:U );5nL'?fh^wmJpl‹dSøL?[%%39 1c1z{ <s%|<=~w+^#8_K W*bDzGz,`ũJ8zIm\Y-JaH::-tb|?#_ +3u'.MϐM,0}A84I +] }3]'~<> }QɆb$^!͐`唥Sfko%5R5Q9Q`vc =,_a =wM<p5 >%bOZg ` vmB/ U"gacd;+WaX"Œ`JCVRfV4<&C d@)\/Ġ#Gp2 GwPDlN@;ܒ ʘ}oǰˣW;l_̱J?z0`D]*+ CoUQ.o w+c#y!p b |%>tV7A6Tbm0Γ ͷ W#\*Y%i3㵯Τz~BŘ\\r=Vt%mKQ^yv%:Z`x 19"^rɫÐMJgk¥Bb*~xxxtl:4 'z|oD.nI\,c8W;BcTpsE#jds]y/' ^6hvJA.aJq6-+Zh*Eֈl/k9U$}/Ri0Ylͯ|>?F#5}yk '㯈VT:m',/  ##LYKeH CѰɍ| $$S60*U A<*w(MOcpىΆ RGnfJy TiY%""Sȳ;ovpJs + ,ۏwgBD S2rppu'L Zkԇ/]/,( ̘+Ba43*X)vV;{!tHkG`4 w\)W|X/SJ !˿6? 5D> wt`j6g%4҄ڵ)ZQᬝA^,&&hYGhvq ZMUP 7d/rAfǨbUT+[ {>y*ɰrbqWVj܂u5&?F4<%JVGW0ꊟ_ܶX4ޫL ]r̯zYO5~&wkh~Wȏ*2Ͳd75|cPp )r!D y$VjhjBfg4ɲ;"됉<7g2p ;F r߷ 1Q Ff0]ݮe2ͬu/ABIU#Wa\𺭰ɒ/8ci` \5ynu#,l/ɅHf$-n||%},A?y!,HDze%\g#%5gb)G\ /:RYsc4ʈ ':2h̺( ePB+a)ؚh?"FbEkn-րj^5)G".FjxE4''@pϖQ ^u_atPΦDoㅟY"H ? 04|⹠AAˬo2byb<] @%qGYg"~kŠԉtPP޳m^c%69 Psk? M٩ZJ]Bm/SIS5M'+$P=mtK[y3*%Of}Wܬ (W+?@A X0eR2%+hzӠ~hJFW"k9]UhL.ڃSբ 7!G BTc]UC8Փfn R+QxlĎ*ѪJ`-S^9 Hɬw|iKZ[LX(%C"EN4]6okԗd.e%ky6N4ԕa@w3*?-D!2›mkS΅̀*H7!ݧ!yÝC ]_g-D"sBJ/Îo~( g#zcz/®/7J]+l2U-Co;?Z5 ̵ʣFP$L>u(qc1k"x@zÔ^;O# t9u2~(-o` ږ^-|DUQYHtefSw>5`}$by_r~8.G xŷh+p.V/kͶJW Qb;'ܓ Au!h>+jA7*ɁHu7xV9tHK|h58;%] G^{~0_i+?# !\΋p=J. 3L 8ѠZЀ4@||^{3DZ5A)BOлp|9jLw"mzh*ͯdz@9G"@+Xv瑾>W@u_Mt6HCLuϩЄa2*_.h`5&hK>l[˄/d*5%:(HjsFGLQo;7@9"  Is*g7WЗPa&rMո%j7 9暷P{qg1X.ʰy0u@I]Ͳ? #M$QE;*DbsIw*RZ'Y/vP4a,G&SWL~\M'l=(SڷAKV|qX>c`fe ݠ-t/ٟ Ln!&.m,Gn^Luݟ+&Iǫ d+K'v)f4vM?^Z-4=ۯȜ 4F#z3E6)|Hdc <3! gwY"&XKt݌kvw;Jw 4<9_'b7T,mX<ĵM[dfW+_ T5ڑLM15F"^F7rAѪ,m>1`7`nTOxe(4ݺ_G~g !Fwx +GJG i&}%Ej1擴fϏ""3Q\<|y5jqp3\>J<pDG)gLaHM_nvfNL]H#A ]Z.R tgA W^+%1@mTUuru,zcn~ sZ71Vn.}A:H6轛uAY<׫V$`6G$}\m4&T ~YU]DVP}Cڻ8xeKb>}r1#xHv~"kYèֱ)J 3֢C̬_u=Ϧ ,ͳٹ=],1$Ok)YɰhrI"U&,Agx0\њkF;eWFI_ArVoPTm嶭/Z Gn@zljyIqDSwW(PNkv`Q-&X>.TaP3On렃r:Oh7'}nyg=3>idc伄 `L=0A B[גᱣ[v+np0㪑 ԣw>TekF:+cxu8I5JA;+LM8ݪU4Ajei,i,>F^Ncy :[a|| 6JG_[̨mh`5tDl*yӳ!;Y)gLa…3)H кр+E018(z\,ٲ#iSG%?fu 0MKgωRKIw[P)C"C=TeWhBf$(v(IQXr]d]|B!9̓B+9;Q4Ύv,@to1yH3|cUfڙ]4^?ŝě ckHI1ի2 %=\wp0Ć,J<92b&C! 4iW/s[Ľz"ZܗaiOϵ_,pg4\ J!^DYzvm,= q~ktpu/gh]2]Ӑ{[H wcsַ#7xá5z"uF;Dϥi^<2ů qo;H޿:Q5ԉBnI!Ee: ~+$|̠)LjU{=7L^ F*ػ|t8B*B)D. lGy Lݳ鮴mv䘯^c #аy0 6OҪF.<t8 !ڭH 0?mYKM[EJwwء@f B님w9jƑ9"IU׊>-T'+NBa3kfwBM(ALm{4 z!7u$b1tc0VID42D|/krctL&Q4q#edB]=+q՟z(^@*oBR o{ۍTm \x`N/da3\:x"y\VY6ÓN^ڹq'0{HF 6/u۫Q?_A#cJNIKWKE?ǖ0@'$^p$o8 |mpRZHK'4J]MFP9bR&%O v z!Y/@Ν[Ոv*|(i'0kx`'s]H+E6?B[g&z:X&uVId0$K aHz003Y W[2W2qJ"F Vk:!'>;DO 2@[1a{ZTm1 syP%"Q`kS&X%%{jb,Z֗U`5-xsЄEh8rFR47S:593[V8P:E#.uDOs @EMC.:/j5Mfy1‰}^+f2Q_fi zvɎI&`53 #J lD͋;Og3, րiM9b4:e]0Kx΂T?%+XI@S7[ t -ө_A_^.{"+yaZȟ{& &8FExD'2q1 %Ɠ#z}9~}rw{Щ6(\ pGٖiW-#x$1jtET$]%Pmjc#rQ ဨn s0_9G0^h(R/{3j/*KR"DYB}#+-х`eV;.jks<69g\7z;+v CO>qx, !.С|[v7mC;ջ[.<~b?@ % 6)K-m.