samba-dsdb-modules-4.15.7+git.376.dd43aca9ab2-150400.3.5.3 >  A bp9|'}T )Lf{Y ^%%+3` 95%Dc<2?qX?@uŷ+TgU90xzdHCW 3"%QDֱd|E?GoZO%+ #"+6I`j,1}b__yZej8)Awp#V]_8 Dͼ>CcO?~Β7h:tjv1ܠM؄Z04b2afe6cb89306c8a0ea49888b9f2461e5e16bb224cf6a747fcc51db68f98a1443d29225ccf658da9ee1c9013193e49ec5f9769Gbp9|_6 fGfJ§-UD_ʠi`.8O v뚰}9{Gi{-eURí4s xgBtXe b„Тװੀo*W}q c>D9U VfQ 5$_u_NHRs: [m5i9[C Əi pReT}5g8,p'9{]EqSNрSuE" k~R8>pAj?jd0 = O ;RX^-|- - 0- - Q- -4--,-uu(u()8)9-:>m>:>@:FF:UG:l-H; -I;-X<Y< \<\-]=-^?b?c@dAeAfAlAuA,-vA-w[0-x[-y\tzjhjxj|jjCsamba-dsdb-modules4.15.7+git.376.dd43aca9ab2150400.3.5.3Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.bs390zl34SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxs390xrm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigW7Gw7gWWW''7Xp7G'7GG7Y@'hpWi@G'''77GG'bqbqbqbqbqbqbqbqbqbqbqbqbqbqbqbqbrbqbqbqbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbrbr02764f43cb9d1c544eabb6429e7ddddc040cb635ec16cb55a73fbee4bdcb4f96feb18631200044f86debed379dba73b6be275354f79eea5b7bdb2a5c91946a61826e68d82e7d8b069366c73f27a3fe52c5621ff79e8ffeb96a3ddde5a4fb6e18206f43acbd195b590954ff9f95c95591b1b2c23715539245bdc5e87ddeab3939040896103acc8e41ba430ba1cbe097ff2353734491e8ee8259cd77deca4afd06c57a18307dc47d2560ffc14898e82572a39278d859fe1e7236f1685d49982a79dda309691898445e83f6013a2f159abf0afb0250a6605b8ec969a098bdf699a5275b670a6c6b36f2890e3f9c03236cb277c7f2b8742f62e6a42678b3c6636b226ca6c332ad2692213f9dd1e8ca96b82824267980cb82039ba8ad0ef84f97456113d302548911507ef5dd36709f3928d5df31fc0811aa136b6873f218d8e2f3a6668cb952cdc55846ffd6f1d415de35c410b70f825120a0c9c453bdcef78db79c4324b97dc1d86ba5c51e7c4ff6ce4bfcbf36851727cda7556c57ab189cf5e2a332dae4049ec188936e92371d08bc0b0c4345daf0c9391b7bbb42acc4b481e3c79663dba8a6270f2718555e3a275b213e9c683c7fbb5d85a7ba6c110ee3538da9ec2aa982f93ff430a8fce6455f122fc08d75854500836ba8e9082
6eeee1139ada63066508a3757ba63e6798a599bd4012943d5fd33b7841893666df7cf6eedc6f36617ea6d2b52fce0e6726234a2c9013169af1685a3355fb7db0d916d14d5811adde536a0ce3a4de6cfa473713f3b244ff9f81697f11796bdaa2d8a895e4132bd2ef24b60114136a0f97126db85c1b15686b76d9ba50818dd48f659367c69ed1f89e07b315e4fcd14f463b199ca9deb44881a9cae77cf0b112072399169991dc4e26843ad200c31dbfc22df94d8d51102e4cf2cc185bda46e3e2d120118ea0ebd36cdafcc917c43a0ba713f0c96d04d076a896078bb80fa57a30c27f3adcdcea6f1263d134ff4121ee744463b00bc65714216819b50630cddce84184fe67a58be3f2568036103210ad15bbc3ce1a0401167c076e09cf3a1f1954065e01ccf9bc874f937a1d7c898dcb1c0f4572fd59bb88be717f5c8bec0c0470020514635a16dd4e5aa1f5e83abc7d90361e110897156107cd76db5f78f05a0503da0b25c42287d1c7d3b1490e81812141243330052cfe638752974b193bd4ed57025ae08ece86344b3e5c2b14db30377b0d24d5587f452ad79c09b4c1c376a528d6918f0374dcd71773d8bb862153bf1b72bad55cc698f0d629e4ecbc7a64e90be36cc681796d4b442b529a7aa5a2f04246a49424673be9762043035671d862339e6ee889479a330ff224f4e2f93dd465314d630b0823d1ec2539796d99741fb01477a80697b6b9e4972d1872390802934943fa7db9dba8f080503c2cc05294d8cbef2ce27f9f442a1e479eca401faa50d5468afd2b24acee6c0976cd91452717aea73fb51209036293d28c98941097e8d6e9b43d5103e1c58451267f5e18e41ad087d4913552d200f5c90a3f264b28e2bc5bbf910df177eadb32c81b4209375b37f08470a30ffa75c60818ce98da803b0a073822b2ab6ef39575c77087acdadad81d9706b4d2c19eba77dd3bc5124f50a8e927df5deb118b17c46a6e275b03dd4e8a1ca87d5b8725221671b7c302b537fa19b44da003d0163eb169f42cb87e5dfae0e5649f8c346bcf00c19ca2bf623ff995e3c069780c2c800e39dd672f9b9e7be09a289e53d8b4063d96625c8cd1da64dbb6e3b72986a23583e7df9e37f6de3f914379333196c53b51e5a368ec7a18507b62d00c913d9c35e41e1b31bfe6f24da2ca534c22b5a5442b13c3f727773301ef2a5180d390fc3067e6eb790d032c7df9998ee4c096c097d24921216a2b1f52e18826325879c79232c375d23cbf0523ba1f9ca7dcdc7d76700aa85d969993b556177842c4571ca21ad6e3058600b3c383080cc565b7904bd620df21e372282e856957f2cde181d9bcac9e5e8be826de64f812brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootr
ootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.7+git.376.dd43aca9ab2-150400.3.5.3.src.rpmsamba-dsdb-modulessamba-dsdb-modules(s390-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfiglibMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mappi
ng-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.0)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit
)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.7_GIT.376.DD43ACA9AB2150400.3.5.3_SUSE_OS15.0_S390X)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.23.0.4-14.6.0-14.0-15.2-14.15.7+git.376.dd43aca9ab24.14.3bascabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@s
use.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulde
r@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the 
leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will 
not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but gets it indirectly anyway).- Reorganize libs packages.
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal;
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command now validates and rejects malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid()
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bso#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify response; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigs390zl34 1655107735  !"#$%&'()*+,-4.15.7+git.376.dd43aca9ab2-150400.3.5.34.15.7+git.376.dd43aca9ab2-150400.3.5.3acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:23822/SUSE_SLE-15-SP4_Update/b64126b71a588c6018bc481f4b00e0f6-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linux  !"#$%&'()*+,ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b2dbddf513e6a0c895313ca21c69cb8521bc4618, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=f56d8904e32c2edf30e0190e085e6e48d651eabb, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=28e79f3ef3f9b80e91b1d93d61c164e867397b80, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=8092e7ac3f88f59fe1cf447edd56e184d3197c75, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c432ad46a970cbfa15c4909302c719df6934aaca, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), 
dynamically linked, BuildID[sha1]=a6584fcbfee7b480039e85c10d14b27b36d78957, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3d33dba27cb0ef35591562f8d9cb0ced4b1d4a9f, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=4544690d43a17ec99a5c3ac8f28127f3cda1c303, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=ba686380abbfa7426cdec190de6e678d9bc3ee82, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9de348f1f3233bdbbe5c9d7a1e4c66107827cd4f, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9051055dfbdb266f92fba8251d98c72b2e7ba172, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6b2686dae9b43225484b247a6e083e6c256b366a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=4fb0dade2880df8f73ceb13654082535ec1005a1, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5fff83579ef56ae3ddf5a81aa3716faaab925317, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=26f99b6e4ca32256e13c84ffd16742292cdc08d3, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0aa7ac13af3fc30713b50353fd5a8c58244f459b, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=a128e7e9afb9a393f7f8192a22f9b57e70e6d5b1, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=923a4283b3958e04f1f3d28600df94d90306f3f4, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=c18d723ab277a2ec58fa2f1189b0c66879ccc898, strippedELF 64-bit MSB shared object, IBM S/390, version 1 
(SYSV), dynamically linked, BuildID[sha1]=6f2edfe72ec5abff1765eb21efc2603a6f9ad8cd, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3c5077b8643ca222c68e7618a8a4156498209d4c, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6173461ee7c0f1ab2cbef9340cdaa9087cf8f1a1, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=8b7067513ca99eceb45d7c7a5b55dd21e2b0dfbe, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=928e5e54059a806c48e7e79806a9f5372988d90a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1aae64ad9c6248bf6cb31e57415c9c0f75dd2558, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9e5956e8cdfc16ea645eee515504889c71f65901, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=faeb0605ac56d8173f3b1e3d87048ab8344a8c8a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=f7cde229b274c95d52bce983bd2743cee96473ea, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=cdc08c92befac32ac7ea78bccb2b1d48a9055517, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1c503869ea5b1dea90473dae6862fa84af83ca73, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=4b2794e603eedf68e501aa916226df608e6e01b9, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=a9a77c30b0dffe38a1271b75451c6fb59e4f709a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=2b1a934d801d6281c1080f36f937443fe4eee93b, strippedELF 64-bit MSB shared object, IBM S/390, version 
1 (SYSV), dynamically linked, BuildID[sha1]=99fae6a0ea90456f40e2537944ce4638f318f55a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9ec3d94b3f633a3b452d2695eb3f4d2b548a1c4b, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0c0116dbd24b6a74b5217892c10af86df703dbb6, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b555b3984d88e7e328e222d4546b9e02eec7e651, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6317bc5ca98737bd39c12535685f7a469ad752b9, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1664ca2e4ecf536b8dc6f1bf163f646f590dce1f, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5c1b7578ecbe7951174986633ae704d2b90e9613, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1b3d8c0c8575ff2a6652b272b12dce2f8eb193b0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=99fbac3881b2038c59323f5263c0d8037fb06820, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=92f1db69080a8a54e2f0b65323a24cf6c9d375de, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ee69f2b9dee29dd06c0ebc321613d2f1d0682c6, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6d35f9744fe61ee833ec65f7e356b8224e10e70f, stripped7Daq5?G]izAMz  *;K\i    7 % - !  
