samba-dsdb-modules-4.15.13+git.691.3d3cea0641-150400.3.31.1 >  A eڍp9|% TM4٫4U"pyQwoPx~~D] ΠT 3P9@#r4)9i;SuC֔ >ТAZX){g7XTqܬp@[ nDy>כ;wH GU@6OapLQ_-ހVB;2qkpt]V+O\9[[bBL![ēetlfzovSC_>sp"SeEiMVc19a1a403d0f1f96d281004ae47162ed4e6c4757d08e874b18eb11197e009f9f2497022bf706e6b59c54ae4063c3fc326bb66d66nĉeڍp9|A>NO%8|[7 vJi~`gIu<1!in`!d'vEYA0@]&*ݩ!Lj *᭾gFJ ,ێS >+f5muָHd9cBtBHw Ȝǁ߾!5+|'"kԤAً$N_*.QH]5|:+߸>pA\?Ld0 > P ;RX^-|- - 0- - Q- -4--0-xx)kx(*8*$9.\:@V>Y@YFYGY-HZ`-I[-X[DY[L\[-]\T-^_b_+c_d`Te`Yf`\l`^u`p-va$-wzt-x{(-y{zHCsamba-dsdb-modules4.15.13+git.691.3d3cea0641150400.3.31.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.e;s390zl37SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxs390xrm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigw7Gw7gWWW''7Xp7G'7GG7Y@'hpWi@G'''77GG'eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeab139c6ceecf639305a1e46b8cac7c564e7ee359e337da111aca0662163fe2f260ebef1b68e268089bd78980a0cbacd3beb9789cdde58dc176d9514c3b93946ce61a127c492e11e93169d96dd83afdec866280a06e18befb7ae4daef7daa6a5016afe434ed455b7be4ce4665c99f9afc88fc9ebfd163d525bf4aeefe9232b14eafeb73aab3525258f45116e0dc8db3346c0040df441861a7ccec233b50ce6ccc680978a998a32decedd66a047996d6a27265101d2b5feeb1f81828a07f0732c1fc61d6ff816f8d8328a8b2a6651238df7590697940eaed6a23980da365768bdba0ffb06f24179c63a8721340f909c9030d13e6f45988e8890e3b2ff60197a1d730d2a422b28a2fec17c39f6ab30edb82d1a7f36a4284604634a057c6144dd35f2933de3ab5f0bbffbfb493e9504a9a6000db89797f0237470f97828392d6e9cce78324bdda30e84f017ff1d2c2743a441e23a8a96ccdf8337face34347a2c5fe7ffa324811b50b3a98778ab58b99db79bed4c05d5ca0c76f7db5a1db77b1379f1b627b9c15b9efd403f93b8307730091135bb7d8072139a3bb004cb6b962558aadd714dfcb6454146323da3ed7f8d41011bdd5a354b4550abe80b448f6335e87102981974ffb8696f0a0b77d974ed973b66fa9a8977c3aaf4dd6e7fa7d28d1308c46d05975a49011fd4836395999b3344229f7e81428c15175a433a09ad22bcaf3d637a21e9524898add0223b256a2ee39193da20293427e4f298c6ab398c553b26fff0432c45a6ebaee48a2bd19719b3b0f4406652f13226ace4b8cb31103bf1151f53654668eaf2911fd0107b5dbaf6f62a2a5530a244daac79b01943b79b8d90b8c08bf485928e62364bb203062532774c3257096b6bab9eb48d6b6a4c725055d41067fb956802d783f76d961b39adfe0dcd5ba9a65e99b2b6e2f79aaedde5fbfa7bafc9f86db96c170b382a48706faa4ac5bfb8d628bc30c0340806f9d0076c10f96b6ccae9c43f334db38a0ce208fb9753dc6621c77f561e23fd44a7208afbaf4a261c758d5ff35440766dfd33ed31f9508c19521c989ce023dc11872c8da6d856ae0fe5f27ee5830e7b6d995aae1ab1cce4160b90fab7fab3ef476c80f8be774a9fa6ff1cab3e74c8ec11d0d107a847a78c6d63e8679441323ffac398df5eb195c9455bea6e7be66d01b0b6a9c3323e48d7cc089f32bc3f4c97b27f32be647a87a8248fabbd5c512324c7d40ee3d43117ae3db5028fb6268d5b06d796f6be8ce2d457e49c03317c3e3f1bd8d44a928d4123fe63e8f212e5d64f25d516e01765814e71cc1680a9be2e437520d3cf3275b2207f51152a94040a4f9960c6f73d73d92658560b288431c6edb42d18f3a413df34e4c53aed9178412f06c82a6fb08399a9a639d8a02b55add1c26920d295ae87c15680ca97bfbd62d96aeb248b37736db4905e3395d5b7dff3796d1eaef52bf448a74ee4a8348fb90ac8b2c564c863e2971d8561a349666300496a128fcdca24a0327b3f0f14c333d995228383b270f61dea2bc7a1c7b63dbb36c84296f99a211a6d9f5da31496233a061b35e29c89ce1dda1b81e28c23f9c397a162a9391536acc5655436aa9cf1b2d46471e29306892d9a01cbcb7f39fa301b6f3868b9fa92fe9413e8c6def00502035053ba9482998e11569ff3d9bca3e3dae6424b56750cfd52031709ad2916e098784d3f34bb593a9db784c7fd78eb993f1d37cd7261ab50435ddba60de950a7e893dfa7a5fd275c622a8a35467c5f521b169572477f189824a4cf0b860d3eb836fa707bbb75f90248ffdfc411345cf11304772f7ee0110602f4ca5b50e0818ed4dcb4bf5ac2662adee7055759d372da2e53f3694b65c31a846884309358187e436bf7093f585ac2c8d4633ead1c30e25e6978f6b6d84520ba3ab7a5861decf591db4a636c23c590bd5e65b866e185b2d88f9fa6e9c4885c918248a19da26663b792cdd9be14ec448de9357fe496f52c9febb8e4e6be4a010c448f28e739002edcfefa6rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.691.3d3cea0641-150400.3.31.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(s390-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfiglibMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb.so.2(LDB_2.4.5)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.691.3D3CEA0641150400.3.31.1_SUSE_OS15.0_S390X)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.43.0.4-14.6.0-14.0-15.2-14.15.13+git.691.3d3cea06414.14.3e@d.@d-@d@dJc@cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigs390zl37 1696520507  !"#$%&'()*+,-4.15.13+git.691.3d3cea0641-150400.3.31.14.15.13+git.691.3d3cea0641-150400.3.31.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:30951/SUSE_SLE-15-SP4_Update/8d00899bedf509e14240222c35afbb11-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linux  !"#$%&'()*+,ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b5743125ae7743d8a5fd3d9e611202fa15e5a897, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=595c55fd184be94c7dfb72c999960286c32fd57b, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6a2d41467fcd370011c8a6092cd98ff33b17fc42, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=e50a4ba168b8b4eb922dd27a78c8f795ed760278, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=61df79589c3ee00d51d3ee4e376b4862455c2846, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=f1f6ffb6cc4281d168cef75acc1a73a00a084806, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b4b54b4fd76c7085b0673cfe73bb05d5b9b0fe92, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=de3646a41afcb482fb471e7f6586e220dbe9284d, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=4c6dcadbf0ce7fdaacd9352a6adaa3c0797ad603, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=a7c45f85e39c996c368396a53ab3857f01024e21, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=f5a1f94d03efd53d2ea77942b86ce1ede9aaba99, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=fe79b46c78db9d5bd5390177d77599ef33bdf85d, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3bcc73656f7cb4efe9dda51080265381b6a1fe11, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c80611b3596f6a204657f2a86b00e9f55d8fc7cb, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=eff7faa5e49839baa9827f6fb567e3a57e211acf, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=e8e5513cf3f38bc5af5c6c3feeb069e82051b940, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=253b48f6979e728cf3e21bfbdeba4445c49d42ba, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c604de86680e0b42686e0f17cde0c635db194797, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c8df6a59c791d2613aebf210c1b66547cefe156a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=e7f930fd73a98e8ae8b0b47de5b14822f9dbe4fd, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=71a8aaa6fe251e8c8941dfdc15e4c98d71a8b5e5, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=880357d65226dad1a8b7d6420d085ec7b624ef95, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=2f8c0ae7dec85874f57ec0562f66d0658f220b93, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3d80b7fd43230d404657ecb298dfb655d67b56a0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=2bbe89c57384ab51a82e836d9b904919732fdc82, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6f20b215e4bc7aea765c81e17cac09afca0a3c14, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=58fbdf672277f96bedccb437faf680c912be8105, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=695a775d71b1c2f84a1867feb52bac52a91e61fa, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=a010658276ea3c150ffaa837f20757e0821a09f8, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=a9c596607cdc1915cf0becd5230229d262b44752, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=127c5f6f4cefbe0a1489326d0769a56386da983d, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3a393fb3cf861685a3c42e7f33f3eda98e99c7a1, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c8f4b7a5567eab46572f7262b82a6317a6d98488, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1ecc913a38546dcd31558ab6cc472ae5659312cd, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=536a1a58b9a71ed4c35b8021073bdf8701313bca, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=973e2b08b4b513773c79b589bceb7f7d2424e030, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5e7ef09cc4eca09f1ec919194fa61ec716be6e17, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=99f346b45db0784d05043ec5252a78429b2d8621, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=fc88e5c8546059f943353fe0fd7c30d9651a7b12, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=efc313da2a65f3141d38f666b41dba5af18fb151, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c6031d580edb59d6cc4ca551f48e02f528ed1c57, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=09737ede8a21fbcc4238ef4604f4c0bc164566b2, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3b505149e117feb471681acf9ca605ce4d7a6430, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=653c71db04df3f62823896305e6f23477d8d1fae, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=db9ae949b86c743fe30533733c18996cb0bd7749, stripped8Ebr 8BJbn%MY %/9K[ly    9 ( - "  R]R,RWRRgR R RFR@RSR_RR*R0R.RR\R+RER^RRRR?RVR)RfR-RRFRWR]R#R_RRYRgR R R@RSR1R0R=R.RRXRER^R?RVR\RRR"RfR-RRgR]R@R6R.R0R R R\R?RfR-RRR[R]RWR R RFRGRURRYRgRSRR0R.RRZRRR\RERXRRTRVRRfR-RRiRWRgRkR0R.RSR R RVRRRhRjRfR-RR]R@R R RFRGR_RYRgRRSRn$ytI/_cf'pWqrN5˪ ,$9J`SG!]MpR7r{8j<hdnYOkߘow W%H0i:s^b !'H>3_PpP$'#UF8+h@CD: #ZR<>rif@w2Օ%7KRE\(S7mhEi' ?. P@F>,Wl$PlL#Ü(TM*VǼy{ɛ(/ ԃ.Aض Ew_:scwM/HC1(/y%:Bo+~nΞU9xE {楯5LYo.M^ss(A3|3@GKg8L<p 'S6pLV+#^](Y pq$ Xoe[gI8Ŷ*f Q{+hڄJ3N_Ȃ]dU$dX7_}=24ۘZ|A_uKm$΢R3ɀmg(x<ϽH$P ]}F cHIU{[$s;2} -+\ Q2@oQ ҅6 qԏve52,N[aC`jo@%Yd%ejd'mf+p RtL"cxnLUUeyiřD^b[ j픔",2ᲀL4RJ0 a-2f $;[<d}Aљ<52B݁S&~6"%w*hNyS(CeâY9&p.]l&H}s&.iQ܍vty/^4u~z/?W4Nfr[XdZԁeRqUG YZߠC2X^agmK[hh afL,HP!kwuZ2[aPLMך nAKW?vQpH :g[=F)+1 udU(aTćIC]ͥ* <~|B{ 5uJFuЍ( ϴhx&?FTWsY@LpXF]\M|J4>swR#x9y_X#B<[8nɃZ`F0kXa-k^gگ6Pj(dm2# a=vL#;iP?YpV`ʈ`L7;U~x_U."ߑA03-Tڳ.,y`H[-I3!ˊ駱u>I#.v .hSܠ'zE&<*<& v9Jy#We$3f2% &1v`FTʅ^xȖ*|f=ey?(OfsU@%9l0~#\VAi0Ӎ®ByAiq1cwl k羈[z>!G`ʨT!rwB~OdĉO6с!UZ 9[38C}At߰W;WC#]>R:JuaázCy0tű ƽomYYQ` X'Pd<,ufD9N0`Di+&.*zĘP?8/w!B.UWˈR!B"`DJުck|]ez 8j29m,T2v3H[Til[B)/Bs{כ@֫ ƴu|3/\:tYDﭗaΨ%Q;W)Z2HϥtQ#1+* %0l;!vhaUq'Zܴc1V,+ vHv(Rv'elSlˬ(@IKL}wC/H]&1w=ɔ$_J1~:b/e: )M7xB!gYxuK{Llj*v `x(i8&LZ2DL9"Jh΀c9HFҗӼ g[0ڀ P"mSBzm"[FA^^Ƥ1ЂUsq*FɚDhw&> jz NiW5PE3`h-u|a S$kTC/ΥsL6Pr ~o7b ~Q?-Mzväw$!}'4~LETe߆HK|5ݰ~ΦWL.Z3O~= F0~>?RޱǕ _q16%JK]٤Ӗ~#`كK^)7CA570 X/? %G|7(;ιs$q aҾdp76} U?UM5M&X UwM1g][XVXU{:𸈭&6k&r)ʾx@?ART|VWN@/DL_B/dC^m&$:+4*rqVh^pnCG{aR758c!d.<+'Ze))7MT#Ti@0em ocd*:5] 48n~MS.$?yBjBD[]T5\̱GmoE|mF &A<ךd"xyukTf'lR/w;yPLѾ!= ?](6y`~]Y"ȖjVa-A A'03J-/l({XYśis/^lE:R.^)6Y;bŽNwΥ;+h0H7%xkXA&#`;fS= <\ TRe a 4E2GՃk4m!}ca 8!x?