samba-devel-4.15.8+git.527.8d0c05d313e-150400.3.16.11 >  A ce7p9|p519%{AJ]LRknS%|T4&5R4R:}9aBr] SკCs']OLĞ2<^3w ߇/71$#_`*Hq.L7q! ~L}bMvK~N@Ү{%d0<^ۖ̇7 ◌.REtYI*Ot0J!'ƘĖ r */ӌ50f5bbfaa69ab4ded3221245c9d3dacd64c0172ab5e1587b9327269cc5f8717b9018c3b01fc8c98bcebf878adf759797850faa637\ce7p9|oМ__ҹ" Zv졶,*`sH: $ )TlOӤ3'. k&/CUgJ2#9W7ʕ> cP4MHlMœ754Iדi_%Âܩ&<"(jN81pAl?ld) 8 f/ Ee|    ! $&(+F+-$0h01(2 8296:GJBMNFNGNHPIS XS$YT$$ZV[W8\YT][h^a bc'ccddPedUfdXldZudlvfwgXxilyk,zl0l@lDlJlCsamba-devel4.15.8+git.527.8d0c05d313e150400.3.16.11Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.ce4s390zp34ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390x( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l ha Z=1y<u .Y3T4&{66)w+3'A,;BG_AA큤A큤A큤A큤A큤A큤A큤A큤ce4 ce32ce/ce32ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce32ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce32ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce31ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce31ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce/ce4 ce4 ce4 ce4 ce4 ce4 ce4 ce4ce4ce4ce4 ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4ce4 ce4ce4ce4ce4ce/Xce/Xce/Xce/Xce/Xce/Xce/Xce/Yce/Xce/Xce/Xce/Xce/Yce/Xce257f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5ac2acf2ac731632b76930e055b6edbed4095de7a0670e5957150ae9ff19eba3f0f0c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203ed01669588480e86e23f853769fa041c6e221563e25dd20cc9aeea815009335alibdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.527.8d0c05d313e-150400.3.16.11.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(s390-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-devels390zp34 1667576981  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e-150400.3.16.114.15.8+git.527.8d0c05d313e-150400.3.16.114.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26478/SUSE_SLE-15-SP4_Update/a963c9aaf700de2f5fe7eb5160d56d19-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RIKiU{utf-84b2e09cd9d11d441b38b115429c31fdb914a32d8a907cf32c485bd8a30a702c5?7zXZ !t/̤] crt:bLL 49=2ψ.tp8 jJr&\Hx6SS_=.͒-:fvEe,1ro+<,ux!We8]aJaHZ>?:>aE }8FV(693]1끚Z#:-[](Nٴz.HB ?RPR0[>-0*uǙ6GP plфHJ?pfxYj1\^Ǯ,ron|iouU0r=6YH3D fDvV=ɧ~ά(U((o5Cv#XjRjX`#X[3U]?/w''Wql?hTh-ŋ,,.B1_ G^ifxkS9/SDGU=2TTw*DYL vxW71㿌SGTbWyUB*|6||頄yC F5@#GF|&&{ۚXCjX||aOk!@Bb6g\ UH0w͝2X$ABI!`A*h7򟃛Hו6bC.;[k* nob1>/u :Gw%IL pq: dsHD$uڦ+' Qi3Y:&:'S%YK>NS 4"f2'=X( L`#~ŮmKvl_$$jy&_3tG`Fl).!L^|1.4xw]5ɻ?"V!]J (}Pf~[KF7#/~ͮaȹdv]+ 3KeC2a?Z1t[POҶ) y[$Dz꫖e;.(c+ʬzȶ"9WҐ=Dh,MS*:".բ Rq)D`4uة+3F#ngiw{*-  "rͫzpՌ)f/1G"\&@!R1ROm'dz0 箋rk"pARmWpK-f 'G sv|*JImrJnM=\tWsCr)2ur|vrϜ|ڹ"c!Hȝؒ!jf 7v sυɗe[RH:T$ YI% @;I5BL Hoj+Bwʉ.P:'-YU^,RUAsrWHiI-x =㺘PB/iK)|aO\KxS`>o|@3a-ijhacfgU`5TzUϗht.a9mvE,ŋb}kd Qn5!%#Z=Q۶1;z0^RmP[/I z}X;`M Rvb} ؓ&3wƼZ"ƀm`u!LcZ.ra7l[g꺧+jI Q5&nj T wwI*-˻׫峨NPz&ҮQ7:AdC0[ \09̚Y",>|eBp=;:L.nyb)3:eo-[NVHu}Fq~όNuP#+RbٓFV_œ~EӀ%ڡ3iEF4 笉+sq<++9tp^q5 ׬,tO 3pE,m1ИmĢ]ISCm_(L,wVP iY,2$~gwtwear]_; $޸Օ3B#xqFzUN&쪣vybM7*;5EgT.W"{Wf ̛h5VM dH+ Oc[!ݎB/C ^owؘ]CbXx9i1{KkdPSeMg[+-+R\ *5 %nJFND9l}ѧ|7Q _*}}ŽOiY}&| Z;/xqW9/7_6{Yє|V1 GDע&W`³bL#Sӳ1iezp:u[Vڽi"8s0N+7AX[f[6֌!t,M 5.IeZ$]-Mzd2؀\ 1{;!lz\dBvX%0|̽ԐNiNq$sP}$pqܩ-p??lFԝj 3 Z}fLj$56 -zgE&fԨ;Uz^1bGgYtuCү #H2NfkuB4A8ovǃY_L?hb#x*dWa>[:Ng-<;pBi!ń 2jFKnvcwȴ~{Ļ krxlI{+oj,"#tn7%G\^^?6tjaɍdeke~iVWj?~P¼ж.6) ?&V?Jݹgدu+W'Zl %V , Js|#sIUڳ"# k|j8φldz(C 27ǀTo,SIy2,V6 b (4 C]GIk3:ˆWŶ|E3#ޔEe C%9l/Ƴ'ÌոFK8su})B&kZF d3OG ܓ\DN7 GL:=sjd-7l;>XVCxԗ&L (M\%v7ǁv@;&^I%7?p 0=0nA/nv<JSJ6,}mmgBBO]-AnȮ Fd0frŶlΜ9X*(7T30S>0 Kz;H &:JD .OudC`I~$W bμl ;x3w^lZWMm| M!GM+D:kXZ!T:׶uȡWOg^(^IqtflX6GVŷ 7 E8LUXwAD1yuD &uwmuk@Oa&}wIJ k-A[ ]7 >qR$8i%{s4]^0nsAdn<к{B<0ҼD^u04A\WfJl92Bi`=>[H0 J9{{f Kcs޶e1+sގXRkTl &ǚb=MJd> ]g*=O 7Q<k6T!yqmcCUeRaZvj޲U6xA&kwUh"L8*!@,*a68s)v.|WJCѬ]:7\y 1S:u@e N̺B zc-R8%E {YH4'ҁٰ<@71!zpfL^yA˖̌YƩH3KF<@lIHdA*7?iI=WtPpɥB7 w HZN)yHsKMw[U,gNM"=JOm{6" v P\5b{-AJ^@%7wWlYnD^s+mT7y,^&$d)Xx?dC"(xmp;=-uϏ~ǺB4=c۠4S,|,NQD8 {hΰ̼K~%Ci,F:fJb,08.kD9Uc ~A6<<6J74 (11wloB0Z$.[5Š- Koʷ.Y)A^ʂxS7Ғ$8l@"!].&7vYULvl{w^qC𝕒wꏒrz'EF ]J JT -C' w1Ө&tZع%v Yr IGuv>@.)4]lrvS 4LTH¾W#ח%3Jı| |5%ɸ6#kf/z^ލOk4駌dmɿq\孳T*MRM\(b4 l:/mpVSݰ4%ʥ>H EB-3| U*E* 78)iO)n"I_.-7+ ~?px4|ZMf^۸b3CG bfwćG+VGW![iAg5t(W.\\23~H to-T,j>9Pr`Ȝ(b5pXQtɊx7jb?SAfj~֭}%K*~6|1^eEP>1_*\2#YL3mnnrn[wgu*XyUox2Dw땬[R LZN`$LĈVBk Ͼʧ+Bړ㞺8"1y56.龑'd\>w E.~NrM_;}>4r Uxڧ瘘CD{/jfڨgpg0qϝ/["IR&?@/+[?6Qw. ޭL XNee&(`DdD4X-c8:6 ~N/da]qtvx n/qB.De~?؄:o_hP4WڣgB58oɻ_ 9ar. :m# vm}Ώ^o;J|HmV;jhohۭޟY4JZö Š8$P$Qys#sqPlr>*F٭y{},o(‰rY~$)CmΊf(Il%#Y+9|vTӽ_buW å`'UQ9דPp>ugX˗UF^@f3 LxAA>3S`wI:RE%kJ'. ߡ̲@˄ pkA'D>07q&r$!y<%Qnn-U2p=4m'񯱳$̷ct1W݃Sue쬒LbO"JZk0lޔH%0vw_) "8صa|ڴ 6,-ImrAr{#g}W|:-x{]¢dA5PXe}:$ckRY6|E󮉀/8a¡CM0*7v V 4eJvͤf1Q¬ɗ ġbmkMtsy>,J uVŖí/uGۿ6`^B*trD6#,t_: ܺGPN6|Kg,]LAdC~ r~j7G$-l (˾<DJs+s'Z )ςףHMިHYXJ:$%K]}'68Lh NdwrLL4O}Z')+'.G$W5Xْu0^詳gv|1xeMlo5a X`C_tm>j=Xq1xR=̿SI.zrh˪T;싀]]e?ո"J3 i 'gZWY h9gdxqCAR*}u)4y-hVMd|);""ᩜi9BǴ^nRsZb+f?ŋa}"MCqIYL6DO\Fum 1fEg+%nD8>ݎOQ@u#h8Y:r̃vjBg;@o0D-gݩM:?l%,|55p@S~ji9'0Eua`D]8>ڤXp<nF‚nDZ~ ?¿l aֶ9VѝM_h"]h?? ~/($bfErjA)jQq z%kyAш4Od< F~PZp--j;R"%T8sB^ '> PVkd䚦 [g$>iT ʍXуkddHR<6؆q0V+iq'K=cIx%H?Pkak`t9qQ//2xf|!2ܴ| al2~r23zx1?'a*ȶ4]NB]ҹ1ѽ [t IL{\A1ǔ̋bNt="R.:a6)!~cWM fĎ0'3`RZsrT#id D.xLp1*총 J"ؑ|‘m KZeQhmibZYB|CC@lk_:mEjxܪRz#4(i<'72[܈+XT-̌b ng7rMjQբ|hΆ{͇XZOL>;dH{PK]'^I4Vp"gx4;}e.# go?yn^SsIwD?A':%mwb'uM"ǔE|PNZEh*v~}*4@8Bn㵏1&6C\+ҧlDF7"qا.gD:l)eͯqbPO?MmY:b?߯q9P5!tL G+SӁt&Dmϳ:QȠ 9BrJ3{uW'ۃ KcYܷf.ôNQY`L'>dx4Sr)L5*c7(Lshکm0ؒIi{1 ӑħ8*wRBHu98}h6"sfZDize%Ǣ-ẕFmQ*UyyW9h2fq+$"uL3]^M.B֒@_Adazie㤛I1aI~FLHf΄\GIuJpj UnJ$[%[iv#jd#eSuVaWLS8Xw"(l .xR)II_o#ldd*}#mB!J0xfF2Jo#GMǭNKQչ4CɚsW d^si`*e FԋozUVb/+74 ~qW?:9?j%-45q3tD]?Z7DVZM!`(PʛWuMh&hg7h{_FK/{o'~!(XϣPC;k3 sA1TGƾx3Q5~~m3sv:OI8UX *if蔹W%:7pϼپw+;Pwth1Hb'*{w>9Xe"͵w8/a >>,qB;l(Z`A< -4ϣ2:S_RR2n&8`#<*BNM '$> B:@ ۡN|OOP%J(2)4֜u Olg%YqkErI7)TI'X#(AKڂj"E| # a$?F0C*Ygp6&?Cu-m(:T-d ‡q)u$>s%ɢ !_Њ/䝟pGe,m;R0Z*%>vże|Fb>LjF j& V,uSf=RJ_:Q %/Xwf<),Jۀn RgM+*a}DȬŃ9}%_~H#+h1A}|,Lݚ U<'5 ðPZYuLe{ W5fzؒwAwY-A`T2:cŪ%DIV*.Vlbuq6Qfy.NkpkkCCo 80#'p^Dyo% *58ʕdЫrW:C)St4&tŶ;Ap9`^'* ^`mXJ_Æ7kLRrUT6V)yWʦۜ~E'sqK fJXkFY0NGSKU, GJ`VT+ZP*b-\0,QB rSz/7[OrG2yRO!*Oٶ+}nviSu_a9Vܥsk=u(tt4d|/i tn#qPΰ\8UQݼ1mpJkuaWd<@֗9H(M=pWe8,As}K`?T bPLg럪J&SJM܈[92ϟ΁ ycQw#tC5n\4ɐPFjnUitnwʨ3Gɍx*+{+e}.,뽑*[gQ!7|0WhEFRҰ9Bil)Ý8TbyT*TQ{b`h;E۾H8D<hHܬ#f,dExgѡg1bAd3w|!Dlhv !+'3aj'Qȓcb+ oxc'{Ju q7y=[ɟ/ r&6W`9>&SsZw02lt!H*KfspSkǟbQkw]nCD92B١$w)+RL^O5Z7}\(S+襧$nZ1'xxrOnSj5XlDX_sC7QA]LGx鍼=Lr)ɰc%C3dY钢n`+YKv@Z} _#BDÐLfm%/Z1jEH$X 6-3P]@R#Z A4 пqWCRk_]7xx@ A$Gw츋J\jx@$١BJ'#DR` >!jVƣTjE*)I>{r3~0q3^tV"v)-&8qN*kK|>'2 ltay\DU%[ȇ`PL#OT\k_f 0iR0tjSaȏGs!H`J+0{Ȥ"$E |*ӢTM[څnm8xe,όew?%%!=J{G ͺS9hDoG`7D޽4YI4@ߩƌr囩kLA'Ĩa' % XӸlgCHՌP0P25u2!|ɍv_Tc1/*8CK}}`k9)\lB I-InSZ_nWI8oQ5)zFg.kmՖ\ZspRhŨE6p](^u;"PQC#IT]A#gzN팿-bώXGRT%NvzS[:$ޭm⡁f/ ~jVWyy? '4@(jS^>hXβxǦv`.1noq 8xʆdP 0Wx3ՓfpR_D+nIfY܂G,GYq? 5v+|`{;$62pʇQBo4ez6pM4>*.;a퍭1dtѸj,_en^v#݇ <Ơqb'Cԭa][rXOK` 9̳̄K3UbFbbڑyOAӡ5Ue-k'I"5hBʭXol;{*~"RdU{kjr +a쒂J) jǮZphRIؽDbz-"q]یZPA{={\I˧ۤݜ3Zh3d!t,:l͢\ݳi:喬ƠY!!N5`NX=Tdĥ\Cd8: - D4uL.WzHp ՠU' b5OL@HTű)I'\\DO<%K2mSM?A)VT4߃%=y'?5IVy%6.E>/*KJ1qLԈ=:XHvJbF q*Cӹ1>HV> J2 E`y2Y 8jP[يP7bJM^8] ӥf8'GEx'w(>NM0k8FY4O >?#" 5%tD@A4$#Fl?k2 g{kKi1'z A;P/ \RB[P6`oo3\_mUMf4Я@5y "j$}dF"f e6N- X2VX,4 6qZnH({d!4B5iؼLqk- k°W.NXL$BUT&d^ <} ~Ysʋ}PDDrBAҗ&XhhёamI&i%*3WpC[x޾MX4/ !V2n)r+u8K[d2Җ5UVGzrf0\ wTхlG0=_~:n-ٞ}F 82Z3<ں zHyu BpѺ> yb{-6g+Z L{jSV,,#P5ډ+9bzFstN,aYRp^1Ex- /orE^՛9\z~cbNߜ*mll],ef &GrpAL `g^avKi4ѱH`Md^V,6i)y08 Th.6\w{i`:K dy@=4c/ |TcŢO[ ZUH"tYɈӝ|eW&m.?"6642zE1oV$f^ C r-$YO?w4n}y;oNa_sۿ^/jn鑃Q n'7BvȝiE5?oK㺯k4;܉Q:'(-]q_ȼ{f|9yϛԼ+!;p f~%}>>pnJW5Xn^)Oq)ڹ>"O\dLVF? lC71El>]>WaE>5N=^xA!sLg2,("$HU9|C„z7}h}t+I<TT%Qɗ# Lq~u0M3~z`d_yD&Viӽ' |u7wN .݄f܇ =O$,8׆#1m9#(r/$1fe"~ fxķl]^ @= YW8 <mY"OT톴 {jU߀ Iy4uG; iLB.9vUA̫(6tߖ{I)uC7i=7+i2́ʃ4C1g=aޒ^V0\q}8e0xF?șXb c% @xA;Wo30k_%ܔ Zld4Y<*_| kNj⁕7\xǷo9,Ƃ/`kJA-/d9?'LqЌ}^^"m 7NF\G&407;>k!d#xHjA8?F6?޵&ewn!`ﳃyDS*j\L֓Ldgwk.? >E(qJku[QD0FeI/,$hb1Xl3D6Y#O =޶灵Gwb[N]%ofW߰-7^,1S[}f#Z\Wb>RCۥnaܐƵ0N &*3CC Eo,!`1'J,BJ !_o&QMi>S$I <,d; a6upPvS'=RVޢaª+Q=p=~^H SZ*. -h2pA:V.915 :Bnaa<3)Pe.YӜFT-Ⱦ.:H-Aa]-pm!F/~ B]kΈpKI/Aإܷ;p\p'mC%*]KܤFP{oQ`Z<@@|H F5Z[mP/lҥ@|,^;q CXرN6;hI"y㲔΄cFl"[&h@."xoA%Ɠ:T>$]_SN|zP-+fd5[>(c H*S6?^j^t{_81e1yR a1 uۿB N,{*o0=w 'ML')K9i } WR0 2;{Mϋp㹏 }g<هH4pƧ2en|{xAn,5 '@g: jCC%ф~_:9hNE:r ΫIMc{{ OKөu9%a@}L@FkQI$fVvdоqB:A2gsgukϣܿs} 'AQD!0P~b@;S% jؒτO77oO'_"K&}k06U~N #>F[-yO5guŞn!),jtv5sq'eZ+Scym||k.:6N )uk{bY_aߋ:?UG)▌9ūf%ǔPX{ ;$ٗɢ_;FKU~0m 8݌;Gq걦Q|GG%F{o$'cp1gQ>b$n/J+=r7b 75w9ZȲliIB:I #D#Ex뺲UM0?"HimR.)7 7 1<)£ʡؤB :f ׯ#vc2CDܚ2yqproc+H ێ,֚J::d^z.}+g^߀*J=3L6-J t${' @Iq38!peDRb874cZ3'՚'CR{kzyM!5|k&.k.݆)2$e+bFWjnf/C/oٙ*LBG0Jvʜfc0˪Sb~h|Z9y@j8xPAV,I]f^G*y)\*{RHxnt~'TIm' }4&'Vfu ([iT~e ?cւe˝=6U^ !Š?~;qWmHP 2DD\GIT@/|A ςaoJnO@ʵ!wx4ybE=2mz=6 mǪpDh۹0q$_1P4 r4VJyC`: ~#BO|e Ü@euV5i} H2pwUY) w"Gy#7\mllv  7IZ[o&0@6MN5c =j%vgaK_!e[3 N\ Ϗnؠl3h`k/sIZDŢ{lN)-um@T&p* tbmY,:ER39墩NBwXZwV@R 83RnR6+Aߥ堍:3)ثJњ&.| %I%*`;ޖ !