RRVR\RRR,R?RdR R RER^R*R0R.RRR[R+RDR]RQRR>RUR)RcR-RR^RERVR\R?RRRXRRdR R R1R6R7R0R.RRWRDR]R>RUR[RQRcR-RR?RdR\R7R.R0R R R[R>RcR-RRRZR\RVR R RRRRERFRXRTRRdR0R.RRYRQR[RDRWRRSRURRcR-RRVRfRRRdRhR0R.R R RURQReRgRcR-RR?R\R R RRRERFRXRdRR^R/R5R0R.RDRRWR[R]R>RQRcR-RR?RRR\RRdRAR R RER^R6R0R.RRDR]R>R@R[RQRcR-RRVR?RCRHRkRRRRRmRTRdR R R0R.RRRRBRDRRjRURSR>RQRlRcR-RR\RR^RdR R R0R.RR]R[RcR-RRRERLRARNR%RdR R R\R0R.RR[RMRDR@RKRcR-R$RR?RR^RdR R R7R4R0R1R.RR]R>RcR-RR\RER?RRdR^R R R7R0R.RDRR[R]R>RcR-RR\R?RdRRXR R R4R0R1R.R^RR[RWR]R>RcR-RRZR\RRVR R RRRRXR^RRdR0R.RRYRQR]R[RWRRURRcR-RRR^R R R0R.RR]R-RRR R R0R.RR-RR\RER?RRRdRR^R R R;R3R0R.RRDR]R>R[RQRcR-RRdRRR^R R R0R.R]RQRcR-RRR^RdR\R?R R R0R1R.RR[R]R>RcR-RRdRR?R\R R R0R1R.RR[R>RcR-RRERdRR^R.R0R R RDRR]RcR-RR?RARRERRRXRTR R RdR\R^R0R.RR]R[RDRWR@RQR>RSRcR-RRFRERdR R R0R3R.RDRcR-RRfRRLRVR?RRRdR R R RiRhR\RRUR[ReRQRKRcRgR-RRXRRRRRoRTRVR*R R R RER,R#RRLRR%RARNR^RRRdR0R.R(R'R\RRR@RMRRDRRSR+RURWRR]R[RQR"RnR$R)RRKR&RRcR-RRdR R R R0R.RcRKR-RRNRVRRR?RTRXR R RdRR^R\RAR3R;R4R/R9R0R.RGRFRERDRRWR@RMRSR[R]R>RURQRcR-RR\R?RdR.R0R R R[R>RcR-RR?RCRZRkRRRRR\RmRRTRdR R RHRERVRR^RR1R8R0R.RXRRRBRWRDR[R]RRYRjRURRSR R>RQRlRcR-RRbRdRER\RXR3R.R R RDRWRaR[RcR-RRdR^RVR.R0R R RRR]RURcR-RR?RdRR\R R R:R.R0R2RR[R>RcR-RRdR R R0R.R2RcR-RKRR#RLRERVRRR?RXRdR R R!R\RR1R0R.R^RRRDRWR]R>RUR[RR RQR"RKRcR-RRRR^RTRdR?R R R0R.R]R>RSRQRcR-RRRVRfR R RRR?R\RdRhR0R:R.RR>RUR[ReRQRcRgR-RRRdR^RR.R0R`R R RR_RR]RcR-RRdR\RR R R0R.RR[RcR-RRdRR R R0R.RRcR-RRRdR R R0R.RRcR-RR?RdR!R^RR R R/R0R.RR]R R>RcR-RR\RdRRXR^R R R0R.RR]RWR[RcR-RRdRRR\R.R0R R RPRRR[RORRcR-RR^RFRdR R R0R3R.R]RDRcR-RRVRdRJR.R R RIRURcR-RxgUMCv]Tutf-845934257027c84fe13d44332603cf5e0ee56fbbba6e07bd9a99df91db6765b12?7zXZ !t/y] crv9wK{ jU%-a.^{Sd%a$4ǡRoz1z* ++)l5&_7j½Dl+IJgfv޷dT-K29;ڛÙ)jZt/FvH_B 9}!@R{\Z!بi* O(UZOrBLJ\ OqX?OvjVQriM3Uipf\*eV]%2V-aLMIsJu[Ь=}☆- xg|L\ QTst iw=x}gc]} l2I<m ;􅗵Q;\/@/2A4Y[׺jmY.Ɨ\%T|S81B6rrX\$% Lt|^K{\xNBȨJ XmURH@YO &NGfdfzB$ tfꙇ+HEaj*3v=]Rog'͢-]4Zƺ&6${OD@T7 e 
z;@LO(5j%[WwnjHXHdpe_Ԣ#$onDEYսY;Pw֔Z}39N"|ax8D.a2ҋs Gf`oJ롛lX9s^o[s-z?8ܥ;( ?]N[Ȅz-4TQ3i+oKvMD|){mp4FBz.n7>{j Q2!~] [5ݢ=&Mt\nג~X 6ܶ8 &PT.&w\2*T c|3Y?apQĪ@BDAgv:4Dbc'7tlRUjϬe9Ia'*au}-/1G2d4'vA'%쟂Îz+Խ?8njp?6(vdž@N˝V羽>yg2U` LCnת:2 AgxM/6GЪ]YlqCgb^5,s͞2ce촖+RWΡQ 1ZsKZ@\;5)g T8BNG0Y[ ڡr{宐l(wUȳ/ j|>zb2zяGuE`~!eǑP.tAWuJ+j bRͫ.˄ȎAȤfƥݥ'Q~j=e-ӈ[R@tR2z°{d̷=~2rxclt(^Ak@NC~ $a%[ 9{q Ƭ=#9pB"Zg6֭8d;T| (~ K =|Utel9qSmm@F#se?%]b}7tf@\dI(no}7%hs}y=G ĄPᎮu3F,?Z0=6Tf unlO0h  JȆ5UeiA>:ULR?0ikܢٮ=\6Z/:z9u!ӿFXX]sj>%%r0;QVN;.hAcJ@fk%~Z%[|Ccc}ˇx)!{҃u)!g3R0eȋU%vo?>CWuP,_;x,KWi6^r?Dau|K3kCSp0A7@[&d)xU{>Y7qq4ߏ9 8R$(/EaC9F7g;D$rZop4] "B;IpWX)ϒ~l/!cP_"cf}B vt6(o̹Q6pċ\F3{vűoψ ZV~uA%Tgr YO r%GV~O*{F$c%%: `;Q0E]Mx?l2oH) ~Fo"0a5PaɌ|0#z-D( JS4 ^kJ.'Wu Eȁ r8P]igIX1̧?ߒW93ۭ:RήfNAK3@kZobVsYaT̪.S t5PEq]ޛ j>!s$V7nz3H)5߷-< M>m& z\@N 7LuQz\7~T* ?pGc ʃTY9S^t B$P;ދ4ッ$.+'4I`c@:;"(մI1qPZTm/|YzSk+mq*ߩE{| {;f0o]mսYTo dF>NnyJb> {ϽNjﹳqFsL[yxZH{65U3s])om&EMW|!.˜Way Z5Sz`OAR$sK/rpwcb~b{ o_CoVDlE Pk揩^JGO!]N/M ifYPsd)jrhz[?'mVXO4U52 Am{U)FH/ PYbfVza{6PP CsnɲK(},}l JFun0AoM_w̝w9uwKn{py^Wk6Е19(uY]=ύ9O^.W&~ *KmPSԡ%zv` 8,e3ʞ% te@7 ScFkz_,KgܵUr8ONӴe[ްfڹxԫ." ccj`ϏL>A.c4DyLUt7BJ׻U'])Ɓep+dGg km3up_(LݵJ9>s?kձ]&§_Qj_f}B8Het1^ y( cOߦšᆫ|Kꮸ!QlWzGzg.^XOu;F;W5 a/q4EQٟP%Ԋɳp5!#$.ݫ4{5T%` bL#z]㲎mM?u1u4%0yM$"N/,1j >{W̔s Ps5Y?P&% Q"UȔ'ë^;'"⸻@5pԌ"o] +]S+w#h5|2wZ 3~KYynp}wdNKѷSNu"lP)%>sxQ} c^;ѵ;Pu{1tKL!n ?vG|.z mD;x-r/HpCt^EnʋN%&-05F9FB Pֺ y}jjh !+|# J'4p1{Lf6NJsE!xv=hSF`*Mh#*Tʯ <%X3Zuf ˵s)n^lqX>rwc!gI7] ̨'gیΧvYfnӶ8MG4NAiJf/W*#nޠ'"'sR 32[~=h+;) lUIlZ}v-#Qj^%‘+BG6}eM2iSI ~T XoA&"|ѕ MˊmJ^#J -}B Mcԛ3n%{*VUGgty f IC J!e|Z{ e{uځ⦅r׎pדsp!-yOZLۣoQ>\w[FaOh"*BHOS\Zn⇔1jf<;k/:?P@XY^mesBd(jLyOHB%:9b?Z'Iz{T|۷.6)3_VLc+Dvz%]OkSa.Lky@ՊeMi1;z|&Za5U‹Cqu$(>nYK<_@4f)0lU$絤6>,fu|KˁbM5?TGݬ!t T,C#fԎdL )G*ƑǖaBW//!ːۅ|[>Vt\m,.Kep@b[JJ:X1ɦוgTHu1&· 3MHDi42=CyF6utP~ IJ2]lN{>?_hE2$ڳutq ?:[MӈV*(o+X+\ݓ^a6DYgI5|jd D'5햝. 
Kff[*I!/5^g+i7~q;|ʤʏV1-P l.%:xu9|R'Gn6G7"d>oE>g@5YptaYhX|joӬ=n_&Zww@G Xz~/E'_z^Ǫ>,*0# k(M{C9|Aq"c,Aѽ-JgL٢C1<<9bD Duv-\՟@Aa.~;C|/{Xׇ| !L&/)[wӻݠE7R ;a006õL<cް9'd*u6,YOF0pv|՚McCOg:[>yJ ?>F iR{bRa7{,R`+KS׸ 7<ʇXkQ7->P/CƊ! y/*%)QSJk|Ϡ<M %ύ̦4[&4ZkeR`ⅦW& =L-B48{0ĝ 6gVp$~Qj'-N?`H I G^:*1O. kȫҘ @[ }0R}{vN>AKu hIy/&'o}"/3eb{l<.(΢>.XkU')r *_'vl^*n;1?lU@OZϘG=qh3x'rMzS1;<%l4|2o%^) zAj:"{]XAMZ3 ꡣ3_8*#{DnMm1AiemC$Z 󱵪R1w.hzbWpBw.2ZWi{vVz@П:;Һz c//JRRqvE] ik61u4"%Q&ZtըS^_t ʫ%VWnL8*TPf_&'mN@863D{U^/_l pMJRkw>`iuŰl*F\|Hsf|Z-V;g5?]%p埅e(N~aGN&AVV)`nliO&Eլ2). :$ZtNj>R'ak>*~bfi!* S}0!nDAi@{!~DZy>BiLJbä'wNiJiſlPb4\c?F8!MFUz,,3,H߶NIL@9^_-JvԿA롊a0$vnn-=!DhLOe1kR&~pUBZ۾t3|knW}%Lx&A?+=~2j@PcM= 3*û0#ܔdpS* @:?6#B=HE(}P/*ˣ5 Q7E3hNS|Dxh@e%zj!eg pĵtdh@6V)~qdwvR}<wa7ڨX󪽉JpbWShUTiD@x~\s]KNf?i%ڑ淈W*_zPrwxOb2ґYCz1}T _rs+Zۿ:RL @x_0O?Wװ SjP5o(h!f{U9A'KYpa2KQ?Z]%؁[;dj'!Nceɨ6TyMG1VA-h]|7m<2~. +}F;'[ѕ36.b<i<4U4uI  jrrbByevli#2DOaAMdAwGjVpl[Tl@Xԥ(w|/1iMfyP3F2||ݾg#%Ý϶~oҔ1L~O Aw-orؾHx>F|A:V ~ޥqJS} ÄVM TmUI2B x VEkZ]4wgWouK^$d50˯Ztc,%~ORX~Vh(иq^&6SoP^?59uKuwëGiG[]K>([m!G/Nº0z yQ '8zQS!/d t p[1K wM${7 ȫ Wg#i,sČB$ohB[D,f ߣ8saz$Fm r(ZrLc}c|ձW5d[?Z^cdֵmhm n ̵&-1 -ŸWk{\?E@?_D`b1|ࡾx;$@kf.?#h 8lM7MZpb΋TS_cm=&V | )Y\u ށܳu<3_܎=1mdj?߰tu}QeFpNV'HEa@Uy(/imIOP] ]D"JsָwZι*y/U PȿyEdE:~nٔ+$vA&H/ J+‰ץ6T'"eBFm.nvޙ*,`b*u.}vƇV# uin<3#i*}}A>ufQ᭑8 E }Å4! ّ䧀-o-{sHQ}\fZux|htq%=d\jAxz񧛖ѿ{=a)G:C:OXRÔIHI~c _3*@ ŕ8a#ˋ.4ۜ3IЙdX,N:)GD u +tWxx sұ`,RH,M.^_=Ƀ^ߴgT!Z\!5m-nߊ۝~2DmOܪR{ޮSDEl WU§0:9[-3cI;q5F qGn-‚tlFˑk$AX@(LoۦȆ.}2 .pH=6lOHlւ6^ ),dmoa<E7Ӡl&iK8L6JEwd-+A71-:4BZ쪟͕b̞ e{|L Prx lcR@v==ɟsUGTEX#V8գ8^(K➙2jeך|K,pwwqZ Hs]>Uo^'g(.(WPq 1BZI&^>KDrp\0 <> pj2Vfؤ1~i~! 