-/O.H T:wv.TP~nЄc#d0C׋X&+& U6#H*=lwƔuyzo {Õ@#c.n֠vi;p[g17M,!5cF&I˕>RO2bֹ1>+㣳 ݕn1x88Bp/KiVݝ0p};9܁tWeu=2l8h X,bVY6+{ʜڵ될# EIC4hkfqO@빅^|3Y!,seLsB$Z h\ / >pI\Wo8~c֙=i>ze;+Z"uǯ"("fdAJPE8I8@ !UdTTV1 :HEJ=uf_J ǏɑJ Ti"o,HHɯ>U &Ɂr[#,]շl$,U(9| VOoG9_Iֶ϶v!Ȯ%湏KT H= k]c1 B_{NήHP@#6μ 3*! 5Cs5Ҥʒuf#6W-h 0Ӛs2;vnmɕx`K"!G1f%!dF lm-rIʧjtzA"hmI4,F6MrgP~:gigt]%I8A4i)gBl|;qlOY6u)OBB|IP .&n۶ Ke0eM'g6T\Oq, ˰&dަtY_wM~ 4'䆹/&E[ugvX"G -hXJW Y] "MT] bw&~~\f*Xwl 0 nw:dER$ĽIǢfP p];#1Νzs^Yu­9P}ܧ/bOKM>+c젂S A0 'P)6Ŗ~ς"4 waRՉFS߾ѹ))=ۣ^#@I ,\6\gNte|Um d~wl6/'ĞsӝN:T\%J^HVРCSaUhكpXOp7ؕcϡt^D#wo3PKFC{&WM}W m6Qfbsce( Dee0l:JG$Ϋ6>$8ׇuN  'dEc82k/{ur\q;:>xs0e?qASIcJ\wkq i9z,Q\bPwQKHcsnU:yl*ڻ^G78n450M bfM1h`Row0NTڮGon6ӍTqb𗣶8@^3ͰDif##USc Sʎ~f}lf-m {HԜ.\c!D.Y/1}n١x#+^*kƾ)uc~M& !ϸVE%_oQϢ39 1D K]tIxI}ZQ mjqkl9dЬ?=Rm?0a^%bSہ*sMLw;eTI+]Rʈ頵%PIBK y|qUWF@]'\Aq5JV/D0œDjɌ)}8HieD{_@MGCUwEu=:*]UB⛶ LXђQdCv9S窗e={.7vT%k 4/xmnrKs }=p.8zca 7-Q[F ,f Tѧ-Z;7vhBeEM|y[WC \\8sך~`.U 3\@qLnFNZ}5'0W/T].TQuɓP܅ jqlX7zrn~˄J?`.ɼuZc& |'<SfϻRkil|+ypL@` \FWZb4>#Lp+?BHtP n6+6) `;.[iGyk4]vp[|t9nBM?s7]FxA[d\}*`樒C3vUG^9~qMT`xʜo.$& dVl.3 Nw':Z[{Bp}.u;(Xi!ĜK i?vAwmxuh1eO=")pR[ %&n0Ψ1:Ք]0AQzs'!c\˳;N}V46)m9EhF(Wp|/X֒q8Rp߻z,HT*F6Z z蔜 x/rPM*$4*s:fgKOt(N\X-&@MLCz>ITgs4wVLyHXq}L͍ n!=._@Jy_}/e$N4qŀ^X ?jn8bX@j*$N!ԍ(D?@(v?n-P9 D^ɠ2KBm 5|?dkJDԝI5 gKP7a-;YБKt%JfYXVAx^;wF0y '(3la)Vu&mg֪ 8Us/ϑHmFBr$%g,9=<4k!dZ3U%A,\డ6}kю r&/%YqOgw@<_giIKzJ9[$5۪]G"YTȸg[rH8=lꂢ4|d`M̕iqcXlckYĨv(Y7##_|t:ZnbGZ)ngo$Bހu\ՙXKH"lb0P"llMbf(sZxNO;byQa,'$=RLm(;o7J,*x.򹨏$B6g Ea}EõbUH77"xnc_T ub -Ds #4 #W8t7pў# ƞeiᖘVŘſxq6 ʐv3M꟱G "!@IX~M `,n l=tl^|(bH1 ͏H#ò]Tg˅w=W\gKH+M.?zQr5|-Oa5Exɏ !D _\ v2B,l>#54"f9F8Hnث^<,tc9,)͝LUg&9U !{ߝ΢Ϙ67 VR q[r"y,{naAUbl8Q{>b(嫝qסȝIGZ:'bҁ Q-|a%WPXz+sz>0[|Y*R[2g2A+)E~E&| V mndF- %a5ii [(YL<2fC _ ~$z<_WT;Hkrn 9,S2.2da+o*BDNL9xfp>WoETѰGDjęDLIe;14յq8:ӆ)WD&$g\ՙo ۼ} -*l"Wk~5+F`'M`^V<g MuFVP'pbV2+)QD]6W<.ߚ'VկK:{^HF-@d䃱䉌%p IvoOF!i*^h((0QR!툟7:{!宰~2t\cWSYп>dl=p{Gѕ-¹wZf\_ (P'+|obAL:)zg6Թ8ZU''կ4`ykaKnB |]02!i_ <е3€0awSC'?Xa+30D'(o7d)nԜՌ7CQ$R.URkgXQj(/hOOX5Qh(<8i ABu>] |KFG2bIA"yWq2hRJn!.0h,0՜uE uĴopNsƘ>aƈ' A*jƯNX-'C̟8cHƍ9Ղ ^j_:k3NPs˦P!f7ՑT1 CS2Q Gㄬ6FIN*LIK~*dǔ͡LΖ4jxc .KCd^NyweR7 WTVTk9XŠW>?+ @e/Z % ryK(2T)Ui`}Ÿy$*4uFg`R&N"9m@eneѪIe8Td@lT+ mx ,o.]^HJuX D.8:#J[@=A"'nN82O  Ǎe ZFpzAaL_ҠRB%S{K)x#5>_=7Cp\\t]# Ɨ^"x˒JI̜Z&憉ch :&tY(ac,ge']sĘYe0RÇ i)ȓD_z&jevγ3N?ie\ųu] 0V&);.kE'K-^3)@Lay>+X3 @ΦyM]SS?V CuVJ=twn2=@OnC sh]l(_=2t' ;Mc#6m69irk>[ gA6Ntw2Qr ωٿXA-y^[_|\cS=WQ^5dy /Cygۦ&wQŇʟz2uDx¹#3&tKTrf5y=aXᨛa NP*+S<0d;9{{WmrQ$SvbscO3'~j2LxbVUag4M:""OEhKja8rv|@r He"# a넅2j_bm_(8]Mu!HRݫdI8eN}2mO3RSo3I߀B^ " aOmc Sc-V/jBOZQl~am}Q4ǂ&bNʞ?7eQXu=KȼN8Ȯ: P ^R_vwχzbv?JhǤǿ}d~! ڕ ec{7g}Cѳy%%Ρ\ Mwh`}Iq Y_Q[s/2LU4K7ecئ,5{}0@?b |2`~y@o)u6Xfd_oT%eU!}*)"{ф4XVm G?=|tvO@T_~|stL{H%v]zMa.,@kõ-j[~L 7L Ph /Qg)0Il=؄9=M蒞d޳fG!Y . iQGO3.oIAĻz9l/ʵ1ܿsh$ p8馓3d,~E/ _ֵҔt佯@O\M^*MRj0w_3 ]0iF6bR7MHs@}Ƴ`4y Y?1`XOh;s#H/ga(Q^a<+7\~m ?{IQQwa= a|vy1(\b>}E+IF V-qylaý{_ezc02㶹}u \Ōc@ю̚"/ 􋼵4ӛy z 'wLG74z)S33)Fl~Nf&>=:J(RѤd%ofF,&3TP`y]Y5\s&yV`wXkXzӢkOL@*cD,\5yg,XgCe⟙45roVW)V"@rZhu$F[إ'}RjvAfxʊJ@B nH' WqSы%FJ' hB|gU E-%լ"-Iy {^ &۬ק+0T8Mt#m6^7̨6 3IyM+=NyXu#955kvo{Ee`!1&dOֲ@ !FvhJ"N4CyΑc6i4KK" 7Nh#+gH .络;9!5v/wXZhzdQ@/و`VRJ_fZ]u~ Vb߶θߠ3A9T=rס&F~'+@-\"MK}AeFv,K*wO ^T))\as>ۊuFY7_d*X~hkɍjov|-{?00 XCFIEO\ h0Rad3gH `fsW;. p˄;nLܳtmL@UHA1/YC>FǢ #Ti 2YJ#>O d:g.D$xy8D}JZ@ @S3NWIG(҂.!٧\`˿楉^Xp$Jw g #šr}ඔlCs}"5y-kd 4ES!2W## ^PUn4%/Gؙ٘[i!J R e4@L<|WK-g%GT$wU,bg>`G5=Y7뚼 gQ55| OJbnnثQ&DNS褥RxS1R * U؀Cd$O%ώV*!PRST#7B3/3MUBMpD$2$α#ځRR愊t<EiJB|dw!zDuߎdʽz)Tx0|Q8,/G:7!e~d/Wwt VP78&>*-q4qWn-TZ(pk9\ l9A"+Di ABA.t?L*Wn2RxAml3הikDb}tRBEY?tufEe)ğM """_`̵wtÚ=V=ʽXLˈk̏RB}O\!5dt؟t}8W.!A6ֽ,kvxy˳6 :|9Dwߔ5=dV7dx^,= NrQ7ugW|Ա9+0Cʃ{'W|݌=\hU:9\I+:-H^4sYOR-oN w(W'6C2w3(à*Йdpu T׌,h<9']-or<o>O#Ky\5zxP Md5~Y7{ ǔ+EKs9ӐhZz KLIz1| =vvcsZF`smW6e$f`k%e'@aY3yw'bEl sCEhZQ|P#?K\}B>~h갪yd'?=+zf ǿJpuXTtxZ"Qp%{<jޘ ?﷾#hk:k^|ƣl 1҄lK ;c(ò~{RTWO(*#TDX\s%ޝsgcߘ)b]@ SZ< ȉuPp?uNfyJb)sarS(CU: D\66t Mui)<7!L6(j]ĉFFP)mWƸv^17~4tyOgl+mw-ChDtȡr@.BV8{*f:#AYr.ltbqqlsR>tTG$!.X[> U/Mj 9hh%Έ1v^斞 n<*W(#c+4ӛn]4ۓa#$jhÁ7?g۪\r;B6 L.;>3P*`K)cݵ'\Jfi,xq {.,^_YVy)ס0A0c Xk;YQҕ$s"`7G sYfƁNn-dY]-z4fҤ9IiTaXdjT` r?5 i8qƽ-g兲߾{%]Q)ZhZ %%.=\]Y]gΑ[Jٌ.tjLT =Kb O snd/㘩 s'lcyL,B ]'K#8OvxE ?‘n]!I2;Sr'ќa‚t`app1mh algf NٷXM؋-MJ s[*3QpdBi}F*ꅣb-pӳ;< wZj7ϓRZ‘5Szc6#)봴̭0)5[ZV 8[DI w! =~D#G"$`p g8T,0"zBqlidNcr_,]2N5TNfī,"3qT-G%bmʩדis{44ض - (T!P)4Z7"qQnDsok>=Xj%Km)v_AZ會NhbSEtQ <7v^LZ( / uzeID+r~ U1<X}G1&†$vNt{`qgTФZsK1~8 FM(: 7lxDePb߮m5ە^2.J{5NX^@Oe$OThM}A:z|F/FP{['R@Rng2:{Qi_Ё;SJ+ikTjAZצΆ0׷LKخe#w,ZtaHԏc; 8aQkܣqߴ! 勉NJjWF{ Mqvr/,4&YA0Q͖]D 7zhzŦ0HʡIzB?2z!Tu̬Fse45"}v؈;BwX=7SMlPvO-zH&r7r:g?n \T pff4GX,cKW\IWw1Dz㻁vS/ HfCѩ~G ƨ`Wm4,&.*C8%SV(Knnȸ~ۆlb߰Q\5%h ߌaCJ44ri_'6"MJvV]ķ"0S8@n<{Q9x&r֒eFm3ktD_)*nۤ\yf#p,GF>Y!O:B8wJI>`Լnu+%hv?[6 -lz}Q (N0׹aWGB4? Q}0^!7b9IA7x =ylǐ|vaPqX2o ))5MK=O Adu*[hFV.u RGU #nE z\XTv:B8,`H h*?径Qw!M @Mgߡ^ƳOd:Vg?Ԉ\>d|vX[#),mgV0%gGV'xtݒh5DV~{nUmE}M(hHA!A2f0>2'x|4u-ć}R-qC5vi8#($] }"HJK[O: 舘E3j,’NK;g11Xer~Y~ .?r;~€NVl ŕk!]X?{ lwzg%Rm%DKgt+;|:t mI:^ҕEƑ!-ц* .pjft(^2jɄg}@31p\isqCg:Vs}#'LnK lfLi/Ȧsjב0VLc6=̞%hEUߢ lC:˥ ۚ\l<k 1ÙWIQbZwua{LbǝhRx~p-k㴵q3E4)eBEZ`HjCy8Tev~!CmR sS%HlJ|K+?t_} @7c ]v(7tɨ'EmB[} zO%?^=o-s FS~mӂM!cɸ?𻃹˅,ΏaQH]JJ#4 4JJ~Lyz80 Aڙ.ݎtH]p^G@J^n+{q^)oJeA?r<@)ԝ<'؋=zc7ug+(> #򍎄VO>E~|Hͱ Ł΍ˬd4j9Rp dti͚؉/3^S%a|]"t1讗!w&T̻2 Uh+{bB';$QAg،Pð͑|:&}S:-ՕQG)4,L`Ɵ؛ ) k{@%Ya,|,wV%[ʝDe*mhҬ7T`׸$:ә`u C9h`iL ,.zs }{3?zhk&`jJOxrGu2·Z}7a:)Q/bѵpH{`ſ(>s6˫ U(' _ާxoyNb${ZjktMc<- %D*S[M%8gN{}FK\`D EðRpPIkN<= π kI2eL.t<;C,À39nyQqc&xpE)2i_Ƞ;#Vّ, u[@Aek؊ωҜz2M384ќ#řHi9+BWs{Q\x ¥GrS{jWUN f'41Q }~HH4vUA7|;,Yn} nK5Rv}y,xY}@ڴrgAxTG&+P1X+ⷴ5a+'J:&&Ü$Q[9hMӁ,%4s!V[x%;rMHD{P#ݵTRE(('Tq ڲyd9py!M!b$Q9DX#iGN `XLD _\D,XMH0}}7_#7q'z&nLV'pOҟAqG{~"wL8\GxVlcRفP}T.?~9{TxŠOlv4go^h'Y5X y O0edm'=QyFBG5AmV-/:^j^`!{$+h؀o"gN~lyEA0xHY*zЈ\n\/ya:V(5ȴbğe*͞8S8\gK\Yo K,^ʴl4ev9]vڡ84'f. `mz6V>媟ݳ5RJp>n.hWݥ gg._V]-_ 饏6Mw6 U& f[FG0MƙqAp̔ G ZmZSil.a-28Hk=5֕Mflo[UwIjEY8Gr\ʮI٢NJ0!baMJlnݩs'"_YET %`t"_tn:f`)h%"zTq/Qh|G>ëzȲ<6 (^EX%ʜu/&^Vo_\e$ ]֊9 ؼC9*n=KPky'; ك>vWmSxΓ.Z)o(;<@Vr+ݸ\h4BVI s I{XF:qM ꘂr`,[D:!9:k?F-KȫS}, džJ>BEaF\( ͽYz)R]+ƈe{75la/`ߚΠ3ſFUlp#EXk%x@ c/'*g_{CDy\_` t@k],ꯎ)>O+i鍆\n4`E;p';ݷהMҴ3'#RX{.K5s\-})0EpOR5HAӶ&A pA/U=[C>9d& VhEb/JcR qk\0KҬ7"n+J7"gxȒ8ܩjJh(Q7U杔`QX^SX prl/7_|#5ꚃ4R9b63-j ˝"_9b[?@bvH + ;%uc#?_W!8"S[B :P)BWRԟ:oa}~S%fCrVIAp2SPs5 ]zV9}M ptAw@I6#]鸶&i5N@Z(ׯ tWu֪uYbqX~}aUUT ."C*eTӌZv$aӕd0=}LNwHa{=E]z3Ը'[Trw(a V3vh@AuavVXG8od؛ '6kgr6 2N*7֯b~Ө}V+h&bI4 M5i|1CtІa=y5m2я_~4li|?%$y<~~Rc9ne؉,nHͭh)lM@",܌X3H9XxQY>A6@;0pBp򎴧F^K釋. õޅIB0$  Sձ S~|-%#^sV(jGK՘IKVuU? #'Yv|XW]Riu p/^h"OAt-ef<' qFBNQx 9,R!ɇT|6xxWrC봵(VFܑ⭝)u>ō֔ƒ f#oWBt)"]1Φ]8p^2J@]L0a?**~O(AYb!="ɞ/r%:1nUݳ5Ӂ%y@׶^%]ދ8A8{NoX) qCGWe>A4x2"v~tY5$[ Jz&G\T h&`C{x ˰ O&{~Hy#꿏vgL3ڡCNȲ$qA ,3 ܉x4}ÉʷVtd>?G 7CvSA7kpHkCsPؽYH(Fkn|t-1 Ւ>:@u~i/dbTQ\0|WB^Tzֺ@^e)l51f4moX 7]uh2)t;[ΩIw^\Y:⣶fX:I ^ָ)^N&cti˷bҔʏ%Y9؅*TT줸pCJwU9O)OėiwZ!:vܚ^ cpġ;zQMit.^0;s,FXƊ߄BgOj](V} ۦfh^xd9V'`QD#yO"fv'N /yz d+í%A=ɋȞv2ÿm y/|5qhj詏D_h Ν'KT nπӤ@l bA U 7tL"񣽼Uf#5nT; eel%bf4^@]/?P=Fb@n`d(w"⋃Z}"ˑ`-$}A)E3 mm{0F- \?)({vDPkFrc. V-(֋KDzM 92^9k 7:kg/! )6 thEq^|X>%|2u+'+ɼk0`r,YAo,&]u#=ܖ>e[pfZXg2!ܙ5`t|c#G0mPqJyFǞR9xⱋ) n<2Wh Nفΰ15L͕R>BNj'[rqZLr8 %TOIil3Z\$ص$ Z I">nPߪy=i׆DQu!m{G56H0L=SR!FVOS-Tr?N]8JBm ƘNZǟ:* V޵ahtS6Y(e@P^)(ᓞFDٵ9#ǖh3^ęo?n# sɫ (Tq!zV{75=U$6qW_gqb~yk'y`s!CJHa򆢭u`%= WE)$Zs, ~>6iUm|-kaWN!$̘yqg l#{J$ mv7V*ѓ.o"% JTg zDb;^bTq]-*n\H-Ϳ?/2!U[qWއ}`i6x47'4L2~֍z毅 赭od0'p`%zK +Ox:~s9q<>ly!匾w#G[ %FKj//F|:| 65ɗֺw?+Љ=o CHSf @l'Wa=(٫piw~jE((d;U3u<L|*IS) ;$ro|dSOә!3X$=9N48)+d£j H;5%ǔ/x2T[M,Tiµ "|Aa>⠵9É6H +ǿ~I:~NBX(bKAcӘy na (078.\ B*UڤmaơEku I  l`7zɑƛOOk`St.)剡MjDƐ ub}USLiC nI9Br,/h$ʽPlUXy`zQfs#mx0yeqs*cAkL\"'U۴7aK-q]9.l6(ڸv<'>dCr}+ GzVqA5\ZKvj_},b;Svl9h޾lkJld<YQO1T}Ezˇ|뻫&Jwsh#>~Ob16~Ud`vf#V@7'K &*۷f4*5|JК P p3*3Eo!VPt]\R[PL>HuNb͉z,lto"B\bIo)H7hh50 ˦udw=djDy՚%8; )m7E@z:S)Vq" 4RK4?ߑs3,U^}Joىe35LgmVVE*R&GS 5IDJHof$iYyIζ?̻ݚ>  2+FZkTF,w٭b3~KTQU΂rVˠ( .`Dp3?} `G~^?# E$xv'o$ ^Q1inPGη &< 7i[M-roDg7/ʥ/'hQ,lDg9VY! Ը1wPxYmHy{te,@BN @vco,O6@.t>qUaT]h]9:$%{ƟtmyibՍ}qe#{ɵ`Jd֕rf!ra[XYE'mo )ݧF27`uϒ ΀]@߃lx[q|'^7d^R1{9P)eַ`+xK0YqFo8jE[w>E!v˙S'Ic6mQ0jFH w ^RY2O俞s[PS#lO\&-Kdci@ǘPx>\]q⇘}MTA56;z\6=a_5n(z9ɯک$_HODJf r7h$TY@!Vve]~豛ٵniJK;J6v'wK DOe)⫬t l&=5cqV=f74{-MT6T[ .pq3{I).Cle',B\<~iBB k2jbO(wwmSUﺙ 4,lbl%Rr)Qk"|;\ Z eLc ^"QPfrxbc!fM~,ݚ1B'Q7w@x" YVnJK"\VTJuzhe2_e(Gc&*qߒwv/]]Wa\QAMv+=X0ϫeBSdZE}j 7l*Jt>1guv^F;ՠ)?~-_dx1B&Tvd(`=+X Z !\k*;EF^n'qmlu3q%/w~>qBi`2hUC%ΒBXHET]z2yw*JHbJaJuRDL7 q LW]N wj#q씌&GyyBu w`SnSobhfwHI>;7R뼳#/`3 wYQ 8^J;~ UTg,7!7ĵ–Lf{jiʑf%VN9hMB dO:$#H]/MBeL֦u񤇅؃yle>WsBܦq])lSn9r|GR[0|]-m5萱%]pkv(Yp"Ook9gfF'ӴUu'büObjGh 0Y#s"/ R>aݳl/7z@A5ɁjtEFj!պrd=8],Ɨ,4 +PABզ/@2EttP [Hmꏿeǚ!mYi Gт͜j;hl4N3 d 7Cn4X|JC0mQ+U?1#~CB򺫉j0s6S8gS92kt|[FBҬl@( Xi؇ZIӵP#, ,GjXƑˉ"E5 j|IJqN KC `%D^WoEPLN2=&-}0ǕԷz?R=w3m oxfdl~n(VokǙqpv2d=:7͟n_TFHExXGg%N@Lb=ybRԘ& {GyHRHjR!)=z?߼Sok5A.;ʬBEnX`U1w5rX2O.ٙ}lsK.iU:⹝遳@Ѹ>d> {b+׷n$8 "60 Ѹ CٛeX_*,xS{5O"ѱeC'Ft _ + g q  hr g/[ HyPv0DoA;A{v#?mX \񞶚i3Δ"ܠUKË7[F\b3}NN,SlGЋ={6'oj̗.22]g8$rTNDYfy3pcQeAo5dm 5UQNV+KUkjeS' 38.j¾.ɞ29>W2uz :4rxLpzmf{dPwl-{ލ v)" }D& *a]h(e;w}9,%*V똄Է{-☫8EF/h Rr uK}]S9A}8%aә ԓd'Wq ޝY+@H;LV͠$"Dx;@%d]W?h=1_4VlʽӅ{$q*+_:)` {Ԛp+YU7=j(M:uPm}`u/{X3ipĺAbW4hg9!,Qy)#0VC2kۦL<2>/bxJJ-o>Nϴ׸٭N螺VRrrqWiR@{x сnvBrMǘUOX;,  ܜ|y|A[*8WK5WyIUKLx·vG]On*|6ƒ[ZPh#Fx,{'PChx/ɸ -pjQ֦)[sXٵO1%2Uc6rdDq@RAPQʮSY*A kk>/7ձhYbڰ[W%^JN?M[}.ʵK|RQn6G͹ZRۑj`"FTƿErRGQN-4Z3w$f)\/Xg-)!bpe_=\261d*[E|(R˯@ >G1䮸DN 7O|+5 ⺆L}u[zTO/g#>i %&ySQPUdW.<72=taeHvC8]Wl+Cމ?B+Q}9ġ1pGmW2EfrU-s ^0Lv;pq_Y7xo`&{  ~icZb[x BhsWJ= 3ߤilB?!^1Z&lIzI;OkҼopaM}—F8-eKQC];9i$k;!?udşK_7}m-7 vWBI,lN<;7>+oL1=y s<[`WGPPRpMu fgv%ذxT?T`[~.4ICaK,Z} rrP X4v-*هqCsZ͉n@ִ3Y -}n< J6펝F\Wu|*V7Wsuy7:#Zp,.:iCeZ. N&/qS{go( #좣!/p ._n(K{'~AVStmn)HE :d*[F,o}߉| UZTR^!ٙO g.WzLkV*k.\xw%|ёݫ%i˅Ds'<-9j+3cW@z%2߮{jJhnq$b,}B㌟#2!Pg073>#^ 7JšiijzVJzk)w{ AXl`uFfTzV a.N jB|yO?Y?L2@;X2HF34WG8ݛ{P޷cd8;PVv θ+^F`?$+S!mXReGT½|#48nyHz`QOxFeZB v/#o#NHAF:EEZh-1C3E>EYw{rwd,#Ba$j rw7! PgYuoK7yXÐչ{ep,fkrM/ \N"<[)!hy_w, Jx&0EAD/ -'\FH%褳o(pz! Q)>%{{ŀ4k"n8$)TLulMi.zF4gGy0@z6ٍ/g\լ)Sb2ܟx?,bqg@qao5'-]2NO&42ze_[Sh5 eS9Qpn[zSW([&HNkD(gb.z(̭YopXkc;kCъ4sjdc~*]"*A%H= &:E\0Hx~\N,Dkp͜YP2FgM)3w:)~DTPgr6!\&g"qj^(TvDUJ˭ ķ/)90i{s+KlّxpPlp+P^XzsZe>̬{tNdތIh1Utʥ`66E{+C`ԧ#({kU|q4(̟<ˆ>m+so `@VWck~4gn%d8}ʚm'Χ&>'\Edo|mgWx` iVaVp9r(R_X'Htr+;UγbM3щnjнXƥ(a#Œ)KR"iY&{tj #gi(̖ :,˵vPMIpV2|kTiTjlQ0N#s`< R%8 V?+|P$bڲSYkŤ,FQs&a%ХSPb-V${[[1Noʾeu:)IU`|b|AH4q>D r?BTvSvd6>nYl<\yΏp4@5/S؃;fQ"3t$]i9Vh387[J}C\Ea sJR]E+_LEvkm6s`c'Z/)[v57zܜ]`Bwȸ4"iK-;g?D} [Bmel/V˽J R(#W Ȫre4'ƪ.XB>6K mj> EB;HVzo\6,Αo(7u ,<-}Tݞw7xwUWT.UA!: 5⡒<pxsΆħ1JIp;!(|E L2Y lKƨďVm8!jhNyZo~A*jLMn(Є.j!«V o"626VW u%–9j(?~3ͧhoT(uHAI ޒ1L0h&K[ll^H_Ae2!}},@#a7/f\gZRq!TeOCg>P2&ycMfhr 0xGTBt?%O蜫.:RqaEGVHz3$yp`ߙBk5_,(Lm;GOWdTR{+*`B4JQ*dnѥ{{~zUά8ۗơsLЁBˉwk;Nyʧ԰|uA O, hˈsw'w%ZeH3eqxC?6Јp4C {yC4]윒ő+=&co^ P, պ6BLhl+IN jr_n:i: 4n~~l;iݱ9/ bku1j] Ӂ&M2fz UbR% YL?62U);zSQ2b1!9V+lh 8p$j_muh, W]e8e^xq7%TX;Ǫع%-`O*747#nCG<O{cj %H=wTdd  Pb%CEeܻDVƇfW̭O\VAÊ=JK;,n1f[U{.C, 8yŽH VK*}剩9|ci<H@%̒{to&]ZPCr kl: >}Y$y>(9 N1I\LsaN lvRYp_AWS> ^SKXpl_ج@%):5bkcA~iza"$e?