(_!ev-Qj=x2$܉bgjiӆE8,:v>Ji $4) ?SCwJF a4"/]⢙Py4xj\,xT-=bfP$hE_r=\鬃6[kܠN^Q8*aW &'>1?5eB}܇P7;ygnBX?#ƿEf$*ܨkHEq ^mCGP!`.sJoީ/9ّ*/ ixDn@ÚLwj^޶ Ϸ݋YiT ~S%Ϗ}Twy>3Hl=} $՟d!/mR%YHAG0 E_v=,[FNͽ"p6/X|Ыoi2mf$QwQ øvKGLs:4QihO~Ir1F>\C4N6D&+ЧѽUb$j^v!LNP(Uc @OF3nsW3q|NQQ 3D/'\1uDеϨt|O-@akTJ5=RИ`-6n@z̵U$.nom‰`|Bub/8|mUYtL`rՆTcG]GB{pژP0b]ɖ'"A-Bȵe7 yXd?6CM N;{̴&}8qMn|fvqd= &]Sٳj/*3{fx̋ KW7 Y+Y(}&mUh̚Bڡea6N>bkZ\5>29 hXRzfKo ^|Qj4HHwZ#8:bFEu[wrW򜂯jHTr߽D7Gi5 Ng~gA@8K *o^t{m嚙wJ(@0">A;$?$%z^~\4d`CV!AC!xYIO5[Xx=E,@lzy6X|ҟ3DV@ƈ>hUެ:jt ׿f׃JRЯ} 25Hy-t,xIKnQ1~ M=q,sRZɱmLM+ G?ti:O?%5 H{{WsIzI QI /^](t3yR">x{~zRP*sƏt(xSn1 lZ \ vj;JrQt |[p7Kp:$fFZ+fw=6M$Ƌik+q3~;9d5&V5]X?Ǫ9([PŖ2^x옏1O>.b!9PC1hr+U tݚ6 ަ8ˡ^鹋PrI'Fb, w-gS֕0U!Ỳr1 oCēY={rU0x+M57bX5};'Y+-^gmp[]ǰ5d&?ܓ{Εezv{6 -4 Bp5.-'R(nǘj m6$fܚ'28\9HCwLnA8zn8>1;qBÙ2D#4@QE4Y\KxA-:V#n)ϯP\ UNlit4? e*)R~Տ؃7:fnÀHEAܔB+'jN>ŕ% ۽SI=B\c 1zU>N݀HRlCMKO9KH926lq^ro RhtW끗m/:3gg>V]dly${bDKSӹknP"ľ$wWym; 5Eľ@]ƘXDOI'Jv7$@9g> pD'&0l K=5DZb3Q#!>7jbkQ|N!UVlv3\ib6 R2bNf^9F ,'=qxz.r}ľ}Hk6[#7`B⌰BMɝ$Oᛇ'V^`U:[YU[$=`v׾ Ћ/t`BٸH_sIpT?6t ȘI):sէQJZG,bLCsV n o"yǯsqQ1op7Xa-fKޝo&PBbkh-e1nZE@E!E^3W9r( yN/i ۇ`K՚z:rO=G4{ja{0kWG6t`b=" Pqn7Gv _xi4*2g+xc}*7یHd>D2rIUeFDfI!aV$)_̓H~mG{|ϸ>O(J+(>:npbVQ1B!Xb6ިr/qف) jl/ɫ <~I-AdqdDhM5bS^$Z">{[>_5L1IrXnNL1$FgW27X,YԀ 2\3u WMy=r\˼eLj>j.䰤&&BO1ilpIYqĶ6@Լ+}{A2$EH\x9>G \{=-|q#l};'U,qwS6#ʧFY ȺU?Lq9  0K{*[[v=áHVA'l&< uד;:>OZȰ0s }rdv$&s FjDu4(2o6Rq~ndJ*nEO2~6wEDjos]:0B7hx -Xd{ys5F}): J܍ThR$qkJ턻[7"]uk%c7^X8f]֜!0g& H\tF[YԼsGuM+v"ft%.͔i׭$ Z{I{3@vdS<*;tA( hyFO9&m)6 k& obHcjDkD [fecTVh3khkWR3D1_k=ȐV? )8,z"M3?A 0r ل[~\jFCrm=C2ڳl &ʇEBE,&ɄpV2 sz}$ #D,zhIcY}eҧX=87DT)WSvPĖ-.rx|WvYt byQ !Ke6\ߠVn}؈aV+MȵG@r2rfbe4Áو3O:"&[;4.{U3䃶-[~ /_ewL(c!Ocؼ`l=PA+3~;Mi׼ ¯%]ꆉwN%)ɳoÊqYMsN*/`cjz cD]P: i|6Ir!=/͂?.9`'S/20EHp^Yjhb e)Ss#c$)bnJ!O)4ȳ -'. Ҫ9OMea]dT 6uB_ۀ(m.˺{7s\ǞX {BΫ~Nwn$AyJ}T򢆉,g'ݡHzcc"~PMINqq)f^v>|jzJ#p])-̐bButl S4t>aUdayP­XvLLsې # ב fs/bUc|d@X:%z_ohh2﷘qJ!%+YV==[]m^2DJr!BzX pn&z{s}^mBcQ.cB)Z-ï+o=2)+~[k qxa`zS ]d7deU;o쵹RM=~U rApT@/@YkA~"6☢0~T5EKur ŧ*8vbikП%[ $ILv y6?1 <);vov2 ԶCLBYfqԱOmDD (ٓXSx<{ eR:+xAgez]>v 6!jD`#mton<j&☎3X@?n>}Q В>i(xZQ%ޤ{L%H=-Y֫Gptb۾2rnh#$ti)z""$ٙ`2-cZ -\HÊU^ w[=qp$IήhŬKbƂPiU]Kw. 52/jȩB"/DM%sXNy @0rݳ>X~!}lz U̷BT>3I>3f4-8mPmdx 6 3<ԋtW-S މ7~ϕ՘(/v?0"S|;}s=/^** NY|U.w/B)|rDZHim|(RMQsMSYU!yAQ=yz/^]p3 !Wz Rx}/ bdrF8H{_Dp 4MĹdvڎ'OTk|\XvXvZ~1yJ;FPs{]3` ƃ\Ьz!x:*4(o-똺%\}@:%|@9m0OKe\"=1 X>sR)lZȏ9lEr9m\^1#ƿikQe@}&@@fjLY @cKÚVѐi&_'GPt-m[98*U\gh(=RF?{ A?H } ZT!Q}0>ǯ?>Fƒ+W PQY_aB'Ҩ'*TQR閌O9  hqxeWDfEFFWq/Y#3+jc&.!v˽r ^:76A m" |Eg_K6Wq 5 +lX&;&|K̍6ˌn{Vlϥx]F 1.H}V-z!Hҹ E;Nr QԸV`CG/)Th-2:$HAtSX%ggO6~LtCntOa^0ģGԐw}[9X;ꊶYQr vӿ7L83"yvPXnw E#Pa[/ڏ +/=EcJ* \aڿ&5XfRq'|0LyA1Ũ-ahkϏluXgZXoX' "#Xpt(K9ۥʬ x}b]B19d"֊JXC1C2d=M)B{\㾮fg$1 @[վZXݴ_G+*v4OT,D\81 ;=(Vݟ/sH5%Uä́r?2N1D^gHX*hG_!axmMk˻8z4|Ƣ~P¡}J5eiU$wq+ Κŵ{rw|s ɢgğelj[)n+tm;A^~Vk[ݝH;M+rIΙk:DU١-rn':PhSVdcetS\2%XNŗS,N0ir{ CU01 ń}q?WY,f@5"-9&zrK6ˈlCFϭ\4vKĞLk=4S_>}`]t[~yeDtjPe|>|hP]ohGqB軕Щx'B?7 R]a[Cv iw\Bt칽S$P҄)oiM8M 4m+MY\K)F_vbܕ#.=-%i3Kޔ`|V]T 8QMJUJT=(>aN%{ȥgyg}%{67D.fy# <* RvdX c |HI _L2'`Fs#֝]i=.+K I0/d=PÔ6E ^щZ8Zl"`b^z͌IWy׳3ڙ._u'-{]Jl,PeQkzHޥ) BSPp.LJcw׎H&Ǫ %+1L$vs}..H?-b݂ nBh@ ##W$w7`}g|(}.w-^R Cr+ jX gRć:1/˗a|ХͰYo7& { Qǡ7WȷW-O$5(n`` /ṍwC ]y,ON0?Ie&1O #-wݎOFc 9|᯳dƠ@FI$煔΂P Y1OvCN@ bdQ!ȺDr~C gQ\M?^@t4ka? P۸ )-< QԟҹTז@i *G2hF!_>&ux~<{5bJUAQppۭܽjhaɋ6N椟mN̠H$Cooʣ_n:ίM-ʣ~|vQpcl;POvy5,)(laF=j[,Y<8b FWoHbώ끛 wɪA4[NļGeɦPQ։ةKkdn!/saHA>,D?JM׸wDoL "pZ6Qb;?4%q[ OqI7?9Zl_7E7m=d4&dn6(BNS𤧇!K7բCdOB'0 <Բ[?av& C/`׷̿J<{6\vh7Z؋`h7C?`jY/hSXa9q1gHA=F-u<1% r_7=yK2râ~[\Z& Ua&YiCSׄYrQϊWSx%e =bF|^TVgd8T > ';cmBCw:U}aS20!k_}z .Z..\CP1D"2-'eZF-}*] ҝ"(+S;NxRX&&DzhE(8q &-#kfFn& 2eCYL*v~)Y_Q M-}r6$ogPەC=k-An)X~TMmSyore\#O` 1Q|j6:Ti䖁p #vCSAӖ!=0Y4 f gJz3tz 7hzO&.w5TIyکfb%jՖaPS{t;ǖ^޽0lA ^Im>XujLa]u+>JU=eWs5D;'&U./|Y%n4O)mYG]赧b{9>PYDH=_x΁?[BB-x+.5;1?h.,Oz(JZJf%L;XZ.[ $WuǯPABN Xtr\JEk8vEINn~cY3[P#2)/]^ި&|AT_wT61dPFܾCJq%\r4\(qUvxFu:`3ƳQCyĿu1(`N(e\.#@a. [¡ ,4g9k=>*Swk~-=f@Auxu%g&4Ā{Z=čaPa嗄mfB:^_V5 bnROd1<ŎUP̀";ۑH_p - I/אJ|ݓLt_AB})*Z'qr:tJ]ňU;\C9rD1@ [&%:C)x{X Xq]&Tgw%-0Z2Ͷd:MBnsР0$Ѯ\Nq}g[֘?wiwUxV>6I73W#a'ҧg?â3h~%!1o럟ޕ@` @e<;_(fiuxНSibH>+t*Wp텤۞L]\!d嶣P5T=DE)wuk&+l_Ϟ'4< ̔^ݶ)8Kqߠ dBpF)##r*Y tU\uF-&S]]Ynx`*J%7(Ó\Sy{͠P LI՚ k|h0$h}xw `,d\ src#um7nzmý/<Riyh5]a!4 S6/|3'f_.=Gր"5y|t)RA$vG9g*8=:h\ [Ki~?e}CEk=i~%;c827b&͟>`sq}Ǜ}NvDv.3`‹BC .)}=c@T` 9.%X(3ؑ[A#&&sVI4ColI(n{MA(/_+A: _\fo0jr>| y"F@B] (.7׊/?W"qqו*۾T5Y1Q/1F}/KQZW4A7hOD}WVX)}0fCIJSV1/6/K?v}.Y!9S(P^ҡr5mnc2"|&GϯѦ0Hh ]jI !~x$NB"P|`C_ *oH^ٸ*݌;+j,+b[mykqIyF$a{0Ke:4WH^[C'@>\V@99ϙa$"YU] @e92]hoQڸjwQsY{LǸ.Ӗ*-Vb$s` |'F0ag)M.lǬ&un[u`D<%[ySg-E,o (N/E2i < AQ~qÌXC4%'AIф۰ 50G]uǣO1헠1jG?6cܮ#V1 @^8(u衝֗K3۷M٫ree2Kn<}W8ljry_I@{k.9k(%jMޢ8pO)aΌӮuMv?Bi(.%A՝[AqX Q0D9 ^bhLdqӋ+=hؓRCWAiQ&C̓1V5 ;QV.uYQ)dP׭rad͠eާYC0{J sSBءr }e\B~oОrbGآ&kV[һ2iq"Hs"'$8UqLw[<+FOG卡v\*<ͬTn,du+ȭpJc]@lN'~%w,:3:X8L#~jӡ܀E}vZ0J* / gtq;4^v6g4ٙ,(2n4 K WhjQh Po'9B@16eG@.T&x_yjr|6??8 יd0,ZL SbjN 2bYoK(s8=,y"cx:1ܱŖ\\JtSU~'pLJ~T]+g\ <2t@QjUd CWR@OGF\!MQxf-(f}ZSLǹ=nfv ci:Ͱp+H~_=3'u<7`!z~Lmd|i]'K$~ȣ"FZtP # g[ #n )HxR[n) PK]EDV3VU/yFZ.H:B_LX퍞Jo8bHv?nڍvAj:\ǿ@2 FbU:BGq5E6U'rhrf\)tc OmXXѳcKVV{n6{e&GxEu f_1h]Y!]5IG.O՚7WG|S,Uz1..7hKZaX]CbyTm愽Qv^;j>{eD}K5<%t"fY^.UߨP3`B{L{fOǢB{ty0 YJH=A'ZP ivv4o::ofb[;CHi@“8ZK@#~BYMގ?瑢/X-4NFL\*R.P@ k?8cH!]¡Kj)04qX(ܚzgTsnQ+g_RAglBW+c"Xɮ.l$Gz潮siLW%5c 8%`ipSA/aϨ ] TVpwaY =*$kSE}#O?տx +؄r˞T!fC#It0q.Au 20 wC%dT<܍xDzaٙ|4-t=Zg]f)#1v'Mx -wIé'q0*N.I q~K*·vDԧ;!?7ô=)w!ā2'hᯰ&D}1Kuc4g5DQlݧ@ N~ȡȿPPNY V{EТ^G F ;#1JghQXTIGuT>J@ߤ?8SE[)V1ա\D܀d~$0,"CJ/=A \'[MJ$Y88I< n9T}l2azס>ڬ[T>9,#DيBSmxgN TbI?{QDOe? e 0yl!wr#\+2p /wWv@cv$2*l?%.0fѬxJ~k kiE̔5&b kPeMaB*{HJ-8g6Ƨ.MVv U4D8؞MWՁJSe^|x5)" /EʳalRsq|.qZľUsrlPPe9y}oaZkYZc6äIžw}D}ggOQ; h~0;&h]  /ћN.Qv*Y}M]Ps&i6M.|xL_޺ޔ?/63oW8"]&]@>}2lYcn^^PfӇ\ jJv I= `<Aۊ_']ń(kZSCVsp1`30P]Y+opc6te4>Y ء:'%Syyp8tJmҥ(QnʦW 1D w%}hnr敘{GZW~Q8 䯓2I7V=6,K.*$ru   14qj"^\@OYwC^PO"Y[?ɽY(~fDUbRZTR> @]8@ދ?0,_ ek& l62!\9c y ezk<jyS2eC$&Gۙ#Kl/8Td~PuU 5̶w5ٗ]xTҦ7vNd%G|3JmI]ƋQh}Zަ@G5rPx# Woh9qݿjMNIMCϥXP'JY#.t`cX"w>Z}iV=J9I-ef="k7"r"0{HPBϛK%OdTWHO>JBZߛb~Sm7suw6R]VI} NaН["Xa7w| ~ޢHbnPn.% g=$^c˕7wÃsh11 2o j@j6唟LEiALu>9ve]'Zrag587VM:qc|M]ރPp+*d_}pbܬȥGC8 *g/JՌJ )iw*bPPs12b1ToWeNZ\7ɵ79S#$;\QI=M0㣒\|o0匪DŽ!DXNfXSKNE3(aըQ>wP+ym&a2=;@*SYJ}wދNBc+늷FZ d[[ @^:H%лcm~8ExM"bX|OڭFNs8qKG\QXxbNlF3t~ \72W}֫מ=໻&].t?@8D$c>¹-Xu#DP^j&di%#FNpEyH% rGaz]4ˬ1 flY1aL|ж˲79/- :g,2 &`=95=\-źᶴ."Q/l4?̒#m@FLj `{އٱɲݱ ~ u4̘?b6 SXH'³kJ$Yg;`M1g(c}C(;oarwʞ^9^`ZOͽ4$̐SD΍yQ?BN*Bpgʢ gUfRóA {> X.ړЕٽmGT2Nu 'GKj5|݅ x4':;{#@ɑ!d'!g};> (m6u:Oo#ξ*'E T!-Ұ*o G > Gp7kk(r0,p^N"R3] }Ly1*u8Xe;"5K|QҰ-6M>eJ@x4HZX~m2GzCkz .y  .y"(7 8<ԁBMpGxd M4ES/JèDɊUěÀlbm7mF~ x.Hڷ4w *psb/ P݇P_H+oCJDY/2Hd0U3==\E oVe9.Ȃ0Q"7+`DGwN2vE pUrc%p('N ^4d{DoQ5Qk( spF J w͖YMSf @i `cz>L $nre,TtP7X4^M4GGcόa?y,&xEH=$?aJ3Μ؉#UO tYL߯;zWdGD(T~A#EFo-k 5] O% j9mǃa棴lصPCMiw5A\}{>VYÔ(ҏW W}X3ʍ&* 14tZFAxT'HE:M-B#:\T l%&F!WTaN,G<3&X*Fk]FFfS[}>"X@# uӏ3RMz;v/6i`+p)U|ѢF#Qz\01H&Z6Oܴ3K ;09W//!w3tFc܌mo+SWKFƌx6m\PYݠk~s  =GŪ fL{[}R": !xGw8s1x}o;oɾ63Ν+H zy~v..!"/)ruyOٲe}hpc9:⅝r;gN9!kYU0\;Sb]jڮ2"0"VuS2>LW6`6.Qu_&k|-ޓ7nkzV]7wt$BHz<} )f&3<\&ЧWxd?j8~MsG/;G[|Iݚ(j]V {$.-`Qky :1Qbaψ@,RL*|(tF<㊢n($ +YuU(:qoןA5Lj-~?_T$.bNBROA֡ϑőK<؜GRi)YxpHcoAƥGxnLY(:31W@f3MfC3ݍknNdM_&mYՈtH k<;s9ўW(jh,?0f)H ؈/Uɞ& ̌,Sohjku't=!7]Z˅ ;S`H*o=]K!uccs5FMŸG]''\Sxe֕Hl ]D~8*džMR ˬ# '<|꩹c|w=)`H_A1<2Q Us[ 7"Q x;mS*}mӜnklqG߂%Wu/3ׯi7v%ϻc|.݌d,0mMĊP VG:W(e%-re!.pЭ"2a@<{Nն抿.+@o;&@(0!5j$qs۔O/謉 :eҼ79Nc̕A̔B%`bV.^lJ$ςJ.d =:LŅ3,NACZF<3#Yi 9Պ ;Q|C%,0@-1j@|Ç>CRlY-$== p.ͫw)@GϕBμbpRΪMgr1&<.P;; Wۋ31n _E3qZ Gd؄6cZ ? 鷹O]nMl4% L_9!<-%1ǀ ԑϒLBnf?Ï$TnɈ+@QKx=vc L+ N~k 0R†3"4!֍SVUIF~;/+P X|m;+>e?]%{Z1 SWm9yn`̈$O\q\{Y/1 4x%J_v(}J؞o-OՒ*#VX!s|KJyϿO0\m"hVN]s8f0o)]!y{GwKo>KcjoÀ+oӼugcd/RU+KZ K@( s vO!#/)V:~7Fn}AuX ;͝Dԥj@x?$,2e-4njO5LY RUp3(ae#.K:<*B7 GcFF[1b:bХQ0`we)eʹ[zBD'T0)dGPܩs%?mV7GFBThxYLI9(ܥ`c՝ cIϋ>#˛QnnC|[գ6&!Qrv(4a?} OMu1㵞8=R{4ҕaVe_]%>l0C!@5U`c|d]$.J\YVYxux oȳkKБ:.[F>qNgM,-˨Maj^9 [u,!.պLCB$zzX2 T@16n˷ :2/HIMBUGܤ;ĶlA?3pXf<$g6(yFlEێ` 'ЩS:xME gsz<ն - >$5 U&0A35_/-{R8Ѯ\ l W*Yg$=QM\fYօ]XR=ymm}Dz>= ~'AuiǠQm\W~4A4ΖIqL\au j6q>gFq"D-Y9 H1_v3-cOH8/JӇEt; ޙjեL'Y!0K pJAO*;E@\v 2sE`թ:UkY  A^a(+ 6ޞqPP949%AxkhH[hu{c2(EV=?r6!AoCЇ Pn39NoٰaE\/ec:OFi?0o;O9  Kɷ`V(o{W͂J VK.M)x$V NA:?ߜLmA%:$m0mOl4yl\~|OwMY~'6U2K_qH$CxRQl5x"fզ[;WI4F5Mk V]@δ3 lJu3!fY"Ed)x̧?K9z"r"R5 x=LX t_]c'X?[@}L <8R<3cz:8emU,4?ղ.jDϵyoך`^ Zz䆐cz{K.zOXVrOl1Zb- (28ݜ#R  <-uX경} /P&oIaW2a]QsbHiȚU8q _ :'C9pB@bӴ$O<˧ʨ(/”Db#xJ,7Q󲶣E,e]gI0 A#5+alK1;:+$C5&4.!W0^ޚ1SAu+Jq/jZH f%La[A]oV[/2'a a NcrִbC,Uq|KK\*+Z{6! I ̾w>:/MΊ!\i&P~N9Pٿ!g)|ðEѲY'y}$4ZI 4c28K}a4d ;MЈ?M/z ji^sVh] $yz=`dr44d:w8X^&T/g0uBR7>ࣿz 0rm(;>v7}ߛ .,`\JlpjE[l5_WX‘o띩*1%1B|z;R %DqC\w`֨{ Q„q#Y*̟_r$3?7SN"=9`$['w5F̀#ν6>q w ?  J\6;GbeT?J|sxt]wFen,Eиbdt?"g[Rew Ē^"yb7E|G1,1؋Vؕms8m&\P&t`>@:o9Fs:TW@ Ϟ63ʾbZԸC$av 5Dy#Wv=iT )g2GIPI}H73'4Dt+4KA9"Q]b_n}o!*ҩI1Sthۥ@Rk%U}Oz/-xJU)B}rk7$ܨi ڞTʃl)tX(Ti46 &9i˷+쉕7G-;!9GrчaPB~-YGsSnS,h2A$GP Bɲ b OOӴa4*j:O7}ƒ t0!TbK͢[ђX+X癅Ggñv95譲(q䑹Hzݶ8-f속s.awWyuC6 _Ȼ)]&sxD@Ҕ:~3̠.5_0!q Śrҳr,H0|um'کW2$#"04#gG͢qCwgoGEOPceR Խ)#_- `ScGp/6g>K^I+gՊy ;g=Kt2\pwBiE/SZ!PI2iM <͝{TűrUa;j0=@I ,JM|ݳa`=V4 EMX/hTBޜh?M a6(9QF,~Xim9*EO>[ʑVJMv{rAdؿX&y]T/9>g[vrbRT_LT22Goǘ;hf,19Ʒ#LG=9v99$ʬۇsom^G)pfs_Խ&c),2JإiKYL/6FG,;$nj3S&]ʽ1ͼ ԧcoVq-U)y1 ʿyzIKv*f5Fi#]#H|2 ^ (b3$ocՍ'Due8b4fx[㍙1pT\5sX$;V 8$=?O8T;2z.rPOhAG_ιzxUqV)Eo{\) [h%<w6s'}꒿.