3N7ߠ'-@{*AtnG<CFiA.޻"[t&fpGրX16lY~I5 JC[Ѫz."jOMm}equ--eB@na]m+l eM-Nw:kt*x:9nAsG`,"0Hۮj0Oh7c/ s`_˕lKNlnyUw.](*0h(l#姗% `(8HJ#}]k{bÕ-bo]19*+۷y4KyJņ9q-q تBz$k% ]fз̐ez2ǔ@qvXo' K:,ԧpͬv.H`AD=?UagKR "]/YU1Q*(!}%#9wTG5% mܩR2eb܅tv\eN/\⯹D?>LKV^ߵbZ)Et-+yz;'@85"|hFlu)Nv~ps/oE Q*&g H&_nZ뾫G|qY7Zھb\3*0u໾ u}F/)U>CcHKҠ@G$xOoaӄLk`>ecO6n/(>B2E"AN2AjLDx UH.ymW~+Zq˩ftɢQc[IBɎXEa}%+iuK-0s5nW7jKD|͉_t!㩈QNykjTsk#8*A|#ldĔjD,{g&YїM-nJ-҃y! j Q:OܯhPuVYF*']`eIo"bmkdo%[@ީo]k!p:7ֱ͈9*KFJ_CM3&:S&7~z\jJǮ?c"om!E wpAxVer_6IT\PwgR1"8kHE!δX Z$ ȔWF q>4@<@s0`p欼9(t0fu)Ydbob,,bΗhU{ ([zcr3r[cc jJA9oPrm,Xy"J$XR)aUXn%϶THMω^0YX;Sƽh=OB=ABBbR mi,չ<~Orůk.~ڢ5rL݋{D«E ,M鎟G_B7~ Wq .ԸxOE57=i=Of Ll-FUzڀWI"5Èw9+*A(`bt{\ J# /gx %9$j{ޓfH}h?7 ת<]YȈC,[Uϯ qQ_*w*<6Q.02.$ GO+rIV{]I* w?FInZsʵu;~ CIЧ0aB ('@D%-O(0<[40*sgwb[ߓbz`K[$s(umau$V-("Kp3>=E\$|[2q+Z / 6"e~°!DSX0=Xunvy99-#t"ہ ۅ\L= 2f!/a%U0VL&S& uKASq%V:C*F$O]B)ZP-R-'n:#Ј_+Ge.|صo$\AУ?/XA :%]R{%O9Ett{x>,6)$#Q{[$U fל~_WkVSo&KUWi+ՠ@Y?(;j*v${TKpW~sS_LnM@;ML581:[9%]L'h!עat*V~TNKFj=NyNGA6$<+|#>F(a0#0ʑpU2"TR6AjGWֹ KRW14TyH%VD*Kl PSFO%X@"p%!җs 񇬀=#L ޡAU9s@dq{,&v 7o9P*#УcBr°lcGxQo1g삮8Ѽ+:{`Tq@:8 Oԣa˸hw4W5#Y>}~R'AG4\x(X=HkDDm#>lnurati+j&dQ#|&6r7콀W5y~ǯ2rgZzh! ކsг@i]*V^T!f CbdJĠh5XۘdVU\D K𚕦SfgE># hZ_do ȸ#/2:i1تPd6<!B(1jlzF9Ķpcɣ-K"׈zd$ VoI8F&|u߂uDw0']ZRaRNLL)3GF=o!C?l;/~ F^IrSrvnS ^''|t!_ H<1黜[b)(g>MC}/r7fr, O'ihCEW2[pUoQcڜ!}o1^?e9cufpme7t\ǘ djtyfJ{ٔK9;?̎>+-JyZzFH%5P.J ZE dR60 .sn8XTĩLpoT$=#Iv@̏2s4'yM%D #+"۠*kC#9+)mlmaf{EpX=^Sε% >bx,N էHJijM0)T0ʐE ldp6pbJ0ñR_5lpq y?6Ab5{cR\c4Vk+11;Tk+9f OFmMRN/` ^ {ý^w[J 7,x'[ۛJ/X.VVsFAY.5عq̽/NXr{&B=Ij!l1 QB|vޅz{ƦndהrZ*3P".OQ&`;hһXa= _w@`8 ) +p8AL|}X ,#"O9a~^ETR1o![ѪWEChRi|duՉl*OL1b_jݳ]4^oinp[[T\:&yh1Wc|J23_!46f;~RPJG礇gdm!Qlf6m [Ѓ\+4F 8A9rr|rkVBc&=tdt{r{ |#{>ְj݆PUXU{N]mu 7î4kXJ R ;/=d0t!F^FKF[Jͽh'TۗWq3}/JC_ͅ]I+ywԛBs$H 6M. 
E>n^ 7BtZjm1/P\w^YhhKLvC nʩZsp6#ihNq24,a=YHh=P<Ʊ$.Ŗ6>NE})@@+&xonSf齒՛8]bEdXGUŒ_H JQ.2#l3aӪɿHd*OڠKĥ:!%QBk<?*du8aGg7ϼOo#mW#DUӶ 4(7BUM,0'K^&iH*t[{HsT>1ʃ3ƬA׋ 6΅pfR^;YU @^Usأ%͈C3DjêR!'P0 DȯvMeё^둶\Gȅa?*]̀uqM+h2^Gv^*E_kuܕr8%^=b Q' ,Q^9jL&jlYWO-qJZȪ/N;:yiv9RgR ru۬}|PK/FiTC~oc1}h2Թ'6ڻCPx~%k_) ;-V(R"E#`go<-4`Ysx-Ĕp^jEFn iS#x1'Z4UGq@ i]}~Zx(eR}0c-\JYca ݊"RVMx 4q9ҝPL-tu]o 1~c ɤS 6;1AvFuF.@V#?斶c' )̓y{[8!L/q%`uY_z˒1#cywB:\(gs#p0pVL}? Y4!Z/N$h綻3k64%X %ooyw2ӿި8yЁ,('QMjAͺ Ng ݦSPN3{!KːHd;xi%02@GĥX޶@ \W!(B$(ҭ>bp/}.VBW+\2t)phwg$Z]dbȌ><3*Mb#CuibR ]5R\P [fzR F$m*FT:1bcz~sfO?A;F w02pk`'DN3շΟy@Ӏ2Zr5ٛ|ހ1NgYkKD\e_M]e6SmbSn-V{̑IV@!|m OOY1ƫrƒ` &`֣ϩ_T0`FyX?IH ]Nq#> ;SktwXw}uKPJÔocgJJ_!;[$Cď]o9 "bڢ`U@kf )һK:~8q"_swۊXP uWGAU?w*ӌ9= [O9.:pOǫRrV 咱ǃHd@p(A(adý06⛑,PVCHJ(sZl%b4k$2WF;&`6xyzɘ[_eR<$pdߜt^|oK/ϿT""unjX7՜^C_! H>@H?WkJDw 2MYy!h/Ҏ&{?e4 3 Mq`9M@\'ҥ'B헰:cv^#Rw ?쎨R@=ۤ+3VS+yf_"]"D)$?W4@j?\GYNâjI;H~:n ˵n __G//QV;VCSYqϱ[mQ1$ fP=Hl?_ԬJY阥# ߢa鈍Jd0gf5\ BW$e ,:C/ejZdh53'KtevnR"S}c97)1 )lw(t!c%1w+ɪ+pK U'OITBƒFvg>Ϲ\J5ZЏ 898թf_@X& 0ug'm9^XЛ6QK: +妊W_3n䵴>d&D7 ȧ80x7UȺ6qc=PaR=C5|eUnFvRUJ \SbͬVmEۛggCyu(~#ț|KFLmh C,o!FǓsed#LΔf}ڹjː5nY%o15ob 1O\'Cȶ5G}eͲU9!EHnLyFUg O (χ &*Y̹Xvs5t&at@4XY7e]q@pPv-?9/Ly {[K{+.:1 1 *SЭ6ī2C􆽽4\ *ԗ9Yj{Eu(-:_-y"SGq u) 98>TOCWg3Xe;r3u.: ~}!tr@ZOi傢ւM$R 7S)97\ԙZp!ϲ5[(ΧGq,KH"Adv/c' QC:yT%$k{.: bҎJE%dvy`Q Z11ڡvsLLIn9eGG.X. 
Q4bJLEzʫE)_°6>E9b@(2CE.iWȟdoRwY$:Z*V y 4\lpC9|E0/}x[њSB 3b>y_ @^:81W_Ʉş-tƲ^HͰPz5'i@:o{BVU0%n==> շqTԮ|THcj  WKB{8 XL!`90:ةeVX[a\j0^zN,bVMZ}X\"x!uy&Y[Ŷ:_%m{RZF~8|%@xqV%ck ^!9YUՒBc9nfSA ZG^t5.$.rkaeUi%yH84߅~9lYs+7_FF<|?؉gKo|ܵ9yH|ט5F).FkBάi$Lj}O7ݼEVLm%c A6H+R3ګ_t3bZ`S>V"h}r7] }]k#k>\eL;E7㠳X6.^qw .j) ZDT/W/j&8 5|@blP[K^c>fQXɀWDpWY -%k~|-*$ߐMX h S^G28*-lB,1\(_];Ŗ')HxK!ב90g̙xv-4\/1' 9y@uDy~$4ܱ,L_d*\JZio l呫Cg|p*ʁִWyTx66y42H芼 p&~ȟe`/>b `G0|чF_>pZ6pf Z{mMSiw1km0ıQ|S/Və }J>- Fi!̌aRS*+E|jչ?UaV!JW^Bvc0z 331l5nFn,\> Qmy?TҳC` Pwnf؅MMim5r P(A~jK,wUP< .ql #hK8f:8vz}a'bQ>Nk E]U侉 _DŰVeO\֤8cgTc?Dct1Oӕ>MY~7aIn-1c~LKM+\=ĝl.Ah2\!TUL1#Ӟ%eŠ=)൶F!1P5~i4`XctSW~Vw` S C:P Dl9"&1\7ab+P!!s`>8{;G㩍ENaϿqֽAqjFpЇ9ity>ްWgC'!q TR{ҷ^ңcN s;ˆWYG;+~!UW8l+)CK^<YrߔvwO> 9.Dlle~xTRsQk ? UJ!DحhsE|ŝ~j7WGCbxw$RJUySFjʉX|T:Aÿl*"[~0լw2D5J]-ʩN@t SJz=\~c^>=-s_mVް@Tk HSz(m_ׇ݃&.WHPS-d4h 0nl Bm`ߘRXQp㿵ڝxrL r4W#&ڢptPҀ:ذsF,䅍p21R*PgbOud$P")tC5aɅX.GlDL3COh1rɬ\;HMNG%Oe}#x&YQNfi&tzPwZ4-F{뉝ҦPp;klEemxTG^D?!([2xwC#ʇWC6NwB,hUJ+NlBVn}gOimhB.+RzQHxcO3Tjxk~d 물 =A=Hb;aO0Cz/}-MZ0{IsF,C"k;@Fvݠ>* a-Õ8%zCJSAT%:'g_ݤmyI |9e܃l>:ŴWGɛ%ao5e ̜1(vof$N_KF!bDhL ɷ6B Ĕ~ SX޺l'OrעTD|q%8ʽ3GaWLJ+M>Q%CL5 Qt>?7&Yf;nOݝ¢KdNϒ&K^@S RAO{=6bOX2>r a[Pz~.MT\8P{AXH[qnzb54cuYֱp?k†|NChC|%.G!r en^'`YL 4DRنrS.#ԣg-KƯ-[ۈ;C:={6n~C `ZݥSx7GAlU>U^DzJ75[}hdZ+vy_4=U 23 ŗA,y|Ng3#V//rK 5@/غcBaK!bѬc"s'!J90pL'NJwesR`YR{c՛Q;6v Z3f| 0RHAfuG;}ќmIQiX^M*+TbxhѳOpܖzɬ(ئ]SjBQ Co.?);9`EapPԌͽP'pdDo8S~4)#Aa/(v-+11Ƈrmf|UЇݣ^fU,"CJlumZe_fGq:鉭5fx ȭhCb2&2ܭFg EFJ)-\8|dC[e%B×v8^v ,PGʨRpcK(|{FOvh*A^GOA赯LWUM\;Ew٠LwԶkha$SRVKZcT, QFM@sG[Vvy_UF`VFFɢ8\nh?/{? Nol d%$2gm owG(7O{H ʑQd6Y 3E?x"j5Zͥh"̈́>TL;yWO`* ,ez\~i/.! 