_8]6C9 ǎO~Ă|ΨAW"usp""W%װEUx~^ O:4tť9Zn=S<$εNБ:/߽Z8UR /G[r8H<:խg3~S|(sp'{B V8 @u+iJbM%Οbijx@bK<"}Xg\cD>+*L  Y}X-|R).9!}Ƿ9al6B`W qq:X IU<]ʅokiN%Tw6}9 ґ`-k?&c4َj=0FrjIorhfw&y3QM1[xzs AW2}N:OBEC-z FKrrʉe uLϞj1 nZ v(=eana4Bx*rt](8{^A)bU 06:߂4]tԏIEށ9Gsw絛Z.ٖp!+13 )3z)-KdNsDe5#܇(ɾ) ٖ17ktVFS_Ѣ[PlT\P#eաb{2"W]^׉ ԸQ&I54"B˔eOIdY-y'A`Ja. y+_RsoioXؕ,ё6tmn$ oV=>E g†wۄO9Wv۽<q1 ]iNq67sCX)QNg7@Ȟ!wos*gP-M,2V7)ΑoGmp*hxΔ4Ӻ'H2&DHF6dmCROTv멯Q]/M5x5 Ha3)LwP{MĵcHSG7NWfUeVQ=jO ^Z*(nU܉9K%0[l>fQi [!xYOx.-+2۠ W ,8EƘzbZUmIG'&;z=ˈXPWuV牓3] #RIU۫wmhgLJ~X%pſ-Oh](%`ІWm{#XŕYX `,D3GLg&)Z,b`bb6M+ݺ|51\#ED6?ᚙ\0ts=K:˱̰#2:5 mGfe3aVoFY rg!|u~^?ߌ)yԾlְI]P.D@!i^$Ri +l)Jv߫;xkg NR\} th5[,biRC뎏2-]2cWw!*+F/ ;s&@8\9+:FecjX\3hEPך.lU'Wr{-LW{7OKv$-[Z@!7Q!g=reP"u׏ jjA>F]7:\_td&o7RkA% u9nrhLuKca 0teW>*pS݇3oĨTiY|0//S&<` #OUo!yZ|3}HM6tYLYt7uvtmk Xkmt&!\8ўC/1晃n7ء%^U }"aKN14U*(Rnu,RKEJQ+xo~,cw2;)Lŗefvl!H!DyLk>NLGJiCza*-8 _w65U<āa2xeYthȵZ5lކ$Fܙ!ʭ@{; Ze0Vm< 暢S^rh 0x(B?usÚj͆0$!RVE*! V.ߜ((Q)m؄ 3ʇ6&b5aQN[%*2}:yTJr)%5s-'rD}#x Mnd.^&9-gl]\~SVJK&{FDꟉGh[0jA1ٯ7K‘!=,_ 65+T^կ]$$9tݔRG+>ÛbR Uw* " VL|)$,9Vvrk=}C^ &on">E^~*uzǷt&qq_46쿵>ZW2|‹c f\+U!ҿn| Ij{NO?&d/^M?6^R=V4BlyG-wc2:zM7(Ƥ$n}h~e{z9 >,I 8%%h{ygT# %o]]!tN<\6 emYn5!QcfK RrNg?Sy+2R=fE.4ԏ VB`jR`E%\[ujxu?Ef6`OOЅ4Lz]zW%?9MP~K.9FfW,vOҘ'e.U4*>7: e,ϺċPB Wqم8lܝ<]4mߋI`E2i8GζC ]t.R܋O {L:́C_'S|nC8;sgzdAlpw&4j9w MVzf:zaPy'l] (-Es^r[>qRw*/#>n ,?݊zWb*)ЍQ M}mV/NNTuTƚ+.OUm#嵰zR;_󨳒bUWݤ9zk4ވ;eLKb"xZ4TE)f 9J1"C%ҿR_aܡ/Ԙmvmh~ۻ- zk"obd dEzƼ~;NDM֟1/9p.gWRꡮ`B!.yC}ޅKT̹oכhl͇W:r6 ǁ|-c jK;ОRWʎ*U2*!6V_SI]@eg8xO[?|BuَthZk~Un$hW tZPFj0BkJi=-!Z&&1jQym)/@*EKˎ\kN>20F-.q/$\`",PQrSKi{u{mB cvO)?=ٕU N!7 0{F_ wˋp,'[MZ]?ݱc"M~A\˃ bVРp_#or0q/SߌOTՂ6_o8d0ؽ[>nY#7]L36Y ;^9f=8 =hbP"]:cO, JG&聄AnM<dwr: zJ)Ӽ_e G#Lڴ_gv1r9mJ͟7 }G$Y3+uW\=?;ix5`!# }#X8fhܜ)s<v`}aƵNWb.X'iA)~.Ѝ/=Ra.'10= @auHV`ŵ/^[ID 2,Ӑ_H8cvpɵPnexʛDEt=ʖ8-M;@b@VhOKg~:-|9RHuOeEP_"m0'_c_7mhLX6ىRw9cȵ_*XS|~ySKWlR+8c<?ie`$Ը- 2p Q fjȥ0'/lPt^eK"x'=:jxԅFI߼1c0]O6De`.YY^("CTr[ N+\md/M8D*< L=Q@o U*nӠc$ ˾W*1 +}}g9&r"._mG|W`!%n7g=^VN`9N@ .4= <֘u1&,OlZ3!XN;`dn>21NlP5/"^DU p6(rz]']*GE2Cy.Vmu7uQ.yp1+;WW+M3] PcfnM;f2PWd"ou2K͌׫w d5Iߓ x=VBa`TpZdĬh'5k2OCe e {C^Փ 𦖮ݵ.1qG^K[hTjS20KWIYԥ&T IB+Cd(Nmc1Ҹ劉?b;2N#$d")rsr'pq)\".7\QMn yIx]w29z0F0c4}t."a)"18]v=ad4& $`d7f5sCNA#+'Olus?Mىڡ$V dܻGI IOnԁ:iO+R8&,ɥ[b^Sp} 2pytXJe+=[IF D#p2wѵn-nv)%yXq tHG) iqqjEI5ӱq["Hj1zrw}.?#Ն}ECק-}z@B@@2 ܫ2.Apg2_rtDr&*{eA}3ގWBw0|9FuPM ;F\̏NZ77Pe3_Mߗ7ʅY-5ADX@^D%IG {3!='#Ą@k_Em{H0#xF*F jvǫ';=Oڟ(^M.bM򴹤d Vq(oԋrc*-T^2p+) ʰP!DAu I܂0P8!k_fy81p7)~P w xlA:y/Pɩ 5}fEv^'j EUcdWq'۾ƍnG<{$Om.ܹA[B߲EB 1al~9fe|+?J= qVStlZ|-n(3*[|՜= }I׽gq/^pYs{vĤXG{uH |ILƙпSD+6V+wc7>?F$~mʊ]:FV={1uE+gu' ]8T!Z",+it|#8jPwLnAH,5@SME;SW( Qz=Q]I@⮫$#[=+e$x)_-G'K:Ŵ;XRX-a8|=3hh͎XFM04F66yh!VxzN(9v}Ӎ)zͬ鏢jsY!<`nrW#bXXʃp NSfeIsjRZG=vUEA qnFWvOքtۊ 9WTӕq?Bp~r9}3ec997>}T¡@Tj5Vt3r"GBOn&"HA,\~NPNQ3FobȢ2Px#]Al  '[%yj]QD%`딜tidc9jlwl|^Zk+Ř {x(2[szJH99WK?|hL\@.?N7"c892~ w @;W : _0 ռZ`5G7UU!𘢘)pliz-n %J!@XڐEw] %yGM=b0/+5JM 'T\YIiƺ>-½+%)2tXVn&WS `t1#oB2E,XC59>ZFƌR}Wog4s~֕3z A‰G {%1I 6u]PB <㴗*Zw㝚 <)RHrpCc1D+rEx;EH=)F, h)B>6d33{ӻPQQT(<$ \:3#J hISCN}݅(iJVv!sԘŘʋ^ _0?G1. Σl-)tK4`! fl~a&{7b=RlP<آ* OjPܩ|FiM%uڵצI|rlDGB \7Ko|Pf[Pڌn (wW4w)di^Q3DRshaD@qL4u1e:D=8SwıN4Yt`+ch֑rWk26cvR23>`IaL';+5W׆Ap _ ~,]_!T0[ue9g)qJ NnE؛ρ) 34aـ6vJMdHLSdPoeE#\D nO ,VR,!`zgv@0ASo<+׿&kYa ='֠Q3\>SrMAw7QM]z:TWqS= r\g#&O*ʉ>79rbgb|L'ۼɧF`bFa̅sҕEpZBD )З}uxǥ wccQJrPp4s[c1Uͩߘ2tyCF1(ylkS|Sv1$>nMml{Ctt3g>u< !uH^G-՞H@ޯ"/-ET3FxWQYx0-V"Cr. ͦ:ue/)z]ا\`<'F>bҔDΥ?0Ah!qN|#gh(ȢOn{wɕ>;T}΅ISzc#PAt4{ xoLQvZ4qu ]PC|.஄~W-aiL7_tD@4$?fר܃6d&qG:yae  mgɅnɿASl?t=n~ʚB9!ny;Sq|%\/.?Z5M!46-xSo06ݧ/5ؠ$킥ȪLRkqMPE(m׻#$j>kUszB=^2 %"*QsjI1!z':,7¦>3qTMnV ':cZkD~*EU;pVo簱 z6OGd֍*r|\U% ߗS菹l'@G!!Ϡ_ݧA_B6Gm>x\҄Mi8z'"sw¤P Ϳ>/PHЮ'SZz,HŢ`rt$aP)nIhӅ``$D p/h ”=8%]sתXWz:Sbs<[%k ]PQw,.r1``QfK՝Iӷ>_Ǎm ÈLOF)4S+;5=%#ĩREZ tDCuV(-[r80{1Ik5+gy&=l[4%q%`G::E;?Q1@R N]\X'f*wGV=  ӭDgLJ~Lv=M %/}dLWd YYOx( Ss!lD[i71)[kzwIqa]~1 ,HgnoPdc .FJ}I]qQbs,Pg~ZsҘ\cu`M5F^q$CjݥFK, ~.= M}SNwұZ&7ݮ{E5}WJL=BlSv2?P{\[0&խ{B(~,-.HC#U>QNN}cu-ǤfE;VS8f̆.8 Ѐ0H&HgV,`ItZP9 HXB.gajBr3&tȣi.ljÂ&^b,Td`&F\jᙦz84n%s=M%$ Zm@o7Ą?lHPv3#U<,_GXUoK7:›ӵMJE%~o fiD.>`ƚVs}/`j#TΥ׾U%>ԧ֦5-Ƭ Ң%&sc&*:@h,2#4t)MDo(!u7VBQ*~sͯj VF!̔v2i{C;Q(f`-Kke/i9_EOiN^ȁG[RRM~aUjF#:o>NDA0I59h4hAS厛1.u^nFM/Wx IKjF\oNF0{>9!}!a> m t#5Q1wb9Q]%=3Xk:v.EKC(!06Rft 7;FΒ^x7U\[>{<߽SWJH90Goe(rXdY{D(;H'fi ݻI߀bq$_aW?Z_6Z|u34D8# @|943WS"Y:m*#%v*+q׶0oG)³P۫ ;xcmt$5,u pmFV;giѶ͜˭Oaݙ% ,"okL>Z2| *l!T?(QT: ʩwrn2#/g½d\bsħg\9xNF\$-ukmT؇e" $T]P2fv@z56DZ՞`ZwN +-G'vYO.+HOzuW)NY9Ҧ6vϯ&ao<|~j:NbXcx )4B}2|_fY`4jmo{uUb:ҶKdp(=9( YfY$F]3yG\"$2~;&rHT85:7ߔv!P҉Ap( ZufR싍mx,J7yo*6Ͷ:FLzx le," -sPT7B9bTS#:`+z{ GǴ>8`~<CbJ4`5_jyfXwMpvWkvs>+KiL5:E'CszU4 kX;uÃc# { dDь?aʸd]X;*&-k )B|!JhShW0'u71~k߾#iR7؀άᄆ&"ګe)ؙN$T^v W~!Ԅ>'\ I^cÑ /3j!}WS8)=#4MVc/{1/vi;Q!ߋ}{SL%~Չf,^NW"/2K&p&ONX>9 1 tWSԄ`Pk *Bb,/ܕV1J;j}6yOA4m0Uuu 71NCh3a&lրB\c?~׆R1@!j!iB%R⳼tFPz)6,EٗLYDz^3!,G^3Bk>.$J^:TB3ƝE%jХ0rO.̮ -d0t'%F%d+5Q+yr)L/TP+:^1Y=r0ɥs♪g! M7(`wg nM,PG8O'r>A,FWLBl2 51␺S yvpῡI>O@29ڃVуTm45ݻ;uy޽hqȰ#%=D"s }t$C^Wo7dQm1Q^-,+h|PQ'ⰕY/JIB湨;z qOA230Ǡo7K Ein֣ykK-ni$ݼEcpy?Fo/HD:KB7[jN+"[ 6铹ؿ!׿Ap#_1CD-z/ . E1z$tԪ/ԏfLʖ/[hъ336sVeRwգA'&u*_'u917< }[F 8xQ7?Dt13wHr'{]\|( >,:AdV{x7D"ׂ^G)Y6xmjc ^|JK) y]!=olfkɪዛuE[lKf"?b8?$!CU] (PZ٠ҾcV<" RT'ASl0+!q`-Dʣ<䪙ڢ&:x {tX:HPWZ\ʣS"15bj\z N>K է-LK *Cؗ);V)Q[PXaLsLCS"v:28%PS [NG:rMo)DVu6]F]Z6K=2a.=+Na^u M3PY #ORC6Լl7%TML߯yPCLiPjsh|]+ɯmOwjj]5XaWVڶaJ4O :SnoiC Gޏwc=M0"nЗ8:Y}{~4]cA;baMSu]oJ=g=Ym&*?Fh4{P#qei&ߝMF:/(0iw-Jl0R7T"Km<.F'7P8PXyqS)| SGxk.OhhDj1YW][y%qj+2XgRG )C ,ͮ$;,uB%~W Hnkgx|>1ɛַsG_0㹒T/YӛN>pZd;+"=k@bp%bqZDRlgɧ< N#3 z+qG\b:MK`puiٱގ^tc*Y*Ӱ}~h9, eL`pGwi rr[L ;z5-oH-$]!n,|xo"^yIqtO^s9dSÞx^qefr4Fժ.n*r+@xI/CyEfaV Em쭣1㖭Pܢ-{ nNžr-ad+ T2vpB$G5}A6{ͦv?hRR{$X6hȔfbc!^LSI趪}P1rC 2fZ%ߴU̝GuVnr;ibZ4h\9jlUK'W" qh:q Y]v Bci#`%WHfV"dVEƏSWfIRJLaIg3cI6"txGp!րjXUҤoV lYR$+ġLbcBb9a/Z9 rOtl-*]gnp1j0r{k)]ǖsWrKf[DA&+/Ǧ.$»\Å!k&2X8) y ?n%^jDh~hH \oFm`9ЌE5D&іZsӴnp6 wsҖW|ĥauy;:IRkX?j1wLhP`ӔȂ,Hכ8͞ #GO0ci7nI1Y0K1irmG:[}1/$1 6g[ϖ'}y6w XlZ-C[e1):FSv?j{p$%y3qku1 :(X[ٱ/A3ϜPYå~3op`Omw!檻YdSC ԤHCriIB?֐S\U)`@guo,:l4q-|ZH;@GޥErtf@a!MMK, 1+rQ{h?^/XYp[.g 6A=$u@xoy*v [)"$_A`vk̵q7y5U.KG[$bHe/;ZA?fX)?g]v (ft3rUᘔHZbrz H"@CdK4SOɴtww.ג"'V8XVGZJ_զ 7n4IvH7U&yaVq3%${cڀ\Q9TK og{`TƪѭZ,DfՌJUN|\jWYˋP۔Kf$`ISrA@akc>t2^˹Ab?+FP.U{_}}o8 `&aX]hh6רhc0 8D6ɥN>S.^pgbT숗jXb3 mi8Qq2 S@8<=,mbs R#U{};]B|NN7Ż#Xn$BVdgx" iKb\22HdjHu7SX$hy9SNҔE¬9^:uuu+:f7~0)6+%CuurIYB}ڇF30Fd,x{v U:xP L0Al]{Γ#$0Ӳ,,~B3kiJXݖedӒI4z 3Z?L4^E[LΔ -5unJS6\+ɮq3᭮W|(բ%W~"ݕdy'$&-DqԠL6`*KjebߕrTb0I8du 3f䷼h [ ̔EZ6ǠXq4=jrɶ%ϻ&Yc=/C֙+mm`^87g5 0&;a`dWx=N mf [Fg3vٸ^X_֕W VKaj}<(q$3F[,8"&0 lFi!OaPhﭙ woduް/Qg* C'Kb=׻TZMlar%uzYuQd޾~\CBЍˊj^Ur[V^"Tyu|Ԏ%I2ŠWLEh}1L1DֲCAB:6{&$9Z^4gs艐ʘR/S֦-xׯ9 m?Y(2&9E SeC }+TRw\$%x:sLA'(yE*ȞyKǕ+^Aՙ#1ZPdβ뀋 Y˱ 4^/ ڎFѸP3[3YbgAh7 دFivSmySp)Sd hW ?sA9Yϭ将aRo`%VFǴ#񨢦7wsC?o7<{Pkdi?OU+G]1]>ZCQTuX"2۴(rDzѕ zΈ8X6X?b̓su%aBV~@kUH`DV*]H\J;f{jۨNcTvTlD mٻE/Cp * z̹Keq*7W =p]+<>?jpOHB \.6=pP%TaAU/%`\xN3,\[K[5viIjg>W-eBq+M&O5}ʵbjEaCTGA$ BrFoRoJ"tUvpKOvS?nL.]!+xtE7TA x֟J7ň[M<ЬyYz`:,kLbprU"F2J-gci\v/5̠–A$`v}W<CnGkv He( 96Qc9<˙6;o6UBm"nmb?44B7̛]3"k&JiYt`}.H89t6:95r_"~Ψ@I}( M$M$3 .BҁajO~坫mWLjTEъk XrmL^AɧGws )i"Gt ēv`$jx7 S7 porY4"i AQ'#,-@nHqKL`݅}q$dsrRmFAU3 3H.%1FkS2)Vpvޞ?ڞsō(YEp|oZ$g2'WG1oce//% )޲#6ˉH6 T9.)0So»gR@a>Tr!.z]g|͝kF(: d όt苇PY%TLx}7s|1@پ독ro6N~{3{I}Br.:@OLC`gV {W,OlK_)mK,Q,<^5~/2? V!96o6ɫ/ S F\~gPnpǼl٩XM[3.w|OU) <%ց@jGe~-cZ="e=O'G5!(f>#JݿSGH,ZA{}@4SP`^^b9\d^i žczJG ZX }6gj'Y&5gD\荓t ha֕fPÕIZoRe<=Ey(օgI=~\t-8RAaAjT-8g2-"-/?qB>ۨV`wg{oV)I-DG>Jw>uϷD@-?#81 JIn~95~7Mw_:ԻV KY;—vԭiy:3T>_Q:dʨvA_7rs  V]nQn?")98J2~&Z.{mbwPw4bQ΁t13&PB L1] v50@zAk^3*L=6֫~SpTdZ0Ђ Z5(_y=姹X,qe;qy$J'r b {{[_e\/A9؋zPܿys bɃEu^(R,L N74?}FIHj΃k[slk`n oVCr@&E$;C5u MޞR6Eyο9z@SMtV>u~f]RW,JCL! 0p`_rchfW5!G”F:C5q<'SAb}.f5Q:*s-ИڛCCX^l3Jtl-ೋeVJE\x%@w9!G+ĭQ a>ֱg]z?M BE؂6m[Y@OBIp s/yo%9TQS69?ݝH~ٽ1xN*`.eS8ν?e[}[0]&Ez` />-6%=6b黕h$.:?r,2`SDNhgg}%.I+1U5P4;W.NZ.y  g: np'QWW5⎖32܇*4I tY8]Lh_Wқ D!{ e(|bʰbg;A Ͷ@ۊu~`S&s/>Oxl6.Pn-zivAg\T50s5 `vkН j xM ^_  >26WLe.|5nDlȈY9Ԭ-BZAOss2&7G|-F$PV3QJe[wnQG >C1Nf4?{T6@.?IB\B:II*!`)bOErE&;>p|KO< :19νfm*;3XЉ`[S\^{4u>wY'8֟\dKe!㹰c: [\ "n1{[!E lbXfU G@p=(6Y4*T003]FiPg4#5(Im]z~"Edh8G%^N³vʬl2@0_p0tЌIU Hg!u@ c31sVl|)JM nDF) v  +8#X)e2n+-)JXn f 7N@PF`I(ʈ^#&I(Cd# 0@cÐs,{8N@m KknlBaK.^/@^ ":ox1M&1D=.{{ژԻ\Ød ku*F8q\SA|Jdq-.DG٤"/U4}Z\jKRiy_LIGc$f2Ҁd~穐 s(WxP᝸ x (XecBDb<jSX]Vdh+COY;=M1:,9/U2׸1Gm`=Nw<-NtC-[I{Kapפ;fؑu';)SdjrNo_ьz~b!B։i$* w4 __{Sub.EJ(|I<+p[ TGF'g{kMHOj4aCE|qӍ~]yRR^kLzt_)x?,siBg1Vۄ(>_mKj6R{ڋTJjTpп=>I 4d̤=vxXu9M[ 7v]Ìb2ٔNqj?Edwl,Q!x7'pBH=sBwBPZlꁍɏoHYʴ?oGyC}&mxjs 4$wrJF}%Ic`l 9~}2ѤiJ5lXYK:NNR4&h/3Tsut|{>aQJ?70C{6|N,8G/Ic%WƢn>S5r'h&+[hU#Y5}.v 6%5pF7)KhǞn썁pCnA=] χmH!KP:㌠:E&v0m$Okg8rjJh ^Y%*`E7d"pk)}{@ߛXqyr8_uApξF8B=d-{ V]fcvǐ\SDN;I[ٛLʅGMMip6\RfʪYϑ(Xf ~ PNbP"]ua-3a=zNj3L# 1cbxlS?haM G]W t7>/W#ߤ3*3Y#5@읿BϺ [iWKmkFPť:*| g;ǁDDM偞ԡڇ2ψDz|UHxgA5qه:m,}!"[OrMuDRI[\شh[g2 G4>\j2-xM"A0w}UJo+˥Qe&ix^C  CKrI9E,ˆe5x64pӢftiз3KǑ|`n@z y/F-]v"n % UСwʸJ] ѽ|d{[|F1 YH%KvZ8pl3*/˔MA4t@1©ܠU\n   D~gAyNDFS\"'e|p~z]bVVK[u{[x y7b3])tmy~`!= M-OCvzljX{8ǚ .xkLjĎדWKV+Qn-vEIH@Kb~uc ~1 ̄o+p!֭A{n76ڟ5&IJx|(՝#e݉z5< }@q|xRi3|7uFbyTDOx/&P9D>K? ܷV 3˔H5O +8ezƬz+P3!`;N2닅}U:#𺙆u-335^E3tjgl=ޑxO3nt6M1AL^9dZls6U"E/ [>Dұl0 Aר\5!;iVt >¿/ȱgcc0GŨ_mS>leu;~0W E#WGV٨}wpk V<ɡ_FP ;a);W૳Qg|5=;\a3"& HvŒEN|rz;y9r?D3Rh$Grp\O&o1Z5s]+A9㳬mU7.8“vLff0~z7CIoQ1y.;,˦SASUj CeT՗Q[d5Ʃ7O7B^oÉ9O;EiSR$[`WK'X\;u%UMHqT^JR^Pt}VL0uC/=ee YXMGPJ z &OGA>:.2,t}v{껍a[ep_p[&/lK `G1]Gue6poHbn阼 D?rV@'[Gf{@c=Pk?= бX`@b{džq-f7"Yl= s@C@4Gx 3Q6#{ d$DHV ^(rU 3Nõk;)k0P~沽s h Y8>ikxpZKWD#fa4 N%FwHK=#;+ð8@"OCѕAC {fHWM;9R lů\/J`qQ)<-r0'htR!FYn('ykN4+ 1ΰ05p٬@n*rZ33zM2i#ޅkclr#s0j7R1(լzdMu\ͩQtTֈnԂHʦmTexԃ7շKuW0zT`0bX  2ڹi0-(lj=3 a\59fZ~s/}:DH0Qo0&}{"&J^Im؜67P;` Gs$A*uc˧Ά8=*5b$hBA`mpIPU26$+6Sw j0&F vfF= =6Vh@n~MA\|V0zI(b*C7WGM,G4Tv'{M5G ? I#QB1d. DJZ%|+BEld )hı]bT10O?~-el7yEVokҎ8@[迁 :| JG˒O;%$ƐUDYܾ)0EIHqG, kXuʻwQ:Ƞ=:<NJ$\thoxtPtUTPc#k} jCb [ PR@9%fH~&Ʊ`|yٚϒϓ:Lv 2V3CZmwi打J=2@>Mf)Fp}6wmԴǘk{)o?⡏u@XڑL?7Q=q!Emn.q!NQVeMO%\ 2k/GaH+a .Q4l`5[} *KŞqęJMTYZ+_kt{չU= $p|(fbՅik l'AVWQewtz7S&+m6v8u7P+ۘ<%l/ؓ>ɜ݂ +?W }W2eyn<`] Umym]ʁk*鼞 |59SINJuQIA(ns<`l0*FAѿ?- O15ks?*6e$#{s$_ OlĎK3Q& ={9Ɖ8]\\7;<2F)Y價@|i7>WSR VoCc'CMՋ,|HCNY E$ ?P񱪃45O ;BǗӣE,5b$}E[>]9SWEX RCm.`e'rk RN0G\ɧ#"ɱ^/2޼ښRKy J6ݽjv 0JO_%. M6AD9EשPpؒ!xM>p)r3ǩk;6@R{ӸYWtB4C*|E9 @gC-y|o; ;qVC!ٸ*fc. aeN|?D]NW[j<Ħ euEi! ?[ zIah;ғ[k=o %{0Cf]xw6J1ŶM$d+]j LARxGx _LE׵Z DҨʜm^>&>Cɻ0=_~<_)Ŭs~MtIZc%D|rp2.-CsȰrɤ^Б/FTuk՘v>}S*$HbAҬG$o;S喜~yxWfM"d ƌ ̆g9҇I+𲏕ghѯ4h{꾹0op7/f{KY} טy^ۃ}w= ʄ+ߏɅ=2GN;ꓩ5NU_vVB١~"'<;mT ZDgvOD+ /PxȒ[:^*P]&XNi%EF8*ZFU5Zt"АKxy~PrH?6nbd< Em}B[ CٲƉx,9Y/t±Nq )SsG/oKg)XgBw 2*Cim8i9GJ7aVB/brp+-&l,R>iGS讫QiV vf" +<fՁ-ҋkZ̭7oW`ˈK,-"iOyKzop~q.̮\jk6YPtc&Dv@E?&J 5交jM 67v8[&amj? +Bc(khd?:Dh"(v79G[exPISkR=-i3qsB<b,9ѐXPbmI$WFvJAVcmi4OUj$ħ'q[^xFzt.0kc FlӆWpZD,KAx(0Ԩ%;X*j;YTDFˢJM<.`}XHܟi;؋G[S_W`zeH]ўjqP8ߑ` ]"HD}ؿޝHiO߼-%|Gꝅڎ_%Jwewk⎞A:,$nT~(~w}2Hz@֜Fviɧ_UPHAZB,#cqp9qP^Rd?̉ `+Eo-[c;nHKè¤NjdcX$M5(Cf:`Gvw*CZiw1j[[|(u0sj_yvX`C4Ԧd{(iAŧe̪fs?