*̕NV梄|'ڛ ϊ, 5eesį}@imvݔ66:yL2aզ]SHǂ?m8.1MV "2W$/]+(JWX:!?Mvܴ`Hy)oQl`o"x G:c&f a c@\O6۷,oԻ])%LeX7*;\p1S+tMn"-7:D:.QZ@ ދ_{۫OLI#< zCƑ;OX4I~NӞab.7mbz7sJ PHcdcYՑ_)b]v^,;XMT%#P@Ca#sdA__y#r&A&/@\ mkLmI',(GxHx/bTƒdqؕK޻Zn e]7~HN(Y޽}}^MQ|]ՍTϊ&ǖ<+CQ\!ܒݗsP7$IfC! QTz9%n\b/n۷a~!ZFҷ`jM,9 ^8X~ۗ3\JDrvd\@hۓ3~(D͓qfBS"N*pJ`'[$s*tɊ8LhNqer7)AS(ΑL$Gvk$9"@k%I{6Yuݺ\ѩE(N-S@(le^$$3sRő?e_((ER|2 ``+;[`L]hOO e|7fQۺ -5b",@J\Bb&|#%tPzA&P)\b0\h"E0ZrIq/WRB'0Tlj,zfZSJ;dEu0ǭ~Ta.Ƥ,a!M=W렿 '';@wl"@d%#,}?[2X;PށWg$$3thI#be$'{&v&+N('?w终_rc/D;r{yg:D墅VJM3yf"nLqgɠK7#$IyL-e#_e")԰ "T[/2#$HR2(r@Aa[,r|0:una0p Rv`,ZDfΤx%$5y; 9 Ѩ 1EdNj+MfI`nd0@$)Q $z&\Oo1(PkUgK~O\qO?J>r?}V L}Ƒrk("s'T:ҁ{p\UoL-M|>f(̻~] HnL֖6(+@qy" ^(3H?\ JQ09^wQfPYPpHk']s:;xT]gF$u}8^EK =;p`d|jIA.i `-byfs9pxg~<\mORۏ+GMU=f&tlG3$J9l"| BMĪTMML=58fį\5&sm?Fx< @I{  Lz&1{)gCHꠝF`t~".D,&3U_뀬]OJTƾ~?3htj.]%p#&.2cqʼng2h|.SgV0R"XЈb-ƛNF Jߔ#[:N{}&Bo!CV3EVL6M%Bu,iJ uwt~"wi =d>/}X8:!mڳ}o[ߞdk?FO YfFчc(cJn-lk[:IC1 N' AJZ7Z lA#J $ZԻ6ah(PŃ2-Aiĵ;h ] a19KfS ,3uN!uϴĝPe{|@Z25`)T7[)2ctΗfvaLd=k6P NOpe4( ~ l^y_7nʍ|S|+=!sO֙Nqw8_Փr}؆a<xa~#ᠴ+,8(o/00$&%QoOQr;S'Vwž̿6Ld'wG,/^4> jZf ʸt %%wYG&N,g夤V7"{kDzD6,>%gC=hnO2Y`EpRկGPJ"okLVc3zF((CTuyECWBr~h8 !Y;CZcfa&Ow <&T&*I}#mq[ަI~JcozJW£z* {6Њk}e&+3ngz~Odil}Z&-NGJ# ӞJj ȩFsxCf:Oa煩5=%!9,0Z;!㜙ofoRRWJ~YCގiR [1Zz,Gwʫ]ⰀW")+;;_z`W٩IF3O)9ݭo]A/46&b&_!NHoQt1¾iP/.MϧfD>VjO m [Lv~_ e::鈛kr^ /) &pf& 718P`>-kk,m>l@5)OھT޴_<^mu,CY' JR+kc8Lek"p?#x׫IN Ye|/~`@ /fVe:yanߢ|xIF9s>Q4 W ܃j{zp i6CY qD''zԱ!9)`gcZvaದ-`0X0CUG OzWMylUSDZꭊ"<8Brt98?u1Mr+<\v8۸`r("yJ#$ f$-5Kr"ځMAH!t3KsFߜ.t}:ؑY=$IUe<4RyA턜* 4n 68 "pAb<T}֡@53U8D#ŃmLkY pUuڦg:Eo-i455PbsJVRɧYn}<2P{} JBYQ䖦jif+XҐl =p$SmN,p#͊Ѣbq382o xMQxv$ Q&1zkρ.V ⫮QutЯ|ٯ RIQU0Dٵu]42hx>eNֻdw|;n0fz}SzĆ Ѐ˦c!|BMϔϲz59Kqg~++݋m6#U~Af͍nKz!<)m`?Jk:$i'am$ӎ]Ë5b6M6j\BAt&l~C0ɼg1 mvYgrtQ/prS<3 u $Z%s皋5Fv%E 4Jp>B7qۑըP/bsߜ]~̩-Z7RF 4OuZ֎gj9Kl$B0º|/.;vhv:sRD$pc3Z #`6F1~=Op# {͉fIxYCn Uf/3t\O^| ~ǖ((a~ܯB_x-;S9/T6w`*5ͰOq&M̧s"p}[C6qz09=ag[2٥lQbL'\)s|8KE KF$k'5> tY\кJI,BhKAl5,'Ō5pYtC? o-F3MkF#f?6fUŝtu*y/`p8K4I4\mH *,.q^TőÙ !ɾWĆ,xWL&'HTeƅGmiׂBvE4pYwmNxH%%@(_=}"cUV3 b:b2E\!V3qXMG3 .B[f @j> NSd>٬hcljꥥ]NޚACίǃZ8CC^x& AGIݠD*[^-gl2 ;^WA>q| âsh? 1=U}[0Wwz(: R߽2@67eI^ǣ`hb=& '@{ʨ8ai5MOI3k;֤OܦyqGc/U1&%Q&cWg޲QptЕR2XBJ^Iօ9tڄy!η%E}CZ]#./4֜QVH*oJ-);kk>@68dtbNK Rv!={E'rt0ԛ俈%4I 4 OpEK'O$7dTO:hmRJsp Mb5|I|rE#sMi8غkO>3٦PhWKhz\Z?VTfuƣau`b4u3qè;ܻ '(ۣQcƉ/J({U9fnD|sj ЄCMQ*k|)!iN9/pүɚad*:n ^'ɷT:"C  I7!TR:WD[rRR@KR[SBKI.9{M"t&8(BBN8hEFJ7[ۘP__6.Ga(jp~ItrzIS]`ŔW% !qtJ ԰z]ر8&<;H"p_?M#p@πe +4#5[njE_M]B!FZ㼆̨AD]<<aѓ DaIQ$Z%wD`q@)IH{9b~D? ̝"B>CG&5YwMFG>yxթЙ~߶P4}}FT]Mg2NE$3;\yS٫򁪖ٖAL Op1m{UZ2;!Hn/|1O)sW:G !CNd:ڋ:2rU k:/UM:rRoN/LG)= !^+J SVS iIe9ܚ׼4PuehJp\mtibvw?A'ƷT"bq~:Lw|הּ䵊~r4SS j42>*ճABtbй^ÕЮ̕Jq(!qL?rh^G OyyA>i=F_;u`3ꂸlI1nT;pnpecG; xUQ>QU =#F=~FgzfH4CL:<sX7CmeO%i0/*yk֠IvW!ƛv~Ii)j^UL_mZ06k /$Ɂn_͂9yiEh+|jLG,l`? zfMaۃ$4S>i}Y,f|p$T$32#gi'+{QjNlC<ޙÉ?ݳLb%T:6gj0u(|׉h:?"/A3hlt;W)-Xf$.UPXd&:MePRX":>_tKWJmMѪen Ř gWzO/^ oRm|Կ*%>ܸz?q W+gl!wϺ飽D]yx Zl{妥{?