}KUAIX x(*$-|/ţaX`[0lu˥Ӿ9ȧ.$]xFL2rp `q>Qx:%eD<eӘ&A]}y 5&X{I efbΠmFoP{t!͹FF" 3HE9_U\h2Q~{axwR&v> EAY2 KdYEB@?rd'pN?^˺.NEyeb 1,c Ez 25aP!Ro~yx1N|iHp9b42I_׶UmHVT,@b6|w=9 7,z9 JڬU._1!pnn|f>X?{Jr\AݳiEJbDqF4{syz]ds#ş&Vn-Vn>+fTyoRfG8ê=eQiR 1'c "߫p#$ld~vek:. `(g#7xٔ|68g:QKw>hhKI#E$K@A͙S5Q`b é1W0ctT4"#OLbv7KFTaGYtc22H9. rl5OK"41o젉0qX\ۢm=>ߨ{;>*T=%Qs-fc-9'ae~梣U@G`\uO>*,ua7v\"j jxGrPiF1tv)t@RX>Df#]r6֛)+6ڸo Xe z6UiJ5 d/E+nG/, zW/ե"g7Xc!z @hk}Z&|k9{|۫8vܓRyШ|aub2>lm:BUW ӠP.yS(CSn} &ĝd{찆N']G=J~s9S8>9!$"x3l<΍6% (O`6v?2)y(>x/ɻX3 eۦ8- -]@[`yYjoan [/eNӫ,Z(@6ٺ}V{-'eL`~ @ZXv )11}CƘRlxW1Gݦ{bIz.kK0+tOe{]Gye 8H ZxKƙ{E6bֶ}:G"ҪS[xr@vih irv-WkSņըCq 7 >W*P>Q>eٯ-)cV,4jiF!Brs<\Ugكd9ts.5971r;Pq#V: GzA<RwDq{߇)/m߈3.pX04PiwT#hc:} 4MCq[\}Yg q?tX-#$m;_H]o `:,KtK׌l~=|LjWvX)]l' 0#3] Hu@ b+t-<5}?rx##~QI]jyj&yPiwd'V VE@'wY!o. 3VhH|_(ct kn9~DW+ E%H俯RD?i;+,Zb`=\8[>]pST gԞGUCd=>ln [ey6A2 s-8n~RH"=͖7ӥQȓsᡏ)^i"Sb tcؔzEpc)"X5\M%rzs7+&^%KU!"|(תr?d 筙]eM0+sUD%>wލ#RUkPjjg'3dQb7NM3~pRnhC4MTMJDʆ h6/;+@s b>W}>|KYsپ%50k b"IDEjʿu[Id wiS.;Z ʷ'L1rz鴜 ru&č_H0skad"y7EXgA7, Z*7ƍ=3(>ŀTyyCXw Dyg6tI uxlt?w$UVҲm|M&b7{s %lA08yRqE)CD&yo*J䰴ePLVPoc$ Vx>%:f%iٔ*ai%_h %ZOӿU KK_Vw.~/x4@bC<a'PH:%neܘ#w-5ZY\ͬ&P {jR&;){l+o.ш<\$RN+BkAG?%u(6o$^)b܀ɽ%EJL.:d9\Cu Am~pgՈ:0 hZ4 y:{2( A˩.Q\eV%nbp)3[h7O!pSH#y$QC'7͗$2NLhϨk¹:Č(RC1mR}uSw k-G-yFH6+ ?zsr ƼuR^]u~!T>YatKYg-:Gޡf`[UϦE-:9 qh)'Pv}ȅQ)9)BZ#{ᘤBu/xq1 Wv}O/t3qmshj\}QM>gWc=}E&щ۽>2OM6R?s8ŕ7S9_K=q7k=# mIEK&` ?__7)Qd zs%eY֧/%zަ~x:t-2{+<$mjgFOQ s?c=5?F`T7%2oPh%;]1KD>)PN>X英ȸI6i:j@tvmXHY|C OHi!^{—7`!{?E-&>UhX_ww{!V* m?gek>AkA)jTgv*% iX:^P/t⮚d|$,Ep۰xQt%1(=2ս+dG輱i}twMW2y/'ʊ'낆 4Ofvy2`c^p%Z7l_ډs}B`AGlrulƄΛhȠ5 wd{Te0Lj oR>(U53ՊEZG6ΥY˯S-L}xfn/r,WoSƉ\O;^[Qlz3ɴ"IvIN;绿P4M塮iyIuD.,FϢ9N?p#H< 30:5G%H4iHz`UQf`MF | bN%8p,kw6ҙ#9sA/GĄ?5sB~$o#sLz4'(2bUrt`B3]B)?@Ư r܋>A =q3RHkfENi/_daы(UmȄ$O"%1.E7zZGga2r8V .B:b,1 Z}-3_f?I40@or;Vr 0'Ia&%!q/z)IHv%$w5w vfY_hFx(͏>go݄շۗO x}oèX%~H$ YC0L|!BѽeRX x*t%-r >yv9QxwK62/%RD5y¹'O Y0X᢭p4'4d7b,q?˥).!f<#e6pΣBvH6?r4 VDzjQɶE˽!]`׺vmXcWYt?1]pqb!nW!0mj:~LL)߰9bS<*4[ICco$z $[^Eh/8 X^OBԓy?~Q!p~V* k]| 'ͼeOy炂XYd"!A3`&6+38;wk #ͻk1 Lpҁ"I$uYzլ߀GLuUWWx^a@Ƙm[XY^"Sn54CoTY@'y<[6)>4fZh+xƼDƁCVfw2iK^i!Ei Q>o8\*#Mm"^\lwq;Su\r^F%moxp }J?OJ OH`[LPFKz](mJO@a˸R6 MXiKLXѳfg$0/&OAG P) DcKhkt%^ņ4F.;j6"ijA_t=U';̊o@"Tݧ?{]a(Р͋VR|G7Q/QK DFTXqm8[ |)B&]Ʒ}||} s8(3hvp;Njv=^ ?~~A^ڝDg ?EA,Wv[`D+TGO&r #`5~81_mf 'S~WcЭWÆm bلeja i_bX7Xe 4Vջ;=eeN;ԭ $^[Ewjdd9/m:W>\u(㺹gDrI3 \JJ*¨ҷ3µ>rn}1WTxJ=zmx̩J>}`{EG([GH.6qo:K 4Tk`Qwl!w7jO ,Uao]AWP'݅=Ş9X0J3$m. PUJɛ\&&*faYjPpv(#쓎,#k2O"'wJd?.:="n-NR"tx t,|)q1xԻbw0ZbYYo0aђqװE'X$%~r ٔxo+"zE* M>Ͽ0+ P,>gMZN$ >CpPmn/zX~>݉q+tQ*3!3뜞&' ;J*Sk0 ࢊ(A"r jƒfdvVҷ[cSR~E[VZrQ|:7C=h .7ݽ1w}SZ,M2'RYb ֏jl f~]ƮHe㟡"'xp0^GqnHTfнK >f@V/+QI~ )KrIpZyS2/=crq~"_!p3oYv[j?/ߣ#URMvgXLIĤy-Hk:p>xS) W~j[!؂ [_hfPʮTDAFAIY6gBZU=y}7&iӅ־j4;=Ybc`(#,I*+b\ 4P4XWtd{?懳 CU !|5޻A/ϊM"uVHZʀ3a+N Z6 b&ߵ~{ج!# \)X0jvY/`{KwAsqR`pwG*Z".{t:jZjkFqX3U 76!Rz!vAẤ#W j"L`/I]л Dj4*eo_InOɉbݩ><#2=?wj{#tZJ<2=jȱ6Nc4!A yKRF1 3LMOtiP{fvN?qG Bz/Gua5aQd25'(g 4|k]r4-,jlG@9݄Snr8cET]*rF5PU apd Hul3Zj\E.,/ÑӪaB+ Fko$МH3b/Q+N$Zwǔg(`|T#"ǵ  ZUȒ"q+g,1me#v6 ~7烯cLQ3ҿE*[`Z7g"1aB=P5oVSV96٠NQ Xw OoOfe%D~Y韕(Q#,x䥢- : Ƕ1c^Uyt6=;brX_0Pgi@|'s5Ϣ)rj/V\rWE wT)L>adMyg.l/H%gC x4i%69R5Z$S*.e LdLO\@dZzc^y-G"%X{k\tOĢRl t͚453jAEg_׈}>Mp$X '6s0ZƅDw;l*oyEf1fnc=K.ry5 Y\A~~ֶֽ3Bc5Uq#7 Yv6{fkG?8Dgivj pX5#36SvꯩɉE!g7xX Q&wPLb3-ӱ^H%X a/Mi1i>uR}/Ce?`/|mf*2FUm!LtT_E;Uy)_DVMoAEH{ 8Q[xĎ[h&՟C"C|-F}_> =j_xsp}NqHU|);0ǰyl >H1Acv~ m+bS_PITi⪣AcTgOp|^H,]Jcg ~RC1E_IQkmr.j$)# 7'`C0*mLM)gح(_]i -Vn1B7GW~6"rYL'g H"PEXA3#Q2hٵWneGӳJJu%vSB+~uU<ς/"/JεVj[$r dX3>w

9FN,f :fcL.g?6u섩Z\jg8+\r󂣈vS'z=nЭs\\f>s)c)s*QBГ=]P r{׌ rIQ!\B'hOdKGo]X1l4I :#I|L.U(qLMAVʭ>7t |!ثJs_*fgdˋM+CWK%0UgIC{M<Rz&i' 4 #N2ӊ ouMҗ.X7uw;3; )5/1^ -0*Gl9]GTB- 2*FncFf`Sߗ4.|q<k?D}aqxB]6GL=旝&78 ct03ߕ'6Uzg#|DV9Yb .z-Bvl^?{P n'xfn!Rn5LxS1r&׭DY^RyET$NsЪIlg \]HS;(ot]~Ӳ+l7{g;ոƑ M.`K.CL"Pb?Wo"r>Gjԫ Vaz3JXIh"J]w 8`/q|}i絰Im| 4wb/NL.%+(}%* *5At P-K"xQw807:eESHYH+(0'=̞mXň6=|h8_3^hTw?xԜ]Xvy1FEȡYc;.~Nɂ!$*E5GsKRub΢70d$AW؉?>5t4<==lG#16&巳n:ϥ@pWb27 I.۫ gF  PhfyatAP`PExhK5BHxqsXgu^9a 5$|Ol9[F?m{&>M TM(xr^t䝏gcJ][K|ѓ{r08Cf$"C]HQF+ǪO0~)y Z[ɖ^ R\¹VWy$u[=I>M't% ) "Z$\'JIKBh:(rBa$5IT ֜GYE]յ"K\Z nahl!1LQ]}1hwI*W2Tqrs&4گ4U%_hp=G_ܶKohxJy;odWbtdyHK:'&L]e=7!P"Qdf;Ta9ň]A;Bur0%Oƥ W ƫ\EJ~r3coC-18hZ5*"P(diz8xVlɍWИMCӬ߼paiOdkNB_nv%1(bB0ĞZUMvt/g/;=k`zrpB jvVv ƲBgF՝_}YwpqhsQȪ&֗ڋZqc$~~Gv3BABd#-eU8_I6*6d6+98A9:m$ދK,a߫ ٳT^4$02vQ:|Z72`sQear:+~A'i" K\~J |cSLd]{]U~o~ghbMCғ_<`pL̞ىјׂ$-Ylh˰R#<V ꂟ9c˶OAuʱ5nd}|.*TbE\Sl / d'Aqu`"ZC(!`3 (qCxQh2Ȝ{?mmS<AnC`$G[i%^ۙB()khxB&ӆ^a||V^W_,w'!=<$}.ٕSedy!%v{X SvrthC m[[CnLF=4-q<]QSj6 #kDdyb&Vya }&"vҘ4C/ J!cWEaL؛ ~h̺AqKme!9Fl ,=K3'YB5ʞN]i>:9~:}zk.3{9q|0!7/Ib EX |nme4)S.{&u jj )o2);j.q0O, DK]`tm=*}qTn\㩑QJWĦ.(J _LY-]w07ҷR>YVћ‰Vn!U,\Cp`uCY[!rYS3 -T,V9?V`K1cЖ#IS\V&sOG}u<<ɡAv"H?}ھCRuő|xj4=7FX'\ܗr|1mLEym\/J6B8vBꠒZt c5L?ݪ.n=,o?oH[?C.af7e^(OX#օnSiFzH\"*V`GF蒨"'uv8Qj-00t{IXI@)vl,4+ŦGilE&)YI9i:FiS%4H}+?]N jaBmHWJ@`\C5'^{MrKd[$c&am*J Y-&E{A w4s2&waY`5D]slcmmJ5h~[(.<ۇ -o7#r%/*+wKěe[àpQǬde8|W$YAjY$/'F)xYs5Gf/xq˔͘<#l[h5DhW}ɥ})y0 Ǥ>S-WN::䰈.]6|lQCn)$~жKB/\MӘ5$ WF~`"qTӃZWJ!Y A.*Ij"zN=TXU yҊ5/=xl=8V h n(bY_V@6K#)\+ ^؂ u:L͚ ވŗk֖JV ZF.og#E$T| Vh#H"酀״ j2~ 9 һX"S?ߝtikX W?M>; TlUj39a_!6؆0>N% 6F!{N˿_]o- v)M ,]]#JIw}? RpLBwA)lgOzw宬~;72rtLS13 ȏHLwvHZ:kCA2 SDbx+К,R|,q wt¦ 2ZdwPUMSZֈ W ~&[P6C1!󝴤Sl]0><\lno )CR4b߄KK5u NZwxg+I=5qk"!mKcܗݶc~OeC+a =|M 17xwɍ܁Y1fأ4[1`j9?3E>b˨3FnRW΋gN=jL7 E9mtby9׳P9x7[xkQauLz:{RTLHrXwv%ʛѼ[Ӆ']G!HƵ!VOA -|caaa/:gAZ:zX Qb~ Ua>G;v0lޞ> Ѿk2BR引X<$yGq0JFj „9 k\!(x]s 63IX/'l>T56L?w|19Ne-, ' md[;o~p=ug"72?w Ud8?(n;`U4J DF3qQ@p2<>|eEJmhbix`v XZGB7e ;{2ʛ k\Vϣ~q1|ڂkǤM7yz!L̷ښDJ,+}|FXD(? Eӆm`zgv5t8s\?.jYtvpS"cՒ#+"mګVd@C>4r;Wqlu.b$Zh\ٙoOGG;]CYZ9a.Or+θD9ix6ݮ)SY0 LTPؠw?N|<jx2u)i7[pB~ % *ӴZpu}U9TW\\a[)υX VOtbQ/2q<U `B4Zᆁ-` <6Yh >.V9Uq(f CD,ߒ.@v 5~]{,P@7Δ <7jtii[ !EPܫ#HW R5ѝ hw; wj)[V>/=vFnoοS2 9z6{NHaUW׳l9|g%k%XiV3MfcjN306~D3K`yF( pQXm_H^%q$W!28m˧:h]qRF#.&n>CƝcF-%5!LZF_m57:|dG_:}"V1ɴ)o,pi2G¦ʩ{HQ~U7n!9njf0EYN2~t[Ut]P'A;&Zխ |-i>V YukvbnBS_nVdͯhѫ,3m '~8<%2m4SRLIYfu cKR p(>ʹV"<+zg.ds%i[R2䳉eu1:$yLaSx_KuVP)⧛mHldo!g챈;^w{GOYQMZc#3fH$rq1QNjh!;Dlg5jrlu}Aw_W/DUq]؀Ogi</qv>#xCxcL/[%F-ۮ3':f$E< oa;'ߩdS-ǮHFaQ6Htd&@C]rR9w lz-J;W޵'R<N'\쥞y%%kcP n4K E8{3XeJ7Sοl7pٛ8%"h(% K^A]&{3C6!pF1y)!ID3?rYn_k4=nxrP |JT##R/~vr*^A ,T/ݰW 3`y|d9^mf봿)An #uv᧷7'|{ݓc#FyoѬL :ր+40>!}~Z ag)xt?N{(? TYî ?p,%:S)ut }gb:@*n"".(G2QwTW}l/}A s^72G%յ,2yӘ 0+cI\-0lro `10FS߾ߜ-ϥOKc8jSTTN ?fYRtv,k$~UmcIps% WQ%UsSs{NnKԟ=*x+9%)Y`ck~!~}^2Koqit39gFJ-)Q{Njh#L*qZMog3X?uÆ,r`®!77vcY#^,I|D@%]!WdPWݹLob'Cee*RMA<+,S jOCZMv$ ]Pxc7g'bxQ4Ld<#?T=&.H2{-ݷL&VE=W!q6W f ##9>6 j53n6ʻ(ƇCjؒ^ oGN(WD;>T%K5^Y{I;HL*Ѝj5<_e?TӸ @zGbմhdD;n{:vP1Bi ěqi~}GH>]m7 ҿIyNq.ˤ~ŸNh-i3IQe;TZg )}QuD%^k]}ӁϿuyjF맩ªJo#@8_Sa}q Vݻ/XWjiXseq{qU7E]E0UVE5DÄ͢l0y!!j#E ?0Z6rw i,D[ WPڵL$5B'mx^s["8F)vkFcWDb*_-BkTN&%CmO|TsO"ZiffUykH 1 0 v,cDMͱlK%MV`A7t;oZ=̴+圼vQgK|G[++5;qx߹%<Ҍ&مo @nuINP(8}Gd0/D=.8 TEXf꒐5oig|ZХ(xFP„aRa(I&FV$W&,<Ɔzp,Ƕ5Ma.Y+Hi??K9z@ٖ{b&aӌ_`o‘HhrF Vاô7GnxZFO;[G0`NYWSJtknby0w~ s}]ՏZt岕 JzDvE戡@<~<}aXy`8Џ/}Wݫo"Bh邧ˬDݮm$Q{'G~+Iz;{Z7hXi nF0w[$cV~K 0bn=A& ėOA5S`k4y NN9Y"?%5+q:PʴT t;0lO N0(L@ ~] s$n 3]Ji\沛8OXr3r{}{acI9 ғ<ؕI#\)շ Eдs.V[;rQs0)ESeDR*{~Q>H XV؃c 4f!Atٰ ,S8H>puջϨdOF 8mz$ѡ+$P@9? %E2NXU`~%O `fC=WɾJ-1TΝq H эu4!19;<_jB IđGh|jVN@aDyP ڟ a a NCpP-Lgu$̗,Tv,I2+e05ezb  MҤGoѦL} 43/St1#q Pʪfc\vL/݌'h_rd+*v3otǫQ_ 3^iqֶA<*H/K(fDBl9p=ywшDzրfm+%5Hc Jq4 k -s6QwWG 8]w DӖ6ڨh.GIG4v(їHRD<\M%4z/r;sBaٷdap ^S2O j`cbxQZU jɏ%Ba..H-{`m]13p<+ϻfQ!Gd&VPv΂˔-E'8~'ًīM JJbʎ}tk U^xN;B|!:UQ/"x|Y, ~!Wvo9G1+E97v|h(_{MrĂ-[z Lqj&Ӗ!13ae|axQ\ ÿ=@JA~|ʥ=d:LDיKRBCT="Ą(o[]L|h\&]Gб=ܹ]s6Oc,RލnŮ$=(F*Ιhv86oY#~w⚓_"@"bT>k 4_,:rxO/whU2/\7 ۇ@jDՌ* m/{#x,EfЅ B"sQ#~ퟸ' O p15Λ3#rn٨yr[mT}YqHxMRw@ޭz[rݣ/[N\JZqs FQ^ 䋻Ќe#Eb "UJ' (V^;r,t/F'-=qϱ*y+ptH؏@گ_Q}hť9@0ڕ]sTb EcYJd SϦdR ?0 <;:FjL8|=2j| *H 2N!N}r,>_7z.?z5V2{AF' CrŤDuษI N.L-,{b^FNXU&t o=pw IZ]n]F<,K.-+FF[% +Q`ExzfahԱaB д =؝#E3'z H @m ߺ+-+wVI4P$]7`9ۖ\#B4_P {nlW1ftG4ptiV,ŕ3QaL`9Lм;Y n;tC6|hB H&Z{C:k־",f\K(bhˤ#߹Lʃ]1 o,3S++0">pS )yozoв5z&V c6u/~!_}jtg~0s)ɭ [t9ݍpNDl62*_ʉҜ0b3h *lM|̺aJ wбQCt7Isv"vḩ֔MoTY {՝p5Vu&yCAiR^Q-`>X%UJAH47[DRض%~w<}t1˾SԼh ?ݷjږa@.-Xq`Hox8xt\ ">>.eG{"2]/Y4iAǼj jFqIPTƑ6DV[zP.lC#n|٢'飧, 9KeC <Ml ?њ/&eN s y@pw}%7rWU ? Y ȀU9B0ϲ6;~=Lr,Cv\0iue4uuǭwJͣ>DE˟OB5weL&AjRYH)|~9s||Ӿr<: $wƗimXg!l';9R ]5*NEiݫ`UiD'؜R;yJƹ9Λ(B8s sKw61j+G/+v-دyץK8&ԇ}m kl\d$Q,P4<QQzcl^+_&UUL~ 7ůcԁخe<|`PJq=d g0< d%[<MMUUD&u~x3uj=#vm]܁Ѕz'yq]p͔#gE'нCBsPAdˮ@pB%'s7\obChZ(t6= -'#>CQ9F N,w 7ËK-rV7Hkmc*8eNϯ]WeykmXEqHa-'>S'^kgl G+tnX@4*=xWHƉ&Scol_VH4JbQ"СoW1CfE,&Syf-_{qukQU/,.Jr:`vY*nK>0G3\;.;0]w_3iII6%ώRJu ~ gD̶hF3uXe#Dn_g,_LRd7B@?Lj ^$hڅM!@6Ϫ$KOul&# ClB~@lߦ&Rx͙jP `Se<ɔUÌ%K|y6(5ڐ`ҍL$Ynchfnv#@[mP%ųGz9֩,U_Q4)|">h|j>jlgd7<ap|v.ڌ EtjѸ.) :T K&c#ʃJ@6Exm|7|/Mg7-jOzG%I wެTҖa%*SO^Hm$k_CZMp#=vs\ B0}6m>ﭵZ"!؟Y\]+Ql$(k,QІ4Œ /$wr=K#ʦTw!:H(_!2{m#!