@a->Ga a=*_XCuZTeW H+smU>+}VTSt`6 t[ѼW-ckrts'/Z{wW88Rʹ  X':N]x~d[]&K+d1 f?썤BM.8(49kΘҳB(A)R$NK)L9^A2Д]%*yҢ;rØꈺie Pi,-Љ Ꮍ9"3fb6iSozyd!oI"H$зVq뗔JR.d*`<$l`U,D~, B)֑؁v3DpG?q 6jٌz<1ij\Ld|B G S?ft?[Edf֬ QbLW({0 W,hۼ3OEp7 NH (xWW#Hed7d犰:V3>AtOt~GhqVGFg}'c:(\='^H8O"tÐKg{*<ԛ %u>{݀u?s3pDiԨ 7y|;TLl(;}١ٯjU#? $ *>hsd@~Ók˨Nr 8|P f3 -GJr vgV*.7xԭBܪh~aځ9'ePU \&OpQ!pܭK N vɗOvcݔ=7۬4@VdnC|~1]}'diS^֪gnxA"`<(SrQ2~؁U3{LPShk`tFN0dF&:i`&KԻ)ݺ=,]gl_,LL/ٔ&jWՆޮyᩲ\pD䐆zs9yj(xrj iZh0Nlܹ{x, 'Zi㎮ D8qZzfVc%vk!1V屯|:'\Lg-' /@g|]'J`pfpH<9K~J xЀa@ЙMIdi§wYn4Ta,1KU+\UsQ5MZ\]oop1}SIzh %ՠw:AXbP m!uY L*?ȲΆ!fz`6%q9,K;wkl4sɴɘ2qX~DL)JQquMU5Dr腟R.FDE/ ZABTCț(Z5*r/'潉fy0zj4A{q)Yed;Ү N f[ORJƷ9 w*CAfXr1^JK@J!-4w5ݙ&#n?1WY%QAmnru[KI?_`b0:nb`AX!&t'FmC_- JN_UEU ,S.\LٵMQC0eJJZuŏHQKNxo8ur֥]Y.\ĩOWqT@ "9R1#ZCiaZw357Kxv-{_lޘgu0B="/n/ u_Rd5`T\^c0r&2R]# Eo 3W4''s&◺*Z149P%᪽c枓Դ٦^qd)r= d:7k҉A5ld6}BEmY҆8ν>zsjH8DgLѨ% 8Bih3L-]ySWTsw$bBjBwFgEZQJɑ ld >@ v!!e~L ]$|W怖H>jc OT*Ŗqܥw1oL赸7U 0EmK[~o߂O $2 -]NS&*ˡeܝԿhQ耩qwF^ <4idl $"H5`Cȡ.e@a߲&h3D_Slv~ZT{{yvKTrT?HGl]A\?xz_4@+C5o SmsJZR^L/Y߫RMCzhR1WGa7smB!oS9`\<40'u漠ڄZd^RGj"O 2ڢ`CZAB5(cEo{ҝ(j3+fPrMjg+ȱ J%p;¯;FТ ݅C-9BGE*&w.-"NN~ٙG2VGf&>ٴ.SP5@Q3b+A̞GCna_@bİhiBAU>- `W3 c|L)3 ;_2FLl-({D(~G߄m=r|`q6\b BE(5ƆPrv@̭GY%V;fM4T Hs0VvmM#m IE8}Z;#d2!![GH-#486WV U*cE| Q7˴4#5$:(}Я 0ä{ ڿVKҽteae/A+JUob9so`H}T˶?8ثD sCOq}b3x\q/ tәFpc6 ydVLc *W]bi>Yj{g[[m m$Oݯd J}e1)FJD7CJ`^0swc;N )$ͻ!=3wf 8ܪZu(WwIVenQb61Ћr# ~1j=6@()OԀ&q~>yO ]Il.Fݝ%O'H9.'߅긵l.aAΛU//#N&XtF+0 ".+)PI%&!ɓwͶ$BA^%%Y˴52yn5׈^rb)) W +bT~徕Y=3aNiݵʳTbqo p^ %%B +Tm+l512" m~ʁ)946v\;8ND=B ntT㼘S˲fPPXKaA|rF8E).Ú 4E R\}\/ߏiS: cT]"nKrL]-sAYSCK7.1-#+fðfȕ9Jκh4>;O%M7% uR[5;4NEEJOR`:N$ :P6Tu/FȨ!<bӆwz2$g݁ocɑ"A4LS 3U_Yd/C ШA]@U#j5 Ehg+A)Fw s۹AecϧRA$)ϐp ]ZŃ9g9Wf-U-c6VR75xRt!t\'yqDfl~bED8k!e/'MgA(pF1;>KD6NʷD;ۑc:zg,"4rЍ( .HC@ I?4f=PmYZOk-'I e Sf0űq܏l[~.tLw]M#|_/ Yi'q*oa˜dMNYhHW!r +({sge3ԣFFS*fd1η!i|mC$*Dl!&4DRbaӧ1-?J4v-3t%͡_p A`QЪ^g3~9Mi*_f֡Ppy*@bieTInNi]1 "ԡqm,=FD8ǒt@tZ^0iQ[sZ:\F: }+ṱ]k `xҸɸp Kչ0EuAf.2:.iX0Y*Ԙ tx/ջF$?X Ҹ-c}w~7V4oe^UvϾS,,P&>"[dƁ@!e[:J(|51 ,T ^.ڼo5F!|á4HƔE6#3Äٞv$ .뉡G9n_TvהIG>_ xWXQ]9Q'6] *3K 9#X  d4oH\G.590mgnN5}މDzGF`ByQ2f&-8'^ Hc]Ukط5l &MDQ rNƙ5ryUƙƫę]RrVXO?ת%,_j"Th1A kfk#)BW(/Smt&fKAd1 rhnz+#4Qި)d]V0u.ԏ߉9| Q@CaEN@i٠3kդs otx𸧱@FXermm(mp<[d W7l&*k8R35$r9e$\zau¥ %TV`$ I3hחZZVg/ *Swwg+SrUz,6Aa]:/EzV_ΠbLB؇Rot\߈A g4bfj[e=:2yy_;/fZRSժ3J3JvR[;<|'E HڹƗẖ%ե((خ$a}NTWtBRH'0p 怞l[2>uӰ@"5eJ a ӯ_[{{d%DgvYNN|3iewG:VhB|Ô^uGw(u%#)QvxZz[IavFyU[鞔(C _<#k| ׻>g ٺ8YM陸X|fN|U.8PN4Qh,o5-Ȥ'e6t<*c۴djV|%TtT*:N~hc p%Y? z ] ?o`9hw8j5?_ `Sn&s+ 7Qb<)+!j$='QTSJː}1/l !mCr~~ ƕ{g!3RqI6M6xFgnbgY4IJhZ 1iƒ҆s=CfpXbd\I^#A)9ͩtPWd$j+Ę(O71GS0tcy4.\8] VȔi1/_)|_98ݙp9Я2x%sGuYnXBfDdf%9}ZF\a[-%C)S [ԾF7%qs]?6 VE1@^=^τ+bccD$:;R wU;˛oc]+gUPjUE9jk`vuj&M4;uH%t_jΖpqg5ſ&lk*}*Inw ' P`{Lo6V#Y @R^y]e`,7fqN1;mA1U=E.4BEm%T ^*w^U-F tBzV&7}* F~KB:Bp:CuW( nNu[?#*|=t$0Air%䃚JmwfM}wKUYCsPQj}1%~U㾫B9P9 'P/J(8ayZl F!6ʣWׂUߝT} .Nć/+D#ھ4LJҏoF.`Y#Ck*;_yKՍ7ŝ Yfo-gd9cU?"ֹᲐԷFę*@/*oBKw@昵B^b.JXfAX{Pr(bXh.˳ c ۊu92*ajҦh>jm9ڢ(BF0R!;9bS?(jq)gwf78ƽښY> /ѱ}2Œ13ܘ;- c7﬛|= jr/Â)ӗg0KRA {CV4~ _T)9ltMdT$ۦ[qe"`1p2l[au q5 ' lm vQw,g^,ò&s곣v).9H.\i vEnZVLSm)B9$ZJfǟ0w= N9 F|2Zl}ƯiU'A#aXK\#_ћRb9tHhUikR0Rz×vM c}ҀOg[XiyM^c G13w4hNKh w@dp*OY5߆D‡19YӷOIacI\?d, ]w֨PO-z9Tr X  buwyc!nпIJ}Ecm[1 ǎj_ ?LAu끿zrfyHen$9M\`DLV]c*" ~ZG(/BDwz }YԎ:} Fߦ$WD)*Vnp,뭲 3M Nf.eڸԑ<R}/WbUsM'sV|젽mcl$1Djʹ`P1k#$u(`~87Q)b cz/aA1 R:V^Er,:&Eٗ[ 6c0#g`\5dPɡX_m TOPX&+Ui'*6NW&>XvzK/Z&3ts%|BZW $ʀb2K&?Ѐ#q}f>`,[]U?tsWީ7 2]sFFDk\_<(eOW;fJ5aeټI54IBhDk^Um1)TrL(|/fXp3e=ʶHD\o)8=P.aڽMRdrPK7/_ޢKꍎ2۟TJ5ePdww6ya"Uu /÷/$D<3h\b\dC^.ܒGơXcXN9wco8B?YaJ|[‽)wBM c9Nާ6wKBZ.xq,E[M1NZ71B—ICAPAL>䭮^O~g<6Ctҡ_w`).nxlA߰b?pBӾ% abgˆ% »2<3'qo),c2\tJ2*8KB-(Ӿy]ߎm,0aV}N&``L:h` Ua͢NF,2Qs9',$+?Zf_Ƥt!4p{_}o^MrQJ&[6RDMx®ӎPP5~D7f~mPAJȈ#eLC%ʪ[/a_fʑ-t2i%P(e{#zKDHyOO;qF~4.O BQ6ږTK#'-:ݲj_KSRR H/=FwCl( D:`oy!by&h;:"օ0:H oD)i4!OCwlv .> 3BH m̃'qXrŠ2(.dx[y0CifN0NOVynDi q% NRɏ獃=57b m+ ml݄ܺv`u2a$9”:U8![KxӰ+ b ж7J9,JhTW!#b3b$e_D7?4;'9EKaFAⳚ>*EܽFZ|l60eSJhRV 6$ur7h2mLF*M?URiYn0 62Erՠ[>1,E>1CZn.|ج* UO ۠|Qigk9 )?h! 74jyob}]uږ10L7}SIKd@g+a7aV@zz{ "/MρCn:!k7! i~#S5q?\Zhd򉙃x2)wGXe$:pymA" BdeZdi)&Nǔk$Wc¼ށ.L;s|MP  8.mY/BpN ȏ6ѲIF40I3a]3rǀ$Tu"/"f :{x>eH0aڷ׮ Bh`/ͲvWSJTt7/}JiG1{k*#FoKiy>AQ@=9{@KZ1% GY)C!q4Ov_̾oޚ$́\g\U a?C< 3]M=G[j\"3$1˕0+5' )cv-7CZrMYQ#I}b ](\W": $/+=ѹ(܏\<%^.T zح/FF:C=bCVI_lWwyOPM˼ŠQc D?5%4@+ y[CYzQ19d$Gh:0+*ș!b&сq61){gz9źm5AKr>7`ElꈸP!eDDn烜 w>7^TV|_'`YMbG|\9I e9hgkV $۟;^"Gh~w3򬰜*ԁe}|~Wh*(%l|X֎aЮ6q^Tr\6~1 |5&U(iUD_5ry ȼ.M%vO~j'ޤԧFCgꢘR jRi tHV2f oι|.{'s,q'ɘYsWg)Hq@:dKZynMϔK mnokhCZ4d~P5ĝ<N6T8=U]X?y* "3O㧤SU[8n`8?Kz"`@)S*yc_˙폛fhmD9bQ!^<?}JZNݞ/bot;ʹDl9[hS! ''EYDO>as1gUb1~$<]r98q?3xQ֟}G0dhE Y>׫|[5AcT(geXF񔩋ơPB= ΓZ^Zrˬ}:G3p>lkIN֩?1U?ddG=|)tH{A9e AQgBnW{}΂B1I%K?,<ďv: v#G $u/ 396 !ӜqFmѮ60jF_IE83߮1:&WnI}.p5~F#Ưp84``sYR:m[c"MQ ,ozMWMYLka/Ǭ{jSfy,k 1P):3M2\phk@Yssː3S*INa67¸~#QFIN#Y14)ބL 6~,7h:* ֿByS_iQNiQ:{fcj!u{M Rx> 8@O\8V_%g)cQՐ4 n⬤[պC_-$)4qp } NHPJ]ylڥ{W.,"P4Ľ?όWl J+s2e9Ɗ`!+ %y֩=8?)V;Pw[v녠C_n5Giq0WF'Am\\T4tvg[x ރ%")J I!oCB'/ FoX>9|t7;MzZ=1>dՙe<e-aBBsxn]pgrW5SuH~{Ջ|?o-H:>n:@Xl_rg%R?=0(NPNwq̡yǣgAM_4K9A읣.Ub? L8hH%ǨWlZyGxW3_.n|0m)~0NY(%d}C^{(xf{zo4B Rf#Q^V %8U7[&YJH¦=PD`TSaIzjQ Ҹ NJ@7#~a{I n\i. .)&_SmT(c}܃-Gr[nuN9֧6g^X8H !op4K:'X`P Dv!Xdޏ?bS.ddzt e߅;,|1-ΉapG2'C_qۢ\MΥOw{f!vf |d?cphMd5,)o9h6~,x6ʁ#H#nAup(Q n+/ @I=K6`aU,ct dG'dkb\~ѼtLg67 dmq*~ZS{gݟG"nm;LfLx`PF)3Ha5 :< "cXW&ڞT{0˕ LinVvuGaC>M7>Bzx%^HV^υ} O>7.VuqNJXvԽ9v i3RX_CI9(*K v6,qJn= M˥R2ExF>)4v7OVb2} ,iy6+ad|:񔶏؁1X H0Mʡt=P)?J#:cji4%5| 3;lpXdۃjM9 G}bǫko^~'I8=9(C m Ksy.c;quxx^hIMFE3\FY1W2;`u@eSn^!] bްw G鐊O,h64Qސ *\&PA Hj5>)-M6+&CVF w83 gWf{9B0c^O=9C4Zp>W> fh*27!.  O%Jc}SO;n  cuMbX WNq-?v:^!+,^yo|)72ŔYn|926߃]ZTCi.;(Իω׏s [>+L'MRWyAN51 "9ٲvڀ<v˧]B+XP1/BBvhS=X+K͠-${A@P·s pC^z=BymT/9I폜Z F \,6'm@TmG 7,HPr&Nx`h+l?w.F+uDbaHC=p8ؤԈGk .4W֘c‘MYewC+ E>|ʛ h<E=:fQ7iCi۪s:#N~H$ĺ-F^/b(l; 9P@ؑxF1j!19j $FRH=I?ERvR!mR{>tCZȥmop Jޅ0vϯ udA_kD4ɺlğ+Sk[ޟ 'q͙(tŤ8K33$]cE2r,%:Hé5򖝔 )e[%S oo) "և\O^ `rAƉh=  <!DkWW[ދd࣎HŁ< #CUб7XD3w-pMM!HRKf;*xӎMWݤaIMﶘhf=*PW;ua R+gmi8Ei:FT/JbDpFh\)51_ %Mmz3 m֗ĿT#|2;֤U5^ZOXmkǀfK?}};_:Hr&3gU[SkKZ`C0zQN@{:}T C캹e~W8 B-KO&6Tsk FfԆZ2L5O6 X[3\ ˻=h;Ǭ|?9%{q8iƘEVyһ[1gM^(Y%/S33:S rVĶ/Tt@1N1őBws>>NKQY{L]軥# \x申:Jig5%kt\ Zvg6\$wҧH_T4ahjw5O'1.튼/ӤohUbƧ<=T]6UךY+AN$; oJErRŴ\w##O9( wm#n-Fl )#;XAێ3.liGM|seVx+hw`0Fx)2 l+|>?۪b tK2UN)'Èk0le@ljbaۇp^wH^~[>|ʒ7 ^&;AaIk ^R\j¹,Q/ ` Nzo毾:I ,e,|*C.`GrMlT`s L FtQ_BOO '>`Aj,:P n#f)zΗ1s(lHEMl"h"MWb+<ӮIl~~HXrU7\GםZ(IXXɅU.yp " CBٔD/|rӬ['wbKz`)=Aoe0Fa HVIoP6Rv(-?Y7|^aBoY_KnQR1f`?u;Rx [lebczy x$L' &/oo!&?.(.qFTJ,e *ZI1]W$V<0HL?.:.󞹖ifVwwۥ8.i/3A@iG>] $Dݧ豮QqKrNǐ~>*>iu+RȜCUF`$eg N&jC]Oy'Śg^YoBt3⽳z]ӯEct;|E A >_I@Qu*' !8)X /a1Ԫ~"RR|-4a>:g'7;=rhF:7NjӯA) h)"v(hЍԕ Pȟx~޼]60PVN1as D^O6K@F1^tdO@@pWKiI:5&eʓM<YvϏQvbc`͔PK˧Ї*g{.\1ǰ$6u~Bup#&GF)"15o 6NIGTy "+B[Ay 54@骔8Cќ5XԐ~(AYAT 2ug1cOvτ ҩYf~>?R t(! +%ҳȠ邿$__ޱda+uxu?=Z/HSԷn:Xԡp˥bWh;hD_3IY9[g,V|V >vBqعmKobZ2}Ϳx/^n&G;?O\}>W!:C՞)fZ[i #5;M2fb]y"h׵0 ]Mu|߲Ÿ)~-Y2G|yqtcj߻U{ 9Lh ;HaC!͎MsO'v_؅28:m]69h!6Y"-'X1]b?5maˍRlɺvrR8 b瞻:Q@'NJ~AzkB `rv"TR5QK+fEޙkHU9r·5 H V$O -/$DJУ7ݍo'g12LۯU3Rc((  UĚ"0 PUAIL<$63nO}vW;_0gdu>u A\4ZYQd1xlyM^(;}dKq 9tU.; vUcstwFI Qhb0Gg/JՀyE?-]Y% 5^6z0Y:"hTG3|14R>c{*d ? q2~r㝛vtG삦93T+6S5:֯)uBfWXKDHv`ߺ5#| wOnhwlMW,rm)̼#AaxG lPS)V]-Uÿ h&np؝2jKć~$$,?,Ox (=f- ]^8q}t|#s lm{փGj ңW̆ i*sɚ gOZz7(#HXGCˏ/RFV@$XgO.q̌~fp<&:k"A|%B?^S22vM=o-B+ *G&k 7=`ՄϐRp H,1:{~)Ur|8]N79[MOc}xEjrTOfoH+56: Ӹ/sߪJy*ºBY^Dv?SdAVAty{;5_ޮF7Je+B= Qad4/Ww@KpGCF $ +`3\SNV~p$~mh7WouO{m+g`i ~e"cN+44%D1K:6LsēɻFɕ.9qCDuGCj|/PDB#ŒmBG*d:b&3 BjA܇䯮Wð̀I ]lqg!Af,8].|USp"ŵ7~|&g$>n!KKͩ_\ L8Svթf÷{w8$8#c}O8 8!][A$8 Wn q 칮W9v<,u" {b^`73_Œ#!HtTE9z{,Tc)ع9 (C!B7'W V-vH/6`=%C9t$VUATLa5{{ܕii=|{?7#}f ɮy<߼lI w׿"vօ\01/0 OLmPS˲`9nͭ$?nT\Sł8jq]gFS漯 Z+w_rs a`]RzN)2k=3{gÌ& x>aDă(aв7 $~I <+Oޡվ{HMp<i |r̔}\i!_*. B57;WJqGwֹdf j.aXFL|1jhB[X\RahRJ }kkdHq,o~g-=UgSRc([>;tbw dQIZ,8w30ic4#i< MգL~mX,jW_{T$*Bty#'p^`fTe4Uj(7nsȣ$(^% !gzM>fC0=J``iw!Xv$lX'[~ $LSd0E"qým A Y)4xKa,Seݛʮ@ҦEI)a:ukW:&מ =%yu?)R v_*5Ūi)f([d+Z2j-?\buu?̙g&w)BH :kߢ5m@0ˏDeFa@'^^)h7:CSqGKǞg$*Ms1Y|$5rWWRiI?t NNCB4r.1_#:ƑוEO;;d!BC -ðU(>r"o=*xd ~qm .BTN}0 kdY(<2ݎ̰oFqq<,tt2~"(d]hq#GˈmW2U7{hft,6Q~-({j6.uEcb1 >qT`~ (@hEh-)ʤ6LEdP_H'=O j8G/g7i|l07vq &hu&47y"^i_vG~/-ݒJ7h]5B]3,*>6\32 ?6P[ %#GI9*ĉ(^c/RaKֿ-w3*ܿ+L|~|]!-fKy Ygl*I DK<:Dr"!MTb3qJ ]K &47A4L d9dsLV39JP%meMet<*WU:R{h~W>x<JrW{;Iԙ31űPF> f8ɌY0tnPQ.بP*VWVDk+ 8Ȃ4_]D;*'pA8s3rJ$1th{ B [Jƃ7U[/&vW÷}W9Q Zy[y֧!Q_|L .!RRնCΨ'[N1S](3r#\afZhuGB,w侳ท•s5irFkLG8(~]z`B3SZKԌe#<vj!jDkf?d4q!>2J=@ g";y&հUT=:_Fh=I3iz,m~Lmn=ˡqpvuCM&v^ k=W{bQRz4v(EB6Q˜ާKheH׊)6oE!,0b% X? ߍ/QLrjd2Ha| d85%Gw!e*%zM-Qj3PUf0{Wze+[Lk$X 5@`{.vGΦ`i҉ͰGFߘoi&K hIysV+<6]Г':^3{A g܇JF4 S7nMQwfz_U}rrJ9YmJiF[[tlIf&wߥ"ڱ25߸RIК."j)Z #{@NAE~@īpz)%6gЄ]oU nm<W%h 5 җ zZRWCT<ʎ7Y qZgJxȕ݌2ֻb!ӘE߶'-vxr(gɎr\g%\ŻS: V }giqs&ai>!h"k]> X*إrݺIm,Rw+ŚOH y"O &ީ:a{'w<ю.Z˪/k#t1n^'@Hμ*q0drEڒ lWSvN$Yfhig*!=2'"GT\ ;)p꯾y㟹CFl|/ \Ŕ8]7Aq[>-X`tq;,*VRe<qi J+yLK!Tј0CZ>$KŮc8E Ghxkc뻶h5%կNl|F%'A̖U;lAdE @}_˖߻fXemȑ.S1'@1fn?J ͛AMlT%:7]V4gZ.W *ey ["f#3D8I2IaMсXhm o7]dd44Da\iipLO6?;XibDL*ia7ψ<<(ꞇS9!M4ͥk5Cp7߫N$M3.~/O`;= C{CoGaFWyҰXeIɥ_ywzv*%^b?K ]wNp%^Yftt0}G3%RKz!G;c9 Ǣىeo t1lo?8#~ + #ch,ڋd7rǫ+בkqljDJ#ɛ OJ&yF_:xtZ{Ӯ6I9[:[DŽ*ZيqjB}&:ioUD.Ael{Pۋ$ΐݣ`^m+^jAe˾boM m⍪ 1yzVW7WM&t,^|WwzT;`F K+4 Pmođs09?-Rtމz@yptrC6Cu<(װq'c= ~z+$ڟMrZk2csT7s@hRٮ~nDTD+E(?!?ԊYV؎56^eJd \?-u[7s_XW}Wo:$Ɩ-N>5J.a{OL{'}r*.{`/2<ê5xt<`We63ZJ?P ;jJsyWƨ3ZO Qj814{8[X fZiGʥm.Mrn\f-U*L1R{jD{&h dqDtpܤnE'rwOe4 'yhhajy zj}g4b;T"%^\{Üw7J~얎r]V jI2,FQbʀ!-Ef0NOǮ A1e7|[lP|^t;PǠY5v(G+=\ń#rLX|0@a a9wt/:#?yŴR11t~rC@~l. dѠP)n}?_o3uvգ9Dvxq,FxY iw(VU %ҘOhPk?1Ψ}QavDM \Qmb?kuMGalICK*E4h2q8x#b 1ZA@uuߵ~nf>CKEˍ,R kQўcjq[oM(7Dka6yKēFBG>mJWzb3-Xk"e@8 pf\g{c.Sgu\ ` |!-r{X}q? E ǸXqXXIbVcQ^MȖr=| ."`חfqֵwcy3) J\!Jnb' 9Q;Ep+9RVzk8'STPvv#֋r,?Η8h/r'o}ɄbgPƁ@Lm> %5fe4(:w9DlIIcUˬ#2gS.mM&SKB7^*gICc4\-Za- ¦PjZ@kq @us1uP7HЇӗ$G2r#@O[ R} ͋wq>:םjΕ]/fs> "!"{Q`Al;g Sn% \4_|pIZ$Y7cQV1G_Y*!+֓LSZv ?ipNͰ:ºqKPT=? sbWCuذ k447 $<;P#N8JD"xݿ~Ny\_NM e'<|i?%T64w[ oo #\k[/nbxJ$z;^Uo)s,MOisƁ:zT"!d0dqFX뛭4-"|J̃L'˺ B]ҭZ8]b݇u Yܸ1؈)1;Q'8vW2+X*^*= kf:~̓(׷NZeTs8E6yZ6dDM_xOWr쁲Vm)]iSʯtGd. MZdM TL>ms3kHr*ޥ'e}9(kjp*-3S{zx R<^h< fC{rQZkiC J~`-# MGô" .0X=VEܬ6i` PRͥ3dyV5)vcDEkҌFl7x[/:kdgUf&ݨ1d}uF6"<"a2&I5FͲV"NX݀ K_$]և0|;_'_\:3m1W@G{>HMOClvЪ/ ^E~?hvz&^ 9(K6ۜvP%!Sψϝ1S4(}dw_t{9$C o:8a@|d 2X2ݨ\TQF6( ro:ʰH*iar5}Iعtx"vAƎ 60~p9v?h/ Y&es6 fWA o;GzM>f| _pÈ\K(RwVtዀUi)D)S,jղhD1v16v8ϯbh QlRK=ґVT;\=2 %Z%葕jҗ'&tD !Cyyx,eb)<ʌZÇt0PyQU!bk쬤T\MrGvb<U^[bQzmM8tG| G䉆-A0buC1<8}L]ɞ"j}guul_9IT*hRzߐ԰x<9*b\fq d6Y0u/سCRCp߶VR"A#5X,zGI$myuw ,a]kc؍zv/`G$\k,_j{ZySŀU"6PDiSƤEx B[!|\l[!r,nc,=ؕ:T(3 tuJm`šCXG:^@/8m 9YZq3>P }RdvrwA~O^#tqL2t]RLG{:Ic`d$ك[O1iD6<~ yzͻJcR{ʧ8>wx7fa3 Ϸ#@ lk}5t:nMD< -8ԍɫ ¨ubɪͨ8;Wzwڈhc$?'ERJ<{GC4Ō/ Y\ vXڭnʬ^ E}$)&i#3ȉ ySD/lKٲs=xKxoQ-~cbOr }ޒ*.; |n +S/Sx h&.!ϟ/(ܓ9Jւazmܒǻ1wLwTIXAICco .Ʈ% {cgRhTs<ۑ6@-ƍ'B& Mas4gabq3xgBc2qcL5拁ʦ9]$MuF*ȳA?< .v⊞1v|ڒ Ϛ]\gƉiXc@0)z:ƱE,wA.'8 w6أx˷JAw= ݻhrf Ġz/JdicЮ^~>++h uA ')-BB~o(Wckc:\0R$?} BqJ Z|d<QHY; TM̩1b^Gt?