^2OfX8e7nyա®߷'_ܪWd8xV `ԟ5٩G}o"dTtYY8Z׀GKr6-XzE톸pz\ w ?6\1>f%\nzGy): M"tԝ` a&Xa Md{*k$Ѐ3H %ĜR,GAl\֑l,(v-R=="6#m Vъ*×$%\]Zrv$(nAiB]3T e&wD>:JVp ȏ3fZDx(>}lB|H+ݷ)#GgKh%s(|2b Dzp+@h a1(R~ ȓ~U-oyR]17砱tCAiųvA9K)BAK؏"S7>' t檍g Wր"!b(2NlG7$T͌e-][x\j)M@_:$26kev6bZ}_tA AީXOMdd$7R.ԨǖmtEaqBfB~ƫ<!."Ɉ3cC֥;vey<qY5$ ,#vp174oi; .}[p ~r\ /A3;j >K7\n?&m~xGh--)\$GQ ĺRÞ| ,!d \a!,Ldv*Z\K0'K*M#67i}XD?!`4wk[MpTh>n>0_46~RSRws>H&kPƘN p_ r99&W3j=$+j#tg\>C<8z S*c5 Zoɱxϕn n*q(=ް)qi@t HJErKe䯲d+MX̞ ГI <:<CG nxP̐(.S#Bu;gk8Z{ 0Ol]O5mW&>;ҧ 4l P}E(z!w+N K^`cm{3t+z `^Rf}BDPD N9dK}̴nx`T+$,G35A'!QD!,m8[Vlt׳oԇ9Pc 'XX )Q{vE[n(^Չypnl zGfUkPX208rF\F:3kDRwP1,LfՆ}od(]W,Agf8228ƞQs䝮e)X0:#>B *A,oq{ o;RWy0\`BE{\GQ\~ UHW{G*ey&CQ wfaI< 3Iҿ:5iΆv2tQ(} p v2H<޲_h޻>ol]}1S(!2θD(B㦬CFpgP\^]R&~~^q5-)zO)mC؟ٹ3C8|8_\lYǮ`H+8a˹v %[yׁ'e3mu%Ł>ם8BGmJ[!^3z+~+wh>qYyae= A^[\;7la*)% Pcؾ^xEu~[1sܐ$+&&A"h #'FS)!WH6hN@a@OYlΔbj(ޯq" D+#i}܃G!u4Cn3GۯA IpFp,DmBzn Ƈ~=r2uUT9ӵ 8&uI,CkWgJ(|B1,Z͉{xMёOg>7dYځ@Fb/^NL [eI7/_S#YpSy:X}O(R|vQ^ @_1x u)[X*;Ⱟ,z.:)'6V)ҍ(5)TaBj8q,v]p f`cc\ ~I-ZFkŌbGK({"!L 6c1+k`9<׵T,acź_]6R21DMBG,%*, eNIڀ>8a%Wa>$PB;4F0p-𢏪Z Ӧ\'ڿLN˱s˦%Gڃ˅~KޫA(cbR/D7G3)jX#; I:3_pb iKrŵ>@/g(Tɾ)v 53CV b:;oAAˉ-Hy@6jp0G1uHN/zu`mM16PD͵D̤;+" leRwX 3!pфCʼn\SL376O#rGf^X`B`!ݜճrUk~^ė.cB2tBOu;\D+ja!t}_Z+ UR'0Rr w7[Mwm]AdLj}E60|A/sHTsuޅ.:Y[&~Oҫ~?N1Hm|Wc0p~(*&=yKncW:3瘌Cl+cM5*elNQ@N/~纫WicYe/ ZiSux >_]Y{\116E|C/Y&=hl SCj}Fϥ ~g-ojMʶkB=uDn>gtO͹ʠlb h@A.r+ťg#jqt,:9<;.i\+4-f›%S/%(jB83l`1߬#ۊT |3eҦE!wZ:cJcn0ndZH\2~A&%oM!o-$NBUd|tSGg=2XQVzTj)+!쒓6Blt_f?Ǔm Cq/_.=Etʸ֑,itnK6xKسmO/$Q 1qx<ῤz}*ӆWo1ajNئʲK{oxDe& P^hʇFYy*Kus33DB\Lɿ2Ίi|6m9?Rf'BL= ş9"Z2 _x2u泃Xqn"~_Lj HXQjX _B~)v<\޹WK"\/hkyˎuocn^I&`X{pi D1Mz \h$pba *c5[ԵTg b̴fJV VY4U9qW.ZguN^˭g\<kUЌ:8qF<(sGD` !B >,E{@ޏa^(í)(ԇcW"/d Dדn<kǰ!|j'yTJQ2\H9HUDSTAj?'ޫveI}f,FUN)X3֟vj' ]iwp$l-k O&X\A;OA:kRsH:DoQ?X+C A̰}Mi6 +fK3,~G2G6 /rL#A>Xaax1\9%9 V&X+.v5!@@%ĥs=W(z5(zfI¬%4.K&֕j|wkC oCe!aX$(Z9kc*UyIQT܃Aq+:werr]WQִ}@}{jXZG@' P1wr1{0Ͷb^np _.L[G|9u9+?{"=ɶb[j"'u3?N$6W[tPQoX?-z8鲸Bnm,8m.Ao@9~X¤uVơpLdt߳o3JqDVsϢ u3@!o&Cc{fq^Ndw.hjԚgQ9ZG'W5;gڜOvyΚ|:xXSi6K\|DPHQeQ)ϪQ4(W &Ѳ>*;`$j;O ԩ s*w<-hR.WkS[vMAʊR(.,zIRU#1S{lf.{>ృ?@ ibI67uLGg0o<[3?/O?뫒32ڴX6vq9h)J2+ƳD#l"䜴bk,DCҘH!B8,UzAm/ "0\cxi}Kgd;2'h>T,G$ɶwɍ1Y^sSFc\E-z~۷\ ƥ74Nkêelzl HˑdO'uWUfG`ƐJQrh-HV'DJBI6o 1uUZ`8_u bn.I2 bd,߇llZ|L 8,Y"ڢ C׈SI_+BJZv'(ڕ}?)'FWӍ}MdRoo%s⤱Byi0~r]=6  :J5ģ6A"+ QŊR e&sͫ߀Ɍ͞rD]/if'3,`vіU$(#.WsS.(E>AȪE;B9n`%8YEql~'Tvk]Qq vux3;;6nyfQ&w151)Be Gd-ݚn 9a0h>=Y ӸdXbiM/X#پF ,ZX lRBh !g'TQxkF_LUWQ&E܍0Iq)v:LB`\"J~A& hE=x>3{ {&A@^5h=w`Xbu{{<;h, \Q KQnWz߻c7)sN$wNF`:uEIJq.3SFbN@ҫ*=4? #S'-QTn(U% O"N`Pl 5@pv+ Ӥ peb&*d:0* {{#S4fkʈgh8T@>zK"\/] jQZ([g1xZ~BoImӨ/6'WC59'sCrΗ1AC85I0NEU>:o䍏3LB$~6 g/ѱٗ 8hQdDWTaO:JCv"k/AT4*AiWӔhj@Q ~ʻ́ȍh%&`YKֵƯAX/{vQ^C<r;CYX)Bo vh's$A{ծkDW9ƪ3S"h]_M85$䱕H<&&mGe<*(r$AVȡ|2Jฯ[LEJ褀 uJ9u5 VA*nƑ4[mI{-+ܶa>RGgӗ@>5{G<߳#q4;oՏ57o' e? _g 4צا2^Y v҄\d+E41"uD%pz.