ѥoM_ -1R?3?gb5'G(UU#ؿf#~ ¹̀O3f 4$n"A=Ԛ)rpA8>Kz<SoH!sұִ!1x}!uiDPlk .eRQ6FFA# ( kJY z@ԌQZiYB.?uy`PiJs0fťIpc t+Z2mʴ`\Yf6;mQe{)eiN!D/sBp&YB #Xz'/0$:]:a RfBcեw${,z[yGh bz շyU, _9DG ȄJn?fN+Ϩg$_f8b.Fi3]HWj >q)32lJ DV 3Hs;־\c<)^X |ݰWO3>utmzBnGO'L|< 7X_vT8M*`+o 7P W3r.Ա(/}M WM Z:u$'K>j;S~Ц\do{,HM#>l' N"IMZUt˙z}'X:q 9U{aIC%T efDG(~bSz5PA>@Q๠^"M(J󌇳VKoD *\}Q/S&f[{BX^,aRnɼa{+i+ŁH1#e??<#b%F7 7~ pACi>[jfZ`aO2F^'`}H'2j@"50QhYH9Q~ -Q$γQYl{&ڝV7T3b׍*E|G3;὜iBױ*^vRj,ÝNH_L}çfޮH{>30L\0Źu-h\{NF?/ 5D{9--v岜d/={/%Q\VO iyʵ-w(ӥ[*P o.i}em.T"[ X/.hT-1#*Z=S8|X4csС 8Kځ '!-dD 4`j0piz wX6ˁ*L@nP>b mGLN0T t^\vp.Ņ cS?"u2[?0#L~:a2yg<ɹzi3]) "- USRT#tgZ0aۈ>7avds%jLvGy:עz^4ȓϝ]h ty5{^ؑ Z>Уsz֏LGŦb'$i[_!LmiMMD/ U>XscvW-Si(X#G-"+b?Ԫp ˗fSeX/[ ˳cbM:Q*zjÉDKB,| u6\*V'.L]HI" YacEHOi!Q~n &M`afĜF %=3؁!z7HvE toᰣIug]!אߢovZXJmfֺ7J ~n.׍`v2B]zh /71:sGa[I0hp-rX/i69б"H9$SoJU4X \e?FԄ}(/>̡vd0c`Owaۘ븬c}c KHtINV"yKt_PR>sk{VE`$֥.`l5/XQXb)`[,&Mh.`Z:o׮Q9ww&6nfXO4_ 4'۰zyv ⮚f )4;߈%ȻLs,`' 静4^.Ǟ Td<8:ևztJnfUެ=cw֬ | 5yoY kUeqpKOöKx GfϻcOH2cq(kNCV-a]͈?h✊A/tZLlދ]8t\OATîBr">xâ3^BZsnU5aaƈ?b(un K_A_AR={Kk:d2V))$_;:NHt^wx,H6R@6x/w D O X7FR杙D~cp۶#9 mLBz{F-8 'nB}-/U=<$,$0pV}r?8Z&5\V7,nW'<Py\zu(#Wʴia 8uX~FiT=k)^ԅ!ŦrUT#Xat!~U֩{;MM(sR-!!Xb*2R8yy0_@Z){VȨUz^gGvik5[pM}ڛ CAQRKBL{LSԎ1ԬkI՛,];o95j,P@P)pҘHd%=OOq߂F'ДTQ!%|̂ؽu;RDs + %; r#-qG;ɷ,&7Z+U:duB Sqw* xN"&$"ㆪ, ѻ8)@32i6qx΁遻#kX_@CLi->жIvLNniQw-ʹP>෮1Do-i}s:+"BJ~Y Y|&qEO:Mhtƿ-Rq eR@ѮiՏ> xd_*7սR8^LEzX'ƙmZˆ&@ x"fUC Z{T"e"1h]_m =;&;Y)v؀ys. ZD,"Jj~mG 翗sCrO!δ5GË'>u}(IKsWzM }ʩWk^D=+`r?:W"N9덮F+ PjwP1@;)C;\Zp-C;`jJ]U ͺ?g3,WeS*kp*D:B`p2#AJli31(O.W*Q[=#0Vډ4s-uN$J@v3A5UMи80fhQBiIJro8>@~WA50[*;Q| m0󝎕sQW?Wq巘GDqGbۭ$&P܄n$!8CcuazLiO& oB=JHcCۥ)g ݈aD -5{uU8OĿȝK;Z2m%,.Wy 2Up4,k1`ȠSugbii -P*95ccB/!A=5djްpuWV9>!pHDi (Ws 'B 6$RⲦ.E[+rN_K Qݍ:n.>Eęf]ݴew7ɯm ܷܠL6]UWf@2+;Gᶇ=0~E0uOPJuimGMgOe0dYOtrk--!/;j]|j)L^BQ 8X}!z ,Ԩiu wudK85CcnuϹ2LC=:HXHqtVt-;EO@*ZR517U_0s\_](Wj ¢ {k)Klʬ拋p=(+>@ I1y!sUH{ 襓НVCf0$cmXii]#`cK %|U$eTb K|RAxGVkuUJQ~,^#e1}Q|}}t+æގ!WdO9ΡJ}S\OgsWo@m0|D; Ԗw. Zt60Nsǟ.1lEEl %YJ6J + g؅t[189naʖ u9EfNL gp3}y+cLa !JM^m9JeBsUSdJtz2jH8 4RO&/lGc1”ۀe Il%$u&W]~Nh zl䣮(r35[zI/nM8a2]Añ4Q W;,4ZU]oo 1Ԡ#rjf~G @`5..E)*%(n & )x4BМ4aƹ~!3v'2lnh)cPLM*Ǎ1,y>KyE~6v&4eQ!䲻z:\&5e.StG]~q߭]",kp+<?G=hAOVSj&WtR+~~UbWS/3ZPݕ^1p,NUIeʆFP_n-1/Ԗ': 5Y Y%G`k<>P5Q"XcZ*XIuӢS}AAhgDt`?楽66ײM1Ϝe i5ẸE(6hCZ>Yű*WH;7T!)kh\ 6_ NY-b5C5 %5y I9w"@+;w DTM=b>Igd*'#o2ҫG'K!XBtqw27FCʬ Y \T펾 nRSC.Ýs* Ko矞B#0H^ #Z% 3vD%]B-4wW{9xt9τrJL*9n/ٗ46k;;RR mn`bƯ2;^XnH"9,vx ĿC&BÃ2|p^Y ^ Te PؙlOl"։}Q DKoZXH,X @cڏÉY4Sk qУppa b) D.⫢^j0,%Pxg5J^tb+?E:`"dWУtIe >WUp:վ`I|ULc9@U/S<=h 7ИEbfS S0nkL9ӎQ(lCҖ+\u&I-!:xNֳ֭Xo*nd_i{ӷWZ_q4SɀJO9< $N1)A{]@2wou2D=ffjo?x/7@Z{/;B´uY ťŶN|zvuޱщ=8m.KCp 5 c6g]ل1azř[IwE/> aiYҴ4鷪Q4~SY`Aꪤpֺ@QE{iֆ|Z֌Mimz@Dn[lB!n]?W+^G/~ |).8uyKeu;zRXhh ūx>iV(/+TRË7ζ-DZ-H,W`Aޔjcml jީab̍/3!enـ`3VSN_>)OC9UڻK3gHNNO#x/1jiNoT6lV%FMc,6, =J w|CgVQPUg܋=!Z/`lz@\9 z >Lϩ%wj;tL8CYKN/4 ] )Ҏ:7 p~__.Aڤ7"6{yu[29?NPcC P.ǡ6źQ԰1A@gޠ1Su5]`;Q+8uW(ѽ4kXStOE`+]NGhVGGSwVgJb =R>NyۺlT-;7O:6!RڊOD0G#d炰&ݵp A\!427NP}>1)2G85K k+=MA6唺 q?\ڝV&E12.B :$j;R &'hS63VXMF}fUsBڴ z*zwD+`wb~ A>.6ZvooNx[ȸwGy՚4+5t #~ėJF󾙛|(d(y#=,ӄN]fgzN>]%ײc<(+ZNQΆd:ZAc#0cy3d $z^$62q.@MO%h膒۹н;Ar,5~8L>ɘUx%j;<0,i21Ґ/qaӈ$/z-5*>9RS bH]y5wto'SY}#E:TXZ}Swz 43!7{rM9#&b3iLCS"KcŁmO ћЦU^ 78vTdCPᅆA |} BQ^~H(ZRv LML9aT7 ҧ/FwYi:˦`_ } t2*nkE?C JLrDI \oL`R-*|3/ӒX+Gxo+ź5 DpP{ebw;{_fAp2nUu7列G;rdw|l1<&ݠsRYm5GPBӢ8L%-QZ$PhoS )W̬FzKl gϫ8Ȅ_}-Ed&piD\}Sl]L QyFoflw>Ԋj (GDwDXI.t72"o/l;9H>?}`B(O bvXٍRbDK\v0b5 J@.@V8}+seFJV{ޛd/BD-Jpf4߹N'&ރe %F} R$9=Nlh$q{)itH[%R(S'l-oauʰxT}*_>ߍuAWo&iU}/8?͆6(4ʰ +^Ec}f/M\_.PG~2lz\s&٪3E\,"zۼg1+G%QvѹXP1^'f~ ]|d`#&yi/)F: 0 [u5%.hpxuㆺ]XFuI2ϝқ,&7{.mjh69җܒٛԺϚd$BQJ'3!$2<wg?mpGz[jۻ:ad@xPjV5ndu#N?PX\a{|,<}#o״ͪZuee#3-n&/ ռjurW,*"]*1 -΅J<fhf8^-[ri6PUI^kyR^Q Üp)"rӕ犕OꋤZit8R Cá$C 2l)û%]T2spl&'G#=Qϒދzgv ͠ȗՁ`c/F 򋰱)+T7:-%@\`h쉾jiD;E52%nsܫ=pپ 0kHofK6HeG%n,my`+u絿/:n7|̩eң--&7<2ڷޕ6L +[ 5e!!^i 2$CnjFQgKm)+8Qg (yk2!m==ݑ/njup/E.CFgZ3C[*ٳ2i'3Ze{ aΑɌzRi>cb-sQ㇕IU-o3N D\N|bVOP4w{5pBd(lJV쨱NHpp[4qK&, qlM|)+̆:?pUO~JbT4ѭ> -Iwtfi08JusJڔ ҹԪ/܌ y6|UbS 9#fP0LJg"0ᆰO#4; ߑ3b4v$_|smApX LoxC]vwjiRQR3/ןm|S@m£&WUp^Hʀ$ TǸL`v"< \+w:em ?3(JQqsUO,N9k?v*(q}7nw"+@kFۼ_kZAHFvgO_1k*w1AM)tz-Ż$BᓲQ3sЫР;fcOk;R$`QA5_Ay޶.YHczƗr. }LNa,j8>p %Q[S#} |-|*ԣjOKhqNnم2H.;)^ZB¼`rGi\r//-Q/k d /RтК PjukA 'D "U#Eqs@yg3}O՘5D9o+451&M s&, 갴.pf׸֊8=^d>1Çi [ŕKq%- 0N6D6}alIw-hSRj%r[vGV25\RC|VZO9,ιp6a=9(`.Kdϔ'e0r0oM-xtkC#؛XQsu%KCS8-\bMm73Heʮ9BL(|%\?̟x|2Hj 5G=V{*ƕ-i;Fr@_Y7s9vYy~MM~6c Um;۽7{zߠtRgbc)~%Hg-9&5x =1۬\^:OA']jHqlw-;Y/xʙOxG֚n.I6w@Vuft^WWKC,DΟfY{}ttFLt֕hQPC5 kMo8͡S>9׬-EP&McvϷcz@u;XL=$7L\3JۣUl͕/yK,''z&Gz î;xn~:&sFS0%4cڴ596( /Sޤd-.P=;|3bno9["OeE#eLoTcH4$lWFN=Zz;mKL6TybfK̞-5/̯7/j#Xh5(8*CExUJID;7p̆ķM." MFS|7P?$1k*.J_Cjbp HU& "3g}S"a)Zp( YH 왓hXyqbz6a#Z&sgJu^AR` S}4Gh~7e]J7*_ c"#ˆ>Ub5NNWs4Gz!VvkN [Z d|+F-&ĄIęӳ{~yҭ1ITdB V @nҾ̄=:N},:k4kg1-=JX^|PަzPF#e~܍Te'b`}`ID Oث!؜*Jm:I9 fr o#43ƀ;L0VAfr\:yޓkt8$|P23@u< eu4y[#!GѦM #cKxBFG~0ʉLe)A؇Q;KsAzPlOt`A7d(Z by,ff|vbeQ" My0i2Z6Ek&H`h]#8WêZ'TF?|$Z]l "%Li2*$2L#z(/Nh/} Zv[0曀Vz;rxs4?/!,: 8Qa 橥'H("a v h5φڰFCA8 _)zoF_W)2zҷxBw "LA|5ٴ{E"ǮCF۹􂜹S?c99{Z/ΫS`͙$^L]m wK'ApM |Mz>]vC*Bق"Z7!0ߴJpa!=6wK-LqhV_ʴTI Գ/Hr+׵FjHDs,~f@JC =Y熱4 \zK 3\,@z^F@8HeM o );YuSSoO|!`r`mA38Q`9\<M [w#o]6y,xqQ/zHA,-_ՙ[7$d[ّT ZJ'1ȷO֟octO/zbI:|5d7dr8?yqnke;Qd(/}R865i!&}y Rn(Xs<~ڻ5}H n"V,|LDMWHv*S3.ut;xI:'cqм^gVHu6duh|ϋ|a2S+͙Rwt݊O׍ur%F9۠$>ݸ>&"NN۫iwPRY*?å/lYVw<[6h,]"MmHވ,qXR&ζ[9mX{D_`xx4L!OE'yۤ ko#߄Ǜq #|d?h+}qvG۹*)|2UHkq6yJ0KkT1B婀MGT $hIP^9X3,+'̦/`8fė26[7@W`oKUn~avׄAdK6Q^^z'Ghz!KzWstT]0{%vf4xdO']U4/߹Ԍ!B\uD8txmIhٖ~K8 p%3'3Z{PW [;ړhH#Q`Ka-JYw/a(f|*-4cl-Na.V/ koW|Mh\n09 oHSuƓG4dBQ<*gIY AKGT< S8^VS(d"*="Y~W5 $!+D=3^pQͩ̀ f=9#z@m3g-Kݲ+E!SzDgwn|^JZo=N#B y p 2b_ΌJIsi>;2p'u Et|yܕuN +Ҽ=qɜLrio£5#VSf{:6ycL >/5eU#؞DD5 𾺩ײy|xÁa7n*>SO[¿o%vk1ĀGiSwVU=*iS eK.ߜ!ds׹Z^8pu.vg%y'J7tn1Os,k+n/!2mw{HDܹz6l:A,WX 獻w.c44؉V$Fϊp_0E07#CLV!0J<&nj=,[j[L!W)N3H^g>&5"0<ȭ4DEL<;$8\a n0Px ;(l`;) Y·X|^17NB,O"W,v9lXKvSMĐpXMNգ^ݛ_Ӣ+Dy͌L lrr{@Z3=<`WoO6L~8zH5>@!Dt9w[WXu'qɮ8 !_a{yL ${nlm#UAa-RRjC77B5l!Xvo*+! 4t<ྼɖ%Hsʹxii&)Z)b>aɐO6H[W F2tJfϛ$!-p"Gk^뵮𼆝z3]5QO<2z>ۤV c2meS_LInۭTpպ>(|f-H>>@eYOηKf'DGOgSt@rg= ߫Z ƬtM"mf\0$t~* *S?ހb+((r̤U]#V*u ^vzLȣ{_)sqx1'O O/NpĈ΢Cٳ5=&XHKu5]f=n'ʗ>tOx>n}w_;svdPJ'-=)@nε-+t";XܙB0q_.pU[!qWuAE|%qJd[%$,":?fim5cJ9|ywJ/f ,^1+AgGmѦsA&1º̸ P{ͤO31# joCR]k.J:Xi Twcck11ɬqfL &2\㸟?ֻgEE3Mb-2>(*RSn:k0-4`଎$ ?;8Ehқ\3I/ vU]EVnoKijfzJaV )96nx<4QԝscR ^(d<nmQ|aSΒBMYԙ -"b '1NnI(ϛ#=-4G,s(UрAp0a-/] :gb%`brlL|Zވ!ۅwBM FOulq $A]A$9Pan?H6ԍꆱ.šqgUkH%!25 i!Acn*OxCM7spy37:UʛHg tGjUu.BY[rFP*vq&" Hw`wM~=C:"#xc~>vٖr$^`Ҫb..Э1'-s쿀;yeUH\ 3˞62&5H.G|;x-ܣ?cpENw=zLrw,E  ѻ2yDP!!)LIw1u3?~%mD~b ٹeЭF=w脧ig ^̈́eC8-zBcM-D]VVu E7?Xpo<&w1]y!_GDdJM7|^P''`hnkq9qz'=A/Z;萔eVɅڦacV" %Wqd%¹۵BXފ6w$8D+(JG@PgAK޽>:n(;8ǰ7;r2e:Y&GΝ87 O&{SpJ7NR[WK^q.Z9iE4IV=LZiPBDYaY^LhV9ŨAkG4tǽYgKGlK!4ec;7D)̿ipWt{Nn@bTlJ,4F0ܫ92-ϺfY!] ";=rmZ#L݂ͥak #"AU27O'-v3X놆p{t~e s\y #,= ȹhLw %Fn4֤վW{"ypJw2hi /(ܲkLF@(o;< cDFd|g.JGY<Re6TlRQ}7i<8nL_@WK7$.~`U/|[㷋%W%X"SVH|YA2{{Dnp3U0j3IY DKkt"L1HB~-+p_W9W*#8rC*Odl5_Yf>aC 72+>> s7M?elURgwf݂dөբ>gR_uK5RyJ3˥msCѷ\EYK.;*(eA}YY;g \`r3 [>3ct^s.X\ #4,3*pZT](ypܵ. | /G+ecvZ,#],_=|eDSC&D.3זvKlHxJaTjRbf:x㼭g<ˈ~oYU!{c\Tt0%BSANr3 G7M rpMEr`,c^>%-2|jtu QP 4$UE?"0SUPcNKjp$j_NҌ$}m W1c"*RI-$Dc8;&8__a [o`%[q|QPp'S*N Y 헝OО /GdzSG նW,[6RvF݅m!LYiN1ԟekt>\gz B_kw_[ͯH>+Ek*Z:RG 9# \2}wfޓu'}1ދⰅ( )tdX_VU)2Km!NwvRV"Ҳ ۖ-dL}6Wы'/bAڙ|p}G>LwJQmK 45N!})XDM.ª[{|yr0ȻÔ_F13,%.dl:# $Jxi̎cpL6֪qg?E!ScQ?{T=~73 ծṳ&}3@}yRJ:n#! r`B`ZybeiVE9MEfb`"jc H]칫/FX2Od!40v#ټt_"p ̺8u~D> ^g.Q4-mq[44g_/¢<^)b51Wp8Nw)*9I\@̰6$j'Ov#nx^ځ7\M557S{ۺȬ7lh$9./-8\SKS Qvzצt#j#r^ٟwWBx7&ࡤ˫Yeaম,eJ?ẀMi&FHИQdG p*R^|Q,H9#D"<6x$}!# /U`MRy8v7Y4$ p< :Q1읩BsЂoVuWwIԒM:sKaϼi.JHd:d{؏05.\pXk:nof όm}@jEFIƜp$\{ш*ʦ1 -9UڑtWv٬zݾ=JaG,4P:o~ti2s2R[Iq~blH_,2e`m禸G$B c)aOcМ򖧤'U ]>=Q,y.mD2&ShclrRږ'sBSڰ~jh>ͅ~qF"ec/gMJyq,-*RaYy]Y+^ #K7NaQ!gYgjr^Rƃy=" twȚc&Cd%yÙzt"mӘ7́+1 cHlNA{fh(ҷe- nnFRwpv'~(&Xv٦PVErt~ijn㜧Fe@FNlHi  d9g_@@3 U~M8@*Ÿ996$a X3l!T|]H]aԐG^Xr4i .$M>A7M?nGR=&- .Te;F dGa'"w#57 Fy \c"RU0tz,PɁ$?y7\E7pgђ5.Owfe*,U3l|<, rJ^e({]a}Ig nO8 Dbig='R)sb'VXMD¤Oihfufba@:$[{cpBͻFgi-]k~odk:͡rWv:DQYa#] %2knwd"gQGns׀1A* '-ʧq>Kg,i]-/ G}SWְܻЙp  (  /=t[hm14S*/)1HrTؔ)'$wta`j p6uZmaO$=DBAZLO{xj1FSm٢5uG]`SD2q8d`;~S23[2CF)_qq #ga8hrg19'PL[{K7j"AV"Pv 3qU%H6 KITԵ&; eʆvz<":N}9pw+T2 _d?/i )-[ɿ1x޳].vÍ,jqR7xL^a6#m ?IV qVuET/J:'*@rup`9x{,| 4R,Qi6t`Vܿͮ6ॆBo 5aզG}d#RFܚٝEЂohLc[Q?3yuMxK)}rLQ\.2h۵tܹkCEez:!)|k8i‹!CPj(b|Xj^-ok9O-g?i塁?/.፥^sv:Sƶu0VnƊS^y6ok]G wj lee=0Ed6=Rn`Vh$Am+Q,ZH6EГ єsɧICde N7/ O|C]\`/yq cF=^29\WxFlpבsח=Q-)y[xg5ɑ{o6@?X WKsvmF0l!Z @MrÒt\N4T,UNlˣ%H߂S( iN[\9#HD]Eef]fX 6#CZ3v/cۘC:h;w}Hlkj\34H_!Q SnJhpUw#:R:g="e$r^7̡`-,-[):پ8pkC3"ڤ :(vϏl4)<뾃xx^k3搚@~W:d⹓Hmd7Qly_/\-t[idЄE<[͜j+{M,z)mv)DH7} Sm43HD~')`š)OA'Ta "GтMSaPI)JmL|ɽ1k4ZlheD{wtbQ SЀJo#z_p`t` AL4Ge~>:sC$ kͱLUQ3Y\eX3 -2;_}nbVʼ0R[ uf}?x^ T IOisx H}[wd`8_?1- 7,#yh2k9LTHvա&rU畼b)xR-S^RYSk, QG!=\\U4*wVzR"g+y?|JuEϋJk Di_ja`,ZͰ櫹"]OeB(IixZ:6Tj7!\D% WȜD \ʊ{ 6)'vtD9(SYg̈́\aW)i{<dGG3π/~Fpѱ "azu8M^ahZW0=x\,pJE=P;TBN'jGL7.HE[^%xb(߮~S0 dg|6Q`#<+7EA.