^lf]W5QgoJ.S!5%_Y9曣Bqv$,|rhSE5$]{s 4'O^UGl ⵯnoUmi7XPd9U`A~?0\q"h l$$1Fذ٢:g9kaY99ie x,ŃQ|5>(˚Q12l0%C\ t4B 1iS5)"kUM HqL;7y잎lҶSʸAє#`(@ED[h*x 1Wǔe%2zWa RG>j!Uhmb 5Dt!+G;:ᑺh~Z`Z][֨L!,BSOu ^Z%Pg(9`{Q P \1(ѧߑ^ōc9AJ ͳ ˁ{blqE06B|ILe\O$:YESLjø/sP=t+B4 7* W E4s?"-XT{'͙h8g:A,B8)GDOq?d a𩁙 Dmpi> ]x.RiCvI`4xݶL]C&ꇖɕbQ BWleh?n MLX ФS$."'(c GKaGJU'ݐjvU[jM˯+MX)rԶ/Ԙvo&ϧ_*[jyظ忲={)GR͋^xY:pU9߁|nk**wCCY'q3:Ee)T+Hg,F7%BcR0-/!f}3aG1b%Vr384$pU.xJ*ΩqˤIz,{ `@y'3?Sa(rڟ9S{Owר+L{G,mqSP_9$'&baӶS? ,Jz`9o:<i)fT" Z`*9uszlkC}rV~BfyEVܕ`@ \Ofs&Sj} 04 ^ۤ}v#׿6/lm$"R܋ mld)~JȮ]iZ4ƻ+nS#G,m 4h--:>xjf.6€xei %w 0Dqx=Ǐ[ȻsPX ;o _@eQIV_X1_[BɢhѬe{\_z(6-QUOWk;X('5^W[q@g $pf ;6gv4k4~ ),>*h(MԾ, ܸz@B@,O[a .BB C ^BI<ړ JA3)'g8rpTm* jP@Y,߇cJA.kp[tC -ԩHtl@z2!u&8+0_$L+[@ WߟlkG )oԤR(M ևS΢Z &RȆHɭJos-tD0} 4?)J#UnC JT p*v mG7h"-Ă3zXh))n(hBpnq;+kiB~;@fJ<0 +B.stnX=0vJ$y@Js <)^Ǣ}gLPeUNv/Q8ꣷ1-kn_"?Dvۦ x]bĦ>JjUƶ3 _m ?afV=s5' @_~mdwQ ~W$ab⧓cYmԃR (T< m%wP1ž 8BQUԫ cB\T7SHrhC=aa7-@ڇzʖq{o6I~!-e#;:&;~yڰ.'.TDŽv፫q.iۊ^4 !}zNT^XI:,E_bͯP;{i1@NimƄ(݌9h]ܳ7l*V8:D e%mӽqS. e Lm:E8ޑ Sxik]_t)A))K'1Gnc*^W>/;BM5O^vhxFswP@w__8;A@40݃O&\z!/H~{Ÿ4Mvާf1F *[Ĺ/EN`p`누F C hh5 omq֍ce;ԾfGaf i /—e)5 mRT'Bۯqq^. HM6 :gɥA .HDf.o`jXlKT!LݪuEFq3#!Q|FfgD[]:`L-#vm0Fk2 gEɗٱ Ƅ4DX em&ӾqΥr-qX"St=GE="N K;fzو&! 6ӂmSGS3<Y__7Hp:6VEF t9{I2[É_;3u3HD?Z{Hf %F! lLJ>?r?+g0E†"?PqNC$L:hCUc݅~ HYz>wGp8\O P6csB_UIAUM%]_0*;E{4rk4 ~cclRʇfӳLp8lлbq_4nR{U͋j!zOSk 8a]B90+!,:{aFPtyu #giióK_2Jw(/KS|Qv PqIM>VJ^{]5zg÷pթ y+% 6["8kqm b0\-Îf7 Œ XLmqFg^'"}侅I$SYz<&+p1x&Q_G鞨p!J% NhG@ 찿Fޒh%>b.?Ѝ7XKk=rL?ܠ+*TgoְxShc9B+wߛE|fL`?gemS t ̖/ Gj侠6͉Dbp~@쟬a-ܖjE{u}iDcޞ`Z{ia+;QIP3+W oy.0q;# >$_z3A Q[Rm >}G\K !f`n<-{2V7UtKZb$ <5+ư`u=WQXGJFBR1GU ޴;/x3CR\cE`hh4HcƚUo*WELamb blbŨ< Y'Jކa<.i7ymlaRoSɱ7}o7 7kX{W$'d mj˵oS$%C[TznƳIqq@&>T"A,բGQwaw&@0Gӳẗ́RI+ `e'dxYL.wJ{qc. ~óz߳w᫓ ,)˃Gֶׇ9lƩhIA2-dCԮulїFmf[ 9Ek`tDy Э(+hn;)Y<`{}8}NZ%,ܣme#=MgMt@1LO:%w['KvIY Y}@ye/EB)-Zz7M$7s3 53$ϯ7Y'{"Ok -<̩/uNGJ@ ̇gxo:˩LLmBJXJyX+my 0 nb.3J3 zuQB'm˨DhyP9I^Le)Dm%:7 T@ 6F2PǢmHκ! oz}<8NB`ۮ$ ըN@[# BsN95m[Emļ@K}w볫WƗ\#lОoIX1a#CbjHщ\ۨB#i}6r36i( ZO{4s-37OٶPz! 
?4f©uv\C؇mt6|TzwW@GIauK۴Ŧ&Z֣",nFj_х=TENF]SqL&P(;EG:#IJxK}Ľi=]"SIUG7Y眘=cl't!|Vہ_x[[$ 4-,ٯ3./T~M{k<3R[K; &X,sV'=Л#mh7^*"tmI,j>=3_MhsvnK/AysfwH) mp거F*筀Vr qt :_f8Y8 8#2p=fМO5u$ZMpzgz5x\<: |8e-df u^t*]V,<ПN̔Y:iE4QO2]j@7m3lqN|s}ߒUxFԎ۹2ZCm\v Ȟj-"1,_?Tf-n2-=O uNg7IU!gn?kZ7' QK 4EaD"WS 9Y>[A a oG{xLeG{k^t]+ [y!(^u͟mKc[Q^7KvŨ9&T3IJLw߄/P$ĪRzpUX1gU4֚FT(_GDY2N TI$Xs?6.2쀤;v!> էq5\jBw' Qɸ"XZJQ-6fm=o 1q(N],UaPs|%N]wf<̅n@$hB.Y"oB8%'_q\\f^P(pXfl#iQ2J7Lwr`SxdpL /"sz{ uxN]kF1)QW׷RX/[>i09K'vYs23hѾ!\A}E_حTH W[Uc<k՘û`nf1q obmv7YiGކ',% .G5Qx:f;3\ i:4>#"gu7χ Ԯsձ/ѮBI=/S .6íuH} ych–E Xf>&,! 3ȅ鲶vόy0Q=h ^[vC7=Wk?;?nR ƂtCaG>8lLAj_ق-'6҅Ybz#/ !H)官Zۺu5t%tws G#^*Nc48_6R#4p/cK(V.n$T2]ѴAk!<Efel:\Nb71Bb6xĥc6ԥ$[ܾ0wiƴP m6Tk5 *W;u={AƙUiLxB=j?RU|YdG`6]xDיz|K-ΙK,Q$ ˲B56Kʪpی#˜¨)*JNJ%qm;_+a!U=Ld( %0~tʹW>˄5@|䐱CyzA0iQRk9jݾc`sj%Y^,GH>%kǼr=-icNFA) }rQ 0uZ)Jl#PŐ_2m/46I[p(W^bDq]ύ67Cl #|[*,4h\=͇ZFfvTy ;k"fõ䡯wV[ .#Lr`Dw:&dM.)1oh:M'FRzхEɋb6`@-UL{oa fbQ\8NU![D0FGQKm0Jt5X^a?FeӜ{ /ЭgAi.~7utӘ`oœ ,+7< `oW2eAY`,}'YT=sd4/B$/v69o~a"OԺ+u3;zEj c%j  u3ߑU:cOŦǖ)P]nI;cl\Z:2`^ \ wX<_)6M :]؇HEJN0r@ek%)%i=M@*F"NBW~S흱 :‹#,{&u!f7E8EBz8HDn%#x ; Mɪ~*WH=+;uO Pc֯A0ש|@,D̋ndlib0ٻLhg] -4h }vICY RS6%T9>~rl 4ly}P'ٱoxD!hPP5B/@$W/wjROp];SyXK+xŻVF{QǗX {4ۡD'"]1X͢!t9sZ償las,u`ꬾaTxөT1B@O"f-4mZ/"y;\gF?"@iME lo8URW6 -oLOFI)$F6<򦈗F^mogf^2Tx!Uyې"r(Ly}cRW%}dz6_SOPZŠ> IHdyws#M!ˠSi* %;n+1Kz|n5 ^3CQkNS?DNdIK gAf 0hzSeM' REzŐ1`5>*QoJeKoL36X\ft6jİb%"(x&YGah)x)w"Zi#=jZ{zJ(6 qaG$]VY0~QHuZv 5.˴X6jЗzUs)O}B.V#9vy[gerpKI?WWt B,;mOyzl?2\ \gSL]~X1Eߒ78cmA?m>_-eb"d V< :#$Pτ m'2J1&Eۨ:nğps&ZtTKR(Uc"u}ikjSz3I,`e*+ЀO8 i^bݝ"QݧoIEN,!h 毆Z˶o3q!A~Y8+ 9rх̷wh}0f8(Tg@g>8s#: edR|D:2.j,zA)qIz-?M>!\fLx3ŠθJ7I'ބmSe"ȴ0nR|L6[v J{R83`3D5̅BAwTd0@w֪?NP2:~g_mz^qV*sm\X%·bOh#D&/Ón/tU'T(F6X(5gRYa 9AGf A 7줚rD41=AwF&X\ᅥTO~%/J`&ؙj^̟ gaO0zN+(f#_y8TS)D 7 \B>0!2BxWRY43R[PRq%z˔;?hkElKKEL \J͡:]$9Fޗ6~38HTL7R@򣖹zQI-:rmʦpn,*_p(gZ?dBve4sl3y"=?(IYN>OozMrɿWXcTR + {$W *~LG\s@փ)B뀰H iqF:reͫ|3Ƀ,D9Ck#Rmw3Jk 5I#IL(#H^!'U8h9l`c"1ߠULmz 6DktJ BȦZaz IN`)a+3}cyl/pB}`d 4MAib?|iy c y1FTjxK{_AA!KL"yKFfrtcTPޯVh^iaۅX 
'bGD3G^4hCN5dG:د1j=\X)ns'Kr%g!Y@Wr6iҶl+vJZl|`7M Pi6dPq>HtݐD #E/M#geJ{\Et`v!ԬzYPt\K=zζ` S) .2;{,b?#>aP^Rx& c@軰vX@70<6`Z|NN}$XrU]5ԿVŢo)%" n / :׃g*"^ISo0u[C顶 P̗D\/ P_RtȞX= pTg<%l :ezZ'Ԙ"N` -EaPdɐ@oOP.*s[(8avl;@88Lbiuqt-`% ٨mj/9=M4YImXg\A"&5~"cHdWcl3rQ=P1̣RMLL<pM:5?+<"ADp"H̕*vKRZZTү^}5f5?vE{0h>h>r@/:uSHШ24<*9M4Q`Sm*K`~MBF^7튚G+ߊoK=Sy锻* sfMӀQaU7M#g~0W`0a FhÓܧo C|>Z[M0b:|4kG(߸B,]vA֏Ulv!i/\෱ndx-QIA !|F\@ZNtVPIJ ̜`wJ:$c%0(v7XrEndc!P-(ڵȍH@aF[uO$*̝vpE[rf}5(Y [-4y.h])܉jKUe IHvOr9IDq FƋxI37bFpƤo lrD`Z+&)My'SPEF6``iN<7jBJ4g4_ ,7шz§J}`rf+k]pѤЂbt7vX7k*Wr"M8rW"1g %7{if31 9.Þ8꿌7cL}܈ (++I90 \$A͍T@_E.qmYn =5ӳ(gO%e8풵;PӲiEVuYN ^DaÏ?bo=)xھpo8d~/({!lE %4`" .&]a%hm= k-9X1pi!|ܖ)F W}ݞd4̺/#TT  ޭET'8n 0U$S ~` .{GB?\ g~XƤ,Łk mWmw5ŖXC`OWu T#rZیe91+)6\F'o"5SѨn&~ѻŎY-g6/ZVn=EK1 Ø!,Ǫ^[Έ6D;vP,XqU%A^taHy#r:\+vai!T+8s5%CTg_faSt=q|P^ȓ:(UM=Y)Sf.;ʳiE0v]r)R:VOOQXt' Dmz 2ubv[H(gNmR>ԫNY La}\-qlq,1c]y?QV?