թ/\mOʿ~ʌ!|}9.VW@/!~$o{"T% M:}iM&9edWD@ =HzZ4^ؗOsw_~N,5wN" wuf_lՇeX(^%eJAx)(&$~xu .Jө b~ CI+/.F` v#I~ ')=G_)ch+ҐV_|sR_/\ƒP=Z"p{{")¡ۿr~|D;Q*]Bd{rAHC QHBŠ攩/jǛ`@z)4MG8n9eW~"P3/% ͛wwuٌ^=tܩ^[5,Iw0[;{JI>0~tg'(_ !KDZe(]JОjx_"{ѫ9nGh8fhGG=,@[8]_~.˻-Weaa߱Ph0o;)AZ%*ކRW[Hd޾g Jt db/e1 I.K95o[T-`CXdl7䦹2' 8iFuERZxL#MNaSj=bLs )發-vHI9o!wwWEd~Vx[96v#}3gI`ZC@k*9rhD H~/jX(¶ %BٍγUL[yS΅2gm9̙eÇ/rp&6z ŭQ SiX Hd*ad{Aa4=~_fL^6F:&/Twj-x! iuI080o5pTޗk椣xuء}C 2Ѥ^xBS^PAFƅDždeLoKK>4k2,]Jq̶D.Mwb g=)] pf_y59^~CƌK@'/+i}N-).]F;-Ubu4>xiX(p>4%(veJh@N'η/dCď~7o #X7 |uv71Jdk'x͌Iٖ(o ]Hvrv=.]54;N0PWWflh=a yf i {1E'Hԅϭ7JB NP&Z^[:qϕi#^N̬ }c~L^y"JIA%Ng 틀׎Fg8Ӎ=[TѮ_-V8`Hc?Kcp7&Nُ7}(gSvQԼ@⋄d +oinPPd. W>Ut|'y&r,ՄVE(UxU13vB`?|;Ut _Т8߳kE&?DYƎ!urAWaG]9nV :JS,r\c_'zoA j΀ɥ@G=e!]9q2!GRI'9K&PYJKmtys&:N҉GP`D`Mn%HKo^qR!_F{`hSr!Cc*-J%bp&@ؐ5@Xƒ4=y%~#;M۸AEH!|(x{R媡0p4sD]y`PK=3%Z/'W5MJ;Swb c;9Ŭr:n<3|?Kn,z1[m%AB3l h` l- *+;w^4>ju')KeJ/$MCvLFJ^.̔97eNoŒ\A byٙbG70\QqO'p;:$ ہi E5] H< 8&vڗf"yY5|G6k8.mxNa8~ƀ{F9XBT!+q>`!rmA}j%2d&4n 95PJk-}d^,/.pG.J} Y63 fəMiQm_!&zjÓ! ]ܨPnr`C.8eQYd;Z#d0>J'_qRoxLTbz 9Q:5W U~HEd Q3T)_@_PFz : ЌsOft-yyrĐ|5iiҕ RKLMXنzm,է_ 9&9ܼ 8 <#tB"PjUksL}X[wg&GlJ`xqw˅l83{c͌M&|a|H`?MGmD~"N|/-Na/dhyl؀&v@ERM꫌ފ*W8#d(MeEAX~#4նvAF*e[&9Vl0yzLKZ~Va[#/bea]½#Ӿu>/f˗>Q|H3 ͘yfQt9y(Y{:Y|spAzrM4"TbO3Sgl~.S磫I!֛LRGI=j Q^~4[ͨB$-WR?+;qZ4a,0HNˏn$JWkZȓ0Љ&w} 25<>q^~+WaܭfH_ *2MAYR׾goBXHua M.H A`ۮ˨S(Bn$$3"w(cS8qXnS랬۲H8 K.,44Rk6[Locov緣T]цo#QoT8<\V{Q}'P,J9mYeJ{!~Zb)2!%-(C[兵;Nщ`H6W0W1B>H8$VT2.Y80B}*Oj2wSvLVx)l]z\W~VçZ3UȌAq +P}t]Zy*vӼ Y_j_B(L MO\2?kLrݹ͜>gb%si􆕡|Y#2eFep+ t3Hs&{ZSHkB >5pynlbc)/Ӷȥ]':OI۲BÐt+l1_[8ɛ},U,{^7fX AA]+Lz+!܉ޒG?}eՔkW9l;(u!S*E "F P:>,GYk(L5+ 8xw`WWh&oZVciG#*B"0hĮW)Ͻ?QʹaTߦt!I`+dhlŀȊ,/m6'1TPch+9ZL!`g|19Z,;*~Kzzrk>'7t9&h8sfP2bXY:c~{"+ә"˅R9f#dˈWvC%#F+u{/Dg)C*Ӏb;{ȧg{/hTlQ'PA^Sh7F}L"ww)n^Tʮ@#neA\3H9nql}HרC@tNchY%BTuŖ4ZOc礏:Ԉ p-ïD ¿;GaNryx S/MzZ) wkvl2%IurL BB0a&Tܚ;[4_fk) Id{VUXhۮ^*|U&}mI''4-0$dUk6[GU+/GR =0'fvsmz $*s^4^f<:(69,LAh #]s F2zwqWE'x\:}CeoKXv25\~DNXa6x ]fii#덮޻Aߒ)uf\0:C9h!D 0ou@>U%qtV:a^$c=-ٰ=Iu/^RRJ;Fzvڦ;_OÔV^Mi/薽G'#Q0/飠]0q>}e!0޳ 6Zg54œ]G\Q<1?̑]iAOdM@BGj!/BK4-.x~* N6Dέit5H^f|1dOulgf~5QϝD$PmpC{0&wd*K29U@O{V4WT|[:=c֭IAhfvLU)5jcd'^3Tk0I9*{lj۬z4R A; @K@P[(/*sKPZjX6B]Qm3q؉&2/%,pOC U`J4E6 U(} N"*V3UaiR*CDHNDG)ib|G@ nb{Co 4VbHҕ'Lt_}0kH=9NQ!XքN4Z7ԟj_ <6\dD.j'mUxSP)zeFVs~LOFԔ}Γ&96 L `lnt KD9vJF|KqiW)XIF> ]tó'YX4BMw<Ȝ\ X8ݠk^0ĆeB- Njq? Vҝӹ%T_ld; tRhq\6/ӭO C•{uYŔz+NUUCB EAnH0VzJPn>d3((4bEY맷`rdoT^tk`>1#M %耀qn+/(k^e~n]L>y #)Ȅ}˭EM|/z~'^Q+ |V!=eQHV\L՛ 0teS*h\m?5̤wYW( ^K䔇;kO>81Z=(g]5g0SοOPg%֢=ee_(*ʌdgG1Wc ܄$#4}9cD\6DsRʶ1^fTf?:Lҽ  4K1mI^89W{_)Ϳ5I bY(*I]xal*D,-"Xmp};ھjr9i8!R!V^Q61_ ¤y ُ"9tx V{Y3MTi/0~ZP53mybҁfwk8~ kڠ^yF.