ξ&//|f;фJ&g+%Jb}֫Qe>ep$C@r td*K=L"F*Vs&2q8UY%iSXe+1oqMƝiL\3 bq`G[ Co/0eO幢4`"Fμ>ϽC.?Lw0@C>y (WӜVz<7Cdi tTM6G }j4A 4sʕVKs0r؃d)qqG E@\$hK’=)Y!R!/zwgBx@o|-V%+@GnN`XRcr?sQ̏ 8N]U82_h5oaJ >eQBLBBϾ#JO*$/ I 8IaaU?W@[>Do=M=e9$}+Q|zM=@V: hV48 T@6ׂzUr6LU 0.K_T FJ =[&@00>D-Ι9!|*$7:zgIu9MJ{egT\T^zJI̢e.8S5Me`#(P6MU=٦rv+Y|c~҅Jmc̔vioKt34| %)tf]G,߹bJ i+nibc{3TiGB0ܒ Jo%-A1'b[w67&qC-nb.s\\XpF (Ms nT*!uYS-afwBVErO:NWboTzS4޳G#A'g /zek2+2cgK+ZeFRlO.j{#sX}탨{e9Hj60QWȏ3rw:M6̭(t-b~<Z49ؾa3&g/j7Z6聟MmYW.[f"<@-ܨ0>ίj*jd'> ~7"<[?CC"w= 6紬ԙG䗽lұ:3'=XY཯ر'/ՁƢ#Wj|裭VsT)alC073ε1~'q~m`'mIZ d ߣx|˼xo5?{GvJW`\fɝ }UUBX Ho2dXXg1"ĉRξ;Axx%*g}a ‚˽p~7]12BoΓVB _2A ~/|lu2T#6W$?yљ]Lэzgoz7>{1hrs"5t]Rx%4H&sȍBnD6  k vPn0Y'V&@]<*Un~t ㋍E8QžRLxҬB`6) â,L< 퉺8g$2J>)!>O ?HND64EL~ws}7l[[lXK 1qN4M,$,յ(]xYaËY}N1}c^(Kt1$97ͲomQ6( :Ҵhitbg7~Wxxopb \ȏs:Ksq E *O8t"8V m(MX5ȅ!6ٍjw5Ȍ ވXcT-o3VtEW{(`&yQۦͦ`fGA0IK%9V3Sš lQE~zYB0d]]K~ K)5Mn$py~8!$}(`jeb s)%=3,Z Ţ!X UC~盫ap@V:>W $)nKPy-` Xe%Qϝrya %|)nm7tP Ƣ'I18zEӅC.q8Hts}i 7ABщI|Z'1-sXC_uKuC,an7}w̐KI)Glta%CDDNd{{姺*L l #aJUiUz ʷuա^KD*s ȭRhQAljuSI߉Y.2`YŞC/d_~*")<[~oYq$Obex@xhnyc)5v7y|!AyV9P.H,$l .'u3 m={d2$9]UE?OY]E٫Tp"x]&8cTU'91;ƓNQs=}Ԁ>̋Zq46Rnؒ]!Ĵ"7Ŝ  ]s/ڮx%ro(G̍6G( qJΨ.=3\8c]G3kw /W MbH0luq'KȞ畳OPkQ8X!le:yqѮJX[&kj k ۊ7Madz60hIBՀd#-iOj1 kφZ%B&|g=O wxiYOG7 D(_.i_^OJI"eR>S{H59w#w}sNxb=v9P܂ӷpU$Cc#n gxࠑiΙ:(6P(5$WXVͩ#?w~QMXHoFi.i"0 13y[ ^(_ա+c[Aϖ eG9hR~$v2!%ℹp;x}^՞]'vqZ/;C(2Ni 4g8) i񬞟H ie?mlDH06{D#+'qZx=h n[qTl"u's.:e޸ =5O?糶I8M`-:z,j 5xn\NJܰs -@)m4d !_8!Jڳ/D^&CHt(Ba QDaN;}>Aʘ W=mDIƩ/4;"# NmVe>Fk !ۊP'{z~nGmw[Cu|:+{J`P@qt{3-O|]Ϸ@\uA(2va䯨[2sb]\(Uy^k^Qv6"xV$EOqIv'Hpz-D7a[ӂEѵ Mal(h=zLϱ׺d1?x4c{YK,*NLՉFBڣ Ɯ<dJxXs0ۻft D*ŔX"2_I_:wsh #}wz w]3v.x/A=gw_DPU^f| L}vY&ͯX?]Ui.K(gF4yh[S^75{6 BG#;_ڌG℃IYۤtոВ_ WT)RvsVΜr?Ε*Lp{ۢDݣ &tK{&CgIbԈiXXVwuqӣWʉ;.:̗Ko1Zis3 6K4 )j_0ʫsQBsZ!8!{q%m:;\r](^7QbgnDJ[iAυ:O*j.5lbe.z KG@H[mv 04B$7(pDͶGQi22#(;Bp^qns"9mnlVI?r.izdש٦#3dC |R̆Af:Yr٣Av#4` aGݱLb-uzy9q|W*6eS{m aRHjGVdt~FduhgYo$TCûMWh\u옟G! ^DοLZY&V$-2$)[&PEnV; Η9Yx uk}zH),\uikǠE>gI-icqȓ G ШJi-全/_Q'x8"e[\ 2guCnaR'h ˹Kt6+0*X,1 RI&o(p)9ZL/Nq8rge lMK姿U3u>}SrZV0#O #`2C-fbԇ9yʲ LB[*6I-+3(UW09!lRSd״.  ;T䗛-زCmqmUY7O [,}F]F|hi^#E-RoDž(LѾ/I[ H@at`v!nu& q \YӳHB RYx]%<'M+s?PEK{i'`;G%v[C>1@P=u2^/`Te˱w}+:ٚx}OC`}|ŌiRPrm5ucuPc\T+.-CN8`κUsCtz ҕ<72$̼B8PU#ӷ!='4õ4$ =;Naf&!F {)/Nfr4L'ޑ5tW 5Qq3_z>[E,)K9H`0t~ޚ?>24w6($H@ '·ρl64DQ@ߗ}9:@`>Qt|,Uμe72 B`E\l dܭEd[k^hG$<e#*8unW\B`Yȴ(nI'c*&9֚;schӖc=)O[Ļϔ+P:GI޸bWWȟAŇbž;٠yQJbiG)ٵ oCs(_id+'qaE/|9wҚ(i |%ch&R6~v>"`aCqlQllbL+O +'Bh3c<뗎yEFN֔8Pd^*_k}A/j@QOI&ya,O3Gf3 6A),TnB~>tn%Q*ą]@nKFԎ~z8 -yVgMR( p V- x+!E 5F99UVtfa*Eg ,hqCCch%H|.M/qw7e]A濃w9A%?+fnF.GxUh_²@f 0%$SmnXGS3M0.;R9&%;f`㎡6! *S+,x_~L/cU ,6&98ab0l@pW+{t2%k}kbk +VA),FW2ˌ*x%jBiXq>Ìcg^5FnHt@m`5]QI1j[f:ćPUl6$iwjB⫃q:vXltZ6d&(NC8벝%䊯@T j|zƖ9k|13/iH_v8kV&蕃ў#]ӫA+1_ݠ,Q%|)ri/$3: 7]`W l_Ƨ _*c~yףѷ69Jwp)W;EΟI̴+!GgvJ Uڼ9kf NUz=TtSqx0#T2)Ɗ!QdomެDZipY# 9"/A'E.ٕȝ^.){la}ޯQ!Sp}TtQ 6xF:Ea v9@Rv/tRQWՙN;W%rdΕ&{1Zr26N}<4(lZs [N ׌ѬD!hEL^)#.b" Z젆AݾeVƚAr&bAVsi[U8ڑL9 QR=>spxuFL?J"9<ޕ*'5B3"DjB`6&m>шw* !zwPLROiUyJѣ3[}OLm?PQ(tbÙtm懁MƬ:|5cK^y<" 04~UcWe\n*ԎD /iyzL <\f 3]t vX-!:,t윇 (h,ݓl~諼4B\5C$i cΫU ݅klj}E燂;7.~Y#PKeƀO͕K^R` s||k+Mچ8. da51:K҇DR4zQQ4Ă 6L0'FKXٚ=G>-4}_ BYãB tO%GJ |#dΩLU1D&~ԖcGAb5!b%Z)i^g| -z` c+k7c--߹)NcñB )Ȋ\C!TU=L 98"GEJ0Xʶ6ɡă=于дS /Sqm\$,*= У)":84c')T ֏ ɜܐ/3>;Ž2+jWҪ$w|jǃWJ@- 7K]kNY h@Idi!5xf3z]]iu-4.$nmAnWj$[#};p(69W‚K=^a[LToH,C!=8 _)y=I u["\dS"VރG n+4Ɏ,^ vؓ 8-W"!9 /GtD ib V2jNf/4_V>1J}VEVIfPRSɣE%lu{Y[h vZ*Ѽu]/Au->&?=hε]\Gwbk bdIf>)Ev]Co a28s%FEquE8T~gXYUyL7 V EMIZ&1V!EJεYL{$ S45wDEYF" dwla¼sWMɹdBo_ppw֓`.F(Y/6_T@Z2WNi0g_ÈĮ8-_5y٣c xMo:$M@1M#h~qݘ9Sӿn[f?5–!aj$hj ucWﱻipYn >\ %\mCOTa@yAC?ؒvMi<gs$4|Ռ+;*' aydhF" {`,4P:;j~4 PMô A19#Hrq=s}]wnC@P|x[ҎcU4՟.gYܩlьge~m}qGY 0^$a"#u댈yܙC#E)it[ _7c nUk:H`<LǽۦxGKC |3 m2܈&'Qa *p0y~5]glRIǰ1 jH ΋k`B*\wÿ;Т"|xr28_Br$1hr%\BN/)%xwCP 3g]ҥDTo7\.˜V;׳o@=nHLČO! )+:ԆK]ֈ^ƍ*\D8:gvc wORe{=HR.̨h.0[,b I7';sȿeKl 5E . ݘV z ]@htu" aٹxIAp]mH7dzuαu<滖h)~c<2p.ߡ)$ c&*ĥo-yx͖l'21fz\)kv_-b_mupw>&yZѕ Ĵ%;p5jW]#ջrw1edea8+>VQɐijVprjen4{u~WawɝVJY8镀Z]&XcL+ܞ\2% *o' JrXvO?ͷ|/sT,;3;~"NzuJ7?cqH{`Ru8@#vޤ(g,W>7`tID:ŋpep&_ h;wڭpOd'e7SxWǰ,ܕw?R֣I$WdՀ1Br# [UX&m_$Tmf3NdӒjz0Qٹ\_l" ?WEDZ'wոg59|i⨝g0t=9&nU4IZoؠEy0|ؠ+ދs# 7j'_j[RJ{ËV"\)-/t)n5C\9!Aؘ1\#qsB4. B(j vH2kc-фU:jt,<|z=8Ytjiwlv/@f#XZIKz~Sg$Ш%ӄ)f7g[KBHjEDwړK=Z2drunl*8|%ȯg-]%"J!DoN\\f/1K"=zNTV^ #B1K܀&Cbt;|aoҖl/bLhgf7anoKo#;+b]P6 J.&0}[Wa%}_|J`Lj͍߂ pc1 +J}6:V#_XVrNˍl,vʻ8<zJK!QNQEȂrL uc\O(NpqGr>w<^X`0۪N85i= 81uE47> ~c u $~ؽ0}zj9q2pYKXd%m&n?5`uܶ%!1o仐O"(Bf|r/)NfXVgI"|m3y M(:~oGzu6_'ߠ\k軍`%hk ?;g#-E>UH}By[pG(V90n5e]e ߃7dN()ÿ UBf2Sv-;L}N`(?vnMiH.a2¼7b6_Uϒa_3Yi^\r_/ʅ5s>j6`gڽB/ h,R2Qĥk +tdz͈}ýLU j2o"S2}q6(>X>˃6dKk0p8rpƗ*T"s .oR?Xd (&6y;GUMWf!\j]:NpUX$L!IgjF[Yʻ k+#4rDY7FcR=F1\R>uƯ8r X$8ŲJd^JAHV_n9/X"fO'ˁpV&!\7[9b?=kw52Jh<#He(Qo8x5e6/W$r*O<{P㬒 dLA0"w)uE0 a!^^׶ska6_ѧ(31qD+:KOp,CL+ |1kOHb^l:B ES,EAe)7!}49%T7DJ;hT 0o8_t?TuI3 b!<:o#Q|.ә}?tvzԅ˄:/Hơ5hWP|>Q7d>dB*T٦_`te7kThS!HOtK yh=q/|>:) ДX&n$2q"z Yю4؜d#.Nu<ez>(gq{x|/' @W9ސ`G~C1 ?s8S&ʷtc7M;ɒvCUkR)e:$P^q4Ϻ݋^ڢ`2E@(*Lٹ-<&埃U-B2w }²X}cb=wFAiׂ .Pwۈ,q*[pH3[s/İ2$G].$S"Z(GQQIleF /ȾY0jezɄҜȕ;xCo4*!'{ %-26[``c~ 5)mׂqC,~ V_+f,VJkz)JYFhAw&jUԮfHy4\ .=S{xgHMKTN@y1DAqhYf/_o,Su7Y\o+RNǯH[c_ w_c8a:5e [n.~%A~Xh Q#ϰ4<9ߧdYcԳ&cx}D!1:IRa&I3~~u ֆ{2 j S25בd-] LլL 5HLzH66,ھ[m/Ѱ霨pQQ[6tXy04d@j5h9[8>ʤuݴY h9HW\|.תь4T#%f81ۖcwMrHCMuSYyԌ*>ݬ'qG=D VV@H]YJ *HDY VUsZ`4`HwKA" 'H|HD'"R.BYk8Zфf%KQo$ *&i]kWp#*Hʛ3ܴM0O`B꣉x42nr7 _#$Zd]v{?, (ɓ6oH˨:<|'卻`Q. 'r,Cc ["z~$)t;]gd=:ηt[dQ;gz񵆷9yxe-xmLj-/:rD@cҠPʾIk8VJ 5E-XOҴ.1b=mydL ; i/2XPdC)aWL?')!KStHR~T:=9V=S80.F!9޿UiozKnmMO 񕪣c:>{;m X)=CSp*GMy' QQDlS >pWK.L!̳k#m.mn FyX4zv"#Z'N3󯵧/8}GFk& O>ZJt$6_?w+MnHhjߠxHޓ l:KVA;lpĎt4{*ELk `So{M?q7Hqh!oϦ=_Ghyc$qRdQ'BhSu^bGQzL]hg0]fhk 7JO1 Q;6HK:-X? xMY\FlgŇhUO$kvD E<Ć h IL*CIĂ~qriejSAKչ} qpKΊZ!BqkSd"1vɇ;Yƶw&=+#l%/@ BFHcMFh?97ޕ~Rb!DH)= r ¸<(i،Ȳ{h[Pa?-6rѕ(Ƒ1W'BRQn¾-%w ^︤?4}tn NV 3S96Odi%YNy2Ԕg 4Z8bBame4kǪKP>57 Cah4A0KCbc} IEJl)Q ԂEBRoE+6op5@Sp<ݚ.Ե;wM|ԓ\ha~9$t''h59X n?@q\=͉ WvS:MU歶lS"Ӹ*Wu./{3Ru]oVB(pFdksU ㍿;j?F*Ʈ@!6%tLU %r?%.O=U Qرlt nSy6t{|?,- ؋у_56LrjEq;lB/ϖb? 826l8M o!AZ[I4Zȩ(qԃKd ,0~ZA#ǿgƧy>8jCt sWXK)Ғ!ކvPyXvdicAAr$Me[Kj|[U1õVPJ[@sx[T(,p l B+۔O*ƨ;B Yp9MQ/ռbD'N}JT&gPoP'`rz<BBITi4H Cy)'F?BԀ!E>KX7s8arWӲ* T-ܨY<SdRZּ;,udeFa#`"aS1@7S`L592u/18')`7"^J\:rﮚs&l7"7X7W4J+NS>P nF?𰳊h6DN CyN5x 3)8o u1Y|[zTsFQJ[1M&*cMstcMO+W}Lvpom.Z_˱ ڿ_hffkFf8.2myFzȺ'ɲ^\r|m뒷_b׏6,6hY\w4 qmNR4>Xsrh2kBwUX˔nxs RB#4ߛz;' 8<.w1rn+ܝCWbב.(wO 3 F}`F>rmh_5R" m48wH)fN@= P)H,_e: }"7W};2 B ⪮Bl8Iğܑ4lmno dxY ŝ/f2B $$r*t8=%@*K7NXQ|FdcG|\EuJ>IS%tx0{op~x&EpxkS2!Œ5wU-JVni@[O"D*-FWF#NS%[h`O2FG(X!ځ*P/8li)9<,2!*]<+Atq V.NŝUٙdЍ6.!3T>KVU˂阩E}R5~V]mQHB:vAxk#KckVٶ1:pkF3W)(M"XW /{K;)ТKˑ˪AF?I=@5pqb`ϴF\EN};Pb&9mo&wfqV= [0h@aI۷XrO/.^/xCoc3X>u[R]G:OBxCvܰDЩ #/XZ1ۥ@fL\~VzD˖M=sEP3:!0.%7a!a'2l<gwX́PT˒SR|ԑoі0kCw'{*突&qh͜zB*С+_.+9SHq0Zu9x'}ٍWoG ) 5O'>qǦ9w>2}G(gZkݲnrvfg;v!",njnB.Py>o(e'2`ujhkJ$| )W@o<ܩ2c5B2bQwxV"l;@:B4 鴌HϹ̓%U4ZвɟҒ G'Z8Ds0K9e#v2V͏ou~dT֕-$:]qDNtԉsv) 8~fDU'!5p1L9+ %YՇó]nkT-̂w9ޡAx;0NXh[3("M{93PAqsNч+nNj`)pV)d̤v5 3YN<00dE7+{b+6E'iuY2!E Y_(ӧ*bl8=!9hQ1d0JIվ¨`RӨm,)Qs sy&Q ]u.`$'s4Y1g1a2$O\OA9@C_+O~0CKYqJd/x rmӄ_`<_llZU,G,25RgT_Yv˖2 iݠ)_s _[\K~|y3eX2Ҽ%˾7[4==1jH~nvBau_ʛcnU,4V/? ]=/#xcN9s6Qvyd u6-j޷/{Wс.e\ʳOY2CTfcc$STXn&c`˿kfJxlp$Q1`(аR4tH12jB9P}SSU: YjAW*yLP!'r<3t¬UI%tmO!]yCVkd'=Y]s2`}[n V*:f:EkSS$?jNaڌiE<.(< PNkCbM^F_͖wC'<9 κc8pOdH tCGpupKlz}uP= !OU#a i|oG}&;ఓʆ1 倓v;,,W,5*)/6t 9lw`u-KvoSwɾdy$aZ Wo펏b(_C@BDŽ?g*~r1|/ \( F- ֖fH4|ZO[K`F1v̻8DRn0D ѓ+[{B*0i©ȅ~cFؒtԐ-9?ufX MHB*M2ϩģID`_PD0*!ɸ) vPS𖞒 g|dujz<ԄO FY)aP`Nַ|%]ޕ\5}E*#q.x9;?Y~¶ǜmg["qX ŋZüxC1oߚܬV7k/i*A?peb |Ӄ޿^TG%;ܡ\FbWV@9PNXu<#4oxQlڋvXR bWfM'X@3IigPfT K^S h7B ~JT0sڷHDItRXI#@눇;-yS*͋kw$`C!Z K{Z@B,?LGH$F@~#3bz J*q]7YLԜaVUxg).`Ϧ3fEpM/PZ돜HΜw1y)puB?:IҐ=J &~<{me'ۿEF)τEm!F3mYfߟY~AU5!61: Ve1[@hC_4/^`Kޕ=t AKz/iDTAX+jk;5,M0mĬKFtlp  ~ہH hS-,+Lٽg;VcFeæs1Cij ¶Q~، Ȳ}GPջvbvC'5Ljf6L+绾PoUHcV6[A6U^`hFzr U~EVYAY"s@{0b* 4%z#:(|{vN^tFƍ*+GbmpRK<(@-h*eVfp:]Hz+q9h^ Qb5f=[,Xr/*O>_Tڞ |3ͽΗAjZl6[z.ٻS>}VՙcgTeY5fP^×]\(:5]w)DU:l 8DOzW9MwwOq>c&+%5sӞJ[GAC+7܁E4tj-_%,cv+3X ue}fآ#_;+޸-` +m*w~,op~^Ӣ؄X 2{?ԵRMU &Ga.g1qchX|;oMu{!]w]'HQbz|37֙W9C(H?hQ)2;?'KfgP8ju2K$? !j_B?5Q hs<}*Sn Q6/8Y)7 8d\z")pi߁ϕtzc|2GM I4h,Ky[;t!MsP;ݿ۸~c S N~!՜ic~;ICʱY ';kc@jL4G G神n.o ;gr<ƹSL[_83dD4B3.?NcۨV]xY֟\2lBg^<ȹ*jS̥*)To+ats [81gK>"V]hbUP5MEX<|Q"B~nRB5W_QS=6$׭9y)fzOEcF4u.% ͖7fWOYAs#8C9:Li\U@׽;?/]ONΠ?o;N;x?TΔtȦ>W}|nB`76):ԧPL pMZH9sWv$9.GKP^oF#]X[KڛoQGJDN ^Uf L4ۡMSunG hH(d'ܸc.O&xYXjXx̖E_77 + N.9(F0aGE̼;dj;  5KbM$Aٜ!ΚPޡ8[D7#qؿA$ )*B̜;kt *e` |U$_V)3Uݦ'v64)V'(= +߆UMIXc9 0DQ 6z}|_AzDx; sBX剬2 L{`i6nE{BΆ?w78BJWIZ>;-2_X]0/t3Ágw=;WqtɃCU֐A}z˒iU AX!28fRj:0`>Au@.I&D {gl 9 <4p:Zͤ`w$Gdvb "7Q= EMt):2""OV$~ nc/1!G׿,c%`a]j A1A-}Vn ,M \h\o26eً4}/gK 3N,*7jC>m3Dm}أ apOt8EN9h-d'sK$f5ڛ tyOӵ"),Ko"'^bݗF">dqkiP_S#s  %wS4+@k^ЍCM @i*TX{NvYsglk4adH[]|1ZqBa/O_R8܊ 0|& Ìz27/UO!!xe F1g>4M/5(5.PйQG$(W~ǂJ;M9eMq+n ׾xaBMLKmR1rM0tWp8E0@LJ[ #Upa;%_!#y" j6Po( Z*~c}&oVR#ANN^!Uh աڹHWq|꡾6+\vZhNZ`K̳lD:Rv ȸKт>\]ykv *ăÁ|cJpٮ\k/B"RQN 2¿8 HTP:+;KE>_ I\x+h$ ѽc8ޥ#v`P%oD /0+F{8QܢԸg Z:id#^{p~ǾGC=*3!zIے0(R+.J5Okk|Bu<Rv6Ճ;!