+",u֓ .jcmB][\ $ NO 2#H1ɇ<[3 O'8ά;n|_ 0Ü\h/~J.P*e`-׆`^d$8M?0jO3u_v<=U3,¸=+i?Kި29dKS8 (+t>} 'Z~k*L)zWǂ3) ~Msm<]ۂ/.1d/yA秦 -\8bhT5G"N0]Q= 藞kO +vJս1uf1LL@0Y6>b_]# ǟ r"3JEgZ˻QL3@Eg;t IXsunRj N7 =.X6hOY1D>'d:oaR7V,ލq^U ?b-Jr.hRPvdI6'$iF-Phpmr}}?LpQZAOV$f.Q `M\shn5ϋ߼ko^r; iEݔ ʗ)"2Fkm'qv%lд,h L$k7wUx[* +84uѲ(b%{τ"k\VtΧf K0cӳ1bU#YDx4UczI)HV~lHس Xvav#鄴E 59&7u]VjY`%@&݋Xan;גpdJ -?}=ƍ5./|AUŠ n5E;"J.s/oAwctyu jT3X=_7/C)q*(0ݑKjEmeCvo'LJjS}&1\}NeA 7g.T]˯U]DBuevf"`'մep,8 뼌VL[c6zKp@j,:=٠;]Y9ȯԸ l2EpE4ZGP?T%e''daOd莫{Y¹J6LPP nqMA!_NInNʑN֒a3A{~((3^VMkR¼nhVWl3=) ,ΠLo焕v'ڧ/n̩<tpѬ)}C:p'D*vOg4nMD)]Jr]9㑄m⹕}匹m7ڬpdouGH a5zJaA 4 L%uwv:. my"&e: t|Fzih:!pCRwuMn7<㝕LΟ45,>8 sN:hMOD 1{ xlha)!@g;#o[J8At>b O7x*O+Z+J㊨ЕTPDݧE$'Ұ^FY@Քiext(yq;ێ,B;G L)tы1x$p*iK|ň'͟ 9$Gar/1O> Pf3,xLU>_)O6D`ùdvO;Q(䣞 xQ؜(XSpE|G{x;Y 1ҽ -;K'3/MKLnŊq:cD:LѪ ()޳sPVix;mˍq6I&>6~N3WFFPn1\cb_ț!_s-Z{ {cK_O;eEIqR-f^81u*b2K*`~EZ4m;r}SY1LQ&2ˮfozp7 =-B3CY=u>OM`H=)<kjP> Z,%\ҸTSC[fL!`0p`IE9KN{,͋+@UCwOvDg#©$XwH\ ݊#{-95%1(5B ,d Cu+S;&/̽?{#57g7q >EX&EЉ ؚ!Qj(&1H-.zXg˜6moK}8i0\L.>N#}d_Q_V%E {)ŵp@ZffmEv 0e~|r6Ti8,C{4{U}$02kiaB쪣ZęʹZvqhǧ/yDNFڊ+9O$ȴAd܆ò>HeBM!~S/ФLG{k,t  *=1aKR&4] /̭mT´z CTѢLCŶ</F]͗(e(%Y.r^b]D&[Gjۏ63@E97P5wwܯ3) 23rW }版J$FkQWW9ѝ_H.UN\ivsSiGZi6" .nl4&˨'i@a-YUXfV9 Oe*CZT)Ȝ{LOkvrrǧ*^A{A*XNJnLH}Yf mY)ZDe~ ty:\4y)* {:|/4KU>e1ؙ:F]REl덡D=9 i.Z˓L+FUEpKGw{ ʭ $ǥ\j ~O_&=&>bJ)f(X4Uu7Hָ $q(jMB{[E,\m+,5^ɞzl[Ȩ2=렌 ~0s/X^זAӀ(n9@o ;tVs ،ZZ& Mg3eaڧ{n|Zb {=d<;E#լ|+ULf&1RB)A-C)߲11EE`cQ⮷^ GvVamq318>lg2n s,jC(f,1MD+SER;N_z{)&# I8_ [nr?{hKnܠ@aN2(Bh" # p͒Yo#Jt647x) gr 0/w1ژS=@j6#0f^Xb 2D zLV3L,lrr8^oX&FMY[@ ƴ09O:)#S8GQKbTn2-9,` 5-0VB%e &:imے7Hķ5#K"$ ,yQM:ʐn uO!dMyRJ&k/08s)3(6f֙}@==C!xni q\ :?XxA+9ȎYQo;c!:p8wko叜- t=qĿȽˀo5[#hvD$}W8X%%>oxvyK{P}jr۞''t|oHDyoWwVXu,'@IEI{tb. h Ц}sYV@sP?x\7V3}zC33wO<ç[4D+(`Hqa>Sk _n2Jm9wMQmEzqL P{KFjXȘg< M}*)&*xPzȊ9Vy,WRS'3pw Ewx:_i}a}ebPy{=槐g D]戝 ipď/nK Bq=K1TR\wWXw.Q$71EBBiL'oZ]d/VrOR!*aAv ؘ5&c|ZN4'%g +OC>Nx!xb/մ㗺T \=BKOĊM3G!{}4,1s_R~z`F>"/xw=HKi77rӵ}F ]seJ@qw+ A eHK6 ׀m'!*NG:˼Ch,2yq0GSB^D0Z^Qۜ?h]eh9i'5m嘔wo߯GcZ{WCvHn=9Ԓ߈|IJ:^cNBua@,_$էslg,9K\:O8 H!q=T=Zw|CO;伪c̻>*?*ajv ݒm;_5%HOkdm!!t 6 [Ѫ9Ŭzuo7(/OxPg^0qHؿ6KyiM)cp}^L#,2XbqXm[1U!(*h!?oeȆ=O]jam[x}X ET$}_K,}qo[)?m\#RwZ!$[[`eL%˻/$U*c-.qi2l}R`z1/F8(wW:WwW8cxP [ ~x_1%Ѱrp)'X?,hcw/)?JQ byt}xɓh(]Vx/x8o~$* 7r1npF$MKu:9+n_)M߸Xv2}J.//\ݪ|ʅt]k"(<(Z1.Țی^c7ښO$-Y"DXvWὉ`p8哢3}X0ݑ1L7#yH7L~Pd WC~DC NGg^ /"eF*Pc9 M6 :4xTTzHU'\)T$LWzCO)B0>ϲz Be£PS(~3Ⱃe{m~ t%À#X]xX<7j;T$-- 1FP_58;Zۧ{_Q&gv U[YuxTη;(GPQ5wpgXD.2' hvÌQn 8R~KcbRZ$E Y,:\q\sj_ţi?2IC%jq') 5xiEcL4reUA4Yȟ_ʉqs5yKioPtz'iLFfgUMdF߹Z1x͗tx;&X?> εlZ*/54H7?5"Jx$B Ĉf+Va=yd챔BRndW^UJ6/7ń?uwEqUW#Nq1CpMս6{F_jf 0ƫ},B0p.o!X7W;( ݖdiqo 0I 癨/A"ݬUDI΢(31K9:;h''|n@}tyU.!W0 &&~6ڒFK!2g4.{S,'$^.[xSҭ-=@-yYc8,\3S,\-۳PJ7ɣ1hN{mo$pDt45F`gk֧.m(u{AdmuUΫH||1f^c`sYo)-EA!f(;=Y lz{ydpoG=""qܐ7YI [C(gZNEJ9kh&S]Z:xhK`KA;57uCﲨEZFp>kIJEvD:ւʵ̦Ie;PY^֍HepD4}U3\XZ˪v_?}JXر1%vzmn#- =SwAsYh?F)I+H4\g \$ sh6jQ ߡ^MD(y8EOvnz/ 0$t6dR>D!&ʰrGD2P鰩cXz=: NC2SQrK {'<=ܲNwl MvfUr]!1VYHHfCϠN`¦#ʪI&쯀Aia 7,υò Y$sCHȑ-8>zJpdu#KSLVh0̖@|RKȗH Vv '⧟T#Yhi> 6M9<.n`I4BZ29&.:+ٚ犘K`d ,@loߟ_|Ѳ#;hGAjkw[rEFcd7C ~Q^q# e1H͹l{x.:! %hi7s^2 "Ꮊ}KsJ Ax[H>O sEb$C(dIR~ _+}=Y)`QyB/R bYj@?8l,^մmGW/Ӎ1=Gu͸QecV"|ti!>5_àk}ݨ4JDFW(9/dsY˩%=+l*s3sr=+r\f|ReU&0 }T?4/ŸC&$i8ȽztrSܘO&=zsUhwӍ(Laԇ78ss -$ `t/zn:Vy$Uքqf,S:kImgjhOK}c "HUz“V35k:]m1 Kh\5M <-by3d 6vNG7XҊ pE(!OF`MNV ҼxCq0׷x j=@_yF/"O,%;3%& ^'Adǡ E-Ok('Ɖc:H Gke~MD $-sR1ElyM q!m5`OOOηb9L󓪣J>sU")a}r2]/DABKxW'1bu=X|{"+ 8){6WkhWNQ}WZ!DsSn<bL?oȽN FX=lڗH;pC~{Q=+5~pi,":VMp*+Vk'f"}R~َp9`e p:ULD~iDN |$?qATB0x1L3XʈŬ<,rUl{-٠& ]./O#f0V&5v=NCض!rhn/>xC@a"y+Wm JXu ׸bG]*gbЂ)hϠ!%X̻Jˋ2;4ުl`M:w}]&>* `^C ޘk'8?H@f߅^P"r w߅khT@6BC # 'vJ#.3DK+F3<5Y~ӰSefYJ:'`b3R;'hǂNQ)gvv2*1ƥa*PrX" Kߎ:c#~_e))NedRYzN,vb֤(n_L$z$x$N{Bn7WRF06~_?@J!x|{ra﫨QK 󡨑lJC,&QABDPe m,RL :E6b:MaUȸk~eIOm9UwH9Ƽ`W ?B.b"B|d$,#-f@q*/` fԯPqsQ _l7PQGr&"Êax̬F\@/ ʅ4VH'[ r3zOa*F}5y9Ŏt&/Zxy?KW~0kt{c {6Ӌ tZ8/^Z!zA)ry Pp~ ;W-T~reKCwəXQX&F٬s- Q&F؈ w>Igf}k `")k{$5"(Xl 4fp[ d%~d:%?#"uD/59 2p"wK2(jmuVL[kx':tW~IHT Y35'N;ƶM}$+B:ZfK3e6x3[lMe~L|?Ρ VZ?/V;XUfs6PZfm1i:Ez'5v9U~C.gc3<2|ͬo"TB FvA6bV"<&]Piv^`$S#QrxR __/Wa1[7Xp/eb_ry<gcf /Xof?}< Yw/%#4<,6{ZYJCG{ml;Yvlt6u 5$YX*c9̯DOjϩ;TͷjU G̀)Ι,n%[vv$!6aO>}J(7 TvEct8}U ;<h$P)|e"(Sf>Pioai`{q̥Ac%Ҭ,dr'!qw_{μ1.F ]Ye+L=Ja2C $c9O9m>tFECQⓡKJ9I42_Z85(tPyc#5o+?.VW 5 iy\Z"ёue^O؃;A]e*%z 0@Crzvڶֻ~cбjDoEȓgo'i~RhlH,3(Qڂ]r齴Ϥc,elNPn!8Q9AVM8mAzft OSf S6z%X{sV#j6=?(?1Dg=R` $cO~[?Q35԰XlvQ~Ȁ/7Y4u!z^xPڇjN߄|sǰK5{/-\v ˬ6 eyS`U IE6űX씭+qt:#,0"+>jp][ Svf/>¤ʇU3'S*3+ XD vG𥠺bO,8zaiYu09!JX8Q%6K<.ք,0֮| B C?))'xќ^dUr0o8:;Yk=-2h\o/O\m&뵗c0&gc5}.lN{,sD1˫w2*{)AxoEV@>IVZ" ,JB+ xfwՋߵGU=K::pAыA>no^Uk9UEAIG-`ZYE:\֖$^ rGB3 OBeKVPwtws)O'c[3XlO&)09һ Ĺ9m|i rzZ;okCO/4yt>K&Q|m˨yT!E\&*,sf93߽ uǧ 2 -0qB/ЗrO,)k~rWy~b8BE8Mpɕ?E=!$] f5?I(j]{h ȟoðl԰&$shC۝`6wqEPv LK+W(~1r9}2_PTKS ۺR1 ^L$q# lnk]*y->IW8aI%1JN*T5#&'Q  F|1gOY݈ͯ İ{Ox&RJ'c?RYzo*E+J'.6+Rr35χ/{MK[I9'uim: uH^VOv4H '&lTv bE0"aڳ*CSY+V\wޤGB?q:Vy^3UbRbh-Vĉu .*oN&âƻ1~B;OEl;u NgsVkȘyA6V"7GU8RY{> N>2.E  8B=g&YPSZ5E?Qx;MQ:qdY,J\#&CCqdTa:; NJ}=|Ez|p- 3W:ʍ%q$ͳCwI.N$jC̛w%˄L=T[-p8<<LWk!&^fg['QA-j8.d0p H@\56k]@}}Y$,> # `j=΁5xHOl 81yӍS> +R: E'Vdk` ~?$#ܾH\w7),I9DVUU,iA o$kвЉn-뇗sY׆C3-+iIyG6 A-ُג{c@7 S^wL.B@ԋk8\>h&-e~a9vfXL ?ҁEH.N筚;fǂZtu"3Ώ.BNMjBUںݩ xno{,m"5Kwq1%U35ŵ/ JX^9cUqaf=seށSOјuE# CHbd !@p+N1#M DٌWZq^${eny6뽟OZ')F-.1KG>@v td\ſk!O3팕%I }/褥F559jRn.Jm61&1$M+)Ǫ~6GU 65(b7qduǓl 1A˥&7$s)0Ru ,tZMJ9:<6o(P43P+3]5UU&o%+i/"D서v6c9/cK*fVޞubѼm(on%}LFD{2xC)OOԔ7"2Za[;.(hhh> ;{J_kP; ZI3pvLT>܊N}R*o [ZTe  eDJ|: C#RR$DեTbv9x&.+HQn1Y\V6̊GEI<`W*3  :i5GPO٧7Ѹ@62ؼE>;,*ĀwMM!3e͸"]'KFR֜թ&R> M#?N#kYxzqic2/J& [ VJV{ܦ%` S'oCN Cg'KSI͗$ erXU@5+Y"(; 1XkquB!R?Bp e[̜OG"xp 0lEQ@Cp B!`.g^0q;6_hQeC(QUiïWyG[sѡ-&XB&+Ls2dMPşEQP\Dtc }_yyWBK33d]ЗfJYIF[`y>bew!ҡ9:Y lcyttзXQPTŴ~H՝Z2+ +MpMuQV/;23]w 0.(?:?,IH\cW mapWܕ$ƌ^!*/jJA⭄p5-H<g4O!t~/:9N sqCh'8ىg?/Hc2ь6FOL#ň 2=1.K:2%P Ain!2~&0 G_} Dg{X*}\= h 5KhB8O) ꛳wxa19%TZVRVqցٹcv7^k}ةs];1]4?T}W<;: ּ{0u]~X O#J^g9O^z6iX>""./=`ka-̘>@M86xњG;O%IZ)hn~^-`ѳ.lp6[F]@Հ> i̸r ^͍6\!3J{Vg(T]7$aXaOKKfބTv͘p! k49wWi9幄\s)sX`ӻ['~9Hx/'`"0b6b!֮zq*0( },$DáErʈ~wosSڤ9a +S<W`ߥO9~Uj6;]fQ>~͢I= I9Ӻ18DenÀ"Um,>UD؍k{LKkk~xM]1#|禅`9z`v#6d; WB?"unߢ&b(fT!: W?)lx-{D#qd"]?kZVG"1ZH!/& Oc+SGCLw*s/)7 ni_LNB8LJD`RFFsL08HS"^aH>ߡ:i|1LFk#'D#(hRwܫH7v:m ?Yy'B,|55]-e;\TT-nc=.BU8AC\jͦLp&":r .ֽVԜv΁~…͍9+ c=:jHm Iβ`],5/!0{9{N Lo-yw$EvgQɉa5W]m0 TvXZgOSl> lÕz>m"j˝ UK8-`) X'r' 6OǜC\w+/Lgf;U`NOPwKyv[aٰp|5mPnd)EniS@ IzWz`5QiTsц̘prx[WGu&.jw?z-j08;-mB'UҶTbpf02n`_Q,^ `6d/f9:\4 5 ѦBÆ=Ȭh]$rBg1odϦM.ImІGxDF5 hJ`4A!:,)!;L(' li]LgW?"j_OňlIJAɛduôaF 8;-t0hkc=L ʍ;b,0}ہާh 0#r.XOՃz~ft܏O@ȹ{&Ʋ1waߕDU 6'$ Pa0IK2&o2xsc'(R㚠 ̎4<x}݉QڞKVPx ²R_{C CGG ۼ'nboqG s?XxD&@+G)RV@b@Ég^G1tA? %Ջ*O$"E FvZĖ<;Dp)cB,Içs=:ԟ^Z랾>_cyOeł#ܴ<^(X :Fn.VFM{D6IGpPp lQG!vgf$UMVc%M)qRuRX¤]m`ɰt܍ۂl,qr:0Z Q "shI4&:=| zơ" qH0F䟖ƭ6ȨnUؓ+ϜOxB豃Tf@;&sHa#8*)=*Y +D,XsNc,.v~ׇ {Hh QL@-Sb M6v̴ u}RW8m1&|4N|6:xs:lnRm'՘/֛ΔzK=O&0Ū6Y}R@ID*u=I9;fYPCc:3|.HCwzf6Y:A i~GeEM-gݾO[8`bE;>l/?sUM,KlGr .#0zvZD[G 6N+5A|iTܶZrei潂̖ء^^I;ӹ ?ڢŁ$~fCg4۫ z H'ϳJFCTc10)M_fpQZ@3 a܆n@v h/ĘʍMLr-|OTx|F20倈$~7z- IF,Rt4sW᫧m47ŧt ip+,Ơx¨ f^HRwF: {#&t(g;ÛQ.wx\5(f9X_XayJ(S"񺘎;cSyBblJy~u*nn: 3dbXДtQC'jF01xV @Bᤆ/+%o!dӌcCOzn 8fP/ԏU:N)gflnL[S^ =wfzB15`-F-h2Sǵd7v0Mm:OĈXP$':j1>w13_ g [{ۢLM:\c1;*(cGL.̪^t:$^N[3%Ńĭl xQ`v%Od!."d)YfȎ.5>mD২|be7娮"LT k@@*A@NO9k)84^T!$_ wWLF!ͫ{wCٻ]':>\}y (oX~:u? "*5{zJwIٵ-rPp%@^qƮͯ˞NTD=T,X Oz 1r$gdane38ƙJs1m=GJ?o Hrٌ\W bMtn^| 4WGkşd}~ͤGBDl\]45x](9Z}'̌>cVHY`dblY"=k]7κĞ`v I֟1w`֞Xz=h3+b,QjŐ!:(EžFuUٝ Rs]٨Oﲟsff6f3ՑvIPX8n>Nsjr/k-Ey !rAϜᐘ<>f 剣x{{ԟ#{/sX"3E]1p1jƖeY3XG!Hȣg2;=PYHŰ Q? V&R}z'̺&JM☈ddj}Tlʳ7w~ۺämz9DlYjC!\d_7Pdk X*s\.n.Euo{f'!̛x@:#;xuE/>&;t-+0 C60@Ja\,Oճ xi{a~zVvS `zGCD#H8kG5N?[Z ׺/̶(EwWW2 M#h9ף2{ůjgSi+wUo9v5^KGAA,B0!\> 6%`?.qe$Th7Rb oٯAZgZ ϖ$rFҔ?8ލ STGh bDWK"WMfK _aI8qo)CkNn(QA@s`匍iͭ[r؂Ơ|^iT\E >ӗ*jFpXS{#Cb1dq#\mHCE Ϋz$m(򡾜;2s8'ـg\YfU6hΏ` %} ZVߦ9Bboo.DAͽ8dg[Ki8P"O!*-w,$7\A``{]K?_ ^'<mk.P܈/0XֈKwjYgr koz$NlH0r֝͘ZRыQb9*s $!%^g?r9Iޚ#(a&`)E ޅ'!".3W(fMS[N +=*ž́v/KϻJH4i#2yM H$lpyvo [WE0h7Fg-rNUd[Gc»1hxnam)@1U&ǦYRp-D)/*pPCW_61n/-<ׁZ:b扟ۆ"\wW <F#88', ~,'+s# {<-)[,Kψ, t$1>szFr;rZ o: T~j!Ø`?OM?ӷ(GM#5՚ m" 2Ӑ!m'j_3v&2hp9Q#і'e_LW@ W(3((v} hz3ՇKk&D]D9ҪXz#SE4xGPM_l* מ0VV8LdX~FQYVA$Xk]?\^sqGz_m@r:*Ô4AS"?'8EEڌB>J5NN% p7 Xk_jR-b4_B`QlUɰqao |@)5n?MFy K@9t ToRx^:z-P1ƾ&] &H?Zx#%>C^"$U⮴^?:R< @ Y78CXXC~YO- PmR)!}ow9m ]K$a}NjdWi緬&KJ 5":62KCrEdaJQTNs'$yR ?$;lD)b8 B Qa.̤Ir=%8 2U =RX+դv6r9  LDPY+ulغTqEҙ"[ظS>;rDKf/.l|YYU!;y9ΨQ4'Eڹy{jGj9m*P\>juo= M-؇O~UUoM"_}fRu2̯Iy!+,Cz/ɼ%EwNmmpTGӃ€ КlLN4*ed?kW!p >!(n-pa$h .p+[rsY7HYN?:r(k5㡵KF+hyԷ/-+7}B3lG䞵7@Z)smEo>^nJU @gnPFI@i%wd礼(BӘk4EZ|`>I\?K_VEH_Ki>.7+yuknnazqr )})ȵpRwiࢴ-;'v˵h*g ϥ&EmlY6GȰ#ǃl2p/ Am>:ޯA VkPE6@9$mt" :+Nt ;+ac`8y;׆;`.?DZzO7w)/^ԜZ;T@ōT*MD=?;!{6Toy-CQpH9d/Y=Mh4O81 $h1de.UcN%&ƥ/j[q`u@8 D ,8ۅ=֊-UG b>CV9`UdK\18?xԚYsMg#HvBt@Γ;C쐛ElzPi_̽`<#3G@z&Laxذɚ>A'PR9:[=bj; ݲ%v24Tz:o1!oG@~SQu,GR7y2ݧ3ITLԊ#Fs]~Gꁮly} 6[?r?ia#ˑ aQ[hVBf d@2V˟\t9~/188CR5N7sE*ÜOJAbFi :i ߂IVSq0z2YVZFb5 O_= xF"{TS˫*^S[8Y18Z>C:0 %Zz-NDZǦbr(E%:g*:XWNV%(75ȳ5W9(8&92%O?wb|U{Y*:Rr)/]P"i0`n HEݫh-[3bȆzoռA\0tbZR kJ}<9 Hp*$}*zvϨcs :֌hNE'Geߦ AVu$@U 0dY\?Gؙ)7b Xp Ʉp"QQ!_ äy.З U܎Vz :wa(N+v (X`sIV+h&fHװ tѿT]z$ernEU<!Esb^B>Jy E!KG!7W0[Kv HūG. [ml"ufnUZ}@7Cv ,C\yO60ܾ@pK`!cϤ0{*Κ=Z0;]tUsvd`i~d%SiWp *qnRiᾱ/OwBs|u:[ ~o=3gfa1ؼ޵^K1ccҩ>p-۱։2Z`;l/ q Qȁbi!P(qN4p7.3`4|)"Sȃt22b/ZIFSuj]8a:eSpB.lNdA"c_1p[=UӤIT\.ڈJ%xL]N7H:촊`yWq\?4F6S i fQr%@ox,^keϋEQ7hS'E\bv|h x U9A37^;'GoTʋ"N "$=wXmJj|-LS2w&Vx:ɜccA\Q_e}223$$;P'{?/XR*XX 9uyyo6:h?B5QYNtzlG_Գv/J_r孷w2ګ@ üV*s+޽>?ޒ6 #D1HRq L -i6 vWԗ/QG2.Fj <ऄs{֭6E@${qvWX{{4P}cCK_ĐUł[^K `5KU%_sQu^ ϡ<ml(ט63$>E[ݾ$3:wl*MĒx! DY,Fy.2/oGQs^L458u}0Zdn a[rN&%UoKw\=`!L[k!JѤ̵Qdn^`TMlfࠑCJ/96HWHju&U)6KoI,透ݤ} ]MeVĢnN1mIZXD=gկksPx~ˤF_>j;JݶUnbg "`tuAtl5wx^nL;',+H|mȠ[:ND 4z%6\O93/ ^[x+3m c":oK,laLyCl=) _aç2g[吮tåf3PYC6 l>rmucCҵ/\Ȫ=.&.HLؑqBEwT5$w| 쭸8Yy<2Uq7NcK ci}5/JkT, {; E:1X 3?Uqvc\@29fNj;quU@[^c4i \GP@2:QM^vb;b뒆Kói k8vǦ]t~p݀}# Dč$O\yҠeO_v_Ad1*v}3OdSOw3ܟ;->q]ٞRԏF.J`]M,P|HWn{p7i 8<6/C1(y~>)gljJ&̅m~<Cp,Gyhɏp:>FCP9d1Qk.ƁK^-Rf63r[ Oq['an[ !1[^ƟYOqvk[޼Mb3^{\otG.=+Yp,[Hvk̹Wh10sҋ=,={7/LV$Pt g ew§=v.} d a F4+ y b8IH+xp6RF9uٖb@wdg W),tfYyĎڟHS N^ֽ5ԣ7gR^q]$&>l8s7mɗ, ,p&1Eoc^~ =7eYq'ADe0ceڦg4nw gehpх@7}%w:@/+)3`dV9dxw;C [T(k ZKIXr:ǽ_s%+P{,XKs#//"7}mߖoǓQ+{EgnѨ$kߧL؀.8MΨCXB}h44^daU{JWv ^2S4׭j3Ⴂя׏;NRF>Z&! ?52V#&G.BGZ) c _~۰gq1Ќ=_ݦYB쁱0܍Zi@E+m5x`C1WƎ*LE)xLm!IQ_ KQ uԶ'_ 6JDѝ WsB;#أ>x_q'V–x]$HSdl8?qmӻ+\!_a17P+_>j/lĦ֙_!~Lr1xDAeFsR徑9U-H,B?BկoF nZ3(u&$ŗh9N5b\u_0MO1E*d$- ۽q>gp4v3%pMTu|d&fS/<*}17.->!u'j~KC 3x@:w,KfTc5߂RT,AuG'G\" )bM1\@ftCR2Paelz9|uRlU=4>@X>x{ :TInEjDRvHV Ww\4įX5Vu%3ؠSJBAQF/AhB$5ct;[KB]p߱"-QoJ ۦA [hF!o 4krsBbp?h4[w+POSNf{SDf>?w}P{TT9YNofG=q,mtІbXKuPK}YD;*7>qamlA?ǦvGQ{jb@9hPA\U \Pub&*bv(iK[ZWSӸhKBP f2-VC.]3r"8pap+<WBqMG1ϛKaI _1r$|uėu J7+nzjKC' .d+=ƥ^σeXSӔ!i<:M\{92<"Jr4^_3jc|OƷ-3βc//@H1IZA~8 Tu;L+PʳLQzLڥ)`w: M=|$;n:`}DjmnHߌ ,N:k4 %3VI)7 7?%.ƁeΕmh|XKվWBiG_6N=ن^}o; l8ùZy;a.Q)\;9hGqi}p{f;QvZ(;vm:F~%"j@&LilfKu0YXpgC*Uo0>竦zuH#EK+za[7sg2#4Y<'Vʖջ7$cFfmZstW!D0JmOl¦X.Ge[1`d>4ez;r<7r/H`m.;^̈Ǚ +/UL A!