[evLᢁ'BФ|=\]Eˠo<SCL6br2ɸƉg?8 o#Ed1C]`H8"yD0ыz1 tŴ/8貒#z_w,$b;^)צ#`KNԠ~R xhȮlV{fz7xFn{c P/*A$H?/QN6't4a7vi,R09T!+ro<3#V^0Xu2S6788MQQO?$*-& <=6״N쐃%Ȼ;DsuPC7>J^_8p:?&:( h$j̪~N*?_5x-YL=ޫV8$Ino7G71B/GR]+}@\" !X^'"ۇb=(Qv;h/j^QA]&~Cl%hnf/ɕl.. lX+HLQ]2I$xC62#"').hZssq ?ůХ+mQk, 13w"ĵI^kZ="=COuTbL@潝;F*,Tq"&&_e{o`8 zr@6SBOrÌWCZAזoVΑZ)f S(|<ԋ*>\x\ 扎lĆx[:qƃ'4"@X8f׶Ū880\g>qG4N]uTG^i89F8iI^tB;&~ԮX*"oɂ˙R8滁Q!So bh+W ?\e>'8bwrd0VGڅG&1- } ETT a_UA0gٶu597B,vssmh)@8 JaC |y* jPΖB#xwl4|LbSVlXζn]DTQ@zsHGȐU 6q/%ZMwC-2M 5!(Cn[/RPs$#+༃?dYVm~'uտ]/)19%O*amMYգ* KE6Q`Ld9]3T)`Q_.cl*j}|EJ't=;}il!3[&Ry@5SvLBrv΢aGh[ q4bg C _ r_ i9\?ZD6YCӵ7U^ KKKwPxBAgIJ4NKEw :/gc+y|% A>k6dr`Wp3NG(AWܜ&Mk mH;'e٪v:&u˫Q 78d,q\9[b/$j}~ k9P#4'b9]K5ٷ$DÕzdTl;"b%\FKi8b=`e)=> Ϫ'R hKWCfTt%春e"nOԒ6(k5e_P֡}n4ʔx8Y2~H2C}ݚ-$-S!~-#dV%iȮ`f^_Y NEIL*x|v\o|VYHvdYMATuSq I|\ SakB[]ji )@<(Jro&`716V>R|*0`YRM~/tZ.H:FPCpt"i!ށfDđ O&qړK0am<hڣl 2s'Th} *PK!w.B;BQe[ʤW1h. U D#Hb:lۥ Xvz*xY Rtw?{N(0%vcX] ϯ rt)1˛S}A4THQE;\. qYovL! QLPW ߹m٧ǣDCj"^`ۍ%8Is!Ȼ6l 1XwB90|2Xe\.X6@bpW5;ɢn|Ŕ'=e^vGZ>ghXuխF@eL*@9K^kE{mP( 2J? <.V r3" ֡U-cY$=w/S5EUg{C_JŌ(ǟYbLݱv"'_@7twG>N79<s%0?L2~_UnJ:%ϳw;:IQч|fWnS~""{Jp1x'rqW)1'b-ZN^Cktm 8l[R[i>Ymo5%ZT{\ѻX0;u9a=7eDIb9Nj˺KQ*C]Hbu%B|~{ܨ,Xo({IJGifBQ%y2u  لٶHgm07kHJK7Y2`EROGɥzMhd曮yq^B&!L4ha,Hvҭ9q{(]sqľop@[{DɒLR;A ! ${#QȉY 0Cb"վ Z.>7v0۬cЫ[f=}e]ڱ_)ܷ5rB6^ Dj( -v2MU(4CǢq(NCiόoNDe,hzG:Pog쳇X~r HBv^O6.t:7O@aOb&CzyܦlvJFY%$.'zKS;np9.u(OYPb w`GLfe^4: rrgvBc擝2Y4(;dS/!zb 'W [X"u$e0{%j}ș ϱ?gL^?? ήK{zX_βT)ެgw!Vۘ?TBp&@osd%oYA PyM8G$ њ[~<##cDם$(4GA@VYBru@hi;⒱+4@l|NA+iPFb h Tzn6^~\MaS6`twKS@R]m7n5,eng&k`;%74$wn ԉATb0Pb i?G|f7L*Q!5HhhYzzfnv؊/\WxRjKc~@=$wwK/8!X1N6O7.& ]6my*.1fY)&aq P}o [DZjfaͧ;,Rlbqn(^l,~TDLBS{6C}ӁV,ľH@\uǣ:{Q2o\:}v5l9H즱F f 0V%iԵ1tڍe@7=uA LM m.#4b2*UE4|gcNIQ&}E~N $0h ={i׮2Pha ex-ߵ)LNz4ֈcєxqQM1pμs:?uBdDqVj{ :lstW=#JuvJ=LJWZT5&I!љ2j{1W3~P/ ΁iobV^d5蓈$9V!'d[Z Q8<)x Ц g8 Ul^1[UdXяX6x$_–9 e³dk1'N刦RJ}`3ר?a?_oR ȅ'1[ u јOqk"5J]5_#$L<-qZvʝC70-}^Ϯ,i&n zF;{{6Zqta=-=x!ѻȍ}ghT_hFYHN2scJl%({g {Ž)xFֺ D_M`,zB n!hL_C$&ÌĻ8JHUfv{ַL|#Sg4# mo f)m }A %=13) 94R݄X}DڸQa+N)rJ711l G^jp:#|V$ ֻjj$@duݟ6&!2SJ%PN22wLMŠf|#aӗ#cb<dz 'bbH3JX oQ5GƿQl{T`DMY1aٞZ.DCF];)tݸ[2Upk8_u;r,Tc!K U CPمc@,n`zObrӻMn3OR̀"$*m渊(W6<mwk[I#"!+K\$嵚6ǴoZb62_&DcΊ9=;K@WY;Xmu 衆%Pfp)nƅQZ29p 4fyX8"IoAP fL2鹟<غ}Q0]O"vڌk&~b FPJY .E n'*3|Ar?N7ڡL]b_7K*c܎lg.;PZӺtЂiQ\ۤ0.(2>>6<٠7G!Ϝ_)rIwcS!+';- 'bQLg4r^ٴ\f==?D2G'N\kR=l.gͥݣj!tؤ'=>/K&&-Z Bvsd1!˃Ux{D#CgjflO҈cm95KN+2ї^RyU/+6wa!c8Raj:8x^mͷ|>#{'O|r R$caֆX("3y=dÿWi>.A7o揠P2kcǶI#"a$ O때N/oq^ph@"n`tm.waq!'ۇzCCR*@p"{5HrJrBK^G9ֵg2nҰed~B1|7IUiq5 u'8ԁ.G_rbV7u[HuFf+cBLNJ'u(CbQ;߿`ش"9{YPB!8>+*o+(jng@gۻb]80:y" L+acG5x=1.\ul )lZc^Ϋwd|' 9B;嚄iF|Ϊp]ؖ0icϖGJcjp^1{\~_b'{DMKT6,|Q|%a*vpk#]:Ę iAJҬm̬{L҇k;ޏ̿ΐS4"ӟ23DAuØg%:RpLJx9 s>>5 С\w{H7qXOf=n|xȊF4L7zq_T$ ىT"%TsʑMcLWt?*-37Hz1tLܽKi7o)fhN`XB *Ϣ0XWbRڗ{E?T.