|UpbQ[̕6V4ǢKv i%O"f5MFݘL+}bL2lY!.VU#*+dӇDkXr/ӕͯ0xl*Y ;rКÚ.c&]>p$~v?wfۡmV(c7+! !Tqb(X~W=Pb=%s%[ᦅ)` QINCX\zꆮ 3Hg:WFƛd N/`[jTglM)]/~PEVirTI.ۭfO_w`lm9j.pSf*IJZz'<63)QsہtЃ;E׉k`X" $V/ nA#GcXm5zgQOh͸]1?cPqbNE?c}>s`Ay9@lᙩ!狟[4A_\@E;ː-/J-lN%RZ/S#\UzF"_2(^Vu~5 i%lN?uI:۠K5&fpFhD8eЕթ x͍66Q5H`6E.6mCKeO|9עM 2k٣~^ц7{!jNdlog)pHk2tD-R2U$]`3-J?Ms$.]\HhC6# >0zx=}+9s-:9V2}fgydh ~P`ꪓiBOtS[ ,$k?rδ1.Wݳ]Fj5w13 UqYVۏ\E(%PUpu2hnVMZqoT 3549/{lMU?̬;GtG-AazXkfc+,%f(KZ I#CI ;ɮR_6ͦၮۼ<2/I FJQǕ#Q }B ?"Vnκ=ӄ7ȵB*bh:h ct l;l$ANx43_鳒TiVReRU7el#:BOx%l:ӓekCjq~Ta? )/P"(8Y #vȧX+ H Q}`8Ӌ[K2- iYc)Uw5q>5"u-~ɴz`wEo4 l'|좭]`pް8F}£iIK>sZ(Df^$(lyY*DBr%w{j}?װ$ XyhNrȨ8? tfP|d,R _{ڲҙ@huZ(XD$6 s?_h1"V^L}*Zi<@-w8s8 jK@Y{YJ+`l8ų+p%#.[DV@Ejy;zY?r %VCL foʽh/ E=>Il%]Kϼ9fhԔI3NzҟFL˒p$jlIF2 \|E.HB".HJJE fz\rltOa3#4r,gO',<Ǹ[Cis2LJ_5H|NC r_ jK ٛU^tʞW?eoX (zl+/xXTls3t;7]Ӌ B3BoCC>R+7YD"ªWNv2ČHҸ5OIyck!' NA=%҇D(?09ud? !u# N:rc:󏔪C}@~':hvZ$$gǛނ}`/8:$w4fF};e,'%uX5z!~4v ku/ToJM\=C(|/6Yyԗ5g?l5Cb&;$)gȰR΀&}:l:`^%fg e.4CC TGTE>Z`$8cy+g)w׺Kt99-eyaW+sJk! Q!lEnJ^;[zKeTo$8—jW9-C,ܡJ- W!1Ɗ5dU㠮B FO C)&&\tnwXd%\.RD(6s -vSyRhXUpSߠqH41CTZ2ĒYڇl|x -/㬍ˁtK7i%?#-H R*(K뿰2…$ Sl68B*Mǵis%c=h^YZ]`Ή,o9e@LsUI ֊8P2T2 A"eeXmr:?R<} O eo.W؅XG9V(L&6LyeITb'\@^~ 0gL/8rrnt+OjOb^1,B-PhN?8@4-JY6-d'KC4%֣2!XFHa3[U%9ͽh[FLfomb|݂`3vzNn4B,g7U/+X$0n(| VIo֣#}biH0h6 $ɂ gQx"d Yz?I ౤PC7HDO-|DX+T#)_ N.t70%['B)N;?>|mĖFDߡbh 9AOc w(:y֛P?)1P[I Dsg1iF˝/Yyhg9oD("N_=r7 hs~CT8l_gfTF΋˳*8UH2sHD̶-koaߗ?޴l6;PGm[vXE Yv62k#Oj\ϳFH v\D:W >\YqA5RޝIۘ5?iT0$D>fgB XErܭ%2-*i`;J 8"}}k'qdgz*C) Dߣ,<]oH!j4s=)5@`Qq I)N.y:vUŞM*ǟ\N!fǂ<6,&O\v@KZ? WeQz _s0G:0\+(莲\`S`:(ZfMGIEUˤ9LQ)/6n6t:}O( @5]A1?lJqt &{H&&:uǯG%^bFX[DNxXh7m'_bqg͜Nrbŷj(KgBvVWmӐUwtK 9PCX:FlnCqX^ȶr'tq~E fƇ&ј@@lҍ.9h)GKH/+7i |O2{lnKX,{3O3{6R1Ld_bńP: CKH?dɲ #ꓨ_JN$geOm-P$bWHz#Vş΄ D%7_HCso=.ZQ 3gzR6dW `h]m& tLjK6ٶh|PpxaΘ{`MxCƀyG[j߅ZiEm3-ٮT΁`Rn3zNj,nyv#BB@ap ݦ*;ٳJ94x9x4^\u~fW̵;;PNKƎ0e٬\vcTKW2ewc 㐐?~!d6fe9R<0lݷF$볼-] *a#@D)ȪWU0_B2,2ULkU,h2,lH;ӌ.?iHԯ#nWǘ#Ml/qˉt?4-jAriBaW~=in/g d7Pט 8Irġe܀`cn&0hn6yx{a&YyLiU߻>} ?D}7F,n}3-\ [@K!/ӛldžWya.tE)]j,h.%tTxSh5y D0^m.[ރ01o9sӱ#:qi#KlG8F9ԯzN&EmVXO@B[ ȵ+ǗRs(@prf{4?Db=v?,S/7Kʞ"(DM%? eRz`H{@ 2Xjr#9 Ixf`=.&A s}g~Dc 99¿n'hԵQ_t 3/o X!p_A)itdr4/Z9qkpêA3 ^a)_V*MUL8=Eڦ!h580&('{"xny=CJ_ LR~6+H<_'O[ΞXDٸ ,C[Ц x>N1׎ȁpY1P QnБrqjbyW2D"BV2>@N!]= N^szȓ\;\|a`5G(d{4\*\lV4{=.(=1t{]3RH"[#.Qk3VZ3Cnwe;w >FOomnwQ:KT27fؘ3i60D䤼qG&="4![өhP"I䎻t @Ҳ߿ZXT)PB Y6b ux_,!m_|gFZ6JZ X4kŭߟ2v3j815}`bfA蠮Y$ʸ0)q%5(miWkETS% J :@9&:F)H#s 6Rh(Q-j`g7TN +@e2cr#C‰J!?R'w&őT *- ^5'?\j48cؘq/'k:%w5󯛉1eJv!uV1y0@ /$fyТ9Nk4c| Rc%hI kל"iϥ'A  E +7V C $M`25V?.+%݁qX6hAFg') Q+N!A9 fKnat=XNW;3ʽp/qOH׆ѻ~gZ3m||\rgUZV&H ";4cBiDiU,ڗ8&xB]f*X*$ݣ:,̋$o:8 $!_-tѷh4J1+UgL7>֨̓}͡#B:KP_bb)r@hq)]ɥ4U:?2@ii0@8\X<Bk؞1/!TKvSP gϯMA8_v`&8d7Q)iἘۺP:؈gp!@ms_h9 /9zRem$kwJݍ COOvW]+:\6nb J EHfzeݖV%ju$!"pkkQٿ=8]V?M(U(p&ުmM7(yɔ_p#gw΋/los6|Q 3yne|`+D@gb0+Tn'1+JWȂ)qfCj끲2]dH^qO[I‚q nJz&/4w0]2j <QsNZHC?SZNθud=X˟h@'\Hڝz;[+r9$;vm {Uh.xM//o<fŔ;t+"iG{40b~^ff,>TFavvRQ>Hҭ,*Dlҵzd#ЋsKQօH-M_ _")qHzkD/zAM,'9$:Ҳwׄ?4Om^C+1ZhHTqWxiY84swv!k30#Ci'> ]f~J «UnXbY#رcC7;U_D4}}DV!Eܵc ]_/&fag%%}} 3:rlqyB $VA41alZ->@P|<%\-ow  Jiw?tμe,j\DzsY|Oŕ.? Fxz4V\jj3~)<ԁ ^1>`ԕdJ+3ĘECwW]B|wׇyH!?[a1a@A?JSȪshx=hOb?36l[ß0E/62^ɆQq5E8>hGe]@o堫WQbyh#C;>ӵ׽5griqQǒɳky:$_&" o0c ʰ;r>wEq]@ |ed_G( 9!sqMQ-L wi7Nj@~J'Nl:Frǘ4oZP}xEf;D3N (E fJlO8$a-u󥗝'z&?m;n5 JL{)HBu_9jUED#\ާstk9Q E7|i.J3Gc1td)aIxE%.EQM0_JYeWB%(,3zyI41 }&OZ:..%#ZBĘQix'i+Vnf}2"9/LܡkvWK4C,#_IP&rDpHL#O.)!<% v ٙo8Yr]]DaM!Zo$ @co8{OM[M&|HL1t'Gau SD]Ve!Ngt0֎d}fS.ykp z%G>bՍ"lсPEt{t`**Ֆv{ VP|/$Jr8!Y!nQd1 A>8EsQ +;`z$()~j SxX*A]&(N*|)ƮK={ J矆pxtr2 ~Sl02[&6>R3Fi,?Ml^ >^QJpI<"lCךYM;ܜ {9\6c֊cYD+T~}:# m/,;=@+~cFF2X(EZ(oo1J׳&~4Sg \P` ~o^gTRLE 1FJmQA1 Cl'wжn=GP0m3ܰבR>k=6ϛpYr\yn67V%bK =Ц ,P@5'~#{uc䲹jxq %:`r8N;ay !y%c۪fr)UX7%kQN<#!n>!U8vE!;/p8HyWw&.VvAՈU 3qx|Hp-Xj7c4SA"Pگ zF(ndE`9bFd-lLOvzZ lo2 4᳹<Y>'2$z'=2kTEvV9a۠'/ӭC\ ? `_{~^6BGspE ,/8l}P}kEZzX~"bK/y:h.B⌈.Q}쿚j뉅f xůE5cI9cj˦U>G&$/q=!"P:L5YrH'AHIgěă0>RXFd! ]NM_r؉jU :F />4­8yEk;@¹q>a0@̔ZjUMR͚ʽ?B1$B6b\@Kag'Vy ]7O"@v IM"R̢}әVD5= W4 0+\*4NdO/pj;+}Tvy 'b18K]Lbs8i e ]1>5H{kyWWR|TBsm ˻&_yo?zF75.nQآ=/~u2-x -;!2O˝`+Q3]'2Dk9u36F r';Y>.5{\#a*h6/l` ,"[:=z&mHXʰ7N'^BR`SIfaT+S$EBJIw\2E:H_Ѡ!(S_"mē~#O|0OZr"KþpΎxQ̔*tݜ bdH<)XTo(or7_MO@"JЋFju#ooc?R0oX8}0m{6LFdӹF]-pC-}W򮞂u]4R7!o)Ǡc2ߖ Nj#m ʍdG-5'%_C12pd2''@sNBQoEQYʦY9c˥ `u*ր"ZmJgv/ϗ?,s ]FE%z* pѺ|23R\I2sd%,e&hwgc*Bڗ{-z`%J:2}RC Lgf@gyLM9+Go #bZ4"8XcᯠaxT%~QFg T q_4E_F?H:"Ta(9Jf|E S0_"H:--rAcy 'E2<Oϐ^ӡ:pE<䚦3$,.H۬bu$vG۟m{h[C!.&@ 8L΍Kz4ѽέXs4hJM_Zze~Qf7ɗ> X4&7Gk2m_^I=^eV<cs#݀7om'C 9Fd@߈Y$i.8ҿQȎ˰(,U,ZXf$&qް?vmgnw9 L.f4h,RO+k\AOuDC撛iPt D ^-0_avKiOcf/?ôqinx8_96`׃Xj yNJXa`< Q0[9t 0 bO/ )xv:]i꼰Zq/ɖ.wx,/%=q\%|VQEN<}gޚV^\7CR|{Ʉ+TF7V_S92hC[Y,syS1ַu=|opzYlxj0tp˹IW:F&4dEی+refUbKrV쩒4%tn9zC:l^̼ɯsToeuO+ThW3I||8A|!;t9/J& I60;?t|Gf; Qc@fWyꁐA"YTn x!>Z.I??*45XRlgj60U|PuKj̎n'bbqϿqoDŽC ,=%kN-P )(-k+,GG Oύs"ϴeU|xRB64[ p\pb/Mt&|R1uVc{͇ԮhկL0`s*-/ C)#W0 82`F>KNw"'?w TU1E&^sq5 vEu HTw'Eԥ!n:\LpK;»JBfbRՀ K95T(@緭LHq-*vyypoPtf}92(T_|j{,zJaI#eMl~m彀v[ֻ)X lk)C:Uzf6vb'UʖIq--r+ +H#Mx/"Ko^]R0ɖw?Ś(u"z~3TFIk$̶¨dtRYH9aa@j(dgc= ^vݹѼf>c`m|ޛudE*s*/J/AdLes`yZ?D'h&g/\GD׷3N p8-M3H&/5h} M67;;<:^uJ%_<($oX~3phj*۰us賭d:lsK8 몶߉8o3K?[Mq¸ɇf5`Z B.]h3EGܚETZ5}z pvQ-Ņ݈Nwҭv_XdeC@+V|"|MQf~Ke3%79A}'o=,& q<ۿb-'D'f-m>\ש ǷDE.a2_}pCDs$}1g*ETӲ>D_+ F_kT~0QF}V&mVyŹ>Tr_l+lP+H&ER9pko3F@#OV1+ M>A˄H4Ax2{oKn+} wu2!6 g'Աn AVHuڏy}QoY:#ϯ%x&o YF4V[{& S}׺:ChIl'wn„OxSy#r)3<Ȍ. }{ -rx ؄uVY+8?@K纊!23C2,/ZTMM$;eX)!E%qCzL@m^DFbǸr#v_r 㐑pgY1]ʋ>ZprPs0S9X:U ٛu??abզ"2gZC;ΎnH&?fR$;i:IӖl2bEمx=ͪ,WB)?cDZS'F](eV ':b fBbm޹]ϕ2g!PTg׊aMٝ;GOTnyL7h\\B\FL1"X7^KRɩ>t4ӏ㼗SSaQLs&ݱߎ#'^blLΝe)[K57TĻ|ŒT2 O3ͫ'%:Wg`(1+hv9%_j^'63X$Pnټ"{߽?/im^9 !~>C%\]U$3CXJb{FOU|0rrb·YZЂ\#H[JRcWҭS#N9j}sX<)־ *_p_K?bTIzr;˕n+ RX61S7:.~PxC,mQ8"D(캕#ܞ5:b8ݸuHxX >phWY)`Sn\cV!0\tU܃Gn\Rų`)R`:K,5ؐeOru,1肂Æ$w pjqFF֖ )$ҋxcUoXS{]Jm %@Khrs6Ӹ0$PRϸ^EOhӁَm6IxOso哝Vǜ ˗HL"ȶ^(nLLodG|baƍZA4'86O\L&8NUގ VổM01f׌y4BFx P H6Dfl|rtMg:|[g ֠ yasd [s9">0掺^2hR!i2YL߽u:X\__OF2Naw; vQǛ=ŎF+XZV{PC uE^n46T9`vhi)~RU|I2W'w0qGHZƵ:wwiݶPLi@ J s8噝#&.J"xPZIME C*LYm~% 7%Mv靓,Q3 h1V+ꌠN<{U` dEo(di<"! CmO%ugxIԠC)Fw>@, 4} < w+p+0%l|Pi*0㦺lz1)1hْi#}r5 B `ϏDC6W|5@YBp%/G=V.UVܩj(G(+϶Y*메1Qj[Neg).&.CM71CF-a2Y7fBީDmy0)lpb X[fh]pX4CC34zʄ] Θ)Zۏ4WK(>juʵ%E> e<f+T p*K~2wK~tgQVK1p:3|j^%*)k<#~G[-u5u7I/yՅ]Ѣt,6Y`zGh4K2 J4➫X +_"eI`ڮyg|^h3( mڊceqTE]Y卌fTў^( IaCz8ʑӇmNU][_ #a&ooa%A-DySSU3Z]fi=Z2R+) BGN,qjrOK|us W¡&cM_^1¹Lߖay7E{wO_Ib {N%shpb߷Il6&pG<&yuEq HTq]sM%?gFu) /9;+IRLX\(gBG.+ Y#_R# }c?uLh Y+ pUB\FptG B 41O;yLp.ޯĕgKz(`YmhQ$_ܧ^w38޻x+ضr灘 뛐&UM۠ݹkuo ^n8#W6:K/QHp@EdL!'4^$߄Gۥ͞*)h# q2Пh'{ji*p\Rs!%>]oχ1ipm5nLvKZQmRCO(玠v,dEHbFL췳ā;1X|K'OuQT04'5aHE;D! ;ӔI)b#څXCo\t"0F<31\0zaJ61.m#~t=T >gX5 `@:u `Hh3ǥg[:41!?m&y~2s?Ah%AqzJw͉5+F2[.XN0\quyP M_8lZo2C69$O~4%7mvŌA (b \#xZ)yH$z`;&Z#Fc1VqBTorDtU5fn? 0"q2׳LGA  @^ oV]?=5gYm"DO)laG9I/H(NU._|k |>Q,ٺ#%N=::)yh}YG|B~TH}oԦ ʥI^3xM9cStSx$.b8vN"&P0u/qu:c}'9|8nОC vhn$:܋Ga"UjBQHW#J}T(F)P: <`}.KIeX%67e>g􁞙~p(dB twHؾVED@*%h"jO-;i~0.AѠM΃3U2OA7|%z7٫FM4`' ۍ 7;~0o\f:DS!r%9΃8sFn:hc rݓ,˻ʴbGM'Iq +U۴X o$`>]LwߎG <B KN.(oH-Qk*Ӫ.X<ժ `/zrvtaĖ{:5R-Ü5IU:M" Iy34"3%z8< DL,H!EҤY|SWkU$m6_dp3H,hc({&Hq..ɥvNW N{e{\dᶑW!5u@?A$ A4c k8"]y<' H}RWEJSD#0Sqkv5yN#&ݳ(8Q<^,ߣӉbI*0h0Us sv{kԬ~oܙJ=D:ظ+ybhuKlRX欑?¿[vC>d^v>A c ݩb܅pD1$29I0͢eZ'xSvuTZG~*bv%`uad\ϊIr<.jOӠ &x >AiC0XuZ᫋0 lRi4ɚT珯?lc57$zA1ӽ2%{]!"i,xv${&6bjP|UPgcI[ SSIƴ'oE!3݃Ͽ^eb{iuIإT]Ȅf%'~Kj]ac36I윸c%Δ6=@y{p1QZFY i0,׾l_O Lɽ=ٸe%lt֫<.\1a!ybo%-άOϴ/ԟ@NhTW|ӡK(SZ te)\[jd*(oV^j IgIeWP+wAM9鋘FG_'` V uE+n.^]uAheK9RG YIzg#Fԣ_m؇u]WagX*[5e 8CԶ(3b+iATk`wpot 55A *٣-sgeb}D}fKE#^6l[;wha]nYXxRR=5ģSVԐ.o!j'pGUREGs}cRv`K0!*J_DŦQnEPR3Q;$~B P=tߥTcY2JA2x>엔_>wis#'9*AY 籑\]"+iaS9̑cn$s .ybypFr&rB߫68f_h< LD532pb zͅDf:EƧb?"l7 m(3/q},p0^'Jk6=6Nm,*~-R{sX¹>G?a#B'A~FRλr ڔSZuwWT3RK"fqm/xS.0=n8 !%:hs|CZsM.  BU.ig[*ʆ_Ƀ4k!~I iA 7M8ki'M{ZHP!&yя%B1di{qR9ᆇ:9NFQ> ,ng ۶, ++;8F|40""!$Uqq1xb fQ91XM70uD ɰrDE?{[;z҄cu8!tV6 ^}xebyfVɶbݓD!&%6Cӭa/z'ZS-|D>-|3_G諛[!TQKsaD0ٶ_q`zg<C=\ )Mr9bDEnQ >?+H*VesؿYW.] ) -tx'-XEq}9* "nJs], p*sqΪ0yPy0.b'\{ *9O.֜د zjz4Z' p!=ANj|'JF&9ãȡeY.0l}=ljd|wGW3JnПz8P}txḳֵIWU{w."ϾFl?^=~sO )cZ1v5(<(B^(mZjϔ0~%D(=jnAul9e.?5gOZcVoOAD=1IH+%N^^$Ns[{_K#T Y ?CPh*ooȖk,ZFσ(R1OXʆq^Iwvcid+ A&P3eo𛍛Rq} vfn믂j0ÜS~c ޚTIؗ(503o GK%h`w$ [(|RۚQ\͍,xHp[][73,-J/l$v=X  _ |%rh u)Y*VeA)qtXRwêAK=+2yT@Na97[n=$$>jڇ'k;s_f !ޕ>\o懪)~éAuWIKDžCuCec;j*^vcXmW\iU(l7b#;C|?-эH5my㻅r<938`a 0 LƂ^= HyPz:|S:'4wOmȇfEãEĄ8ےq)^9@V>(,8JfcR}chTYb,)}u@LH9զ8XznދэMD$r!SuqHR! ,9v*I \Q`J~T QJv?d[o-zs}K6$>8 &5布]RTjmG(zӁ!`%%q]{#Qz_=dzJ@"wƲznf2ATac]ATo1>3wQWӶ w}Nؕc1в3O@&.m`+>{xyǺ[/䟇+^G!1.@`k:D5qbO 3i{+a޵hio|D%Wڜܓ}mA}Yrcg ʥLNXhy.-) L J6(ܡJ@A3k@vJG^Q7*aCp^AȜ$/AoB@gm[SŸ6a͚::71T^yk`)=Eh,a$sְY~I FWyОS݀G?6Ž⃲=)o1a&J?|ٷIchGxkqީs5|,ǰ1Rl\jA̦if/!O)ɔ2K]rWP3m3s`[̈vӕ{|̇GZ8;v.EfQw_?uҸ`p0/pb0-) /xL77vr6.27P*/d7_?{[CM (Ehك\+R[q2 WccM i>+E_9V.}si?lυF&@:Ѭ3B@$;'0%lM6zv^CK7$ET6@3u_1FjZͣiC{uS )u()JU*tBLdz;0shᣯAo,tA P @;wԞ)ӰY(O4YܑcƟc7ͫ ˑ݊i Y P6I};7jXn͇oiVKb'Z4߆/[JR Ƅ -ACł^w a$fRt&u qUӨAo6hWDL0<ΣXbPE-9+-_„ ulѩS$*R^Vڒ;7YĈ+ Kب4v:o0Jf`K**ߪb+s3  ͍J^a>…ł~^SXAV[0cpq0-g$!rhPBiv.$9K;E+)VUVj-S8o@P]=FkݒOα e&[YiT+plZ,x:u-l}I\&uQ*pJ\wW#}זgh Fn p1 44z+)fm,;JBhuO#qԡ&X.Q&rTo-grEm!