/%|ELGJoCXwrDQMuZ9_+]cuFu}[2 ݉k+T۠(R&["jʄY䛹:\hNƁHJ ?ٲ N4f[3 oX;7'c76sO}0#M%bV (CujRWd>QZb㞑$=3e;CK[ד"<$$B- :ނ!n|nAɘN4zgHNPS@H#y`Bn52a1JO|sm\kEjTf 念nA _1@XeXI &m mBFHQԘiM\NW4k^{ŲbbAEU-qW~rkº]($`J bZqczz?#tf4Wh4q5'tfDnҏig(geNO9xZ:I qNif<0`芻3Аܕ"o #|)xM[Xk'?ckؕR[LeC6++`ьjtZj.9iZLdqL#Dp3<!,;7f<.&ga_I2cjF O {}n;>e]W+yjZ՗` HN8SUYp}b##SlA :XzjY8qbVޫPv`aO\Vpr@Xl1'Jnw"`Pg"—DO`̶촇񝙔8A weA/,e"~]:Ҟy7S m0%>!|<&HWkJgGbm1[W'c6q0{ ADr m<^weL<%<ٓr}ܸORogv=)M}(6-A0G[!6kMX97̤gr㈶˯AŦۊ•B}If1?'M K1 {_6ef-o2&usb%ǟW7";M ax?Yɳk.r-o f=EYyR!R0nZ@>ȼxlMP,oؙĠZGn24<ݛAvΩzx_ X=q nXZxo>ABz{)tZBVSM(7 w)f=#~GEώނЕ%2J@"+;yl+ll]˕^g@JHE uB ּ֑IU$6Q `xLS ,!l |*_s6pL5MF\ZDP* n\ރF/azZw(6 a ey/ѿ}F|ySJ1Da/H̏sʜşzv$TrQ/_zdfIwچΗi>X >~:ꉅ"5nRtaĻ&!ڟi.m^׶;BUO9WiON]02z @4o^E!r.&@f9@8νv;sXQ@2xJ1B1 LiȋȾ]U d߲0.س 8VWU!1#gLZH=DDT(UrY_C+B* K'!fnRMOtdFΆZ6%|l+n6  qYvEYV!ۑ0 䑌'wlX1UPb߃rb:/[,?qcTRhM7goxNb82 ab',ty]n>{+_"FkhaZ3+Jc]thS&dNȿ(2tӧRTمb@,a 1 fx\`5 ~yU8)1ol|j[A wuW-4 ՛FeyDƀ+%=vWiğ?"{Lz;~Ok 4)!ç}I:6k)f{,a!==w(+7TewpSf!wCsET{%L|V }Sr(Bib&9"X|R?LV>fJ;I+}Ź 0L\|MX.;"Ob7u !"<EiŶ :b$E's6^,zF2EķAN޿br6 )ƟP GK5P*MD_co\Rz0B@Dkg&ն&iE<0fF9G3yN8hKKRX%AP >)'rCD<j!aı~VEH#ni_Ys8 
*?gm?@E=Q')i0=6s:'Á.[ok$mlбp̑*P1wޱt<3 tt}b '4oS;M)ҙ])fpMNh}W䣘R'Y_ 0ρpbh܈^; >@\ ŧ:|ڮp E,$ 5"Pw/;"krrȳʥ.g1C8Q7=!sGE 鈒^ŝqሡ`?i~ȕ^BQ͋ ˶|lO;rc(ݛF ~$^lϡEE`0qjZ< =tQ@ad OGxҏZ q8o<#d=a> QvpFc Ȍ8$!:&Ӷ_]G\O8 1jp҄wWQ^j~X,u ܁p1j&1 VY {~>$: p]Gz] J2[/ߔO RuV@4Xğ5#W9NJ1Pr)u[ӺT SD0uQ r^OZ)p >c/qfREi|EM ބW nZO=},0@4~Nt~Dw#l@v-LRu3x_A08 Cˉ?of*N0^ǕL-MSUyW^kçeo8(b[c lg@XK7G\?n_Vns 4:8[tQ^-]sH8ݴ:1?Gгu?!$ga}PӓL]`elx˫Hҡ&؊,+0ТAtݽ$|w28x^:Z >%5C95 Jk05v8$eZn³Rʰޜ7M;l]7?K R\ĦC!%IxeB|ͳl*dr0rK{ݛ5R)6 ݽߛA#tB=~~uJTG ca e] f_C'B&'h*;m2zHl$g97uU.rtվ`"wt亝&+پ2~T~y DZCE;qZFb`u/uvP+Wa:a~:-G(/dP$1O+T!Ak0TDNT2[O>xnARev f+xlDiGxL MaTARޘ[TM,Kmufɉt&O%iD bɸ fKǔQo ˀ"ٿ!B: &%ka֏0のxFT>wܧ! z8ZBl'.4ɄKg[UL8؏L̥3]6loyGr_i7јQ Ymخk}w@?Fo^&JPTSiXOKQWrʕ9q)˻)*lg88hd 2=WMUI_G!溘mY%ȩf=p1x!*cٶܤ^)'=bn,Wn/iyM?#`G8?ə.W-|\{W ?WHfY5#~uH>- kx,4.bS-(&]VTpJsc0B,$ׯbr䅻@\ӂ&t99ZXSwhxiop%$o5Vz/e9g8v&2ew&GbIщYoa(~2_iv%Z)93_(.,~jۈKN㍷%Oq,!@p"9orBqBC7Knˋln?hΥVeM9h I:S SxԂ݇E.ܠ`t|o?|v}B6@'boi5J_|hb*EԎ wOѣHc*q*cnj"ރL,<]>j4IWKbɱTOcjC:q֟M|+CP_{|1{Q"-PHs %vܚͿؘqߑmzf4 x$,Hv11}ܻX1Z/Kk;Q '>_PDR- {#=i~R 83)o!?(sQOT1QqUI@9&70i-Q};7r+“_9s3~O1guȷw+q/gyM*xҷY8  vIvCE`J2ju5nO1fJHFT4U`bkIJn6٥;Ula(f54 Ի/Eyl W( ?Ʒ']@ fp^׏CE]&ŕ&hXor_+.-g{L2NB\Q+$:C)DpgLYW4ji}%ֽy3$`5Gr2% (-۴Ѿ=:E:=p,LEl#Os,ͱʞ_24](I%X,MD^!"Z&N& 3Wx5fRy?uXIg$6bVg?n.NOGBA6u&ez/SJ֚l{9!uЫ.Ej!cR8 a\5W8"kLو_FNbJhR%Nqy2foJ30UE;fŪ8ы9!IK$fG9 |z_ϵ2X `=|" gM);j"'P"8}j[?g'a([*$Q#3/!wr 2ڻu[8;{ƙNt/)UHFo<A:EiJBJE)7#+|^9ziFmݸ1=;S~ WL ࢺG{0ص6[$^q;y}6f"+nx_OJ-0&x)yNE9Vy|Ifډb4$ /֭ܽ.:Xk|}N釉^46eϝp!OK,V'657w#]${;]:ê~/Xe؂^yv-oi|R .+XʟC{DŽ1Nְku+6rR{Nsb{lioae9;CVo˶CT嬬](?:Z4~_i_dy Te3UcSc6Ch4Ewh !BYg$г#,Cy4`x%6=,7<'LdD}i2K(%sNK>=#U4`a%!1^·$-+&CޔAh֢`X -6;>d<ǽNM#NV \A&-tmpX2X,fK{f:36t`/XTT:j/6MC&QdJ`+#7&=Jk΂ip;"kg%ׯU=IXij@6șGL^ (CA*zR4Q-:^iIDȈƅiK7+}d(ޅ]Q2i V-ʡфZ&K;j{O;D斗v|vCCKswij7'`԰~(#D+V-*XтDCDK:+Q8]tǜ!*̉ʡq$4ҳ/g_%9V3{N'A{N2މj6pG6X @2_MJgԮTUyj[+iknG6Tj"-R?\]V!)p)}(}8wes3 F.bL=2[-1ߪ$W+˅N}o/R)7dXoB߲7T'6;G3A+OmEXJwgCFޙbòtޞK$}` #~c7XUc&I/ pS2Ff`.F}nBztUQǟM"OƧ֡dvEse#j@^v?Dwo{1ܗn_`/:bZẋ-)_wM뼤]kyTq%ʊɎ b(6e:cعG(2ڊJ^ 
2XrGAƄy=:"C1!{n5~mVUl<] 2!ak&ۿz\֙+A/ FFs,UmG)2qƐAyI:cFD\}~}zqx݂J٥a&`LӃ޺~ee t#z|k ^(eq[fʄI1,S)asiL,T(ٲAѩCUn"x04&I`zI7a7U9d>C TSUeR!d,/܆S;'HFn 7y]uՓ&_hps/Q?t4?9aLO?b0ɬoFj"tpb~L|Z̘ri􃻁3ñvC-\? 1pd}t ;3OPA'W kH^EV\IسZ'PWI %oe Xe0&! +tVYޗ(?UPҰꔭw& lj8$' ;!զ\%14s = |,E.@l,gpV੏Iw*j14 *qt6F>%keGY і ~k]hM+E߹<(~aJ^6Ri61:/&fi/>ѧaͅѲR*7Px/7o~Ճ1I^QEx`o iVmg(@5BI~frNlY)n~P/l{g:;>q[ XD*9\#b!8XC2|ޖod0{NuK@z/WqK,LjU|PR1ߐ[ :M)ՀͶz;3ҁ?>C_7aOߢ^w@3;BΘO&/jTbuO0F{ jT@9:mIBFP9qL2b#Mw0w62 & L"ܓ{+^V fjQ|>6&؈K;"MV#mk{xbG :ul{kQ.9b!~q3A&E0~qO+ KЋ;;"Ri7 3{I "ca`[`PTY-spEC#n^>m ʲ%؏>S)ѕIYG@:mZS?Q7h1&&wES!$UV71iԀA[da d`bv/;| ['3qx3(Uq=^-s!pm\ ruNV $Q[Vs&T*tU9옼D5KO}M7 }3{nT fpxi{(my 4k}Q%ȇ/XRm}Yndj9hlܼɘ9I0*qx.AF֜q=+_!dJAEFCr@y>ͤ(2g1g}& .jNE:*ʺ&i==Q,MK[9p#-A!@RMkm\_Aܥ)sOx 'K7lyYA:&ϋ#`±6N[,,g0wj!Z-W[}`RxC i} il@^X QXx<Ҏ{gXR޶u*~| U x$<R@kTVZԀ_OY3` %̔l>d^]nbR4O$U4[Κ޸j;%CzÀ }ྲྀچt5Ԭ$Y';q~*8FimϦݔ{jOc'DUg7#!_lb/IꊊSu@9=&xqŒgh/Ve!8mkT2D]MI2wF=];l_I0M>tb+5:jه>>m{mnv{*՛ z6na:Nz6%O7TNcwQ[D 1vZ=*O(#xja4+zJwJ g@e]du^b^Wd_ΫoXҀ;Æ,eSeI# .m]Jo#*$1$Q <24f3f8j`"Q},QE Jȁ_V"W{=#Q`.pL0M4eYޙv* ;-m bHE ioluT;G=Yrs9΂lm8 Wl"9a;#p `='܆fҿ̎ HTvGnKZ,=VV_tgn_AɾwېsɨsmΌ-T׹.'-FW>|ҤlWqu ~D%%-*N|WzºH 4tV ^&Z.}/aYFԖ礷 vf'`@SI@ւPuWOxJ (XyPeI`v(р7b*A߅}˽ژa0;0Ny DHw#bHu+1ghRlo7O}/XnaV/bZۍV3YI 23+icbH!P)_yY&d~S =CVض0n87.3p?Ko$E6:>qHk1 &QFLɼ9}kn{Pwj0 LUJƑyoqu=m(}#% mI~WWbOy7o*DqXM˖ڼ͍=Q=~ p+9WdN$EZAIBk2zRLb'vyD>n՚ΓO2;knVU~i1mǩfqiRd_92׶_M5 &I["ފip .aG@H,?7(e ST9P# ߝUz|J|E1N.7!..^} $8(/lp+qug8D]})RϪ}w >/VިJ}@ķ3V{ 5$bN`K  %Hu8*XPA1 EmwFQ1WIB_ 4hȊJ'}1ʌL0 r+ }iǒ2\6;-md"ى`>h6,ld?Shyi`ºIk>=@DL޶f@霏B[u ,pA:x ܉Ԅl`ڏ.czHIwJN2Z1p^4 ew#yMW-}?EL(b>~rW*B.4y&6d4VŜW( .N:֠*|TJ8*4x\Gj1}/u=V4vY8 nJ>Ď 4qgBar^qVم>HbEۨ'!Y/`4>*m *P=?@=F9rkPY}BN>([".0 ?-q)bE |WduKd5`+.ohQ^`ez40{ sIļWZ0Oc4-CQPp`AZcR?$5.? 