^Cl4ܭ֮B4%%n4M6Mv+ӣ-|mt7FB-U(O VHTA>- nb|Gi[0o5W)"9¼ZNYe`nn)#yxT`oRR,C]E$YaVag.-*Sɇ7G:Q] Cm$ S|PJ/hm,ACmC?qon8n>|$F0(x0X-| WeET{u5>G(GOY_ xBe_7UR7{Lqp|| oх Fɢs빤I^AUl`R8ψ #jœM |ߟauCuF g@4ԁ7,.[nt}&Yc^6b?>Z_,-S$d$"i%{ q\*T a~F3(}Na-Uε_eD./k)bx*-s$FVB?ÏS{m߯!hh%lc!!ՕLԥ.ٓZCcvT\p;!Q렗 5φeAmWل" irtxsGE" 31HiG@6sK'X;J:ʹՋp[vFja.x= -<':bpt %Ǽv^.__13N[sR #OwHzA9$}oMɰ{eM Jz;^@s %qFBO -e6zAXӫ՞)jZsސ ι >A\R0 o8H!z@8$qۀM'VT[4}qۅ)鱬[de)nX;;3UzKN'Ϊuw&ш ?hXKUe)"MeO+-k/#9Jd[4@e,r\3/[5|gAfӠ!k 8a@J>!~.|!+J+[ sc]Kȡ@)Q`[չWd i/JQhޝIJT|-$N&xTqU xCaв:8q՗}O'$ǛB]HEbދ?+# |ۉ=4^Vgxn'O~j|5[/= _l xm5G:2 W(3<5j⃱Y*K_߶=~mX:X#ט1gYhFt!ېH!-Pb_0JS\GiT]'zm/fε$Wr*>_JP޳TaaxD?)iT>n]=cGd\3eZTK3CRR7-[J㐾_Y,wct]$`{(#P:di^u!|'e({67KP=s)r\o$UwphOedx=THifb]5_>P"1gDy144,֭Q ?زp9xV8K̷j0N4<9xdΰpqz͉ݪh9c+*e>,-A!L~8&co:p9NК2(L6 $dO'K7XL9C[i#l.O ݯ4B 4OE+4Y rsg=B&j6f*#r4#@r:p Z#7=3xI;Gl ٗf5 sK+}hAuuҩEW 57]&kMu3ϣ5Fh쮂AS hI\]_b1~JB8$cs|bkUHEײ헱#Sۯˏ_ ?n2 ^KMŀD.K 1K@-KAAc;35`-isa@9ٹF:`)Bf|9%qzg <47iDDaDYbdQ0Hַ.,80jp)fEO䥁 i5B =Om }f#4fjfkJ TC~LԘ/GwJ:9b|XZ{'I*;bUHxʺ!CNG@u[>hM , &Rq`iYSQ! }akSb:"w&ԜTJ+(go2@$A3>h?T~/"뭍~4R.Aص LUovP8U4o@nk{d$n䪕Xi6WF 4@LX yОYOJXd{hnC8!S6ywH<͢do}V*oN 6z\/.4DGJaXw fE57^}“Lr xaPe}F6"/n~=K؜=^Q@%/Cʇ[8qf l 5',_t BleW+ <"j +'&jM>_^ŐOGx=~颿X.Qp*[YtM4~n\Ǭ {e Aކp7Ѽtp43oܩv\B}T倝|hc"Bjk q"{}{XJȣVU+q)nk.`uR ĭC7y_(β:Jiۅ@ٰevm6"k_;hym O#gMg^ʏ1nE tkF]|YZ#""q2lRdb)^@qikg0NH!XOHxќ2x]~J ހBF]H&p&I 62Mup"E!ܠSрFnCak0m9ߖu~66+PfKy Onb4f-Vp?ZM?Du<^<=J;EٓƪoY'QͰsV`_`DgnljØ(Sܷ$ f- {a =]yR+ϾuW[-j^&{2-hA* ?4n,o4ũzL2p&fFd%d2%>^Y+4~ȗ5WW2@P7I*|$<*iCkf}e6'"Ӧ(g͚runX-uۼ <8r. 8]qlj%F+z,E/UP[V>T|qU}!eEP*'2MZ V3şSi YI9 ?,s]#Q\-i;^F}f( ?9 ^rՏ5v|-솦 UgVœqηpkQ&3NY~] = H :#@$}~xIYkY` k?ǰ~Ʒ))6jKTá.?_8JűfeBsn_>ɷ 8E\)U0F$|Ʀㅮ2E9ŧ囉0vIp4]k|@Ӵ|Q;Π~^ x r{`45x;e1Ci7T@mZ/ThKv)J6"Q.2@#I-lRN㼾ߵO˩"Mᩍ1S;(LNXz.1 a*.\,#@D&?u3+|v\(^^#N@0ٸ!!U&n݈؆3oeiG.Bm/d~HsMBDj+Lؙh`gHq#et~L'55 Z@>,8@eӭg0b#BS\a1OCm߰5{ O(E݇#I SSٕV8h$͌?po#1ךUYшNa$0sr,e rȚpE8t9}YA G68o.>WT1M_ԣ8YY; {GR/"s25_(1NWWS7㒡MhB!g‹lˆ;s{{{#OYFuQޏ!Awe񥅔V"5z"m8Ä i bS}BU v4$5kT7ORm`-cb"JD",EKN cgcqQL}"?*b=(v7:y2%[^7ڱĩͰ[9i<0vJK~s";O3ll-ֱ@uVbipP?Dprxq1@W7 * |mM~=Zhk EdRݝOkwZZƏ%U97L%F0ưIl5XyqMQѣ1?,AN}%1xkUMmTII}%=LID̅5AۗM{4%ՂeME\K?[mWR$cH 0.?7Y;е; 6LsP洷?z'|Uu$ѝS؀ ^iǹIgB7دy ᪥J%5FD5NVb}AnMw<}M-eM t#)dEN)ܒ3}eJdbcVK8d!4ZʊUzV7tĚXkoc7h* ⌓ H!E4G=אRlhU30`1I[KvPBfw@ù@2? T>[t p2fgC,sC[icf^XnY-wn>KyE6S btYH) #L$UbYtX۪ L h{ c1O~& laqs?FxhCn>! ⁸zE4=?2ֆ^Qb/1riǖ癿 w8Ddȫ ˅7 FG/8-~XIA]Iʘ'C=^S,>Oa R:O+N%o {ժM宅D 0<p!Eaݛ0 WP -¿(\WW .ϠU&GW4TU幔{E%ڀcTuVhg)L:h"} ߞؚ C"X|Хea WHQmz+_Qm _V/Rap?ԧFE93wOL.GA' W 1fSWsFq9g# 'G~[ {zD_}s˦~a!AUU$,HA# j82~ye|Vw{ M2Ɗnlw̦l"Es#<:} +!r윪*_ JQ&d/K 0Bypm8NMI4e< T4T5I.9 ץCn 4+C^6jǘvP~[x;q. vnHJ! 0ou Qf|I&aH I!T]୆x;7drt 9hv~O)vaqϾaI^?Em+,!(/,w7óH=lo ;71>xPxUbw,eٰ ދhǾ嗾#ADȅ 툟]r4zINx:W3'=>qడo.NjOR#ț#Ѳ2/|rs^taqtYIc%8'%Gv4|wr N|lKvav #^ 80.C+G ;|q简o+>b  tvFr+эm>/յ;zp֖>\nwҦ1MBLxSP04YRd2N.oeR ܴ0L W%tVTSY;wsW:?R#ءP|О1]OP?