(% ;)i) S"m_اa:jCe]JYIZ's[%wLOZt ԾC6Bex̣&G+Xny[,܍4oRO_BZ?gRI.q>©li*TB|AK?S =oWMObypG츬Kw>bڡ 9l^w/^!+.< ^@;"q =шm{[E}y^ȹI[twm+VQjd"NTv@:@\+o`#JTcpdn7Q|?$11kG@t<,)Dz) vg0y"63m (ì27~Q<6%nb0,9oӆhYѮG>.>enQ-;*+|4BR8)QnLriA& ] ؄yՒCǁEsZr喯N+1dCi@R7ۖcf5jtL }G }R>y:3BnϻRM*YuD6?kjٴn"R#h?8%qmB_j=iҦ_6r4?8ʣOQfCo">V#:BR9oobb=9c2@hsbFי76> ,?d<_06U2IhUsMwW~D? bw]$HvﮋsΥCsTR]U,~ фPsq =T|Ǣ}8|*Qm۷5"3ܸx]DZAneRLƲ1q1TbZJ{WAiދt[x_5D-/Joh'>DPϟD buy"@`,`9Mkct{|-5z)o8s+s"9M m{Oqʈbי -l$- ڦ*kiVlUK*"3fjw~96gAn/ <:冉<i%ݔszW> xպkޝ=ݠmjFL#+ꯥQN=s.CR2FJOGN5m(BBKXD.j&ϧ /VQ}!;Ht )ON9;BͿk{z6[g(eϦo1'@k3>U|_\dNŧZd[Aa\:\Yu`i~`  -[1rΞ߰<ZsTe7':nӭ![ܺ5{3\a޿:pCi1c2bо\-HK9e$:C%Loꥋ"+(6@ղBFY[<_߸/gb‘ZssT'i۔wA- NtmZpF>@vk˥,Fa+ |I{!Gc9:83J I=T⎺GO9o<}J`R56v2;7V_8$wj s%b5 TN~}:DU1]QR2\>@O"y6zi Y1`Z21q81b빗*a iB1>Iݜ;#bݻ~F.bm m)N׍D!(~xt==~h0_߼G%{2}9Q$&^a[o./MINgH(2Aaz x, c#pά0I^\\bxRC2E*jQnCxW~"˞I%'$`DN\!EMz!W .";H-f݊avzv\fPԠ|5(ݭsŹ/y%/ $k3R%^BKQqy9OvYs=8YpO:?[1Mv_TKRҩ AnG>\%O\SQK$ԉ`&n-3G[,t!ugw?+Ys ^.֔K}ﻜYL=;?OO+0.]Ͱb?"k/aFkFSJs3aĦ-J-iYi;˵>/Z&59,e^\B(ub QQuez,$yf<{6ڦs-)zW ǻHgP>G'RJxM QdcTYv=~]j QHؖ#e%4 [8DM:ت?'GfOC43=DՏ'zLf}D^(M.Dp'^#/jЬ$/Ɋ 9kh8 N۾=<^ĐT4 %}+EZY h6+TIjWK06Kl߉ cvjre*5r C)z;'léɳt~5dnz2AQ"8hmT r gʛH qXº15o߈x{ERLܯ2yƦ&C"xBՁD{_B]ҹeH~yӪ,-Q6Pֺ9-eQ4QQ%!7sT(zd `j5ȡ,n jo=pq z.ٱJ"Q ZYTR?,぀ՈxYI iRr ,~e<!Ʈ伣V=Cj|=&h,y|Ds#ʦPQxIb}ueyVb{]A BW}_[b%fi?>~tK`"QJ񨔕$k( a֝WQ& d|K+9vPlf-THxC Z*Ѡjbģݽ UG9rX aŜ@W[ₛ-^Ղ#^_a(C 08OBKHEHzňWn;p=DvH5ި SV((R]Σ#\ryuU6=K}Y3ZhU ݥ7au&0FrtYjp'fDŽԽ-%H(uRi}Dn4eIl `a3NMsUSLcn)jvIM[r$,v}k"B `H,D@$yKȩXޝD:8mn b%8ٗUq.c.>ft@+tMUp#Ga~ x%ԑu<9@Bd$?P͔C"2Kz!JvF UI7cw+Zo}LOgG(?SY4Z$vQsۛ o+EN, 1GJ*M$@9 U^<./ds5$?>l;b_Sɮh3"L&+# v3rҒW?6D"ZτWGW@VӇ!Q./cً>hoC{fםňiw=LNR]RWWfN?m*+NKfz7!ƐϪ,PؾFۚP(_TTNәKT#|CMEJCS΃~9'J/ ˫ZxR^px>x-R#8}c{W ڷ]M ⋬Ni9}%F$N;W S2uNP<}[ t |;X{J\M{i~j< +X\c#%7'}X7_*JSbxkOښF{-&K+C26Uze<]߅=~Y1-YΠcLe]`[o}Ul(o8U֊?D(q[̝^=N歾i} vf4!wUj_ryl[=etpB 8f^e)Y^Z?DM'Is4x϶>N95j;ף{*x}Y?3c] ,h#*5PF2ag8nsP&ZKM .\J!J#8嚥y'^#|.=`ld(ݢBϖ 7 ztoau 2Cbj$?`,дז!JpΈވN Fպ|&/4nKdϢJ:2#MaD8y~IxЛIҎf3R՞(H'(%^ dyU9tjSTdcgd,d14םO-tKp*/]хȼM9Wtj X۷$^dys6{6{,X P 'yS16c7XZp S \$n@Ax-YAP)sHr&z 덊oOszcha* Dhy T6I:'Bte_-Y y3c}- @ *ltk%5_ }סNU1 q+߽XZ>' l4gw%ڕyΊr AZ|9Yϳ^*qdL+vB&n!`b2AlXdaN@rcH4 F|DXқ}E+ȫG \`)ut&7Py9<%U7<[ hE1VhXT@Q_+|U&ʔ%@ B|Ntqݤ<^| CyQtU"ed(y4Sv3ϭzDiw\z$M}+3Cza1;8Q[+ r ,2.8W<2@>PH xL%d2HT0Ӊ G5q4[)۩PKn\2K})P,ȐOQ,>lSon.hY1 _E e+%gr)4h֢,[8d)ɑ5K($-&@6GtL(i(%9JF̼f}QRpNcKBFʁCt׽R8dq= = C$r@tSfs{{Ƚg3K66#OGme#VIב:iꍸ8ɧUG!s)Ar΄{|S85E<;W>S vVw, vc="' P#=x<<ւF|"t<.LM X>yKA~ L}^YW' K[ZK=<4L)#LY/H[!L ffLWdWq#H \IK]]įZbj& p+ +XE4 ^̭Wcqhh!H1HdQbwb" O,gG0XE.[笼0*"ђ67zoe.Uަwt %"ua4 Dt?(m Hyބ&Z{P{Jg - l(gkes91-́ m^įNLG ^d6M#q(xSs[:\z=q3BIhFkMht{<.#dr X__D]_?MbJq;|$a\c]c`׭)';2]+{idHU"@Z,c;XE/XL˃A%Zi?ל[\&R85DȅaO@HcY-µ3nag-Q+9{2 YqM^1ܽ*8P_F̥`jWCaǡQbDMQ^rg/DOFc?c"YEug?-baᒼxtNP(2cF$p3\~Ӥ[z ~Yq&X"2L>@5%$˳?gs:uw2l҆H}7D"-GCVڤHdˇS hfg8[iBKr棰*^bs&+"OYz=# Z戓ҏvLx$0$Ɋsyv3C)5@[_,5i(ϋ77'tb@\[8~IOڗ}G\<)$~B>J:s\Yh=s?^p8Z&X]Sm48w)]u7qD;h1}p 7:-NC: 7/}WXSzGZ9/vOJ\#pCqAa3C@Bo\wQ1d4QL [?LFb@x7 Ь vΨX_1A0nn-E <ͳ.P@@r=5~^1_Isr:4&@39+ewc͌_qŞ]:}vHIVqbߋ}˅m,ې`{ΘC᰻{kG<  ^;es{JHC!zδGF  ^ѓ_vSB~VlZ"zGDAqE+Ϗ,|Ո/]RM`b#̀H@جkBGjH(?5Ejw1 tk.S>^< d[~ȫĸ*g>xgqǁu;H)h5GA} 9Vx4W2LQ|C:ʆƢ wsm g}:-.4ꑐ%IޢWk{"W(pֲQٰ#n*Y͌^ _vT\^A=\ J,j[ * ,Mhى&493n>~ژLook6sk#^)BPN ʮ ew܊ی q3`;s&"]@Z h \ᢪJԣUEVȇ9OGo0t@ +(If%!'03Ӯw7+lRԉn|r$IK5bY1aVP5 c, jH#8Z7жN E z i塟Po: Ug;?ۍTeI7W*-I@dے ,W~z~,ICXo'=c/{`rn7mUD&*`.;Ağ.u.HB1xerIEnBw[x1R9=20ҍ[b 7i*St:~޽ 8V(o(Gf˯z6,R̾boʖtAk*F~UX^щdb[)#oC9&P6Xz(C`dEM6mxs[8a~䨜1-[td`oks){ w2 ]mVSm|I3](goD= -<@VڭnHRemگDm/*Uƒ1 a۝FWsS{'f&% Y" '.;m àdm1zK6G-MF#^%^A #\(Gb Ca@m3OЏr""iZ grR*$k@:(xG/GhONZhv<$0%hP#RzyFl`{[8cˢ!Fh4}bocF':O2U[_W'R4$vBFiU /, StBCJM;qM-GR #C>Ď^ʧv qIv{@p͉MFk9=J9Mz\{DRc? t.ޖwڍi,~5(KF\2CR kBOل#{/D7Q>%WT=\jT^\kC<վ y訛_% (6rC\6u&GuE]#DTr9'䘇N"u(ߧSF‹_;Xf^rŹ+敛]< S9ŒU ekiXY\E'ϥ,~\'C'\6<5H Ӟpva¸t77!6Q.97V$F `(~ˡ'B_m_f &P0{xpz0}Z3I~N'it#n5oG 5 !& 2 hC.MFХ C CoҊXIM{ta_ݚR_KnW7m_ez!L&iCYnw8'29p >%{π l]ȧw` ~mż8B9)ධE\cb6J7?-8Y8PrAPes' WItEF!v::KƔj3#k2E z݌ʀDZtCOЇ f^OiT@/^- 5_(Ks:TM@i jt['cF^Ğ{ګY!6|A;lj߳3A>ؤX)]G3I#IL (߷A#YЎ7=Qnئ^voHFOJUC3p4fzȤ[f? ה/ih\HWoR  Io!{Ϻq2,A294y *^~1&*^@tAY$&YEkb1&|cĤ3*޶*8?9sTb)YZhi1j0 ^<̢N<"fu}kC% xdd1dȋ2v/|f'J|F2p6pz绀(XW0mfZ3, Za5TճuE.CRD؛@@_Bߥg %Uk KJUԕC>v4㌰R![Seyr%J1As6uÈoOSvj1I5ˢ%Pe؀'LuA ^mtl З/ϱ YIMuOΜU[ДQ[-g>ڌz2vt޼D[\8ƹ-ʩm,q0䣴Ӝql=T' ?l ĥB)F!=Њx_nVY)Uօ ^x.PԷ e_<~Ad s@iy/BRJS\Ev7Q*~1F4d d`}d 랲%>}{}V>DkQ%Q!@0PGY@bQQ DeRCQJ]GHv:܂/`j\Im <: }j :(ct[6nvf=*zI8?^mC  % |F|=1kƩ7Ϊ&1>Ze!`aKlNd,ۊ+}[N,/CAN=P Jzm_%n-^j"s鿉)uY[뙯ul,U[Ƕ%y+HO"~,\tnA̓>@`r#Ҹ#{-Rm1X;y9!@.$)t5qyxƔl*2\5(GSn#ш=\ b͌"hnڬӝ&~f|ޞw7ru̕`̭K{]ee{;W!/6P#ɺ֭s9l^ _3̂pƹ>歺L;4ڨc`Dzf!2|Y"\ⱏ6%NU.Љ`JŚvVZ5C8׼^%K?\6JڜYC+IjJW)d30(j>v87׃T($R .[ރ' { jftК!mqnX3&%Ћ'TgQ"{0z RPpKqzcqO|݇%UiAXWPZVnh I7c.8(θD 4#ə)s뾯i7iNhsEgtQ ^#(ỉ4jĕGKo撹@4}N'-j6Sl,< 2Eo cJ~c2hhN)ryr!ݒPϔ5{J> g@5Mƅ`Nan=m?L$^Bqn'iP$@GJ&KRF#JfSF|~UZeT1 sUgq6 R>蛖{41Qd}RqU*1)>TfAuJR,Lu$+3!m;/izyŭv(}΄B/1+J6")"dP|&J"{3p0"@^O%9$w/=Z`lTSZ5{?7{ۑ=ʠq"xʳ)5Cw_7_3CUD%-F4 >#Qy >#R-`<ﺲ҅d'i@_O Elwp0Ngţ)C,$[Wnڟ.{а @gtDW*VM@zpaBY1]5+jiא ҄ v(jfY^M;7%o\+G<] \HWb8e>nGb F?J~mh^Vl0VHmjНZX&QT0)CRj-Δlu$- Gjkò_XHYT!_6+ z53!y6*"`1GvKa)7pu8!&؟`}}2^p|Xfz7S>QgR//^\G/]uB`igiaל51c,۱<o-1t="8A>)ԇx8w`:]ٌr(*} !eCXwD-T L)&().Ҽ9G}-o}w;|+F7m%kc W wQJ ?TA-u& қ3Y R>No8yeZ}I :35u ;-쟱rg'Hr n#.'^eL`N@oI?~E -x34^MQzb.FJ@Liz:RIt ygi~ȎMKCU*<}JpO U裁 8vʔg2JebDV!d2{tP>R+=݊dQRݪА69Mlg&L:lncz^^G(-@Q߈@/ M)ޯX'޻Š(l`(ILVoC@yIX"A4nFԩb#r5 i# csCLr@@G/7KEՠon[F+v s^`] m:Wcu1[^ٺx|I>\ YHE幡}@]2֤U2f8'?RS rGlLcg|IAE]nz#C[1J<(8:ubxY:5tL|!Ma?ք7clE;xYbpz 嶴tpAP7vA}NX <,~q$>O{ic鲗tdgة[ LZ aeᛵ#Lz'09ڳK!^{((twElwY+ei,#A%5؅_rrAQ ʙzLe3ߌ[*𞨇`ÒQbaֱteZ-v4VJH?,-U3{G2[ I.r)e@9}}aObDҠ#nvy_f ]5״iRď("@3q /\* \iWÃ3u 8ڱ/O38n=L12D W3ܓ`)gVYx<@!UlI-no_@, =cu:+7xxyS9T~jSy4։KF,]92]cC Gz;١1Cӣ!H_i s;t7<,J+f<ǞT$3q&=-:pWei1E)X_NׯK7~0E,$X\t@BzqP;}wί'ƿmҨ[. ,gEyͩF=na`Vʀ2ԍԵCOMfC?^IjQcmuP O%U iyp&uB_> ;a:ʽסn6^p˞PZ.JJ !|*jɡmVMF;Q%s ~lIyդҁjZ%eF)Ӱ?Jsi?whUFZR%(̍=E_g.@F(M {ʇx5 T̊h&ao{BCh㳏 RmlGW 9|&&z5cpp5w\A.*ܠɇ'A7-s r_rBVշ<1߁A [Nmov>ǝRegl33䔐tX +- TOEPq;:8#o&5(tzӘkdAVHI=wjhב_޸]Dե[ȵӠWRggGbӰ;kE1XS(!B~q'6zE)v}`B¥A-W{=F#ھpT+ʳ'- mq-Zbmo ǵ#m};eF\~Z!DٔofڹaB{uF}T \7j#s?8FfTxU4U/ J;{Aϗ+9@%v!*Vٰ`S[{?(K .F~4A]H5rۢ;9 3{ u>9Sq\F]PBg>Qᢏ'N,9b2)G>@7 ] V0*B(~rY.}eŖ -qZ2=}#EZ2;]sCuE2E=z/S 8~Sw4y簠Nc561aW4x8۳Z[fI\KZm( Xw䣐SiԤ''"g ab ?DEwR/٧-GY`%'kdjmR=-dQc:4uz+}Vh&c2 8mDPV*j{!LN ʩL1:Ԧ`D(ͨOsT"/Ec|^ptKbHs iVJ9GIxolI uio?/K ?4_v&RK9Hh{V`8ޓF%D2dؙ($Ҏc*68p6=KX=7<#.'4N89|@Tm)+췤8'^*gx㪇]o<ӓq6C7@ HE ҼIPPQS&({ܻCWq@}wen1>[ybE:`WW Dzqg2!F#à9•<1S])`Yp(ǓtdTkUV;\ Zaa1NxAUv#0UmB.其s<̅̐hD}Dgyݴ=[#|-׹NOk)Cl+jnIOtIjb}hU+_~T}0iAv^ i@`8S\K =}N?_(Bg%Rm>qIVPDYF8ť}n=Mۄ$-<6Ry_gev/$P\ MIq)7\>TMv\{X2J)8 7m ,bگq_M4.Y>EG؀7m A [TuPX{x38@$x&4~̩%K7iC `JRsx0}zmVQ_,\tđ|wFwR~^+UT?u0MyQT_35b"%]xcLKw,$&&ľ>?כ}U]f|n^(%bmk.EeB%:J'~Y_ }]w];KrDR(1)S *x,S.΀H!F}QaZӕa n*kyƄXjz;+^vWYh6\!QQ6V 1yée¾_}~[?}漋&8L[_m6'1l͡Wnz.ueocu]ϩݤc׬cZ_[2%D+$ :7?ͿָGEoLoYm p{ּ<in."dE؉ƶIj-q;d5E lс`)&4Zs3c劰w\VϷ把%YӟRa` %1~o37׵;Kёy„cU5idJ9p>gpZ|e>E d ۩$aͰ X>ENw6r`MD*Z9@uMشYToE"`/+`_+8#mBv& S˄tD whK} M8 bH`{OFB EdR-> > ,'&/,Y:^ 8h7ݨڲEagNϿ9lpTC0"v>;|WL>+$渏fW u xFP݃'TDCK)Ev(7R x]&g%֤B!/m0/?aTF,-D܅S&E-:e10;]1:Wl(Uro8&Q3b/]Daf64ENMG0Ӧ~(+~p|VtNn:iyWo#"tKh8JI^n,|tp}q/`ejZ]~:z^ZB=&Y;r1ͤI䄤!Α)ᔶ\ &g6N g%|Am>K0Ź԰`bcE@Wi0Qc+۞qK޷M΋h$|9Q ttdMA;V) US-F]%}tؕ J&7qK1}e?NŶf1oiuٟRJN-6A} *xВhMTEŒA8swR&>]H?Naa1T<+{d,v47B|RfÆ#qu;(r#|tA"q$לx^GX7ciY .ʫ vWH" bWzЄ2ʬQ沷 (*>) ,S/e[ZɈv3A ?cbDSGi(we 9i$|X"ڐ JFVP^Nd׳8 U8P\Ѧ VbMI&,S=Y=^[)GT+$!],p W%2)u:ֈOl:rC(b7K)'V/~ؖ c 䢝!A@yuKd=~>wz)6%G]<5u&k0Fo[k2 +$NB>Wsaͼv΁kJ!QHg{])DC1O/&-%wb \W2OvSR]<=LLt cMBN,E&%I 496?@ od.lB%(_9;BZY>&gWȿYA7~!c*hxl*ͮ}>QspPER2} Pks\/d|8;1 }G~X l#o8D'@>UAy}ZP$qچ%|!JP:Vɭ5N똟GK MJ\ 1?+Ɗ3s4;^:!R葂dA'YdH䍊;& ԁ d˴LpPV"!ێw M@jfd=hC.͹MC}h2N|ORe5!Eu..<-^(9* 1ޙbǾv~o>LimqW@_>cS0PŰB$^>-}|wYD<cpzF=Twh~ R<"P[ZN0(RV]c 1jf(uBX$/a! -ï'?+1_~ob;ȶ RU W%[Qsy7oZ0*)U=CQ#D`oFvonY(д> n pۗ"z`1g8 ?N&ӡ SWr1l Xam;;Ї1OV\306Xuրjc^( ?N̖~7};L~1 BgTwJV42GnHPa!g+j[ VÈXV;RHMhqg7d[ݩ^>ˈVRqQBT̥ol5pG&2ܿ^BόMCWqߒP#%r:*}3}&b45SY|iq-9:xS(o5v,ԧu~`O#`) <7}Oc- Ej2Ƣ AOl2L-_t2A pp{h9j=1b9_mvklfd0SKK *4pv"č 4}h^hPB--L4Es8х9bpYSP!%t9K|_ZJkRFww _enw=RГ6L#w6-!p=/d0r!jN(Zo-ު/8Bp:RO(}lm.00tc Fdń+3ipE2O2o=+Dm>65/P2*^zX $?yCuO=V(Z]_|"qؗge6o͊|(!%RIr}.($W.NJc)2ۊE]ɳ+.\~EXݱT[p&#+7W;[in{*UJ fc;MhfNyF*lwO8juhHc8] uUᝈ= 1'nNXxbc>VTd+0w%,~Bvnq|ͼd,4>lO.#%zg_ bu +;wwZS:|-1;1`΋J8ު =GĮw7#HwE@*҂&=[5}QU^Oǣ\z"ZRe(a>y?js?P{zyvԾ%|kzb ž ՛=1QUGg%RaUV;9g2qԏ@hB7'6nW,IT|sȞ CJF y22FFɮyV- 읡iҶ;x{5!' .e(ECyuEO).~QShHyίVr,aJ(6[-/ " ۇy>DƘlYY9w>O-֑rp-bU~?&4oEE}VVY,[ZsVPGh#UUyQ:ouZ^"~Ft+Dkڎ<[u R+holJO[ MC7f>/\pr7!ln0_ݤ)D$ MOy!]@;} XjdPIa-SZTEDi(`i)oa!k[ˀ71f) ܓ }5 a "Xr8D6ҁjڠ8QsJdg*8"tKlˍ5 f>yn dwKP$*6g)HBh+n<j0hIc2pmрRC@?JY7$ <6MT lJIsu 6N6e0v0d8|!zG!qEJuVO2y6Gh0&c0 %*6Oz⮚{:d`$'r;OLxvz_o K=‚"zuQ+}u2}j0kYD;ӷ+}8 ౵%D[fp.ύgcO"$>T_a1IJoaRA*&Oծ6V?a"i*̂Oe@FC ;yK<Y!@iͶA<ɵ$hftgYƦ'XnjD\6~vhpgC,C9IJP#%&mYwҦօ#L1.:("Gl aMF:xW@fb>kMss(;6j.