^l~J> yc/ ~wF$wnn9yR5 1OHGs5&[yN T–a/l/ :0YG{4*&/UN3-9wZAG]|O"H_ԝXNg5<-Iy ݚ_gY&y +ob~BVf y$B1jMFiB&ls$I:4`ϔd)C4s E Vt^pceof|eZ8nF engCKdPF;!Ȩ;q^MJ#S6ce0>+ݺu:NsyX#YV;$p&Z"UKYxe]>d.nC [=&\Y=|4~yQaȽBm`woomƬgg%ߥI&ΰO €"#nPa[c )w]RRɀeSimfL>Y>]QCFW!Ib媲G7 !| ]RDz :oAXVu1Bs` [nR=%}&d| qa`ɚ( fzgfl9cE6"x.i-TlbHnW uYݪ"w>>ZhwT;`/nd Tz7ʡjDʎH]i_\*C"m-uj*(~ x>`~7 P죯1w#s5C y^ j4#^\wgW[^̓-umR!F-rR[>߫( (kW&Y2Dpcmg<44+ D-.(" d7vЅ$Z.|cMh9FhÞ-߾GPۏIXo/!3mCnB@})5e~䟏mt11+yz+!5C4 gH`$bG y[M~tHtS,s)mΜV6eAZ|^OKH8NV i<7\',2%=~D)jv-VtxfZ&=.o-"L% w!S!3sًJs=|Ub":o8!yE܋|p/Kԙmlu "8bo#Ӝç5WNSA ߢ[@x~6FLXY;;3_{bAIWT7۠|dL3p6 Tv21|".C&5ھ!5P` 6af%~4 ?ޛH7=I#yw>`,w&1t+8he[b RAI:gXQ\! e h53Y>&Ah-GRwT8 p{*X!1u:@ON9fgKh[peA{$ A\_G5B#Th\%l5 !vYhgs^,d|e7۫tB'~LgJ=h3%6'͹"oL1?}qv&S bd; q秖6j>#,`];>_}f8uC]PlŰ}yb{q|x&\%q1(]hv:p:MU[]f7M;.~ kFM,(`&C̘);׏J #q9 ?A.>гlzVp+rD(l@6q6 9G>G2szW_ um¾l QJ(da)*Cc6@sDAB1Yߐ5N`,q2WAn%x8ؙW&r;̡z†N$1l:,vpsL6?P|\yeW_̱c!V~7P4.dQ.WeltqEFP *NXd22j-C;M@̗`/M ֆrD*ےS$HUI}@+eg #lͪ[ [Bd8¥HpB%ٙzýC: *Jlu\%?Z+ xƪŸAa×*-@Y L;/K콘?ū:lsG:; 23Q9.o.?5voK\NG98w^"2oa!#8Yۑ*cGrI@V2G8\hv$[AѣVcErB.]Y^^ @ٍ̢9Ѱ. Z ?+Lop,="isf`jpTPE;q_}Hg }rы)h#m+ uz}P ;jJvJ05a{9'wҬ\2 Ꝣ ; g*h)22_c$(BA}[NO jfCJa"F>0J<)m<Өi H r`eKohNYM?qUGRH>z­3))L&՛ 7 Ԧ3O}%Y˲8a"kkm9[_,1&BIDօ65ZV85Z֚O8w5|2=5,ςH7靄wY>Cdr@i%&|E 9̿E2̓,1}n+[O3f%㘀ucH1,5{_Y] ؄&G bbߓݴ ߞ[U'c`Yr]"V@䱾uRďن`kWE3.REۏE@|WRP\0={*}҇.Ç޲ַjmӆ.R=7!,l7:w%pۂh+=k&bS,/N[+":*~3mN]eҩd_N(MLv'/+$KՀi,{XǠJ"'̴b$KK}fBI_5|gyk*m#'dž, #ό{ϩ̢w'/eoPC2?Cp6IgYYY.t0LtCq(LѸ^媭xx{0 s Q;C%Z>ʸidU?M>md|9Lh)jd@"R,. 2y% US>yv6a"mªF$ s-7s}z23__T5mo{ڧ#(.+Ȍa^3Μuo %E!E<‹S8g=%L~4]kxɀ ng{kc#;tՍ7>? U'm݄e LjL}!Znk߾mg. 
OcW@&>@aD; <.Hl=rKص_E2QO4/: #svdPFAbTm޶TKSf7d~?J7Pn$Bcн'+4@i$SuJ~ I9\w-/gus^k^!ᏻxs\`{~IE9値[zȫ:J[!nnV9Ck|Ч`%ɞj:p4^p>[6?Mēih Բ?ϵ[bhq|=&p9@ kKK .C|YmydN< s8 ch$B# -l,$fرZ]51'm)1a8?7w0(ƕl Fr緱[2F[$njdX~ _\2csbn2y' '?ּSo8^GbxprhW1l(d`fO"yIvkY EU\H[mϟ|{l[d+֢Ofqcš ZکA+LnJ=f{AD>hY KmCR 7w -Jc)!Nz XD{XʯȲQG-/Iˀo7J~YJYZO|Dhsk50̊}?4AޜR6(`LT\vHH3FuW1em152z&Gn`ѵ9LKfaByĹ[3 CMjI8j` zꨑNbQji?Il#MEZ ;0̗GgqgFqSs@Z l@Zl/4BtXxB~r6)+yu *IGGM$Ed+k]VqkG7ss0dO@&2MVH U6+a޹ڛʿ\_[D>LYI кBl;3s^9KŪ6fJOXf &@U&Ɓcr^=e irSP .mzp)zi11Uػֿ'ꜫ_qP6gIk:5"9MqqW+/=O 1^"zY9Sc\ëur;hC\~sc5& BR,Ӑz(Jw,3+@oB7;*Yz4bAa)ErʇpD~) r^,W_'"@$5$}Ѩ ]%{LE/f'\8An0}-L;D@Ujzu\&v3w9nP9'ZKsQUj8䅉XϿuB ,Ąv#.;m10}8Rq-bIŦnjĒk*𔠦áX?P8˽lbe.`Y.(e\72r Bo- 2'c]WWa,˾~iq(0'$-U}4bGX{wTx *]b=$m;hr!lڶ!C *_'/۹յtA4U1> T >& ;~d|3lkzhU&JifJƴ1/ubNb<]{)ԯ JΏv_)@`Ή<5>/B&akՒWH1DpM@eje !Wu eņkƂ9$Iw4%}PM{Rcss!C@) eGШgl a¡ `ϸ ^Xљgh|4/o8D+gdF3vd .#!((?)'A #\Skk>E+{rn>X u.2&'ß7^ELSo;X7Ć]%Pe@{F(*#S{%;;eۋFt"{ VW͌Xv[p1ckĽCsXMy)6UarT0OBӻlrxk"nomNl߅ =R`.Էb;pIhW;F!%I jaaz\ۖ0nr=Iߘ謡-h]J~ma0J #%{ũF6~:Qk6b#0]=syt)U(d{|[>_ KwDCߘKW=fAV|R]Iqy fTԍpb+o#kOuͤ`ivxZT^Ҫ1ӭ>8LA>Ζ^t;vaS4(jn\-``C 7];Or&:ic_Q0k ES*ڳ,%)mcɪ =: (_ŏm HdWe~O[?:lWrH`,<Q?g֍'!v9:u|DUux@g56 ꃤeT@~>u4}-xbO3a\ vY1m[uw@2˻WZ&}uf-.j`^ jϑ]>cx8\fRjgdW8X~Ზ^iQIKxwZJuǪCE%1l̍aB kVJ<9q?#䍣 <( f!{o\/Wq"Sƚ,!Չ'0}19.Mk~!Rx}T*ZX -~ U 3JJZ me͕!?G yoGsk>\[˒ʖ+L?;aYV^u7>!< - M=r7 w5bO/,:{z.AWGGLrd/*$B\\шtxO/UF+/xg/:~v:qKgEI3-[`D^^mlV}Z(dB /Ԟgs m=cEQ)? MӘjAߣ6ؕLCC8N21ӕz6d"@e))b|L-m|GmwƵaA~ %nfwaϞ*%I pA4#0'xK /z-DN҉uxQO!$g ,;DC;*5$uنRJSei ^ FIE…k;zSYePĻ%zIs#1-LRE{W JԩW}ЎW͉`罜Qhp%[__?~F\!9xN} 4>!#! Oe^!˝,lŊvޢ><$[6 [\ygg" m#?SI! 
Y۠BpLm갱BdϑEv s\9 ( : 2YOo"HS{_S'֟t?G mUY#Z,3r< UqCE!J˟EY9i F]3҃.Ndtj5 W ):G'j:GkWpKPZa3AHbn,ՂEϝ3wHO’?wTKS2mb`f_øK䞇?a狺/p3u0GQ,p?[DgQoD!4>~Rtbgt!`|4n#)#}6r7boMα4mU50h-{%88Tx e,M:nyC{0ՕĪo" nSF6Ad̔|38{P^] RU3k0yHI KL7K@`L;5`.MLi 4&ᚂ HWSZ=T4΢Q$-7$%97IC+ࡦ~@겚N JR.E 58S {2 ^z|v {ɯBD4ݡk{GۍjʃX2IjeU5ܖ2p}ʊ0)`0Q#3/S^<7E˫ElR$0-={ִb"bI8QԁΊ";u[S~RЋ1<+S{P <D-aԮ75^єuP~tBML3}НetygMUP-c[S۔6f$nqZ?%ҧ؆#հ\-hAE6KM7Cmw7k*Vlm5Zg!KwrN*RL1n1} <"Bxf-3LZwSV̺iܵBD-Qp s8 8g9H@^}0 fuٴ鞯 u𛢃5#\~ĵr-'7T -N:"$yo0uxk#jο6g+4;$DV 5̠ ~4/S{~_ ¥d%1*=߲50jjŎ1rϼĢ&mh1~rlmOpWCXySʧ=MFXAB~@Ӣ<ˀ㬨JQ9$}Zֲ!;65ݑ lcDnE?y1w&5!?Ͱ#JWGnٕGnm-FOGrlFܲECiOdn!VѾՂ ʺ eLu4bHR @D18N*Jhɹ\2'V q:8cWyҜ::YtSLbZK Oh̅АgF˝նLKJPXh噮 "T'5}`SDݥ^5H}N ^U4ǡ|3pK [L϶0䃌/>{xy8O4(_,T0/=5O%<JSMJ?p9BMmuV.dT)qB߳D4p0W,VX1moDPU)WCG0Rn4< zA۪dkw2r_" NC]MxY蔡rخITFZ;hA3ٴ%neCG})-8t]bbr]W͎h|@H ʪMB!d-@)vmF})WN Fs/˷%!p<#e,~c `vlxF6VJX?Yv0Z7z:i^P|%(\d)wN=,p*1Q,jgٍ_!;=a+1 M-,DG2@:N-`ڝ0C&3h/i'T,r7DV4rdÏ8Iǃr_,{DSp[51~F/B/p t>H/m=8UN;!7#J!5"I4ZKMCcy5~S+:.ru̦/pOk<ЬsWgx%Ȱ<#}z/hKL4%"6GbP<\^Ou\t,(΀h=X=c51Qv^]z9QaIb}9K&C܁Rpun("| xRʡgX*.rI8mމIŻC4(bN[miOlKvǐ#Ji,GN" sn{UPH졳 +֬FsTW CrY,Dl; 047Ww 7VJ$v}l=Zeq(ۂH1@ Db^, 7/QOAZ'\oj\שxzv{,SNaśorj:޷>ZȘV.|_eD|w/j46#7|İ49bLBC\3Ƌ((vQ6U2WrV!k@+Ʌ^7GS:?f0b1,2xr:z5ѱ~ ~gpµGF-g'ćhAN I+VeJY ~O/#E煂 d''5Xaj! }pg*آ)A$ݦArqoDq ՚Ơ8&GB u  FT.Px[iG͔楞uC~m$2*j'w n"}nn%q~@~`QSV¯Թvӟ<З`tvY4{ G9I$fS7 à†Շ|s Wޯ>O뺭cCkG~zߡus4^}LNM;^@Q} YDnill1jtOp+*) P\Vp7f^Xt@IwLi.k`_*_ aOyU* vn*LdLb ߷>0&_ݙ-\~40t4RKz1 :Iؠ~˦«y'q==&xQ0e"(閏8I>5,$'poȬ R`l(K+8M̻̓@!kuw[3K7 O3L`&O H}X#Nea.&JF7K%=^GePgV>%XB5dHL̿4jv6h[vo/L.2r!+:9jo`6Tu@A՝hʼ?7}+!6Hz"*T=]Yz褃 2}Q/1^1Oɔ܏u۪x͢3OeXB9 @5AS1)J&WouU hB!:Nz=a5Sٜ%OeR9TK%ȴZ b3;#Z\ڬ+ъQREɻM \"- M*Gl39));=>9;9_ M:\6@`Uov.ڔ#߷2h4@'sD$' 6`VfKӷ&L/μw^'LʷN”6 VFqFwS'E( YhcFe۞j I4kSd?Ofy>IC0!wHݮte5pxGfaʏV: %°_]M鸺",*_A>DU9]|L8A_vK69u3Yl7) ֶ^1amy<߿2̦YxpB?'Oa:6cnYb .UlJ,dӊ7%eONbl.!8hVƷIiI{@0Ome+0KhK![^ ʈ8T$Sk:Zә7;#J9EDFӉ`ͳfLT//;1"_>m(܌X*}CZ^CҬ>x@*l2̙ABA=hVuŕބ ԓ. 