\RHhyJ ֻ!R@JD݈y58evR1IϠ 2DOHzkMcЮC]kB"(4ש ՠelO_Yp[&RɺR <5~*"[<~Ȍ>[Uh+qeh]"X+3h4t$e'iO<=Sx#a'wޝh֔[?F'XLԞlOsi~dFГO]ٛ6NfĠ1i'H5߉}&<@9cӛ>tGMIw)\1 g@'žI-Ӟw9qPS*]+uE@Dr3R~~sd'QUM3c ѩl@3@bG l:F-?mʺ'"3t xc:W.O.p< %AwZ_>1?#c;D9+Mn00 l( /uZ"/0^pZI~@kdHh\S.()~ ꅩXY?KBX]zԾh4j{,]'eksKy$ndEWFo혲uPQ(d#nG!Zɲ;c0 T٘#GޫZѤup{)4T6hk=u^]Xu" x&sĈoD%T_M[D 2jɍY&j!wR)~ ">)QIGШ#w>uq,M3)yo<c*ޕ_>AK-Q\)y.i m}A-!| g%.O$MP FR$LZє&kݛ0Ai^lt~l5"b-B,b~zKe80M1co G[`宇d t˨X>5!m D69SÙbvoۤr:x$հXπ. P0% RS$|GfI?`K$_b*@]q(@Ӑ,}? m fR9t3zk+ 9}vJgrTZAɺY Jh8,<rrm!EQv:@M}iB 6.\Kb %t߲~x~;},#h*R0Ӎ^XB8-Mmo-ݛvGEiA6ztTnՒ]Q.Rtєz') r[HCJb1t~20τC3aEco\isNC7Ҵ?ݭGQ:lm [}vAc,ZܰepN=l*uR:4x ¿{g"w7+ ZԬn*UTTs" /!(5hՈ_=X6%ڐ2,i|H'i=Mmo.d,7DaNۃb*ݻujor362)燃6އq۹Fk̓6` ,j?B JeK ǿzmLvQY7tWfTvb4ZGy2,Z06ܕo>J7۴(IW@mnc]{E3ߟF}C!o$nH/VvR9]ldv/_ |5+:U*c].r n ~%{u]%|a.; ^-݋l_,$wɿP!|BP|tiٽ-;#DR#Bp(EJvw2Gp(n7n!x7n8_s{Yͮ OY`0a6 :'* a+/,(=\Ls[7c(FS)C LDC{_HSS *AlES!.+:J42CJEܳvT @t3@1]wjI["]OI?ז‎;q~DZ2Qˤkbh/z={.IJm0iĒmA^BXPuapYZ'^yŢ0^ =\?{ =ZyBܫ%w[0FK\q3z18GdggJ jv̧q ,xyfr?a]":Q1o[/SuN+oC?=T!>EÈI"ܴt//~AMSFtw#\De% f8N: LLUz4WF qnuϱg1\_RR ` iM{`aYC9`s`aE߹`Hk*8{X B&t[ ` q3Y짢*cwz4nA̮ϜON }Z|EȌ0;"@\%1G8y 2T#es:J p[`bA~`pSDZjs,"]vTPj'y my=ħW+syJ^(ME' \s;Bϧ rdO z\zv.SS0?l4_="۟l% = u a 1CZE ˻tdF+^'@B-[^qZVC[%𓧧%xԗe ,Ud,0G}1E#E߶n];.N`nc/;n$W&MWTXseiX|8TT-K0" 2C'j\%oa:w/d]7z=%,%$|ft $ Ru {-fM(JFQ\Ҙa6"_(EX$[h:pm\R4<$~SW:\GܥvWrb8$EMN_\f%w U W'y}TJ.:;|&sfQyz.@^)t02evہ:د]|Uɲ&dD&z [ ZZmq! 6Z2yX38lb=ZGᳪ?AזWm+Pe`*\ZFMGyTAx@S bg8;さ<%DmVC9%l@_A܎n_7)m!#n#\eHbWQH^$vL,j_DDs@U6VHz>lzlXP-l= 2|c mgWMx=Q_J/eDD~^}%O}KyS\AWAL3;A|k3)>o~頒$)Inr}QI*eh3Ǜ4kh|]L^_8 " j"Ӂ&n$<]J}LqI݀(v|v!FM_Y>yi& SE#D,mquaFL5J tj1&&h*V4+S%d tpHJզv)r`Ymq5V#qb4ȹUҸBڪKS.罰yɯA5n-L@}'LWPkaʝw~-}cx#g]01(][-T?7sbx i/-?&_9my'Bm.Y0{WE\3 ?::_NY"Cs7\20+x9Cnd(gOG$ur{ߚQ=IawMgPRÂ1i_XgM,mRd{Tm?cӨC^ɵJ\AP,\KaN;'sG 3/ ގ˗[C- ;bcyI2 Z4Vi NxiȦ`B/ڮRtddEᓺ - QB8pC:S0W=;x竪kO6NLۙs)Nmd,e9E.+g!<ѮP[C.nƁa0nѭ%r:ۀ\5ѾIF̗0\yESxM70DǯsΌ{^/ټ !(X3rdV"kœg[D1Ź񉣼8=,rHIt )6῕lxkRm!u\}[tTAZu'˥YU܄,P1Bf*ZKm˂][pn%#Sw޳E}Qam)M8v{0#M=N#S xf{ 2m:|﬈+v{, &ve,Ѱ%#EN 02ǿ)WhP;Kz=%1}< *LP IVi"m8U tl'6PnTx5daM1WKF:o2lދ/k9'ؠ@G`ΤGC,V?(MT0Y6wöpT}+ #6էuּ|dYƎL'u7+VZrS@HN;z&ToNxq(4 zQ%YaX8KhG@:q_? .pR359",)L+ED[`AITE8[^Ɔx籐igаʒ1^CƁgX0wz~CExɎD|'=sg'z tĸE/W8w9Eht084 Iy P'{RcV nVFcpC7 8^..&? 3Um76 u ^AIRKYt8 [Ђ' &yd@%U0/} ꍖ8Pbj~>.]'79݇.|o2K'g.k$,X2W[Kc L %#YE0"%U:qV`2RHvoؙP/Vۇ  =&3&73n3֕">(,vo,r~wռY& GŅGެ6)n7H59=Z^(EF0 [V]Q _.䑑fG2w>}ˋ8I&Z-\*X)I 8.XGbVbefH9unDkP>1ErVa Քțed. #I6P-~l6R Q5i?39ZX7Cxݑs/Vmu[^ R 3"֝1 VX+JX1l\>νu}KYcyf"X%MU郙䶎RX!B wv7-Ԩ?E#} Yɤj#6+2\Zʧxh!+ Tm=3/Ce܍QD+g~َ'&rGR$׭وBT-gu\e^rϙ71e |3-Mx%]@ئdڑh#z#$KՑsQ/YSlD/ȎPV7$֫0Al;="A V9H܍ϕ2YaI04Y'COt@2!Js.=X?K^"'9;!@ZFg G7,hڑ\_jF^*|୥AdWw61yI\IuqBEE^^fʔzWy:ƸM w4;jX,l)J߇͖lY, z,io}A沮J킟|~u)WXq.