_lt<;^^誖uVZZ)j~!gO yZ );A5QßESr\Ey5F%e$Ay$w3xf=ʒMgIVds˔23:h FVL:hN4]e*|D)-Fqdٮ^߈^ xV)t\Z =rs` Q%補ˁyF9o-DP7ZPJNvu;W"%8qVk{\'5rVr O$pH]tVIrΝ\˩q[JX&IqR,Ғ TD_]/ 3;D֩bCsspUvB*H\U|x&, RNTFWj`9l\9CWIOmRj򴿪aj]wB!U 1*y%ivrvp>E' 7CMMIUIT2i`@Ń,,Y5~ł(|ww2Oᇓ?gQLx'lb:6O*m=gjXl{Ko=!lA2W@Ӵ0 +.`x*oE#S64|:ODoM=c88m7v+>cZ˩I'O=\_i\_L'hP AQۡ6GN)? Ӈ HfH9>?8 k)OI:Wɖ4kXXl}8B\v*h=ptg2Ozh쿙7iܭ% Ou\!%n,O{#T6J,Fi?Ew80fcNIx'#L}Y3A zT ˭eՁ{3leaN8XI) j$hwUV RlDR 2oj^&fW4q<տU$[JY H@E9;)6Ȃ{NÈyS!pt Jv^,yY^:G"Xs< mH].]P^>v{V՝/t4iɟys J\2*Kqׅͷ8DGZw?po%nN[OҀdh0F~yW&]q3IQcD]kțk]lIr0ݠ!9b>2W $NUydRR \AٌiZhVX)o*#NwQ27ZROkP-aІd3S*uLp{N [+=%7^on%ގa|T'rIZ@`vyURwp Ro/L T~nZ}!rL<7vרҦP˦&Ä #Ue͵&-[}#T_|wFiNh[#`}m]X {V/AFl|8}:'QvPPeJJ"T'U>;3ЫIsk-{Წt" gA-^2̟׃Z G_F@¸Q|Dpob+4.hv"Łmp}h/י kct!pxw+A@,\o-~5٭o.D3is?Wdm%X;bD/Hg!.v4;@L)*@ Ec Pg&Oπxc:-rP$8G;'HVd- @_EMw1!\ѓXr@a߼S~8}\>O֋j3Rb^XL(<}{BweghnCFTL\ ?[z1/Hr}3)T4 Bcy,0+CpOmiz'K׎0m!NGq9oojv T!571AJZ!V;8PR SJT .unn']=wѶhjS&#?)Su=*N!bJzX,Ū0ۈq@P ̼Rp+0Q%jeX9K9Vv`y/:ʹr|E_nḑ@sC86438Y%WdMm*VtS͚ dĄK""؅~sN7~_TWlc4E,cele`~B4oo#Pml4 Kag 7wI|K=7%+熬KU#I)1&:J ڣP#ާ)`LmYl-fr+G;xӀTOlӐt֘APpGMU(o89ǫe塊.Xn}mv0Eb SM9얣)z 4(1Ԯbhbv#>u< &% >JU["PW5"#~Ա{|fsF)gjANL) F16\Macu[p%RPR )!C$2IK)'ճSR#s?0Ҏ5Fhjx#!$4> GikhjIxhC)Jnجrj1IĦqR_% ]Ut!N#m; xi v_NdTk!#YTܝ %5uC5YtQ",84h&N+}FBuQff Qm{,ȲuMbC mmAI{8_falFuj4GF| *x#PNliVXřJ8k.W l 2͐ 0p*R`X0IԺ;C09֢A4 >zkK|qyN L-I]'ԝ)h;Pqb&fJWmpo3ǑTx?$|#~ s?Wq0s6^۪CG|}-Fg`~lJxoh^9\\XA'*^x#Cv ET%WVKo" ԄЃаP Dz|y˻Ƚΰ|nNVV=(ٖ2Qֳ1^t98e. #<|LQre;syaJG` Ͼv,M>i̹MEu: ؍7~ Yx!Ж󭽌:Z3R/(aw*6%ɵbg_9[޲+ɂQ H;Tt(cGא!ycP*;"]Θ/Bi@Uvyn"$q8O `𨢘z9,uE@Q%C޽Ͻ&8)mG"g,3?s$H罓 c=%q?cT;}X]B-9gMiRM1^ Kҭ8g^`M fWdxAW(wm%(7e0|0-ig_.xWP3)].wMZVzx'>|+4nq2b15hj2(;znmڊ!p9 ||.W<}%PJD5p,hɋj_Uٻ8~;4֪b($-XApn!h>/PM +Ǡ $\@"c0F)l[}o>Fu 3oYc,L+!pN|\ jIͨvboZt2(;9m`SBe3BfRŔ>NFGsSK$h(4$bꊽ53 \WP I*R~UiÓ*@ #T?5ڕ'p[`1Od578%'~O-hJkF{kX26#o࿎jKR5ҏzH]=L5se1Y5+`P$f2MzzS)kO|h, ;pCgJ)qQ_6-{n0KOJL˘϶NQ od니։IC Z!5uYd g)̒' fhf3=vu%EJ(#e J69ɉgaİ]Ö{6-@_}LpA?3hX8X$i(:e 2?~^ΎDAR#R]cYuRѫ, O'voV[fUdB0adSwSw;E)КUW.C'Nyʜi5**bclш xNM7_aY=|o=vv MѢ~k'֞Mrt? r09f+X2g`iAppygJ eL}Q ާݙa.‘N9tӳH㰌-*a+~ORZP[}XwnؙWIඛP̹Righ!mKsod|cͨkl#mF8VN͠o=)l?#`Y(J4@څ|6 ezݴ#l:0xȏ+`ux+@6Iy$+]B$wV6+\9劎uMJAMnRq#w<{fgY݀?`ۘ92n5TdOhywY }b?$-YK2f b |NA. }zJIQx߇t4(ӕ?D[*V>3 7-@ Li.?/29lo76Ò(p|unvxm;D>1opɶjG )$7!BB8Q4gbOo{M7_&/lUѫ~/+h9oGўI#^%g_wgx|N_g90< WGteFE<y^ lJq_&u"ֱ#ߟb\ N"1!f@Fڥ~bˠ|m8(d/;ZJi4ILL׳Zޖ+":Z j(ZꬽeIqn |>ЫFB(bOjw|9=?Di{=1̰?xЉ =6>G8=;v&Ξ˴훀"|%(r3f[ ͒~b1ᯐdW hL$ǙVN=RHO/Yq`æf,tTט]Ȅ6*qWÔBFBwö-Oh98c̭TSS=a+Dk5".h&\))ŵ?oJevqߝ$/d@/d̋p<-Η*ż;1 hRf-tl70kSR}ϰp/ = GzP5m7+7%}No8gLTQQk”5tv7+hZLTrD&䫍3WH6q79 V\ L.TKBP$Wĝ~>$w"df">hUmKofo {ޛtCܲ' D(?v#9(!jJ=闉rOUm Zx3S -0Y fp {GkeR !Be0~({NcopCWrgE)lOh(#2hnQ( IJ( ?̱5&EC޸;;)Y;lpŃL3`+1m _\l3\EYJ V>mF M@Qe^xDi5+sި[Όi9]~xuR;Չ ZOVHR.Gυ0&4_R\1$$*O^GG02xDU&$&_FŸ*#t%5!0b+`slF~PHK۪*\;H>cA}Lƕ YL2}HG/WQ4ިʝ:Vֆ]E/dʡk$r6*CP)/Z-G̲Q-f(h$wrnL3q5" lIʹ O[oXmX7>~y3Ctg 'e&r}IXWtNqKA*csb l,ȍT8%R(l&+0UxwңՅ=۩5ZhB(^?+d T\̑G>flՙH F\C48~gLyV[k*FW(~^(>90x= % [;R'Y!u1ĢOKOaԑX'Ա v<kИmW"|4|1;̡ͰV{0cm5o#Cs-VPpxdBP&Yp~/(օ|c5yyh#3ua@@v/:~6 Qh9*R16\5^-seW4O9 =?Jc"fbMwXDHT/f)w PL MNQyʜ>0rHqo!Q)oP^.o"Snģ5.t Yۀ::+\ȼ[RGDz& r7ޡza+H]d٢lhS 'QǏBL !/Hlpqvp2<[.oT:3WAS mI4#^~(HHr{ɪx/&ܔ]#͉:m @F7\NwM̟I%"0 S-3l.W \K=chh$ck!eaxǁ2?m@*Y\A[0M!̔yV\GV |}0X!T/0/ א?SRW*`91J!S؃v87Tg'#Syb` ,fʕ-b0 a'nqIx1ZB! IV/CM׌*h" gȜT i!Аׅ0] fI1rî ؏\;8,BL^2{K$ $W+1Ylq`^ɴ] c HW kS~BiLxE&d8*x%L{4P sr&ޓ0-Mȝ{/J猩v1)U=Ū;Xa'?rge 奅1t-C\到@BրzKMq=\4Pqrǹ+J4%o]!(OjX>VawrhՃrI߀Ͻh^… To|g,~&<鞬8dq*4R^$v7XU@ ;;v$>,ɵ `|@[1D=Y@ţ͇ʂBLSxtyم'Fxv5}X$ͬwGҦjLNea;rMbBh]|\υϒB65ak\PIJϸ9\PPx1bF+g#趈 }e7=SqV{}΅z : ~8/5In㌿F4AI[;*/q\LEPm6B?ux~7(~8qUL?/:'*͐Ty95\k~]$-ekFQ :&ǧpIYΡ,!׃[+ݧtĺ~>p*ЭzX7{9"%۞(WLҊ1rVqm^<( 0읗'2_/Bd]OY3sd~H%STJϏ_9(1 %*-ȀIpaT:|Fܼ3qSU4a}^I!=+'GfP^a.s65ׅQ8y(Zq3?j nL請xɛ(#K6ߞ % ~+ D*dW#Nw$!{ۓƉ#0Eت}| %X^8є!v䯑5^ey²)X>R8:qRۓ uu5 +%ЏFg):` E+k;)XXSIx&)V D&X=F/Mn9Ϛr҅{UܭŃs]=jJA\opXmݘUv7 G`QA`P?wκotAeEu&Q1<$^ ܍YՏ!s5r^E vT(P ?"m% 9hEy,3N?CƼ]svCs ]M ,i4 . /E9dW]_B.OϿҶV$}5>:k?.; wB"؇FܛÅ糢>1p˪ ~F9VSs8i7 సR( iK)Iw*m6E8wӂ wwC:"MƋ@hAnYԂNäN67ئxrYLPj9MOaFd_9O5wk e%SqUNiQWTVC=\L:bjH|>O`_E4A2Y4ڷS 5XtHIv:IT ÜzJwc7?Qݬ\+ ^'JtNtїLc&`%p!^+=9q2f~-\`r$ޅPWoAdS9QU ?bфj=Dn/t埈jU9_R @0o%~|_F0 ]#j<ʳcCC/iP,?߂)Y†d݇h 8$ C9u>BQؘF>荖`-%G/-C!k҃`31@=B2hsd/I(KcX'"[:(|؋}K͒(7I/l%SC\ ԥ`s!8=07bY$HƸ'2rwyYpˠb:9[ P?ƞ4~G K `"UmePPʴG3nː>5%Gr[aaF@ zQ1pڗv`,+|&*(?Fd:\= [TTo!D vqcɮodn7x V;3瑷nc)ddI ]o*"}`txd2?>b :J+B)XX;bP+ EzU"^^A*.%@w%$^ovpB`Vs=I5@JM(==kHj>S\,swǻVnlWeM ^M-0Qu(3H R_ՆpXa4QvPgA+Ű>׿+ <) OhA*Ig耹zĬ=S̅$O2Ќy!݆tQ32vr)wt-ۮt2lszͰGe9oL2l BiZ %W{%Exώ:qp(y0hugJbsܑ(;|+[R)S'6UPp`hT!ǔBioURDk?" N힦O/BڄRRÑ1&b5[.Cysˉq8KdL@*Tb!fLfg/xdy{pPdbNPHBΝULxωAlP;)T0:O{x(&*_A}u_-{Ȉ/) r杄Z)Dn$ rucXHЋ?Y}洌uUe%gankge^oƣmj@: ƨ+kz'$yO4k7hSnoYYOPmMY{]2`(y::I,$Y֜>y[Lw fL}#ʈM4C-M>rּi[K;t3lNoPzr͖KޔTJtn92c`JoEʬc2$_Fɳ-dri(Bn&p7&\.yՈ!%ch<;PM[d~jޞ@< #l> ƆZ^V|*)R´$-k}T/˞rj1a<"O"0o_ga$6bBV0`DJr =Ge՚`ΔkV!i5zZ0d/i=(@ DӴ2l @ĺ<- R5fJAifg@)`}޳.cn\IuwXz^iqMoK*ay(|!*<M+v}* C ?d{qbrtsytׂܰ6FfJޱLZ7X#O ة;sя|fORKr ɾR)_oc\&.tY&Y!5Ċo]y Gt|V՜p'Kb朾s=jX5l$\Jx;P}z&St [;[*vWXimZZƕuCmzI-iM ߉j\_i Vɧ,JEQ Ş ڲn?v^=4]KyZXŮnJp3 s-x$v3ĂbI}S^f8qNCe̶YQmtJC(ZPqH#VVJ@!a "z]-kvhEeA/~vI,550 淀!wE6C\axHv ^bJn,u| "h"hf[}Y輞<K87s# a ooc^y)I5FLTV޴֕/M%rR݌o̐I=Ixmw 枟e[1AsVfe/EjLhDO#z+IΌā T,ۡ\oN¬]]9R@IEp͆SUĦ %3_78' bB,E&IkinAy&Ύs)çmF$ , m>tp/sT&'.} tGՇT<={M6N%uݹixܹJo@M|ZmfO a6IEb Mz^PO9f@hf;sDž_%˵ڗŨhW,ʐGJ ]]h[.ZQ\o6HVPQB[Uڗ N-9V OAK`"?۷hnnUv7E#İ?#mazw֜׽Y2Ճ.ۡdE+u+D{wy˯^?i,PGe4 E*N0!k E]Bs#NCLe@w T{~.ei`q]ܪh+-7UB]L`{UGb*Ԙs2zQ)y9!w'4栁¨03&j[4(led̨? 0"9p< ց6Ü=xUzYֽQ[xR;5!$|;M+/eCcX2bΌqZl296XΩs}#0:ԡ~3L97w`<=`lTЛ}}f-*B )b$SC*vOM/Wޱ\*+ $c_X͕9r ,Tݿp[FWpѿo\&p ߄Bػ%={Nԡ3\{C{@N<Ns=%eJF$T_idA~nAGa9 FP4m|>)}`k(xzTTUQ8!?D6CM6/pGw B8sɶC5i+˃d)о`x7 ߭40UQ2NpU , {bu)'[Ҩ$4ۤ5^dVC{bFur^ݺICo52b8etϛk= [v5\]~zN+[G;$ OQlr{OXpSs-lJ{o§~  }SĀP'h(%l<.v*~$br*030TcL7TPt#Y5ՃŬxP!cFmkS\o!D7.g:l WFG-$jMÉQ5zPyA9J{TΑHJזSd1Z{~ @2A_|G l ރ@l0}Yh4Y`I(&(gwuʵcV7QYq| ìaaّE=y6^%'yFϰLhJ\jqj=byq>#U!ol&o XuφHfu8X=vVPW!2kAAİ uA\ʙ4vC<elDpzh@f~EHp`,P{&(TTP2"yB,yw]T֗N쁤1sٚk`CMAeHL{՛ ɖ\,hTON6z*ڟi ]"N@HGN5?iS Έg12IJۖ].&:>8p\Bϰ$ۖx&E"YdXlxh$C]ji<HGM -=Xhț|k:nctl6Ic~s5ݭ&Z3蓞1[]w:Z~}*!=U CA'qLj|EAp`c1a3aרmN ۟wS*9nS]/H9δ/. '4]-;/_Z'R͵QCesrd"?b:F/UK^|t|N ??d` [hߊPl]"u&kɳ q?dcF[㛇у˜wC3qV d鰜z1t-sç=,af#UoLβ5iг`%ڐ&AѦ d3p-:0]=:嘹#s/atvEd]9 ҀttCc^[ǚ"-_t;5rM ?؟-p.'(xG 6 -ӧajт@pcQtN.!Z)‰rՓweLjdeQTy6ps+4 u⭍(wgO[ᣘښGQ{ SDˏA#:2ip{53R Pzco+YHO]+w'!z,/馺fyӇųV*f41Su??{$[="Yz! ͏2}Q܎JfޡµXsr'NXGi-P8/{V&?u7}8:Ƌe+n$ײ5}ȉm΍?#_lZ7JYYw St=ټb32ꑥf\Sz!:VKE ֝Wi[m0P.UabGыiYlF"\CR+_u R% SV⤋# lKF9U9I_;9鹫qr*EΤ|X#[׊UBFy^Xg-/4*Kͣ =s&ųbqF,lws(؏Ce*G:{,jэX@zf*K`AHh}1JwΒIERn7rF@t}4)0MwlKhK7-^j}| )3Ly)5`*u(G;>( Cyt^Ä =.[3$@ީG^8 ^c d_<3ʹcvw }hkT"D>K AQ 9/3 ht Ƿp`nY3id`)IB 'Q #7NljAވn98bb:]o\&i) o8pz[=*X*y`>6 vּ\Jo%Ke~D 8;d埦>E53#>Qfq9:07h~,.;'+̦1̶j#N{55_Kta'djW"xTNQHdlX$ag$ҟ5 %l*ږ0o"`Iِԩk+!*%C޸Ufjf,#h!g&?dcpgPe~z[s${V.JAm#}T嶥;]ςGNER˘NA;emhqU#[,6y*@nv( 㳴#o3;=kkҩrm Vs.us1>0:/7؎9̝BuB}ԏ]`W"W4SbgbGu K; 6w6Kеk k"2S>;tjfWu|ԛGd3ɤU Y[!GڷCm>m\H8@e$T Y1vw @BLxhx~.RTź:%8PEm yeTddFKN#n(,Fi>֭}*[sT"OL(UzmRMx>/y8{ͨ*7숲M"-zo]a Y- _ XLK'x2׾SԙƣR0BǻxXkx&_u#[R;,Z_ǂgMᵏy1 ">|U%l *!-Q(_|@#kTpXͥӻhy/YA6`(T뇖Y4hB\% ?pjN1?;g.]`\zbpc Ȁ(bsHhlt5v,0nߏ:>3, XcUUʌQ-,N@eޯ%iBӿðlAS,rM0_)4D\7ϛ>ӔmEMfזUSBHh}P%I&U/2=WRFpB0Ń,nN(`L%n]@\۱0 YH;o]c36mL NAj>}*oSPCxvUoG4n  _" gvACa1^ӎCsי~ӯw;Ve-BS,c/ d>b*nLl[J \a7@Ҧa_QE:M݃#O#2od߅ V a #rrQ5 ֊ zlnz*(TGi/4`NbSÇ V;h]U'{x=C8 gZTX 2F%Ңpw`ou?<[ Rp;`ho,mMf'b; UJLa#i>4ޫRP{ŵY\G[SwpK,*[swĭf~#X}Yr،݌j#-5˝~'TZcK58.oT܎ R}x_w Fmp-0(k&nPN'4=deZ-,FBL<ѡwGT-5..~m-k Opϲw`0)0FZ̔yмe S7.&wۯ[,^&̓8![pV7c{tX :(`k>Y!hQm{G|#V.x\$HAve .|`c$a8G464 g?vCs!xQ)mIQ[Zx稺 m[SMv/aՄV9P(h)4w2$7Q>"ZtƊX?񦤹{Ԛ4[L0?5 %כ<Ł]p /ڮu^3҄*ǖ7 pMl%$ 5FN ,䧞"J}pvF799Gr"j;u_@c4";%7,|,G4(k v\* jc??g]zzd6!){axں]ڋZ:}ڹqD잪xhޜ}ȑGq Y}|MP^/կqЮa~ОCҮ2_K w|‚SinkLF H΁<.ؕp; ^@D1RFtӥ%tJuqz4+9h!q`>ǍsB~d9D'qEYvx;cJaU}=zot+_ey+D7ZLnoŞ# ϨbZE_]yiޛ``^y^+lI$z/ᅼ;pP7v-DڥFjmCmM1BCCAD@,{]iΡn;V . $rvś+RcoqI X)Fٝ`>#o)8$L'38t#q7݂K>l_y_D' /AD`Hr[aVM=B6u}pd2N^2kl 8M@4 lBtȠǟذQ  s!-BYv |fDӒ-aN!9?n%cm4ymT6.0ê_.z3ֻ2p)LW8jd0MaUmIk3fd8Lt@|c VҝL$ub`7MVU h3HT#<C<䩀зoJ/=s2!r60V+OtSnmhz:kN>D̨pm@ڔU#ajF7#X\cw|K4AsP1sw -E Y\\sC1.s_[\P< ZK3d&wX.G c4S($LO2L$eI`i{G=ꀇ/\(oP[ݿ"MmϾs~:,"_n ̺+lA X1p+%ȁ_WT-z~lQa[4 5uRϾ 6+k.܉۳*v(?ѣ#ɨob!~6cE@#SXY|"CQQ6GF݀,z;RJDtzP>` Lv0K>'"g-OD+[|=8.liir~_-W9|aFx 6}a)ջɬ|? OŝsH/0FR(꼟,rWq]0!+ҝ ~Is|'|&M23Tx*rş,&Td B6 ~ RaFLGOjtla~ Eu χ%X/HE [3 rrq 5 #%?\GS\`i*VşPmuO;'묂}madRp5rXIPL ^%ڐ*l]VU$}9m ~nڣsʞ=l{ahƛ?@J)&.Oec6|p7Qy}/2 ]':s&/n/WSO ̀$&,BkqFUQwzX w L'&B/yB>4eb<R"ֺ']G$eM?L?DZ -ERczؙ=} z>@Vۅ$޸p+d_/S{+D8!*F1p%obl7u=ON|:7pKAM#HS ">._߯aa(ӏbO:Lp(-ɇ򠡌 hes 9X e Yq+Ҿm0tQl+Jm'R TQ~zmjf6bH.pDIV-P>&sT5A rmMom.2ހR'nߘڽs*_qv{Y  wo8԰q|s,'+V=FRCBJ҉dJȤHrT[03"ҫ9lg)W {^&k5ryv ]F_Ҽ0w_opMAϏE@6Bo'k7zNf^KeFO/.l8\zb9XdP<>b]黊>}DxD%_FIg̲o%1;r mC%:V㑧m2gI qRyؙ(agW W8@V"O^ []UFNfF'M7zeU,+( &̾oRҗN&)/P RQ"x`Yb1cq 06NIqK(G^ONMR&>0`P ed*FxbP붎e4@t#EO ԫIh,ݔ8&d2fB<) 1R${?O Oj\r6-؅ &jy*ICJpϪqU2%`Uh+<&E.| ;1W=B/6+jvmKO63D9-(f9ݪ]/:TVOds*~UɺE.qUUwBѾܩrz34 Jק }abGޢ׽Xp0L< :zS Kc˴ XqE;HDmU4z$d"; lTz_)yIzȴ/!wm,󤾦/޲k]/gFHþ| ޓ e/0:?7jKLP+miI4r94!b`Ig@\/4E8]2Bt$^PHqM e%a|Έ,w w&+V7#qL.l3۷P1FuUet/$wMOSϡqL PzZ6ODQe&/t`nꦱ^X0̻ Ɣ0ԗK%4G(H 4O#9Mhꪧ ul/9JxzF 8 T"*1ceܑf}ea\PF^9A XkaQ2KJ((hܬ*#b,4ɢA XI~DYNyC;c ֠.xl8]|51H|gʼnuM=8/}SZxhWP>{h]-†V={XtGMǝ5MKmRZO^>A鋦Ѥt~P|С,Z-ܴzHPص sLp\=i%|ǂ"D~Ҥl=s P&0d(>fr}~q@Vf{~BqmJl7(ۀ}mJB} c׺E5ek]A.$KVV( {Է1Pm;0>`tT/Cnӡv"0g*i$c?\SD35k:v# CK+oߊeI6>%^ɮ$kZ|Ҹz* Whן` Bpq-1$`\{}tj|S1/Cn9IU׶DvyXԅeЍ[@$cF\&X(ˬt_HY+ Ou dm$4xe:ve2]0g^4d /uX(xz%@bӎ(Ӷd0s]J+BnB@YzӳlwV۸,y%:]ΘCpC 1;J4Y3nIdBlᔒ0_Ⱦ,:P6AIW3z%Ly1`0Іn'![C`s!:5{ETkr Yw${i T "Ͽ!K(c*2&F|Ci?`FN~-9k(Ly3cw-c׋bρV0-Uz)*FB0+ֶo|8k:5Jtg"y,D|fW CMnX{tɡ\j !P չ > D^v; ߶rjUoν8l>O8gd6TZB̨kk.RlP9-Pp[|H(Ey&W%~^ &wpBOV{S`A8>@]kR;ˎS,QG\mk0T+}J H`;-ehtN}o@:t60,PBd0?rym" ]ARmᮾC&z?p "LH}Y|1~0I"X "ή>qe,d\;{W/73Fʼn#2IGvHt+YUI?$OyB?+ƥ]D 8LJHi8̠ E 8JExD7\24$l/+mH?JU2+7[9YBIwR;At HR4FYb<ӱD \@?} `jC |;]VZ1 v؞n`,w݉H}⡜L;&q}  grrLxKe~e=)Dp-HC0flK) tՊv_a8mArEtnE:X;o"2*u,,ihЁB!|◭ VSEv"$ri~ꉟ( ,xUD6V 6i mG2R)1G<h\  ۱e ,OfDjvo m5*R|"lh2uЖy<wtLg@@Y.j3 h׎z֕2 PK /<"N0ifDlј{dtmfkQ=+&#8d4| &k  4veoJ!NP* C3u-],q# k'.]gτ4κyCMTe1_`8 :KxaH\j0`ܝDeyD1K9AP5zI_~MɑQ>/?|%t5yLO"3Q H$Ƙ~Q*EXۇ6]̀|_Jte #,+`ZZ4:fk_HWKZj0T{iOF^(07`FGs=ҵ=⢓[}ry%.Y_m̄ 6 <1?U! WM2а% \C| I6Ayp %Q/>e&z,WgB`IpCwwNCƲKᰗT.lȖ@z?A ^rHUl(tI"x6rJF "bӂtd0.,1x 3vjm[3^KCv`䲷KsX?Ҹ|KǕWm=yoq7\Dj`*}=&V:ࣲ(5jyM^#q(g9/ࡨ'U? q19Eeg zv^bzD_~.FֵO4}ѷQwыiV7~ {Ԟo.H6`pu(ܔSHO bv! NX}!(2AB.f'nq(].}Gb 7lho[`TNENP|݂nY";>[Mӳo p?/w DǥUG!E l=,NjAc7ǂD(Zf:tV9` ujɊt\Q{'V:+VnU?f͠'L{<2PqnB$$.RFa߸1v3 E^\/˿$FWébHljğ]n & =•_7W~1t (,TH:v6&Wx5ZpD-v)^2 #"jm>?UlA*Q̼JZZiHFI&jʷʼnDD`W>ʖ̤GOo$Ly@RG2ʴw\!\}(5&?ԓ5qD:*u eT2fhfIT84j-fo-%f碌\!CԥH:"]Q"Ħ0"@.,4ߓaA-ˆ[Z% TJ6%5@n3ntGHe"Cl.^K]ED˲翯 oF2EiKi{K`RnRܤdߖiq*>KBMKMkAUxmx0Pϩ`u)d= /Bt(Xj6maK FO,)+-:!XzH+Wz%ɂH^E&L }ՠ.ȵʎK~ Iܲ- S+ 0V5x= $[uC&?r)KX:fkm)نN}*9W6&%ڑ}<~ZC-#bP^=3vi .Ib;*hhg{}uf y ~e7kɽFv+}A/RT!s(Bd ]<ݫw"Ӿ3Fhχ۶s]:=G2R*8$I1 jٚ#v91@dpO=!xh D  ۲ B' 7jDMgVblӖ}7 TeVP\Ux6xFxԄh4!