SbLJ~t#n; ]N҆fۗBe k[ 3yyҳ6CpnDv,jG(!n?=+\4-m"82%Ƽ4TH0=]:*\6 K+Z%("Kxkr`{*pKK2adZSKD,є\\ h҂մL fN( #*"I=LY'+bPp6v}#VNcf) X` Eec>1g!"دBv?Y B|(˅x]*aZ`>*qؼ5G{vW ĝb]I dlf#|Sx|0SlCy,6/sUhxn,Pw>h~KNRr/yE{J+8Ձ{ⱁuh)]s9mr8r)k%T=H_ަ/8jM˝](Ԍb/g'k3*t|Suc؅w3'P=+bQSw+\5hHv5ovaMk). G+0J@x<:2w/|#z} f¡:_˹ttil0{$ |`7zR%{^Qbx7rAnY/Ĩ_'opd G0 ְpI؏:&7CfZ9`a u2!wiD=1҈qęWk`1 +CG [.?Y)i{*{WݐvY^P)15*Njm5 Z=kRυR R k)e8r>I. bCJd8g*AgS`eIha#W04ؠmUӻ0L)2(S}k֮ ZWoD\% r@ &`b݀S+?^ҏu4lk,;A$'xpFG$(fx=ע+vU':*Pm/Naũ6y+KϋPZG/nX[c/3G$c:eDN%Tϋ,ZuPm YdHr5#g( PgFlX8#B]pzJ8S8ʐP2 _-}4ͲB<kY9?.0hJgu>ba"gHfYR$\VMp Z/*=֬5b1T6/yZ3 g1TT?3M YJu}z|4'qTZb~UmuC&p.-1if)D RQ^nr(;cG&`귦y=&<$7F/rر;xt `I/(U=sØ@BfLz?iҤt#| v=؊ʒ|+Szz)l$H!2\5 V;?p©OT*yܳ9wk8B1cQ5|E&Z~IiDzMnCұD5'Ҋ':tw@&fzс!պM?eVhf.t9kHD[*pL64-7ͅ1WG7O)2q2ԢO۴ ip}D.uT=}4˩aAV6aE2ğ.hs}UbqpOQ`qF}0X֥>,j#{;Z5gi%7m~{%t@{{.Q0 q_z2j< L+mM#5|NBVתMU%dX˫sR4`.kU [q|#+D0FaQm\̄xGnĵ]%1锓Pvx^fX|l^6/mS)+-/ۼiZjeK;Eqk Oy$7bD|XO8uC_NŰj4uIV ;jҗmL| u 3=-h 1]L 8|t_s+c(_㦙}-VfBX\Zɻ[$ǗvsE^ oe0P2:=%f, ȿ0cia_7 iE߱ 8懶Ng;^ ˸ikA8Kns #ZXE>1h%?|bt)A/g\jzXvv~ M0 wp7>ExvwLȍ$#Mfr@T3c%POʗ˯Uc(rvFX D/3L4Fho䤌5Ɂ}3[^Â\+WIe& 5`<ܰN, O*ޢTu#cn%̺&ǚ4붎bƳWOzfȿ&7? H݋#_G`_ 3ttGXlb \K| i+~s)Aͱb L?{E2폺د nI7/]'_T*@ro+'p4^\ erZy 2ߤƤt-LJ+!ceYv`:'nZp-LdaA&Ʒ,RnyVe\$5zwЖHI|'EK$qݳhu›I/1~kژBMٌQҤȺ?;n]@RSוG6չ+G ۅ`8gnόs49X>2O%O ͝qҡ1/OzҪUYy'+8O1ÛD>P! 0aRc.o-; hLczD?xa/*),8yq*E*(S7+31׶N`2̬cVL?+?mҵ k&ų$Z)ps9l(un@Q-h }[zxv_xxgaR >[ !j"6&)A=Ee=!iq>M~|4&H"L)%l6emvw|a '%DKX=̚b|ej)у&SZ$ڜ7hK0Trvt:YLN-w ZL sT?Y" @cm ‹ڸE piun⤔6?:{u޹d$w.t$Am&O|̿RM ܮٿ5qȠGXyc!k] Q oȧ. |zQFFk;ܖsMAEضxS^1;0t. 
Fdq`1_>R>y(QZ4܀Лt u'0(=5ϏYOهlɷBZ KR>atYӋZWdzEb"AT%Gm]ȉ κ6`&hhp?,pT@ce]mT<}yMV{L`u$i>GJgIcLS&sDs3{ ME6k5x/dSl)"QM31ۥ8Oޟ%PT 1ՕkTEGK8dkߺUU]EHsO>TFbNEF%\۝9D .UqPO>/7p)p1<20b5uQgnccI4MхTrH8La]!Hyh#)2|iD-ʳYu\qw\RSLJbsLd^ݓ-Q"RK2O-VU-~bu4c͙ܠPh:ncI"_uM>C< b'gG*䬢)B)ێ.dK5zxbW9"qxɨCK{SD -=c<,K8i ra rVf&6P/<6{`i f!SINb4aJMb{]aADvjGxOsh:FBD'뉨 |!]_Z|;V5tfo2k<VA`[TЇ;WX#LQ0 4vV^rz,m{+ P$fJ[f e^BʱŅ}i&撢ǹv2FMz^q\kdJs¨.D9YLHljd;OMrt'zmagUzJQkwa;g^nR$Ȧ-e#J5!R brK!'Bt* ^:-o%6U&Rђ '}5y`ŘcQѹ" WRu)퟿M֖s({jڦO%ŝvNSp [ PO}X ']sL@n[@5L" jqoCxTD1.x䕣5 O;}#]4'ftsf^A#=9qNut2,I.=U -8~"5V ?vPk0zy0;晖=ͬb1gnJ@rI&wל,Ik@}N’6)ɣ۵BG3:. R_fb*R}BLIi| G3q21*<*iKv<J[^Zh kґ~ $Ψ12.N8|Ɠ4%B˔mQfZ҄vbg'{9~PکtHl$LH~fFƮ7zh|r) 2x bL/GjOYu}@^BnVU)Bi}~.=Gg &%%!eƮbXBȔC4N 1OSTVd!ق0sIe_pRPMD 2?˱^Z$ݑħXp[/4 Vava6 i\pmx[Iw?D*8GJf6 SO/@;9x]bߔe#W>.eh1ֱ4=tCe.8a—; dviIW:gm?Ci%P*/)pPh?+ U 2 IRj|*Qqw\Bޯ@ŹְQ'jSH R.g5S{{$ՐՎUgyh(T\]:O_~B0 ->jvL[ٷTow+dJ=ߢdgj1Q$juT)bD@ HM1MUP i !a^\\]IpC ڧs,,$Z@1Ì=2U w回9r'Af0)0V!^)H. &26y֗RXDB"&@nGMINL䎛&ir=l6F}wwb[U5J$Toó-ssZ><3NEHKj Bo< :sL,}[X2Wlo/^Eʷ4A :@ȪJ̓N9`a& \I8ہ*;MX_0]aA3' 2OXHP2Bfw*ѱ?ú\ 4wb^J󴀍4j]M\8nI*cgozjPH1!uW(qZhywFcһf]+WswKݥX|(Vd878ms5ՌUj;X*3O{Q}Tb:^ZFx< 5TIȂ].gQKXiUHnRa.ic㗻.-Aݞ}-+VcR3.\uC#n*V*I z~8wơg EZ's i`z*н$Բ[3Ţϯ:R^UdagU?l]7_i{U){m\F-2KZʏW=I*3#s 'g2QtV,Ģ!7HA#g x4Peg VcuCA.o+`U GX/+$ (ThOFIi(d8h1։BfOp Y0/n'eˊTzt6a|تxobWhKYӄrwDzƝ,F_%ǘu:f0l+ ag|툆R:6[_r?'œuViT\ÈZ~1R3ғWjMItmfdHQ`ٰu,Q#"꫉~gYAL A@=Z 0n%OsAN2B=c3ˉsx 4 pA86+xC;*q P!0r1s/7;XnˀW&RYM= %|f^vs[h\TW38>*b U2tjh=e%%g$w[ZgqL iY:9|8 rX &71.[LDRe\sh6.lp+GeEURFN<Ϙ]FŎ-3麱3c`DUT{I\[\D6W Yww)E%j ;κ \~N`.j E۾ZVAX*{LХ}H2O({r[/פqnѺ-7٘$x$4K!$)]dsm)@Mf `J@IaIa";ZbLsJjw$=X*8:+p !dbX9?vzc6b]6QN`]WdR9_ Y;+$Y>Dϲ (|+\5|oӔ YGi~4hn)=5Gld*5@D!cթ%%칋p7Ǧ~5QJ[IhRQjKenU϶騌f͉[uZkņ7׵WQ7"h )a0+ّ# VєޣKTPL_X=  W'y_0r:Tb9+r-qrz$IsZ7ޣIN1Ūq_ \o@`%^ k7Ŷ:~a1ZZXafYA@+/>^}]H&\5$pQ@Jd_F ND{st/~(_B6xA5"T[38C4p:H?;ۘӿj*>OVO1_)}-?+IB|vn4Y8 [v>Er2 E =Bt q]$@Pa6 N% nD~G;^x.dhiKxD4Q{sUlV=(?BԄ!`/?S^ErXNlbkE֝Xl ?&.@ oh"Ks1VFjRrrvD\<<ԣȬмې"lϕ,C]YhtE1"BppJ(ZM.s +c.1Ќ;dGK 
B^hZ9_L!IR?<Q<<in>3J _kc;ceYvol&Õ}]Xϣ%Tq;޼fM] 4ޫ@dBa2(n*F2H<}&gs|ϗ?ziE>c䣟z& D71IJنI?s6*2-䏽%T8&-wz0M{x%ڰ`'e4~J5pyf=ү)Sd$Q^nIK\}{5ITʻ~D4"ೂS&Q{FG*%:nB-},ƮF&wAvnLłñ2FS'C` =iNof|}n!+K6#PL=!41Gr( - zb1mDr] H|EsED{E'H.hd?sko;h-t9HvjF۲XaHpnVuF~~UO}$l^NğʀY׫ 쿏 ">ВL-)*Q$ǜ8j6$rKs'J"m?n,u!W0?XN% WL*p nQ$-:^,׺%||"}#z"R [Aުd Vmʗq4%,f#ڧ$L$:[_cs6j-ڲ>J^ZǤ>b5Wa˜Ǐ'Op>o I Y"`B~*F_bQĢ1q&P`9+AP+ᆫ}ۧ]*?\0T&mS9MB;Pyz&ԚR'+LT^ump- CL24- r3:6 ~A:[TDh&f}u=gc/./Y?hn.eW|5Ոr6gAj#sAF#]מE} Jefe̷T5斩%@= ˫ yZ&pVAٗhD64띶ce);6T$Nu*.dqIppZ>ajokK~^]<$OM8LcMlaR̜ҬKs?&HlG_C{فĿ8Trs)D36U@Ђͪ8er=ĎեFkLW`e~/غO4 Ff!!Y&JUOi$#A? ? A_Y5\f%,O-[dq.4Y=gUbhoȦ'CG>Mm_AC9_9 B%cq| oh3ocwg MihFWK9ly>+fs/$(/k ޮlO)qwI(!&$Sd䔛3Q-#HC)VϓPUFč t4Î(C ;MX?6 ښefb忻-{T23DCFa/:.B  >A7ngFn N=0#,'k9!3>aHg2+uA ҢjY8{XEO gh1åTgo.Khwr`/XߓEs;Te1{Op,)ܘGQf)7NOdHua4Y`?ܾTf^MJW >5|҆mp1*.cyVȆХC}t-4Zj{\m%,7eܚ#,Dm7fw-@a)ɱ%c ~ȼr3t7@sJf ˻5Xu5IbY)9km}xu"-R}#GR˦ (b7T jpj]T=n_5wdD櫙NylE2yhѾ0ipe+BT]>0?UWD==ȳf2YPn١\Ǡ]cAf帠̳UI{W0UVJ^c7aϦs#LUTlH`C4zzq9u*Р*KKw(eلCԈc!hZC3M U0,V>Uøτ1Wo4GBMBKrnݧMP_g rrǪ_ZDuY]x`(.a 8wr81]z9M-"-F`Aʡs'DuaLAޗ3Y.@oZt$2e0A=bL~'Q3".&nh1|t+2 _e0U\6ARӥ@sDRB#D mKkي 5.}mv@ĶHm'"d\b"I(M йO}kjGb/yϪnZ.MW YhSlV0ΥmKW\s#Cx@q2}2I#hŨR:yEN6ĆPɁ-V{|!٧ zc<~۽hiaP=.e{w@Wu]06%3Јp5Q-e3Y ^buўc†F0yhЁ"y~V'հa .zؐ =S.Iu9t1 (Z)Ɋg}JK<$[#봚Egŧa$4j"Gm *$徺3T(ᡊ ǜ}J7I@#^@ VeYM%}o:fՀA{&aTBJ8HoB)qzy ϻ-qn?V_:>?Qr|k1zQbtE:7fk$|kZ?k8?P3aD|׿Í`D+/}㒰R'hbGqTEʨ=gV@VCG ӱo1y75djbOuIʫ֩|#q#1$)]28 +,ec{owXgS2|Zq_o+-roD"yڥY!igS,* ys L8DITJ6{xPߤ*l89Tׇ^ 85ΣhiX eROR8ʲUeZ~qlGe}ya lM{svh\rg ULRRL8`J3>,{7_qGo9L;kY/m$j㣤m͆u>WPB[nJIJ)M2",uw;[ Tkh*qG%(A?qj O1L vBd/d3;}x%'A;}Tgw+V65%UaAWLt'ބMՇ\g66pdZ<sn^8*`ZFQ%GZ/#!?Mf% 70 U4jwsKW[,= ꞷgz>6NPm=~ fWL"i1 ж': |@e1K!gp# ^\ޝ`zQZ5]s2_wE!uT&}3@$U"47.OKV ;7x\2];?,V0nbz^=ZMƁن+הݕeGg=HxOn}),֨>D}e> FH("T)No пiLX`n$ooZgR~H,1u4"|-Nkw3d7Lve !R%q=΅jM&]v=GRVP:UGu5*pmKgBQlc;mq.Z擼h̟0dpf.n Vm=ԉ7%f`]0%"Wgv?u}f^W'-,se;5WX& >K1WO;VB .K BTҖ@'h1b|vؐЗjq;/,}7g_7v+I DLFհ>GC\ÓvqAJJN$9e7T=Q;];OALڮ MJLتhN8b-#tObZȇ,n}JJVb{i3Ypi v&X1j)DlіE_w)p$Y˙Q?kyIGHWZHzx[RD ܬ>\ǁ[7.' 