ϒ߳~2ꁗ9"XlVcAm*(1;aa˙v] )-0  W*^Z Z>>8*;LGDG c~eo0Tv;J;ç-œqtԇr%X&c>MXa \+!ns#],Fe2ŒeF2ӣPObpG2d&(Q1jM8%4$BTuY# qNמJAoH]}¥#s՗JCU+S@iBG̀cT) O Vmy4AұF'$iyeyl8 ՠ{7&4HHlo ( ,ᗞ<ӝb/]T1fv>'`gvُ3jۉ!P7،aoaQ^(1`W%GS^n姥$Gst3,?>77e1K-Xn,tB!_-^\Iʛ5 rJӜbS&k{sR-qy}am*`Ӓ0{ϘIL$'TJn*$Lp֌4'!ijOdp雀ȿȶޢQ2SW!e~x:e$2g|CzF6rVʮ|I2{ o4;TbpuiTTO[2^!`0=B\h,_TbkyZܚN%,%}/\-mxH?9U8{C3\=^MRJƞ;8#if:tWި 2 w~!hUW" \HM"aĖGtSÍ>tcaF@d}ҵ=5? 2.xR'J?c.!r .ׂ[9}s`x\k}>^{;~ufzkɜ>Ά.|}*Jd<(w*Oj !65xp Z,r5DBqBɅUQq)3VQ ~6[5{lh3'u@z_97wynEdTlrDi!g2^3߾my ,ch:9UQ.d;~oS$nG8}B sO/3iR(bkt>߇=yr͍1o-|Qryѫl'oI>>  ,wzkޠ 9b|wz4O݃[51gnz_嘫I6:-y47G ڤ5/_xŭHO*$.:Ɲbf^|C| v =]D}8&DL3@ry@4#xm8G66 )USwkùQa`u@vf2e Վ9>P]ʉ62dFձjxe$˷]ѪY>0ݶA)Q.-jOnU͋M@;,Qf"6{\Ug7b" :ĭڏH3 $Nrzv<#}~:o)KR~]U7J4|jZءƤg4ڡN\i. del+nfBzйK"Ibr ?Ř뢀 Q"t'ꭷ1䪛*1>΂ޜ0 Y*ta KaO¨@qJ#|b!6JDޣIa ;iYwQg&W"lE2QO)'Q]S938ԋcP%SU_MDIya1.zybzS,lH5dH1)ء?Cυcl!.POs!5-Wz̏7S_~|*&zZEG]IQqR=c6S4­.~T!ru,&_nq:ML#Jq muu=ib0݉ZFw||W4KP0Õ[{غ:wf8li8sHj-*dS6W_;{fص u9cQIzD 9iZVL6w$|yFbTHʙĕk3:='H/AKF2]8:ҋHQ^kkʶMTܱt\#S b7POK,^UC&B!ykjDŽ/{*f-f ^$߸ (\w1d2eU?Wu$ B',9bjgV>| 9"%r?Hg"m\7lSgM i:KP5uw2S7)KyV, gWg2k ei4BQl SDQ&ɶG;i#ì f#Mj&2tb+BAsj=B*20nj%;ae)CYcaVTfgsT\^^K]7]82$VuC+K-Mbס.6cF >/ABZ(w10}i~`P%HJq ir%$6XӰ0=|{sacfJ6%ͺ&߁ 7ԛ$KZ5M50r&Ut8RɖCa "3 iDT`̔`NT!fs^ j:n-#~f1X[ء2=@ eHɐQg ؗ S4I]UXo27:<.[P'zp#DhB˾Ừ&4A߭Nl,w: $wϋOXS6ˊ6rбFH@/Im:#+[ xP%ϗΊ)}J.cH ~T9tr)7tx 4 I4j_s51K|(dߒ9~+W-5ո`,K 7=5ѻG6U>|CwrP߃L*pZjMP3?=(Hp&x07٬ sӛ7IgKIH]j0 *Ҁଟ K$pDkw萻o!M6abx׉a$(6E5O[o<.9n1#N=E.9O+#Z@Sf=Zq{JhS  \L_uZ <GҳKζۆ2픧. k.k "DE6a.Kf)WK8.=Qp 83 \"xgȯ&LJF@g#jS| VO^xh/O飍×t[)\Ȓ%cDى&s 'SU@w2W Z[7:̓ &Fpd_ rF*0 UrVI ܮtK ? ,(ry{Wm3i]Da T&ϹKM/ DsBM̏sE~^dN 6K }nGIuW%5Ov 4GG8,'[wlI ^3-Pv(ggCz@dٴP{H z}8 }@NYxYb267*DķYrѪSܜd9z%%KjrF \N"ݸg`8,lg O]ޣ8YщxWpl)b$tpOn &r ܷAHz SCiQQ5XMQL;0a;Yc_H`pڃ9yX U,8Up]\>XP8F`X.vPom4NA 璌l{'m#6Nn.QrӑbǶ͑M|Sn$ng4Epi[(-GG}Š>K,tiIf 8O#I3Orygm[蚐`2VgUR}hZK7A ~:O ;M+h=' MӜeZY$=Tk(1Z*ͯ4txG༺@Vlu Jq l +f99۔wőw) Q?δX\gkm3:{vPa X`M[4^Ѝm/װRD8k AwأԫɎsk^ ~wogIVX'VF,$( ؁ tfJ@{h93ddM 錺|#Ծ2HԊQ^=Qe $F?# /oˆPUloA5tg"z֤IdaHӬTkN JJhBY:\X:52N%':oFicaJ)&{w:x|hG*Odm-Fp|k(᩼|b!<9M|{!2j1fhuaG]n(XNZȃv },{m'+Y5s d%OeèV9$"͊ŽG&vݏzxrk%s8} hghߞa) .*);|JdC' WK3ݺ7m+G/Ѯr4p 8'Z|Y3Akً۫ݣ:!)I^[W8c4( WAjy3cI3 1r%:ĝ5ם5>X  }ln 3G?%Pa#iƬE׿??gO ރ3+#w\蜁_J.?ķ9x(Ox3򬶳 MTዩ?;2UrF[]"e,'HP[<rG6~Uʹx=kZ*  ,Wh -*8jMPؿմ,zlt1#uȒپGkBr8p86J\\>atfy Cf#5Jx#OȘHìan$qOϽwKء?q}jMHm|qCBn"M%:% ._=t8>$(!Myi2sVy-4DE{.Q&]ӝ27$e^& ojpCtebYc{*$u(QNjP*{/jP ]zGo7," rMb(!c{>`q|LQWcvV0b}:22H`K2rDZ㵪04H(1u%%?I KA28胧v7@3DIHCC1He"7Gx!qVLnsQ Wj+~)g`Q{=Od>W_&J ^ T3221hl>*RH)8 aVMvE<ޚY{+T#cSNҝПRtLAn~fwVԥ祙kxQCyG\szKm#3ƂJf@'Vo\ucCZѫ ubK{ɛFL%jdDnz $9I.p[ܭ O 3 $p\)'EY+yᦺw-ff@:e@(V0!f\ ȩilf7tTsJU4$qtW%8"NsAd#m^ zNf-8ak?Q75DzkX_oQZ.qLI@P:],\Y`25g $z:۬ 'ZmbM^fd%_X|w} J]h YX?SFp>npCQDjɍav92ʭmV&^ >7T_a s& XUVy֊Nn>4݆bl}76%,uU)׼ Gpkf>S%p %ig>F2+@[T_`(z@3ӦqxzdYG^cǸ8 &"2"q}&qp>qČ ᛠUB#vA#GZj0ݐP{`B=7D%_oׂm/?bL\([\>#2d1}׎q-ġΆ&T@-\eU6^!aHL%k!Դ{Ssju7jȂ{ـծMp!ƞU8N;__\VAQKh㟄řѥmw œc,4.3R1{UYF ƅ.Ƴݳ-j%2$~U9o}?ic#=\Qi(4<V2r)[tbQ-+iO.uT:5>t+m׹(b3` ӈ:?NkHHBs!bl-5P=ԓ4f8spFapݳL.G0FZ"K጗"ꄥ1X%ڻhц Nfn7jB_ rM|_|wM;֢Tq+K5"5mQ.%4wQj& з<&c{4QBtyTzXzғjSn:J(>-:TRZQ蔋,ڤ[>1A;baޡ l}jKT㢃"I#xR^X^x|ʦb\'n޺ q&T(Ԟ6 ({sK?zA3wpM4 mXyjT6zN_Gͦn.XD_Ls Ϳb)BǔDt{FWOIօO$ q4+;>fpP3;Č\* Kywf+p/:@V/q#gz9GiOVU`SBJȭv5^F^-˰E&TJ۽</nc+f#ļ-Z5Zm 7yb#I-Rb.U}DoY 냛!䳏 `%tc#74DS%єVNrǬ& BCD_Gn}4RĖ1JZ$y(!U 8_h$O%*Z9f37U>.6FD9iQ ,JZfI2'0m.O#`dKQ 65 m eX=4R8Iv<+8G:󑜤kXd c +i{ .g?PLN)2/nONƫ,(rˈo!l2wJdxb? )3-pY-him:$I}F /g}Rv-_FX#+qYr؉O8z&L \EFvEخ msp*v/Ӈ.w}m,m8Pٵ6u[RsgK_3kQ?%NrZ1R{j_~F?"x 9 ?#{AxYSC:D!xS W?3Ǽ}un`:2)B!PppFTᘈkwxq .0S5fWן"9"W3ݵxQhSߕ:TBMyD5z5NZDKSeS$Sj9y_N#bhOF_p1QvN\9 x@+G%/[Z7?/#Wȴhf Ə )LTcuhmZrv)j芌3e\ΰ{2!XU!S8K|<]đa얋lpw6c&^jYAåWg@;~PlF(FTqW^[ O;LAVrjJH@cBp9'&B wg#bխes/o ?PajH6;}ey#]!؆-!h?Ad4S,a9oHmS3}h֋gט9i!R';5- (IEqytg;UrRWSGN%`OK &kR>EVM͡yzdslAcKfT/h[7|=H - L8s<$Yάsihnz5NPoz;0絢"5F֭i,kEsȊ ċ!A"k[\X=m|Oje\+7emjeh3/ӻ,<y= 33386!1 0)H;lHIi(h#ųDcz/ӟZ_*UA-7lwNt&Bheϓ )1&$keXsz'+I0|'aS+eW"4xx ؠr<'e| Hu[m#w1s֩8'\5f^'N@xD\֬\E-ř {tTI%F>kXFZyÕ^͒L" ʋZqǎZk[dU7^Læ!Њ=EBv=*[zW3)? Wczou6`lܰB5`WaJ.GtץNt/+u{ CdJîBȪ+*<@" @?rJKM[@%4 ҃K.MKc|$b)eĢ b#q x_Dm Yuj ZX}pb€ؖ:ѐGM2qCZ{ibtR-P ׏>PԧQ3}coEXGb6Yl$"S=`%.V;ȶR{a x! FK o3谄/I7rCIatd߉vCTlͣAӸ4)0ʖHe:WyDAAUMh j݂ADoDwc,a+\qNYgCŶח> 8w#Mo#clHl \3W*OogG:R1d 8e;_]"ej #6OC */S :[{YY4x[8\lxG- Qu& wAA~q 'Yk0RS!s ^!A8jc+VDh r^5[5mtuxg*`ytsB%"&=z XK,Q#d+ lH'-* S+z)Wo@vțW5$0CzE@o΋=o+؃TnuN;SH.":}WV5ZRm*ŠQ k<cnϕm|){Jv#M5\Ę\+:E3Ue22M<3rDEhG-kR{MWg*]Hՙ45m=ٽ[eо4h9] G񓑘##^[} j#R&OK^nM mYw!3oFcsGŇ^Tڊs )Z!5&ǼLX&ðws~T@ yؿDz\ڼ\ >OzwBO}K@u6X "2I:X HQ-B[ B[Wn7Y4WhLށ%eBd/z^ڙgR#:[l@-vVP)nhG [9Iplqv(:?67y"HDQ#zP=:ĵxNy>t)C 0An`>w} \/Ԅ.)wMj$֌Ue&Mڻp*@| >ɛ 6 6weNDwP8E;qnFi ɨ"\7B{Z=SwKᬻ/j_5BwRGq>BڣG>g,m'V KRe(A 8jllJ šf^v2WD} A iȉz߾?Մ|24?AsW>Kȧyƥ*2ץ+' ᾈB+C^$W8 iBtLߒĜu}V Thɦ5.ъVa9'a-]BdB+‚4^|TgKjސUqEB錡80kQXa`N[A yUQ@!S# ]eN|8vboꟙD`jC 3:܁=ظ$]xEks͢N6O.W1Ggگ,ɍ}d{NO"8ȓ˳ !8iUf}vR 3 OKabGؗFwI6JQq-B="2D(ts+j%tT^ P ۱Mv;;YiBoztʠn민-GU-1Gc#zi(7ƳQXŭep?gF^Aas~Gy;dB?m%Ӭ ^!{p%Ea ]I o཮E=Њhm8bş8HO׻M̐FmP"EPƀ6 p 5<&5Me 6x,nr=bG<٘)]JS3R<<Į ;dYLNk@~%{lNق\ɩʥb[K(֘g/w̶$V:3 R[,LdɅO͒oy't^72 znjY"~_rsqc*?tIwg!@+U]a)2 o+>y+zxJVf(8A(g93KUdA7/mȐ|'&~pΖ@%`58e㉹fnQ;S B Gs~NĐ^l0lBN!\/t} Vp؝RcFO3.1`d3~ {nTBK]~`e|p;܀t3=?CDgs=4:ߵΠá (zl<j~&ZK2`LJX{+`.n,O_jF]Ej.O2!O'#;WJ8{G엋yuO0w6C[OJTElq.UsxNn'SNl}E0f7- ͟#OL#3ѨXZJnMQ8 _ P.& Oy%`pF)GOImk%¶Ov@><=tԶyB >C Py%+|K ~<#}:`g+BI'0˛aS Gdhh086Iev$c=C$^xl:^=)s@iteb!0yQaz R}\)aGCGE r,FHZ &&H|)Lpݧ(׾?Z ~0׈ITW R}qk_hiq|EO!aݾfVJ6sdM*y͕eADHKZt?3 9٤Я)D C&H&dya.OpzEGXt3ky"$0n/gF,tT0k)|vYcŪ(k5mɫ/[Nws&MKQ1|-kً2N( CD5NJ2~"9~ָȾRZۣhYJ¥rZe@z 0JNvjZ}xcT7voژWB ?rתܺnܤ0GGK t#ƂܘeS m/r-"1 `CE&$M4Rgf%HJB茚Q#-4}8n.T3;#H42e WD}*hwRz;~bIRuugt8Tv2O߁x 26]jRd㬆\o1 pB\z *':6C J ւAus? hPO[ pۦ<9yLqbz򀋱O2+6Ԣ?Ɔ3*]͖ooCX{G׸k;b5_Gq $2"~?q'K _)Pd}-.8;g,]3eNe@?Ǝ9=n"4,R9*cOwdnUB9/LZϾ  @fЬ^GM(~ԕ\XX_}4$b5mc@ٻ5knkf^{cwoT)-k-G]܀͕2 ]cl7*b{0 4yOo^{:ߟ UzMp&h2=K8' [t:erh?@wv xC~?[Z|7joI/[Lŏi`~z٧r{紫ħ|m"zǤ_Y>.HΈ!}_u/R ʞ*y]{U94?$H+>뱊$SҶdP?[xݦSEޜ{ 4 mZ8RǙ!uee\hJqH/5pxr?{`*(uNBi(Ic&>.Js=e\äG3Q "D ϕ(ft*&%V!^r[?TSF^ 1-$\3M>gP 5?PcNb)}ir9Xs2)hN_/+~g;[g c< UgytWQN%Z:u:3uTTm%P&^M8)ɽ $k d!mnN)h+!X\J@E-j m zw!F_?m$(;0ecGF ,R'C7rqlD|Z( "Mo<̘zf9!,?&OyrvZpd&h. ȽyktXi(,pAjo]>FnGv'%݀ϨȐx"X| ,o&Zg)ti'{b'l+/@O|\1 6Ml,JWGAEKks$pFu$-Y,ۤ͑񯻧ț9_*X ʊWU_1'u b T.d{}y %Ud~/=klT$d]~AҋtWgJeŘӊ$f rj>Td dL%N–]+oΙxz86JBi/ 4!"r$JJ'H"nμjwǵp!|6tCۗ̓=!P|ʪs&_ ':-YnHkGOYݢߠAy[rGb{XBrVؒwжMl/q,ʍ5|O.5{ .t@S‰+Tz㜳H6K}: FZ,|!dh} {a{w}HfqFb(Yx&mq:ʨrJRx/'X<9@(lIG lլseE4*r%.2BJ4[`PAbUIT"xrkۇ9\8t_0 Ci;yZ6$fJcI(8Ef囹ͭ478kk5* 9NsLfg$+7 %oN&_*lPxGd\̫\?}dnl^4@b[s~ g* QF|ؾ0e/xUo 0\8Mƫ _kNl }ttz9tt֏!|O5ؕt͌z(5~{2÷!#Z8 02NwZ'WuvL˟yČUȏ`n=kš9I:[2bǘ^ZQ0~:yHnmDamP1F*?jnOP=!/=R|ٗ;NP}3lHz7n,,\ދ H,XVϭM|T% qwF8\S;ꏤHH^zjtݭhIZr}wRZAmB3iOR4=CyW]t> $~`wu.3MK I9߾,1̽}t;N>s%`b|fyHzp6X.$ hSf лen Sj[hc pwVqbfg$[>zBo& ju;HatC,1v݀Tn n{q6진Gפ0@_"=TBӓ:Sf{[G`ErEAf^4z2ZÍzț85ؔVFSp`Aа0oMGF2 Xa䇦:隆Bs`›`7q3p/"1n6zS޿p'{%`U.(V$?XoW>ӳѮ3~?؈sAG$GѢgBGŇNw!UA&4y ZwҸfHaSA1]{?3X7( `$\o#m6Wͤ"*~( $7-l4''cSL]Gs0eפ!kX߯q.ﵣpW'M_نw^ER`~ +xc>V2kZIJQjY]PUqm`"J&^3myEy8TI !%'9( \G 05[X7v_<oY!w"ZIgrD>?Q旽k<+ndvr֜^K,F*A穋"k|O $Gk0wȷw~K"zv3}P|FY? TkXPJzO>>C'97Bd߆ \BѩAxFםk;겒ן?L!'B64nբBLM& 0dNɏFa䛛4|]iզhA)S2?^LJ PPTjg3D\^5A36C5[>ClI;Q@_#AIDteH"y\+KY!rR7+[[%ߩuۡ¡%NBSJX,Z[V'aU=g 4SfTCo\<[VW)̤fC,\u?DsQxH(׫b8FZE ʱC(+uM<0 ˚A4׺޽d*Hm7TM~ec'#vMփlT`ʿGz7 ea [LC L\{8 N1/Chdrmgit9F/t޳0:Nl} V=Ҍ{˦S/rX} ihi`^4VWŁ:Mɓ4B-_s?~ ]/nR`ղq1g;9W|U; sQ#vamvW=ZPo/{^)ٶR\ ɗk)V zd#EF 3Qu;F/pD,VFɂ\njrw|g;+)3 vfHT0_Ԁ5xRYysv -f:Bo| q@6"ߎr4OGZ4 rs@b$0к H {L^fX ƫF u;`܃:h(BY^iߝ[ҌO HHȆgս+eү n|B\ɪMd e<~c=iϰWw敕M =F("ReX.g7bᏝ#qu^k(^:9VU",PXsR_r\% ɹڱZDg X^M, Oo هur$J` Zف*GR-dߚ,ƓFN]̘ܤ}^1gbLPïXzUˁܻ83PsIY2^$<^`;bxpǓ`)vI {}~GSAbRk Y*{> BV{kd$y)nfYZ"W',?pc7Nu;]#W0[Ko>"T &i#~x'[ܶ>7Гז\ b|{^%Zb];v.ZYy/ṿ7>_'YuGO/">U6҅H7?A: /;+I}oEʘuW@`lj[q\%wݓǹ`L^w1 ~ 06 MaĖ|#I`hγ07%|ΩʨAO9G^])WI$%8SQ A1.JQYr-mE78L}T8;>ڗ })fm6-@Iz_J+aw81$T)=eX O]mZ4>ΏӴݨ:BtRKfg 2є swGmMYIB(N~}ė+ɐ,x#NXN҅jt#5PV|(g|n wv\w>ϡ{! ;O[ـO)&? ۊKOR_MS!qek/-whW<'̒JS% QQ{k~$ @ (nyg| [chh8/vC׸?✆cSo%4c:ڙ(7ˤcӒ@8)Y'eCa[ cpd$Ez%1,W9/L.L`j3Kܨzxq[+mVz/| Cƿ]h bLd:jBk%}ZOsց\bx][]VfUܟP*65D_GDu8]7WuA5Uxqar5e*^**7U2ޅan$vT س$-wXG'e[j#i P՜\T[_)F0aK 6 [mr~WLɑIEZ>/=֥s@ n5B R4d6L8d5zZ}=uf`/LKN|Bu8Y$Ǭ1/փ}pG"r̶SBq0Rrn2ʾ>a}Sd.zc?-pۭH e9p^D)*cmt-J2rG>.#5r cK9,ALhzQJ\A5 xOV㨳7z1 A9n $k*߮+%ȈS]جkcM0L!WXhfs8n|?Lf/վUTb[ӅIvr'j>d 5qqiK򨗟Ǭbbq"󥺵Ÿ́FiUn|з2&~?  J(LWL_30N؅]^}8;9"T*p?bXA#EOc(U"cyO"52Ysc)LoiR~{Û .X}PX22xE1^laԾ=~#y^} ZFh52s!pXU:3f`#>0m#>bWnVvX\ʘTwb-0Z \ Bdgj,ph\EܺARtNt\ [Gt+)>i)5K)+jܛldW4aۧ܅Qutpۀܫ)hdsh_ CDSI+)faiWg f2^Y0䗈1jFVoByQ+qޕ~p9P9Wg2r ck&-.Pg{)p0ㄒbgbfW_V]3:1Rl[VQ>9xf3 R 58E8"D1<v+ox]#tqF8Uܽ,RBMf;:x+I {OįSVT/cgj߶vߑ N34nh: '"M7]P<3,crwu c0YqX,[e1V~zռ* }kD\Q$s-6WEbiA™s )"qRog(ycLA۾E?b Jȧ0/ uI2 IYǺszߝx)tk"ȥ5I予2;E=2^ {]"aUk %TN1wAEVzh+▒+TCD@_j;4ʖt'{t á1CC+9 aVgU G;Zd Exd?a HjnW\~=s0, < NX6R WrԶKu t+Pb uvt1O`] c nI YBmk^XL WU!< #ޅNg[d7 `N ʙ5wBjf^U-!/4rY9* &em`5qءf|%lH !+*|̄Kf: 딻] #rL5AeP|6Ei=N gE/jZ93Wk 5?SӮY b7M"6H('pmVQ1ʺ-j3jmPJ-]⅞E)O |o1q'݉9unIȡ/}W[A>d+Nik8dJ 'wTS4)<7䠥2*ㆌ.`zV c !<{:sTН`ȘCescDRw^6&gҜĿqNH,(?+×Vϊ^YyuEwjnIjU#"Us}JE2F(M]_6Q%2ٔ+o :Ox.x9 kJ[ YZ