#%%x Mv-&mFu`OTb}ЧN/_Oހ/EYU8-*lH͒"dU//,+Ig/D~}N[1:/<)nN`oU7)F/RH<':8,':k3i!.ìvu\jU3{+#/2D/bWekwӚ_ShC\9ZGHYq 6D^IgJU7JNѣ6@(f-rkIm akNkm0~*y|Dئh@Gə1:'JزsZL΂飺]ϬY̐K=b;հ$5lMTxWϛOd?w|qSnv !Fb)k¤ŊmD}sfl{A>{Nxi],67QWLϑ2LjkʓyNr@zȸL('#i97=〷/ޟ$RLJP/đע5sgrHVie*Vm#ttTQ(@ŴA**8r"*skN3MS%%W)*FzyqMXwuBh xZjU~n;,<ގ bStX/vĞ0z]6VJq2 Ğ!;%\5o嫐Ctr/9^7acXfcaϝ~ XXd`)LpYBJf!/moX-X1`gȬa$xt=m P,iaVaF9B QTyTbײ5Lt1(ׯ|?]iC]ĿC鸕)?y9ӽ:w卬e[lP_>ox/O5ս~t* /6= U?4̿ ?&K6,8r_ʟl@.#RgWfvz* }%l i)Fv-:Oq\u7(i̜rM4xgx ћ=ϸ4 K'.#d_BLdQ oTWʟ, # ld| 5%rpqV|Qk}k1VAΌ0o/xgRO4״݌p*n^.+j|̄.zS/ih51]Shp*j E)}Y~0Û]{YMe]J|OTa.Uy׳K+i] sn:[HCCFSQX0Lħ%+,DXlPm(P'<!7աi䮢u27( hysÛ SeYn0;Att!AXf*Տ>5/۠>bsA.'м$LPs{ńLB|/n&֖O~uhw+MhRa9pnCOS:9aB'+-C=N2p&q1;UQ<;Ȑm+_]c%ZW$%Cs`])ӧaɘ9((a䵺;Ht0<}H㩛~4kȁݘ/>+sdgMS,,&&Z(}|V2jTjG>Qu~{b>pCd/VLvoU7ɳb*?CY&~\PX}"(s !AfN%,`˅d>MGܲGl*}&и#8Όԏ:F7^Ůٌc4} }'3m8H>pcãoLEjn3~7ѭ@sA:e ,m>꤆BsxZ2Tb[0,t@14 fMуRuTz/;B^DٺYlXBBOF\wG9|*Ki|m}x$H oNsm?5 ,4[z K CWhb>)ṿzm,SXޫto rIi'r|[W@Hw*e^W$yQ,51&@2\S`]}~`T55M:?[~d%# ]G}[{|!1=y{)}Pw5tih,%m Z2wBxh},F+{^W.H{>KPdro< HKth"I>`  f~; 0gg(? Gԃ(pw/i Ew^VEB0Jk>v-DR`{#g > \ s|ZQ[7 Jq 2+Hw YT {=NU FNAeL>UM2nN_І./55A=SfXsis̖^pKwbfK(M2 VaJPۊַ|lF$E S}VO Qu(D֜Clcby5xf]*oҰ4@ai( .n7mh-;v(m<Qu$򁫊^!F]=RQ#t)IHRw3ncC\;IFrvRi%Vq즚jNKFnxT爒9 5-[rQ)1R{@!%UfZjVB z (Vhk!?8s}34;ډz]1Ċی5.Uk>gl}w(1YUIv i~Rx W$,YtR$kђ 9@+::pU-M mY!UK_ Pe_fF^zzɦX>$i{X51) `A"Bu!eS cB|CC+K$?#ucɗEDFˊȀܟoX؃Wx.܇Jj>-=IĦ9[0RNNhsfi}7Q v{&3D3g#%{]b#)њCqHwR}. dseYxzE`me87х {8RoӬG_EjK $27O+C1]%O 6%}>"ƍһbh.@{TŻrϬL'` hܞ8!-n&n5Wu~*&EwtlOwa{k*#րd4X.֨Ų|EH 5E3ɓAwL HkN! N[ Xk ԔB~ M0<8񷾢\@oۇ} _ύVd!_z%xCq9hZ`kKTWc'3Hٖ-']%[ r{|)d&~eFKK@KQ&:υ#h}1¶ =Aiv}7"||LCjS7$WA!%u";湩v~p$ &&\0ŊތY0gsi,z^H3Cސ׹l4ŭ'S!D͜OGuO";X' dOQ:_CZЋl?CPA?mZ\xxWɃ+Y3B4{vEVfXOצ  c*ts 9z4V$ $޺ crP3W)ntAf^"GUBMtkC)Q]:ώ14%':Mq|GB֏Jt!OR]kA=c3B4i'Nk"]Uٸ;gXy弖O|ngF9AՎWB kc\4VD@M*`f#.@"uFӅGvd >^|Kΐ;C>Jj%֒N9h([ZGb.ܞ v. V@Up{n"``Q:YZ#jߎ"RNhB@un vJ y<_}*I  $hVcLi|H[ߠ9(Kʆ5k`ȝ s֏j,.`r-Y~ᵼ[.{CTn`Ɏ5b=%)oZI_ԁVqRvLW 3?!h;ӍT&UnäJ5=|@9mq=y+غHہZ[6 ԢhsYhZk*)Ð PTF?$ve Z"^B.蝩j7u-BJyB|-%UsأadصL)RTJ|MI6%YZ~Fbj \FrQ^8Lyt{J=-\5Hl y?, _6,$[6q z< "`1&NjW'NAwqߴ-B(?iok9׍jn0<~a&V(6 ^2kZι,E:C*}a8kp9P*o G 5Rs\} Mboz}/$8" o2M`#ؐ iH/"Lɗ{KSuN ;fQS 0$xMиۊnfJUC~52{%q9TȪZ1[7, \#)Duk}!eM'3^CFM2Fd) FybrPh lV45}ˍc]cTDhe lּW6'< tVN&eFfhɬ |=ޏˍXO?e껽_D~Rhk5l䭪5N{lQ}3"@۪Cz[ [ ʡ:<~ q 4`#A\5/;Ri\ En*1Y-m69ݑ齕!vqCQiiW\˵ ڑE\ wW((J\_ޘ=ގ'&w8/$>(u^kfה_K{$+2YU6TG^3="Bm+n91M8 0%tM9['Q(TVͻ?MA=d\BO_p)dv,<,/]769gmU䏂r u\&|ABd|ܟjۭ.xes + gW%9NGiB^ Y r&\X wLwlg1յxV̓ۏ,}V^^ TvpB"ŷxuDkq{uʓ>בЃG!fK#w,!}FJK@Q(˅b1OeA%Q^ق\|.ٌ&͔bVG)=/(DJOQ<|z#mk;@E\LZpM_,{'&|~'yyk%#xK^#flkſ:SQS)$zkhjA96ȕj}+jo0h^-h?h5+x ud99?tin0ºfgGD]¾P*@C9UK(K~ ,^;|)r~9LE+Hf_|އ,g5P2wX=0Hh[pC|ω`R'@C4{w&=$$1')!DC"ϗ^"wGE2 [ 'FiCV$|htS!_|!M]#Zc%f^.3B]|SH9(IT/eJ;,~i\O4vq<\~@piwmo%)B \a x$VWr·_ƝTTZTh=Ka;W(mGe˖M!@@[u[DaT !k~+Bi+L?]lo)5pKn{* d7G%7FO<ޠ bϑ D6lه$v.Uo'Zա:(i`ذ9VΎ܄BQP9=nMwsw4f\Wgx]ϗoUKzA:XZ q\*3Ne"~PtX U;Cρ-qE\arOA%!Lix g=LqtP cw51Jnq14=#s$'P2K~oBjyZJwE"FNt3=f/S%e LVM'`'XH iI/)AH=A>ri˥s o[LSSbJ%r\:QFDczAv1h hTM>J V|q8ў &ě;4P)uMLgǡ<݊WxU[F_ ]En~Ҕz!B|>)UQSՕ R]Hg*O^ה`,2[.*U-x:oP V#1b)\Z!y]Or7(R_`Rڙh6'#1GOf:{p  lPv[[O_eJAIq8-~-LuܷQixÈ$>GpLۜIaUXa< zz: &MnB|rt."\_Ifg1b51umfq쓝tuW8䴆f+wux|nG_ZES~$N><\!x{O$u`zAf @{>.!i7tkBF0l,qwb''!YY$G# 6"DMjt)$!P^0*8iuͭ#ϕ /C8:0vA,-hCI`ǵ;Џfv߈2RFx>w|kU5^>\g2ِ)j^'n+6oq+(1HA>KQP`C2OɈS ?zy(7Dmϲ7؄_NybqhFr 9npy Ao3}fm"M1G@֨`Q $6NVdVhjXR ِ⊤1mb.Q7f1LeG9!Z?xd2tr0"k |]ʒAZzsb$/ U>{C!h(;PiōB+P{|(LYO3HU#ywXȿ48_H j S1˰4ҦT/%Gu&e[8/Rƀؚ ,ĪX쫈cqNmT #p8MȦ WJuN( UX1lYm{i6\qV]Fİr-xٯ@΋ tQZƒ4Hzz`u k2GD4GꈌjЯ_t';aU Ğcq6X FepHٸ;Z^[kb.v1jkBdk2b <UQf L~4S`وJP"!0uZyb F YBJ-? !XYN+ b@iGQeeuJ&;,aj; Y^*ag綬cX.l_(gHR,5="l#3EZ[fIiL'@0u/RJYlpy7Uʌ%i1zDJӦh0ZZLgZ4ul'"\v4 ?x#jqLOaq"R+zYmeQmZBa['w?H>LQ VR|LIi 2T3;p'r0v|4*35kS_wٓu^rOFȠ& ~k뎴x~NBzmf*QDZA}$1'j]o[rB2_"kP3uĪjTTK\Y[Gjϭ7| Np{)J,7T(%$ r7>-KhtGe_uMThQHt|$# ^DDN*! ;x]3_Jї5uޚW RRD1XO@$ڼ|۴yJ mc;; aN8[*K4l(>%)D*ӽ* ~˜uzOM$ZͩC oYQkɾ.0wꫣ-8-H۵q'| }8$H 5 br2v,E Ѵ2C_›"pXXyTS8$;؍ra!p_ H?4 U1y쒟 ٜ5{}x:f,X}_^EA9zxG" Ǵ[!T[wR%vrZh9Q}#e-3*=[u$ßbY'|e'ި]sy60 2ѱKl5!_ķ=ccܵ&BfF'-"yZTIb3=隸)J6H[IbQǔ|^=_(3%r ۩r%)Ыa Z}C?X2-kjc&-:\&5u#|:+1Ÿ[}%>'8IY7%'t)X!K~XbӢ}t,-KV "#zzè, JX|f,!VjUuK2ي * (pG.t]K0 ?j^(Jōbd #JQJY .Qk#opHB[pPӒ! O?uUSv6qgo.V&LR욂{v9S CS=^"By -% c /ʬ>rA2J ҄vR2A5|S7fY|-?h)fz t怤ǜ'Eڔŵ΋aUi~!pzBFy"B.;%ѝ<&I1VR|r􆧪԰3T zZx:_8U%wx5UQ9 ̇p+.e,a (ߞ.FyC<%D\e!Zx-kc[~_Rj?d/Ղb L97$)AQ q^_M2LS:Kyb}1 ͩ)c1=;?[".\)[iB~01:9gtTǎ! `Ɂy 1&yD^0ťHҷj7FyMRocfRѹ7?ݔ< mVLM%/ٕ-$4Z|ɮ۪V·P{]T4/GMIՁG`]B!/7[*dm 3E̝L  H, 40%ɶzV=/‹m.*-N"Y7ޘ6 .ILx\{ٓFɎb{+a5<L g&Wf:xeBB)+vgfҡ`VEwu?S`IA EMeG)d_ hjf'Y:64/…Y 8-{@轺'Ә>/D9&AT)[8J3ۈ%U )MѰ+RWBIRiLVXS^ycH 2Ul ծAcDmo BUh@>з$xVz{_Eo|r_{}0カoP=VTVnI0Qr7Yt,'ۺIKc -%+g[I)͟ă1c]kY<nG/J.`vS J# bN3`o(IA!H,! tdAX3c"ڲ]0$ dNh|΋?5B`l٠+n jj 1oϋ'i J#c'`%be; Qh0VPrۚ=\^m9/KrPhL(]&M$w=Yߙ H'M|%NJA?ykOj'ѵ'XI0=&vۣ VǃZƒ=ڭٖ}dδȤS$pHXZW8 a|lKTD[-g|X $]((ڈz_K0*񳱈hJ3{>g ]7ԡ"( &l+|)2Mz"Jhj|]| xKqjz nAl=1#(í/s=ׁ U+DSf>6L9 5_.bm3>N)8@*Z grXi! D+=Z9/0k?Be[.8A"q|/`Vavfx C"eAz -mMqJ9$.HH&ֱҰM/쬯ˠ u׸ٜ  \^i.r@y\,c3(fYbΙ" Rc6P*s5v/^ کm >~ză2Aiș>2d=fUV$?6HXuC5Jg!Nw *m ̽f|f8^i67?4oenj!G/Gء%:2 k )2>e;RQ?{VzK"Sp ǥVv_zl 0>U4Ynz mMWL/)iAOT&ă%2 ^4R=l.U-5hP2a29n$ATrBYX'ۻ0"d׎ؐ5ڌB*IkTNl0 +b"|8V SA+d1ս< S+RJ@nf}51 uth.'߬vOJ5 ^"` Y#=GT$ݲiQï19L?Ӯu덂`hfԞ;0ࠝ; o HK6 |GM L@R5*9?}/j.!Y8 o[`)\G#Kak#fDBJ#~C "ܪ4HD5.bV=c5Ŋe41`;HMw?XQCŏ^|FC魉BJupKF I-5TKƶ ε XO\=E e 0uznY\*Wa8e:;, w'!m,wD멩#H!wn3s>CV&ըHL7teb3(~Or*WJ Ƃ+vG:ݰi \+(3ڊ0QNb.akCݪˋ-._ĵ,LdjC;$-ZER 4JVhcIeX"&[)Rvz)G$ e du= 9 W͟>fd_{WD#nkU PbAr,ZÂi:G`((?@|qq8_5/¼)|W7%>s.H6;A(vڦ?+2OHw4w$9,4|8Vk9h})JLνU4HoCq#O3Ni=i|3%J@/"|24^2&k_d٠g`T_ prB1OG1Nb0]J"W!Bi=ZTskp8)H+/ 5DN=uޔ4 #BǸHk= 19: ˫4Wy.m>r8#pP$4󣑾#<Ŷ:%(wi;Ƹ2iwFW™ģEɩp'vѰۋY [ޗۣQD>ͮwHT*E[HC L)wc%b\7i2Cf]EG'փ.8?w]{@-:}Kn\qIMChNVi)IQ֩a$`73.u}9q"0A&/^1^5WsLc<9P؋5iڽKpe&(m2ZиLZWnQ]"\G(LG9g>Ż)%Pmn}˺x_<;髬H4U׎a#=^JU#vG> wXXlނZaSt>kI/C"I cqu55g=J9FZ E+\Շ[ůIQNo@~a7l YJ|tM>$|2eЋXiW ȰÁ/NƛV:"(dcnO,RA ES)Ru  &K轢~hC_l5XMg!*iƜ>sNK0R Gv <`V~5V7Fbb4߭HA׃F.QHʉ󶯆t !as;H|p8Άj #ʦ2_ex8=o5_,t[q9*E*aŀ1*tNi7[ Ϸ<-4CS FfKB3z?%c7K @my+Dm"_#wX*FQxr^VQ&K`t&jz{!2{]ڍ#;n}VY#vPoݓf^CV*J;0,qw)!\ y/F :Rs4[TJE)ؕ .$M'c1rq`r^;@ 3sNٖh/ X YsF,*,ְ;S->?J̦fY;TSZ'Ҝ@F 'j"kwz;5l\lmqmk8 wX)l'Cj]O'sUUQZPi 7r$hpɳIW #<)z݁&Ŀ<8&;-Ff@!s$ͺ E$<UrLr0eFy_z$u)N_GkbJQRY39ޥWҽԃPH$( Z',;EظlvWA߼0r.wk8e4`Nj=Ƣ(zwj"La7YWRnw╗?>_"zP H<]]/d^Z+ nRq+0d:_(/Krr([*x MpnpCN$ʿi㾗jylo2!#E&M,TCE_3O`ee vz4-j=&;zsU5A[ռk?Shi]bԥSR`P7nIWP/`uzG*ŸE+ /3Psc(`Z`nb`3%3c>C%6o"e = +jfZ|`+>8*lt\N<{B":kgTRh; >@!{)QTX4'u&?*ftT[k}ow[Ԇn$;دY`!ʘN Y64sj'S͟h;q"uG?n#OI*IOih!Vp,Jf,cͼ7?-pPu2ntˁ@>Jl5h ?P ł( |}@-r#܁=Y|$:|`&q<'n1r1gA'TԮ;LfKGm"w|5Myf_Ta2iGaMڍH~X%HuST;etj#R,1.>Aif{3t$1ڜL֫#zV7[: 3^wͱi2.VԏD>Bq3GUREf,A,^\:E\A , }Yx=dé%h+il.(d¬rzNT[EyVDXQ,g@)Ap gR"6294iscHɡ҉ڻ}Sl];^2crnOE=^k 5-h 6_xasYxz/WET!O*E &D[pBNVwMD2AeD(?:A#珕Ǣ6TmY 08aL:)!ºKuF1#>͈GWm!UH{1WQIZ8!u UM-WZq?- pb6A ݨlHZmfQV*2/Fm(so/ i;EvVw!U+Y.chq@/h<dJԟsf) ](nTVCf~|zY+V8/,mpD#ԿI%YzAuJ(bܣEqLR9"Du"xMΧ%?ZL9ZAF\ {TJHwPr$P' &92ps74̠EZTQt~moDP֠8&>o>-OW/yb7V㮘 `XZ9 q!M=@{ xPVÑifPp^)aK>xN*e/HržAm}qBlD2pL:]9vܨ~nҌ̉C J5..dbq4lH_\TLm✸!_SA߽Q7=\|mɿ?A?A&_GH1T? B@(GVPly_cY:ae,;trxu IZ-wsDAg 4DiD0cU肽*Xw!\ˌ_WFn,U03LX -k٧?ַUުD~r1a[>AvcbNdWNrə F\2krra>3 atcí pGVݥM +pIOˣ tm0ڥ $D ن34?QMFDBDT;B_("=n("̅ .Qnl']_Je-@ͨ/c=N̮͊I#ģt?n0w<𘗡 Gw~6, a OۃS!FZjO&?K u|G$i-wj5Ho0T ,YtmLwsOc1NMa7Khԕ#E](LD&' ]^`@Rb#M㐘n[T) 7|V&}dd "5DOb+X Ix Rh)^)p0\9G{0 ]Nxzph,wmhO(hhDL}"6X'yˬxH5|3H A^flzM_#E;DgJ,s^;a4@R 8eD/˲d瞨)XTK~\  ̀e ,9fy~5 gMiVyl0mnrHFpև&8A*w4bM 2{Є<]Ƴycd;e@3a$>E6~;(;4IHQW;slb/*eĽ iԗi l^u4Z1Nm@'Qd6&OPGa:twn =+\5\u|!Z:Ak{E5RL’>#N[+D$'[ȇBAuҔr 3?{c{U (wݛ˗7cYӝ=X6~y< # b4XXx)\\NS6_02Iqi4t5DIyxnt #iQ[/@t_iR_FhP_o zSI#QxatxEP.Qtl91Suο^OhN*aޞTfVjmq+x9M{hh=Ao'N-w!&p2?祕꾣:Yi>00F.>vLn8b]ms%C7]ass7r} F%Fuc p['l龭VV- guf<˲5A]6EUP|FDKJ.ppᦒ/sLBtҼ%E3qJR]>Ѱ;\ew/=݅\t3N` 5 `ap=9:p!} N6ҳ* ^sVk}@t9~j~뀸 Y^I)q?cN&9Fb +䨜=sO;a}j)=tC;"_p鈞Kө.bJE)׍ᰕ|XmxU 2Ʌ-X Qd;SR5@7N)/hvrWՒJlSMXɒC=Q_akO9Sd}`_muAݽ'䂑6#RӊLahr5m"u@+rƇ0T mj$͗euIBY#g ߆k(}{ fpaί✡*9gG[ =iHV0^^\FHSHfbڭn/'I.ub\6 ^/I#顩c+a Mx[L> uE(ُøKH4>ox(U7 lk~25|aȄ]#څRv_+]u` A^6,t"!Hf_T\}}A1Q.d_۝ =cmv}}OG4EiT aP"|?f0ZWp鱋4+>1Tˢk(edX.1ui !L\JzF:&wFDO|Z^XđtYYa8+r@+sO#V jH(*zvIE9!aDqV4@(Q3K~դ3:>XkK%Mf("C9f~υhD%~8} I۵tmQtx@p*, tƝΈ ctTK v(26>8/l%vӻ7Z? ^姘n4;n˒OJ c>\!7h# L듍H(nǯO苳a~2YuddDwt[d#mT's6A'y 6T8KcO3QAPFD~`&}83U sk"6KQ3K{4q^W~zy2q2mͩ:TsKBrOnHs &N j(sg A4*2n? y+,4alτL\t4Bz` 2sWwŁ7iT2-E q*+IZbQ 86* rrD骠LҔ['l\FdWiF[G G^ ]z K!,:2" 4q2=S|ft P5l>t~L0de'zULF̪WWu6f55Zo)/w9a7>,^zQ|.hSkDZO>A34GRzX"E/:6hg`bKKʝ M"9-FAw]NQZ]UBtmfMMJ/Og>A!A}!pB?g^\҂M3g.|z_J@~P3R/6J,}8fv %cU[z2K6?£sM~1B D1*Yn^bS׿}dlab_8R'&"&Dy;7ʡVHH+@/^ĭ2qXh,De#XhR}gRQA 4M$avM>p{8q)=ޔ_ V5:Ay{IN!z_s+OL$G,.`}h7~[Ch$T ETjBxL?g XnF,uޕ4cZ`yN13 k\{)'Khr$xEqmJKG,!M7)"qTz+hc͓?sccAP=N`Wv{Dbn "u4N:GMQ"| mBA#2s^#Yjla>j 7Sl8 ;iba\P^(#MP"JNg3O]ߴ퐬it~KZ$Qd:.EZ^c}Y@Qg~S G{/I]F G~a<ҖԽ!UA^jTnVڥι:Z/ayJ)cC4VI1hYOOֆ#k;Ւ>B̩Կ5$NDl?Et+;?J[ n*E4ZC2!msE.{"YCu~^B$Mp'X^77}*75?U>H!>j nC:is"yܜkH雨AUl(y6UN^k`]+H46ytH ?44VLOBFg.WV̶U3##bL}H޶Vn-t+3?{ZrQlvdZF,nn=vg$*0\3̾ :pԲPt3΢2^Ѽ^ȝj6[}3 '#@Z^CYl5`iBx؞5,"7owWN1FVR|ĐGmbQ*`2-ت] 9~[4I]ڮ03zd#H4p׹,Yψ&DeDP)1n9SYIo$^Xv}jHh8jm|Mw1|nj% ,̒j<5b/I VL_6C˜~ZyOkEڐgMNGюrpV ,,42aP{l窗e0͂aD(H~ÿXC#Ի09IyC8˷bͬ}d+GJܔʔIC._V K3yfJUYx3F_b$L}r7ߍ|$pfbfIgt] it\5B [~˙,ǟvdrV> @)U Ƶ `' `_hc۳8g ٻ|nJh˱T;esx""G"z6^_Mt(mfK| 6yr#(3];ne% 4o-f X|72R[ bbdU4A]exr3t~(@ihʇe[%_z!>M^R>),{( Ԗ* q{aO] x3߄'3~LcPK;hT`k.AZ97 ;4fmI5m4ے1v\v=Get鸞*^ A] SF̮ Hdq猢uRy<\YW??bE)F MX'w1V&qʥ"^qA=5dA{!jޝ5Պ2`<ꍢ۳Xi;4ŚΫg:RBNՏVs,+OZb62>$Bea<{N/ 0Sަ*&ۍpNe'fγ|-]#_DWڵxOci ;T2 iϖ:=R@*s 9R۹'6@}"Vf, &!ϣM;"Tଽ`gݞ"EȎUzu;ŏ~C 遞/R=Oh|r#79<1 pR)D ᲒQ%?|Ŧe'V(?DoAL.;+o~.`\5rCaWЭ~tzSC??lK*g* 2NFet!yڙ7۹𐙙/~tb&sDі0q=|Gb-‡+M!$!S,\w%(Rr@i\^Eb`V$pwJ-u6Y!M*^6lSȄuckWLl-3M.QF̀ W*.Dx/DCNܗBmRnlp3?~af+1^׿q@lkGX}l r'ߋ7hބFo GѓukpyV D]FG‘]2>Td ^dzF毜PMe5x,SUZrBUf6iH¾*-.]??˥Ԍ2J< n6M]D4li˳Yِ kQdkGaWzބJfBn~c+֛G` VIbCm&"C ߶ݽ qBrKĴٔW-Ch \vidk)j&rmf}_Lv6un4KD\Y jHY2n( 4 gmS'LP$/?T;  }+^+A MIkr@(xyV2Z;[7KM}zutnj`HkR\:O?dZΈ .Xȯe1}87 Ԋ|WcM{PCO¢ 8uxC?KpkBZ%|8Sb3)/1ik}-]ٍa1(iO}mkv>6!Ng[e@{K3?pJӾڥՔ֛0s@]@fRYJG83%RFB@JTY˝K\K@&PPBq503&-:؋sUwq= V{* 6SlZ4T'̇d'sZXYSE#NmX]¥-dBe,oO&ǥ(O盶vйuաKI<;.m>m\tXU?_1+U odlbf8Ԙ785W. HAA++P{PdlOY5j,,׽UnP4\7'Jf犵 i5 溗S1{NTg >~՟ ̪@>Y]\vԶ0dl^|2'm/133g¹hz>3>M wh7 H `FXz#*{R1y$iЈGib&FCoR&ZO+mXdހADҊ vP;:&F hxG¿nǕCT0ƪ26:,VE5UlʱDzVJbc+ ]-ז }V &(vb^&`͓,6!q70$1ݕOA/A+)D~PdpC9n.@YƧImiX'vB/1tD7b_`ǺI$ԍt*x'Hh t IIo3G:8d #6[/ "mR2xz5z@2nO~0DI@)wb6Yk(KowR7qdur2oh7/P p#}'L+yW_Y׺4\i"XY.cV!M bwu^2^ݲ6>#XO[K: pf=nzFTy '2>7o0ID=LTѕ>e'dy)vsc'_ůW=]d"F`Y KṄS|:e@ uy˷f:8KumjGѳ:zvtaT䷲n23 wR>Vיaȇ]V2xC$B +)^ະ*lrQv?K}٣>wPyXb4SHOT [:}npDN;qܕ`|k 5`oB.k&1cv@b|(S4 I%T j^dRsN,[__ J, v-kێ9,SV |/'<^,⺳׌r a&1n=#+}Hqy}`a9ArX B4zS)$KۘN«8bt >iE$iGV:Z7UU3pnCe[%U_ ؘ;PY}c(8x/}4 f ޕ0VMAIi"s1XP>ЌMOy/V!.Xi^rҲ 5P9xkYi8@+Nb{(bh}WJ9 bN>YIeem]!j#6>g bYVNpuOq143 ,tb0% KX&hnL~ń,I \}&}XH^ P4W9.>tTIn1LדE[gPɈcL?