{)ùͱ knw?̒-ђ/u2T=)À ơTQ&ptK'ծRxJCI z UC4L'#JꂝϜ#;%OKl"H}:r#ڟ&X,%QQ{ꑖ'\Zq_ ;r#|^A5]AYd=R)s1K.C%L/txc !M0]'?pC)m-Mdˍ{o6)Sv@[׮7 2=^Pc?9`1Oti60DHVVAׅ <FykXT7I}mk{^yY%ְY5 =']!9J|X;6׏xi>`=!^( F5u_~R8t0XeCfm;&"[z"qyTZtT >4.x El[V S*k}5ǎίF)h].œAx#AF[@9?zy?O?\; }z3/eh J2)Kl&Xڭ NaUcf5}4|h>=^^tf \D6#OfҶ|aXr#FM!abܲzbe 3AדKu2[˶de޲eS'DR*5!3V-`qB 1懠η8a8>΍6;719k-CFEjvZ}kf7ȶn'bsX.42[-F%}Vb$P*2bνf/9L6EMV9´q1ϗtĸң)DpZ-#"aLr{iWTs"pC5B>Ht_'#>(qvg?.sݱVvƝ<Q&kY)ߕɟui0BZ[:Lby_ m~$R<{Y7ͣ.~1 , <:@+!Bi.cQ{2d{x2MEJ҉CÄXqBmO߆$zEy-f{C9SN\ۛ_^?b>}׃`,<.9m\ow]yɬz=ؿĘᢂq r a4*عS侷zw k:eU,Ĉ 6E*Fպ[I{Gk9?J?\]Rr7u+'dS.7bg4_IMNx֤Ϛ}X:v-ct?KRP+Nr"Zer8)DS2eUM9K*SaEEiۭ /zfcRnlmb>Fʜ7&t5֘_oZ~?v"), CV> eV •," '/2^VF?hy!wP ^=l!kB.! .ؘ ,%[jsN,`?P'ʧfғV"́|I㨟5[e.C 3uZgJ$lr\+}1ߦ Ҡ@z^_B~m LM(Misxy<ZJq#8PpZK+1FO-Q/e[@rsؓic]aJ⍺v@<&2~ FRoFDlĖgguwD&GΦO|'X ŽWS\,y'WEw97aӨ9۳uSej_W^e)͝u<*aKE RhV N%  Px{:zL߅zUt1}ގM!?UMÂyYC ٍL]\ܘ:\Wh\< 8HE.wp:kJ ωx7PɯnYā~xF?l[$=NoBU\];wSUdَEFB!S|Vpmћ]0Ry&d}=+t,|{6-b͝e"VeEyF}"߅1]}ܺ4MML0+d3B#l@Dht ”I2y~nV^s+ܬhG;l-A40iEj> a|V=L6QJrO7) 챓a| 5] rf!f]7[J WuCFX\J ]Lͅ<?b3~p^7$<~?gΰ ulZŶognDZ5P++^2o:ъ?I}ޝZTy(|b۲os3y#iȶ(;"Q$Ueb ':nD6thF cT?8JߡƊ0I!\(y-oVU= )/IC?V7" ?T(HWw܍ae.AB2V[ltUXUԓSȶmHV$:v'vn2*+KS='VcZ#P2t.j(=o8U@DJy r9B m1}B!4j*ZJ T=֨Pʗ?aKZ%IcHC'1- @.M#qR%@kUqVq7?ido80`ypQfr{? *6q4 jvōcO 9z-~da3Z|s'M=Pl8Xvy̚7 (K lz=|C^/x㰳JÈRfx֣zIu*F1QܑM;W5|@'w]M *pXԉr_zBb#؝YzXg. [nO[Ikg^OS2\HLR|/OI+31Uzo$a^SY z$am,*^6VB[jX5&;ֶ^m 2Rƽ32xIMj#A0F8dT~Y&oy{ހ P zP\+婳0ކN,OwN\L=skCg-Nh8ȴ-PKl 9U.FBL4*yaZ=.4\3fdݴH06,%r]m%G'P&Kҫ'8<[0CJt- >Zp.0T9:< %Koab+IXjLjM 68Cr *k,KԚ1Nv=<#:EFȨ?q5FjʺZE rb21iDv`Nf~m)Z 7V Ewe"`3}-`]B EZw^xb_ Z b'M~r/ʇEDRjA1F읋pi)~q]TsWΒxW?HAAGm Er5hp#.Q:g %wt|H!RaF9ԟ^y_1кj<_J3 ;bF-Tg^` @!uM@w&axX$/t܏!8C;˜[pcJ /ڳ,xY{k4;,Aw^cCl"F6C8T~Dȴ}t(9%(-_ v/X5Q\O} @RUUAEJٲx O*Jav!9ۥEE;Kloץ[D%Է)ɧHLlu.9U:>VJ=Wƫ!MG5ٵ;_6WU2PδOM #^dV9.8j™jH0gR9}%C`1!r m; wầKObe1C'!qɥ?:>NvAXKWf?(㤖m pm+WyKK*z}XQŗz\ GcNu-d{b1F>/گEup{Q}KM>g { vE _NcN[)}{N[6\OCLŋ&ȕsW'e;XJȁo71Ebр%rrSoyWEgμ!y0 SCLeh`z,K1h4U8?K#<ܙN;|D8!HɅ#-lh0=H0cY ՜ppERbr {j;7wY<ڧ׀czK1n/i m9UwqAd_uC@~ӼD N;V0?K3J#U3ޙ[ ֏D)yU"}HLi7@FRY,6nժ`٠@zjhG 0 vkрe(z49A21f (}9QfooPt=NgB6YEI?pGLٙ҆S['x[+LNR+s(/{2[ݡ@uDV*a{H\ȶK2^a+-JRKR=&̵X ʯY+9{%YfDu% SKI7BՃ9#$QvyޕOߴ8NgWp uUTs"3qƭ$ϺxFSFlǮYα9I qZ?x C A+XXGĚ`]h\Fy<"7Ԍf@U(rAlƝ~eGlCXȺFcV=Ui^ ~K&h^ҽq Ѳ~}s1es2ErsRkjԸG%uƲ +F"jNGvwDNÙ֖vg$=729 "7ȧ^N6o {WtP0!$`Pu[YUإW {YnGGfY ~޴>K^~c{[V`4.vŽw)Ǒ !ێ˛;+՛:36x.LVsRfFbUMjxFؚ';H$>@֟%x<)IlJYe֨>++'sB vn[2`X NP(ވ۷[f#VruŻ5Tzb`pk z\ I#oO"'G};݊Tdb4(ۘ0Qp8 gMG$4KJoŒp|a_I3 Vn0ؓޓב QOc{ FzI@u4).:$ԠG'- DtSH6 ]C;U~2j<\O'L]8WBJSѐ ƍ;|FCFTw#>8GL^):횲d Pӯ+܊ gjiسp~N?瓅u$me#68oJ/Ǧw55iU&+쭸+՝7S -tLWGg-K={ M XD)#Hn!sj3DEەi46l'1EpqP)A]p+*Jsafq \a|lwRx_t!ɀ(dA2&|t̀/siykv+?6HN +1[zwd>Iu¥*y:1-ɤޑIVAK^z%stFo2"@x)UeWbIDw`fIJ 0 U`_ kòE YZ