&Usو$II =iqKX2UE# }.Yrs8ZH {^ELjЊp.ZT zDÖ4`_eBI,T%`9$q7 r+_VӍ\m{جUqGO'O3 = < M2ӟyLRЀҲ燩2ʋ'U)^Fү55Kr)\0vqq6+ZHj ˸ȂaPY:L!I߻nȁ/BѤZYsBUj!Y8b=ġ6]ӥKЭ qSyu^l(R뉐"DqvpaitYbƂ-Gr,NID ^%:d *O華jK5~Rg2A >E H?(^QW/3ץ`%ͩBNt*Txwuُá de֎gRWt!; 559O,^VV0@ou2.ɠƒZ-T^@Xm_uPU:0e|QpƄO fDƒqρ,#LE(/,Un)Chyg;꽧{ gyp:q:Q,׼IH |T:UZ]tQq:{ܳJQUV{6M9mdzJD1J2:i+Cʣ`z1]*c- _A{)zӂ#ʹ7i mkBu\ֵ!ϣb,1hhە&\Zq\DKpb3.:]Sz^pln$`NC)S\k9ιKKaAY]^Ȫsz>Ke RN#^ $i)T%J;WVhKFpoהEt67bu`Nou#ct%0'܀uE8-ѥA%d$z;Q>\&6B6APH̸rI!of"ĆZjrg,B"۠Uy#.;Grڐ|C 4T F Xn­ L"4hX+mIaVn:9V/܆rӝ 4Qf3fc;t 'd|΢gVŧ6^5K.Af{[AT]h_8 ۨm( ny4*@jfe ]r_w: ooi>9Vehf%ee酌ƍ$s^s hIN0SINUC6S`c xT5O:BǕͼXn_-<+h$o_} =3іcdmr^ν)w S)>>ǚ8g?zlqMp2KQ72ˬ`yAKWi;z#*!gg]btuo$Gc֝|aK# @Wb'::a?Qͮ535tfK[bIcBסsыs3/(ϖlZ۾ 6cqD/Չ)~Fj(L>Դ+)@8';"TokQ&Sz|/,6n 8كpP#qc.H_[ qX7X ܟz"GT%'Zx³Yg`3!'% 8}UĔn2e*{Ek:lQvI5S-̬/`!8U6#S_d{#lvbY10鉍i0ob}i6N5{AC sϠNuij*2~ 1~|Hi j+4,+64KfOG!ȚVp7w#4{l _09͎YI)=Rzso^ e.>unа%ru/x7W렜Seox߯!@'tZ=R)`S'(BBc#}3 OCXBS XWH^ y3?hn;}ʛߎ>odı.4%wI'LՑr)=d?VΖֲAXmPu*^VaΫlVgQ{9uQq_J5*նـE:.T!)B 36~A2;ќ,9k#c%BEr/|5);5W{T2z2u_uov sQ uK(4Q`%^<؈ۣz&~Q@3V_8f%}`,GfhU:#R6f;,}2%aA0pߺAō8Mp,\\C1y-Un&|6+SMqꜶȠ?4m!Kf yVR ݍ<1 /&VEx[8|1ȥ]+e ]D,X~kS>g^OKFf=}U uWjogttdyGpEQmW?Ad:V}>Jj+* >ly6 -$r;$Gi1V1 lj<JQ]OR>G6.>[0@fΥ R*Sp`nIi*ȽF8Ruwvo.^J1>rku#!_㴍l@n'"݋[Ջ$}Y4s00gM6^ϕs$Đ=r&=M~'Ƴ_SjYiջHЦrۘ ]]3oB nISan2Y ;]֮ oM*Ƶ:{T!fb\Y[a8|8"\Ր*f QޛKDWv2vXGCI`0>;ރ_Z6 .Wa16E d֑#V!Sl0$/`<,MK F|FD;P~6";"BY6#Oa%5:g6\RR'*O)Zӝ.x [[̉4hƜ6msW&~#zX6(o.0ϗԤBj,~ud|җcԎ3$/k=gIG1T]}zFpAřȔ?qSU! 1 dQ4*drk9^w̷Tj@niKQ(!?$ ,Mٚ4*~ijyW UB?f uwPKW,hJ6oZ٭Jo%f}KOg00A  X2vQOoI#F6]ypܭʘ GijgW>)iiDwo`.`i#r}^3gx.ҾqUPStZ "@<h,uPmNUCɑaR',(;dg~Xפި5zw>l"R Kr:o)dhZA#a1MR5,su Nkg\w3٠ _Ӄ7 F ,g?>NDR߈BpzxD*wZ鮚չNo<ۤ։xsnAx5>8:;%<, gok f9!Y1N\3'!ڹ`ǿA۷ ޗġBczX 4/T,1ϧ:6e+9iM4S@ℴ;ްAo};}4TxpUfWֈ:K;Ke \Vt`ZO4]L~vr lj:IZ֌^0alj2%Π#tt*s%>ǜګ-RPq|\}~Fȿ'3FytyAJrs ˎCkt<2bepJ#U S;b_zRV}6rW۵w7@BkǪ l#"/^v v⹄9 T2"%[}?"s(F3W5oY_ LI*4K:k|MK]S=snN/958SL$h G~-TybrkBI6i`L:<3 ̲}3޾&s`wߠqkq p$bLlubEՎlm9>κpdz2rhl5򼳤/QBtb𥣿ˉeg<1sόx 1ׁC[m aB] g1{Wp~:.䵄9EKEnȕ&HW+5\ȶյNKJgfOKGEQ#J[iiv-s[&!Y';ìdKhɌyjY0UmF`>U'=ftw~/؃qHBA#7$wHUJYj7;`guH()TEcK7:JS!)*e1jiu u ;H]b}oD"dK[~Ĭ4~՝⯷ s_۪H{+-yiG!S+=e`- X5dHHTI^ۦ0 l=-о&Q:dk2 cԷ/}cbG~ -2(ᐪ|r^Ha+8>gVðUr$Rq`@H˺56lFTK'B/ipdRvX` m1@)V<+!s'hFa!6%Y^Y7WxJ)Y JuÇi+oE9_:ieȈ|ԡhSĥD-^1b>]ʳx*es#&ICrE( |i`q {9`Y_|Y|rP'ۮg&XCK5O+@Q +k(섉9m%Yes U]d$lH. ͼ=)Sr/*>ݟ%LXX>LǼƞK{:t%ih9|U!q,x]^r& r,<(0YBlh,vW\&{qiU4BX8\/tNO01҉``x qI%[Jto|%Y2VYr١̅ MBy@BHPO}L[C#?i\.5^vw@{ۍ@[q%[ꕵαc6gG1J AE};atrQW-!ΊKzxfw>AR,.QY_x=qy猆om<m+É ?EoߨqSÑQ w`⡢y~E+h^oV[T/BB8$W I(d, Y]"M2<"<(ט.[\'YLqr\xxu^Ib&#pcp=VH'=; 9{g-E0GǥV$)AYoM5YeAz3pqHt dB9@'x Hcen1ѳ}<@jqZV ;z{E+|Tk*ś"^U|P|GzW{_ RŞL5s7=Mws9BTbՅ1٥A0U-EɁby@ݵTfm )}z~ 04g.A4Op[>2%7s%BxjazNHWU8<.Ν{Z-58܃ǜ~lA%;cɖݷO$Aɻ!`1.g?ʡf /@xb†4CfS|Ree"[q:Tޤ Ɗ{3NC:g۵>¨{pRz0[=p91LHF1  P 6EZd%_kP_(gcܛ*wR^9Lc-\5PvS"*spAkYE9&l`+][@.tju)L։z~%s^X4q f2c.k_tMR_'G2 ,[e /.dʋk`q`dztxDı`좠f$m >%B; kS? "ۻ=@JpU.ɼhbQuJ}vN]mKaefoi1)`c Ʀ\n&'SDh8dPŵM~I2˒ Wc a6{hm =HȦ^F=My,T_ݴl` 3UM Wqnĉ`/&[h\i @M!_6FxhS'㹹ޗ%RTͯOؚN!fGrjlE1},G\P]I޽9Tx |}x Qc\x -^.O~f%?A͞xYZ=PLz80 Pq#KjtC,ho/rʥD%ǖR_~*e4L2j[) s9z5 =3;ͭUM2d?RA|5\{E_Zz֦LB+,.*Gjlļə Dd@,Ƣ6eq[ æ.tc}P]QD PH[Sob~@Np)2$ЧajՆ[QEa~źtVj04S>%tJ}!3C@X`\4Ksv쾨g>=Sl#dd]})ɒ+(ίdT0D%AGAȼĎ|Ī@dr\0AplkkBqA0^ҟ ٓû+[L^9!@@x#B_oZ)N(E2;BNDY/t$qgW:~c'V.w⠶3k|czP0gy?.n!|1.S;)Dr0 h%r eq00 XZrK&i}-iC-+hGp˭!a~|-BumV׬,GXzѹw~A^/B =zS,8B5lD1 6D.$rzpb9S3NFF|]fVSbDVY2{`Ca0V1i<# JSM(9nc`Bވ#(]&@RƎ&uj{ r_4QnfHH"R+1 ڟ#>qyP0KL[`vJ&d&;nXB)X0d\_5NY8Jd,(͊yg|u-ra~>(? Sn.@R||#d!+/"zZ#xneWԏ`մ#*ܛ@^Q$(Z\$ YI"N&m^V0"wĎS"]>c0?Q,wv [8iPZF8wKSFl7|H]Lly|O*eu-XP.aj% fnJCΫ S^/es`N4pe5+^K\X%5,%\H<^ecIq%:|UE ?IT9vs[UEȍ~<OpA8VfTLFDR'0o{;ҍXZ Dƻf&*f;:AԵ(UV H;tZ Y܏qn֬G4FB=Ђ: Zr G$a5jH&Ɖ'C*C؇",d3Yx%9>56":yZ--_|'aSX$6iLAقoiJXm?G\X񭉪mx1ݗZJ9 }v}hyz. N]=NSZƤ0%Q]p,˜N$?ve|[~.$ӹ|ACfkPQ/ev5k7+aC-K(A"ϿnRGʼ5XS*:3ܶ-9MQOϬ1m#=ޏ;GW>-j e~`jB׎ЇZ+.#H*'txխm`NE~K3.M/ύ>l(g)VL^+Nd1j__r:N #\{ VVPGpɫD8=wB`ǎ i\jъxԷ5erg S6x .iW}`PtGE5"lř%G&۳sm{T VpxG# ,X쒌NM-@M igXr= y~j`c{C mYkGS5wUmt>s}UrCźAJkZ~"\f<+BW;| kedzaX88M.qY=2:%e pBDQ5Сo/8@2fK鿳m@Fxmal^ \-H'T^ K$vl!>\A"0‘Lj!S@1ِCJK2~6NpE7_sr,ǚ6;Irx<'-e0U <Axi$^dOIkd|ޏAj>9pRiР4Mwt3B/Wqz3vL;CS\ġC+Ψt!JzA5[oT |82@5ݩ/43a5;vM H+#h%O2aQWrͷplTbVĉ lCR:z!㽯<٦d /FP-qS jx<7'Q#*;jT~%E=cwj}bħ?x 6c6 n-'aGUl^@z3cH4/X-ָhut#F|d߰:S@ ^-s@f>7]#32!sK`CEKz^UkLV".]-'wn*"]n?NhT[) C؉)զ&v.Ft:t1EUn/Bܱ% %b .d&:G٬R1zrJ7E-y&DoԀ)|2n)M_A\?ߩKRuD5Μt}iU Icq^/X~g*W՗KRȖvWcpv:FFo~Y8R!  %J`q?րl ӕbWQ. _R{g"g}`:vuHc.lŲ "s?+Z(I>u60̼z+ ׽1-q<&sLFjʝW熰 1 wKh u J?e{5}]ޙTv~2+O^Biq5|#m?W֡[`)IjoC LS{+=YE;F9kVD [2# ޿"sk^ya'U,Sy{)U*HER׋\Q1 sMGha{'t3yt BSj09Ӣx*Gx_0k}pf<I=ߤ@uu!XUqGu°|1!Xe̓#e|(|? ܱ)>~=@RAyqu#UhUwuNJl8 lK¢`v1-${~_479FW @"twM5HU~>v=z%|@c8J%eh/lEF(+NZ Tx g,,]qi( GkLNP7Ht'-PJGQCUS8kLx.Mh}.OaҊi=&KhuAp c"i ITi+* )8Bpj9Ղys %Dib|4`10;Y&uK] 4R3];Vr¼31u%N`b\Ylm \qEc̄u$iGUqxv~.gU7w1 hy z򱉃Bdk2yNOKb[@Hǖb'C>v$M3Y%KmjC!(͕N+&Ma)jFD&Hur#婀^VB?M5vrG#i-tkze_5V ֍ r?=9RIAẃ OWb^]QMiY`S1@u:RfPk eF15=E(Okk]=Aԡc@zX14 ?4)F6QahQ뭆ԬK桔(8WD?)F?™$W_}麆~͂08(E*Xmd-˪Ho.g'KXĽoԠh E[K+`O뉚 D/^{^V!*M [v $F3`0%`N4R9ϝk)lZB8]—(ק3߻3Y˸ {|<ޙC KRwq\cR_8HV7$WI]kb7郭n T_wЩ :%bjL`Ef+o+#@%'82!h$D0RqT~!(v*a|OPD,2-TZw(h}/Š?X``bp1o{(79%-+kpfxΜ弥8ČM_FԱK6:(ҫW5rr^My[ثg&N⸨8E\P{Wq*?<]2Dt CM3\le2MAp}]L+)Ԥ{'n (JLT-le58WvelܶQͿ7fXͱhc#jCDbG 8@WܠC@qs1}LI2drJxYXd;Պnti~w]D/X L 0DErڟNU!mFme=(+eT? ɗ`7Օ *dDkW\"JЉw)j}X.v1f,a0 !ծ@H.snk1f,神ځ~#my2YCwTe3| ,J;z<ñ5:?GhFga|XT`'T\VaTOz؉L41g\'>F/oi_G|r3)Ou_5_HzAC7d{6Cg~9tˀ;]U$FL6 JͰKHC$hXCæSSɥK2؜aK |/V\sx('-x&޳V=2>B>[aLʍP!]Yo3a?C lz H9j "Bӯvp{HQG@RZ;*3#N&vI \ije0ll3LO6fl\OIi nQ5 =W]7&ONo_31D΅t,v'? }XPi~l-7i#طeJT؏!UM3^9Ia~Tlϊlf.6Z4,vFasVV_,ѐ"K2 ~n͹@F߼ vb!5.@EBr]>`Sm,^zgZ`^cxkWq2t}Msyt9j('N#qGϤrhuދ }-)#[*MiKa@W ;8ڇE5i]]ZcԝMϣYKs 3K^k ,< 8-])HAxV:L~oR{ϚqvB0>Y˗+rlWoEwStzNn}JK+.P2jSdz*t`5{L?x4p? }$ `=X`y!PF4>UD _vj F@Sҷx ,=7,*[e 2[학x5#r.Ѩ$(  J) +RT8{ P`y+8%kΫ7y"A7uJ;55&Dfm*#\(Ĺ' fko38qamBt:I:T)( gA{\VQO'Ke#jUXj Y5U7]1k7)֘p嵋budF_B~ƢT)VWڃ ]AQS-]L`g7ٗ7!yRNnnY%nnM-M"3DMCh8S_$K]d^CT+%AtYxr~v)$a}*,Wm3 ieB @A⚽q`:Db& W4C[d~kHD!xA f/u'Q2AkEI,tADj'Nǂ7llBkJkBYP~[<נUC:;y/ ;h q7笨tV طQ#}IbB GkTŽV"lDSGCCV&?pJ"JqPFdǵ&o.AVjZVx\x2j;ׇO>#}͒9#AWD[Ku@PSFUfar2|C<:ʱWyŵ*K櫑Kgr@e>uM\* LsU|I*U_Ls%A8U!KDt6La .%KsMƻ%6#žwV`X(ԶWkeb3S?*)oiT+xS?S1iTX]"[,xfn LMLjnHq,]vաfRS 㻗Cv\^zjר0e٣Xg'yۯ D {M< t!! 8oԢIHsg-ekr.cM*x5 Mi\="ۜmdVbj%7*Û:v~pO( )!bzh[8~yf 7fNNӱʪLբuG9ПְOqBLjp*La+M|}(] څ:*"a&}3. jD(9d) < [̖algnZZ4Zvrhu#d+兀sbo|'luag$ _"#Cl'EVi}.Ï`Li0ZxkRxd=lbVfkPB";qfdG%aanA`T*B;"ijr ќ7  'v+y!Hu$6jCAݖI*m8B#)}ٙ˲kb} &xtxfefWmc=ۙ>k 5(Irpa3 mVݶ^-έ\mZ52_5&fJ)ӢW@MX|/_8>By ƒ9˟\xbjȶtl=̜㤃{8775ؕ(oƺZZñ6'M}[rW7zQ%FZ=VA?м7. ;fnW^5C(Q-j'H,tbܽBgϘoBald1S`rc_N684QcJXO}$2%be#whlj$06݋@+DKkD;`x"?xכ\ 6pCȉe!{Dt#9X~qeiڦ4 ƁYb4*ba%0 k9xߓ;K:Dsݳ `c kU[ o\]."ZnxqΌ$i ϨS|pRyQk̕xYԶwΓPRP!b7+PC[.-Stp[JQ(r.-'I/9D)<%0}ZMGF=)4w]L:iHJO淚\&N(>SfR`ЅUOٷuO(S,Bc:^<{0ZXS:Y9ZeBL}eN#ɑ]>.$W L4 *(&ףeX vs(qL@4?{)[!)ut[mv{Ab6[(*a;oP vhM/.Pb ڬ1#GS$7@Mfeթ>v- 0>rkPDحRTm8U52#Tk\:#g9LZ4>.2oؗv9啬}❢,~Z Zv,ꋹ6)hm)E='הcavҦkϼcU~rNyS/0A=[BRQq_%m{i Vzam}qɁr(|\ ZfȔ?|(VЅzYVv!)_! x%Ǝ?Œ$8?nhw_QgHǐ vEH (D5=_ e3Ƙ<7 f5[|P-!J9*RNQ+Ėw?-aI)CCNL^ɵRDU9azm4N6(9|3fžIbUl& ?H+uFYq f0~`# $A%N~Âa+&r|z>K<Hl5ި/cIȈ,2mn{ȿ!n$ŝ#+'sKsec?ܒ"mӱ3gq-Uc7n껦d Qs5 ܹsCY50^u+[onY*NnPsOu_۝vW:䴪(Zfn32`IQ/L]hakMd=~s1U` bu,MwCKiQ-\4k?)=Dc/;YN y7mhC ]IUD45lD W]=&%g_ B;WaR-q23KaZYM%tj#ώ bMw^ɘ[ UiT%AamN_z'kwCz;#{xh[z teL}A$޲r@4v=*u*!;p;-O&d֑:I 8C|i XPiͥ|,? SUtwd!c?>Yj&kgӢcO!b ! Hغ5UٜH1`1#"c=<ŕk~61hTиvX3|. ES"I^J$,# DLǾeл ijA}>R:("?.<vϝ컕> #Lqo?Wʅf(ϕV7O6`Y^*R !z2 c6{F>Ẑw7JeI\O9 gߡq?!v_?9$E,L?wDt=gפ9!4 _w喆3`_ {ymv+o UmVk|@xCRRx^#\r?b@b@ZߠiGIz 0+jk`V<̷z[,A,Z{>1+mv[i~ʟѳ3HxC弖x|S 6+lIq{fu^e3Exp,$+&r/nV7RP| v>g5 "1#cv w.9N޸;mF[w!.j 2G ]кq=>yb^FBے8Ma0C%?8`,FeY}>B%zMRsWP~Ǎyzu-LszPaS2ONX]-{|_{yE)vkoi2-'/%XeYDٳdn#u7MŅ0xyG(IF+gG-x` yiaP{)p9T37%,ر# [tSp]I/eL5b3p9rA@`JtmISӅFpcY <w j>RD *Z|h|Vbc+#(Q ; 6$ V8 _s! uХ8@H~륵aƗg]'"5^Vc~\ʛXHHR ^g2ˌ+B?9#jnSrj f~9BC|) Bd?FZo?7aכ(ХhV+2"1ᾎ_Gb>(n`zP90288%)tC% PU.Kfݻ!';QM x?zHJpN(ax&'b6 .&Vf߄t+"l=v SVlJjtP~w*ŕ=5gD^lX)uʿ l(@~{c%e. 0;2C NM;jUP? |4U23}.7"t'c2`t쌀7iKu:Slм$Q6P[xsT@rMDs⻜qb cT{/á}OD*հ&E| ތ;O]uͼ/Pj15nfIVKf(NZd4ȫ9Mjf0)܇[UcaZZPH0 p# rpM l%+9s|`Aq0.{s~7$ÇiQc-]\Ea@xrdr>3 a_cQiCbytwdSO_vreݽk[W ~tþ Ġqad+]W^̫S'ySӴ9B%ӹB ?1v zv/{]WZA`jmvBJДڧM8x='Uj5/:jM""8iˆlA.J T(f inmԟ0pP+4K)oף櫸4mfF0NVd$s7L OMH#Ân萝})m:F,z(o-f |I<^= Zݨ-Wm#f)βx1[}!=S>>'u1R`/:Cra`.[L޳pHS) $ w9EDv+1@qyHQV(_M.O0ۦ!>O5Ӑb~g6Hx~l+u=x>Cliyd+M~ `E|D"7_^L_n+F doO3| bjU蚝S7gEĥof=iN}+uK G7eRBޤ}[u jדƞ{ևjyF 8 %V^EYuA7[PKxDOrG+En|kSsqBcm˻:&$r'ՅGxeu95@-,:-#| ݎ2`۪2\vݛ*[coNC:OUv'j6ngCG:[Y[KF6TBy%·FG\i[# 6?7@w.vļik1*`an uU<? 0Pڳv Ǫ}Cnݸ S~g m~yepb&T6y_t|S0:n5FcDLAO!JwQ?tTOІLFv6JzN3mv_|-C9O+{+˦u\{7 FusId~OX) >!IߊUu5V_n $[wU&K|`M_fȄljYq"1'A-Vw<_!44E ^9cy9{l'}?Xv{EKMm;Ƚ]t6QCBq.\+3& u_׃4rؕ: MMwlEΒC=DҡCx_at'zC`5&nLT7|$m U][z&$Hgp] :pr#N.3o'O[s,ܣs bh^Bh*]H;Hߑ]Q;?bnZsh%NM3^4唁GD#1Ez|j\Yhk 7~x8x}N h ,P>c ,hiI C`ﱶZu?-Gc `K v$@mD7'V.W@*6Y{( O4U8KbY8հϒ%>Q=4ʞh  %؈V3jj}a>>T%ց!e@: 1JjZK~x2p[ߤeWMk௞S_P0wt1fɳwMvWhXYe'9d%ԌTjGQS(kut-%B V Py.-U;*~@r_b 1βKSP}z`KX̸wSO!NVLotY^VP&NO^G=V߳V V!ƖZ㬃S (m A)I %D?X^m)<##QD+R>$g  }!kK,kj/Yr/N%RUq%(q#A'&S3SZbVaDVvޯ!mUx*eraha6BJ2 ,!ih2lMdsX aƹ}#>X}(0pLֿtjojDJt!$>]Rrp#gύZw DS^uk&:c6< {2+Wen=,u<㦣RBX98u@1eS  & }-ٰ֚PGT%I4v]Pg_ñeqx#*a, ~xpbg2g60W;J(Wb-bQsMr?Fy{i޷^ސ7QQ"LxB{7uh?q{ت`5K׵0$b9'R_[e@mL9PJ2DPs5cLLrl'"aR9J̘ f||$L <<7>} PF/gsIշ_V` *,au3FǦ!2|T&HS ʬ]ܖz?Ym/ku,,-`;?n`ˇ.P/Z`63sʺa#j6P+)LAS'hoAoiV07V/YZG0b_О3,lc%̐RGnEw AE  >l^=/ Y.ڽ,yT;*o~J|Aojyƃ'et- 2pdbB›z?sK]4]P|6rM0h^3zy@\Y8_aJwvݝܺx_ pDhl;l %ЧVMvxEqI%k}&0l=l`V^Erh~};|͟/DIн])$.GYkbqriҠJ ;StZ(68@h'D%]r"_Dai4gDyAю̑)K* ȨkN/NDꆠ{Zmb5E|J08=.XJ%Aj,0+_LgiJ^V4 m/?s5f>.{N E0ZyܮFXF?d@k<hc96.Ys [A4|MaiQ[T&2|f-x4^U8>V֪ Soݵ0铭Y!WE;r]BM*>qܜ}f'*OA eq Ѕh$3(X-DWQPÄ́I<#no,2oP\AGW+Ws#Ut- ;HSJm~Ώ+UikZcr6j\7kp9o@aLP27m" r ݨPkRq$K;I‹@ĦDF \tR&|FLg3W"ej~,ּ@2is4ۘ{yz SdƜn1t([c=2%aYT68^d j* IX"Zjۂ|SG)ɪu|t>&.:[5^zͶpê~ oƳSNv@״z!E ZxyXno3{u0E2 ͒+LCcj^yz]uX!~pFbdv,ѿw岝{H+ . R ܌g \ڝ)$P˛`*3&=P裷*Fa<ʭ7HkШ^C IVT _CzPmŴՂdEЊ nM.v$NXm6fy5"Glv ciG1_q]KwOJ5$1___uσ[.~V ~&%#&)d /ɣ!˜!z6ڟ;[j@*{>jͱ!$Ky&9o pCʡḓBQAS /t +@=u%OlIe5yP z^T ;#C!v#h}.,ɠ'%44";Flt("<$'^O#@D$%0. &Ea{Nl0" ۟&*TRBǷ̟D?s¹4XeGELWĽ B A lv4&9D*k2iJOmX@$Yma'_,fWYSFل}HC` 93`[<(#lB!]=KISb `.Eaъ}^q!F}"#;μN2R{h~c]2\a\I֢F n5e0emSmN܊ fZ]]ip&:}^!s׿$>3}¨EgU ;=R!OB*'8Jcs }E7eYl,Nj Jd\wK'X]2U.SD~ Q1,N6QWPoIRO3i+>J9Rx |hyX80cP"-ϭ]Z[(`̐p\ Jh}g<p.?RQxd=}EuO E GQ $u{"@S䢚ģ>QHr9nDVzer<@I򭮂Pd䠶ar Batry zZ`*;ݖ,CgY6i\I$R ݽG6(@=+fh4@+U4VQj#̆Xd9Gc]&OE#:8 |8:hG4~r܀Ԇ w`کI}Ꭶf>떰 JRTg82ItƟJ+N4m )H@gfq{w/p,v^P#n,Iad;Hz&iͿzϚ6!j(aDak]`c =$xzzCo~IbVKSD 8Xf&x Uj8O3Dy!F[t)$Kf(Pfl{khgAq˱2t@B'*6 UT+3QϽ"^N J6I#NL;}p%:EvW5IXn6kvO% cڡr n@T L d[LtZ!RPOW[騫|R8ӁE9=kM=ˌ+!ﳝ9"6vՖ-+=S:1=* ~V}a_A0syVNYH~ˡ9[ [*xL??7jH~oBd50X?ak zK1?̬_@|2LFEﮈxhN:B=Tx'9_m_ZN%8f2BIׇvш⌦9,pmg͙{^[H794a $3nQw۶O5:(b1_e aB6 PvJR`9H-"fs:ػC7PƜECn( Y'DCWPS!:Y 6i} /X(Y>n@ur앱:m&A=I<"rH 6:ڑ'ď 3󢂷j8L[e}ht(I)i:ivZnS@ CGW:{cFS&^J}gZ^UC/r=a ~Vı;SKl;}z=$r%{)?3ä?U D2(q(3ɕrV6߅+1΄.I2-3[`YL֙מ m1ݔH `7bQϡ1EvEF*51@ȁ:cQ`_rǐU߳\HO/K 'Z =,:%$)7;Kܜo'w