`:Ic DM?Y FYj|4CK@ѻ2rOks$2`ց)FT%*ǜ%N|Q,i~%e |֛H2hn&]:ynY >oza[}ga'x*){I{Y/;}w0*ڃ YsmI:Q"`XQ0X6ejG_/JQ!f3)zmuTmώ+'#Vuڅ9Dyk9_q%A^*4x;$NB4W;"o@W5: E(=[cg;'jU %hMO& UJPJ 'H߰eeIz<wa=3I6EWX.4^?FCa8 ٠pGg. I/} 8v8<~'z>T1Vŀw~2wLOcw2(A}GŢi´Sdnx2')&8D$U6(/P/z /0nbm./!j1u(.rm,ͮ7)dB}yp3!>?K>I8C|v= OS;:!k-Щ(EBԻWO80$1̲RºȿdxUa]:kg=Uڏ:)`vw[t䙗)^|L1{t#nOta_[Z.Zl_DGT̋|c2y K̦S?q <*fFpd$i/7!8)}|ՔJu8ynt)bgl1++7H:I342(5Sݗ< oh+oѿAؙw$W]b/xy{ VPIrKktIViy/щ ׽7##U<قij8Xa}rd*Ё)Ӫz2Y_XGG"Aب)QB-s>0 &D\eKvff)'M *Ъ8EUg0D5DIA8F@- {v8kI&&38s|1#5̰ViF*5yTQxuH'-;֑̫ 7e=>A݁Q[`uDˆzz=Iē+%SgD.^B*ЫV@?qW7/}5wUBdt}.-Q)\mY rsd`ުh4K;( #Cзl;S\_Q[h#'xMuZWzDx gH(k j Jho?*۷֩t3XL=t!z9 #nZI \8bS;`Y&3[ѻy>Oz|0_[=! TncIŎ&İpX⽷4|+.ou] M xFeʺyc+}R RF5;[~UjA*LU}kGN50EgZ{迏𛬉PE/_s-b "F7n.BJwpPX7VrǺ Gx+J_/;fJ{C<ͺݷld>fvhwo"POZ<6NήfT׎5zԄ)|Fpt[Ǡ1{]fĔEi~2&hc*yc!ƯJ Gy߇F1[*V\sIs?qB%)RX"]C~ǚ=쪀WSoAͳ*AX{ !PԢ)c;NnK{_4|Yׂۊ^h!xfN]t!DJ)sW1%cwfm,ojTO|s%PCZ8趍̼[0=<8SS8B‚YG]6gMD7J-1ӋrsDN0]rkpVn9_<`-X6 V <2s{֦"z5z@[as^W?~bsS詀YxOd\KF)cLP㏟+W02ݔZ]r SGI NxqXt_.eH`kt:qvluc@ o$k49*g+(}y 趥ЭfgADTLzti'cD-"^U e~6::b*Kao5C=Q8/Pl}Bc˜!v~[DbA,RyYq[o?@ŪkZC 5݅Nȳp?4^m,i`cJtlަ8+TPT6&Ϫy-YRsOEe'SsztCP͗p'}ic8.J⺺$^7 @V9(xVEqOEl[>wGOwL4/㲀y| UVǎ"!<-QF$ 6x˖](Ֆcd~txEae{ְ' GTS8ξ#ij-*!T'E!\/Y5"c,1ҠO_**٩PaqL~O Wu8[}oXQwX Pĵ`1ƦR5310/$U闕fSTu~& _"#@!<_1g(z}P|OU~V+ntaMfn sU=9h@&^/m<8w.W$Q{ q5ygF)G2ˬZR@OvdǟawXUZsj9Ի))7!Y. 
>8@6_M FPZ>F^Uk$v$5zpg>z"yxU,Foe̱GI"Ywu]OFCJs‹3E ݈Xi.bދ3=G9Bé}8 g(h#E(copiZ_Š.i FBܘto/\%oZ%~cP>M2X+4r(~(0r4,O Yh6M9ᠣY32HkB^̐>  gXf GB@Özhaԫ"_"olAq;K YMvr RWNKuDJE*zh.΂ |;Ti~hC x 4ܯ`Q08F|3^CZ`yejw-;kX.\sk9+R,X+bn%[6UiBk`znqq ӭRaz-Bau r*ݛ&VMf]vICnC59XP="/?j/p& S݃h=m۬p&737ADv7{("=Gl$KoYmkJo-03)_`*'Z1s~#?g-CT٫EҢAnPSf ;2و v̿1,pb~bȁu&R"ԁ憔,xz-\w?v^s˃,@%ez)ImW` #  ~ΆbӜ+IvA)CcAc:pIk̹hY;g|DrUAN` eL3Ff+ac7-_awxzCvtVk k1ޭBI7m@$=FxW0jXfݓug-VI$ީa8pSmyG$1̒}BNbaAz2MyDY5@x7dX= wnPxM!j)l *qKFת۵t#FdixuT,]]k"I6\BUVsec&JYk6k 3LQuWJ?ٮÕO R?$>{|'wW1_ewPa\r.pWR|Pp.eD?շU ]_ ^cDkQ}^S6~ªyXD=j,&iW-G<]tSuSKKi"cʥ/5 }b9 ̌IgvC z'hL `htG8\F!m|'<-:'m 9i+ /Aί$M5Q Q..ٕA&TWal9ĕq0 ڮ䲶;kOfS:α?h90JBóڧBuGCuHn@OiCmްOa+arcH.ҘDӌmE΄%K8O cݿ(Z4/,d{"‘xXUyE VeyQht,$NPєBjArLH ~&53@&_ <&hM]u+(fgXE(uA0}fQb_<.9m8(pcA)Ovqfp $@J/n[3,j (q‰7׮:FB^.!!u^ft%2G𣴖1Ќ@xpSFA>zKs=(Ǟ* g|!*2:r؀'`C$\^ם^5¨5@ڽ3w$;:85"\bn\<JRn\#:ԅ\TBeW>JA y\E nQ,^uy/(`NmJRp/4׋g5eu- IJ=5~(&"#}>B9Ojp]&uPB3* S"m{Dxuo 3MCL~)kr"U_[r51QVrҩ"vy/6D^ gbbG,JjCGoXJ玳]ilch/~)Mv:dPͽX(x~~|Z'ҤjfLY#J0ݾOg]5ȼ>,U .m [qj1&9Q1ø3/C#cL?vS, j JK} Yl*6Wiyʥ0l.xCueXV?Ⱦ;ʊD+d} {༬oG\7U|SfУ~2&c:(SSjM*|PfdT4Flb7΋+ `h0+m"KzPP]%5#O2 ʳ fg_ʃi.!@C$F6 tugR *N ԒF+? kꜪl^\'{3+wÝ`'wd0/kwÕoOIb]Sp$f3ٞu GrL "5zOXr߳Pi Y)f$+S-5k:µO;J=p ZF<Mc/ݙ 2$>J|0&g8@r#1 Pth"L[FۥQvT.ͬ*B +cCBW!*=/߿Hѿym { 7Z b{fޅO;AaRO1&j[]bu+\1ag5imsC0uqxڅMxA{ΖʇbOێlOW϶@Po O{Gw\DHʂRR'5=  nݳamkc\h 'A尚dnma*9ocXȐ76>`'soQzCxX;ЭX>5q tkto<FWiwt v.#@Q*d_ʇ%'c b$~T t*'XJU1euȆZYD(Ͻ1"b&oPh !{õ\,L`ڲLө`D$~iP'Yٰ=̱FߛNnBi) 腮 s<{ל>dp׀E*ƞX x@5YC_MvEǺfAJL| #L:I:ҭ_W[32inl*z(~r۸].bkM|FȊmn$9]=;G|.t)qr[A㷰ģ3e`c;[J]IQ9*gg_Lk^ߤנU{?t?^m"JD~`fD7Mr03<ǀ[kTZэɫ5chsR>$M#޷T4~ T~!.I#YYI.&FMlFۦzaCi NRY0#S'ƻiO5&A^IgII)@Φ\ yO# 0ݔ ;Wޗ2c1"2u4 zF-~.44xGAaa @ Ϻ =׊\ @aگ]8l)6'3§5!sKG=# 2AY1 hy+J%;.j񑥿,VQ@B@SڟVV9!Z{A7BE!]::HbGF)ָ=dBcns::˵ +?NUH.#؎26e.ЈeS_eۯwp$LX~ ;vRg )%Oa-3ł]ɣ 6r" ?y/̒kr& 2hzB&u0w!m{qq2iqxՋZ!^BW:XR)JUeksV~ѱZpK Hxt[ MܲBa8Pȓ4q.ۆ&f 1n$T: -PU(|%,h+ ¬+ #}mG ^e]E :UKd Ys2H^Kltr&|e;}k@6Wu7MM!DEK Pud G6Op5cmf0rdeA؝>5ͺo 7<̨! 
kk-]FaƊl6(nڇUOw; lQ;Ѐg \;xYK5"9ɗOd[0a(wINS2ƃfbRO'W;GFޘIw2K=ok@[Kv/QH_ӡXIv44$38 ly꛳t.~wh|W[\zZ KпK(U I2o*\Tj( ɀh\<-/OS >+?Il5{>Ǽ'̿l= D?&cL v5<]"e+4ȡ`JL$zɳagx>Įh/ɓJpiȨ*!$Vy67Eч4C~ָ;Pl$ 2|5'CZ TtLie. y0? --B,Fl[$=ʷ&*JGȓ Yh}͵Sn^'XarĒRolT#4b ܺ oLpj~+;=~z8]XøF)ƱMzoNJ~URV(ZqUcsɐ󇼦 xphVE22䤳字hP.%pxbqP#|͔0o υ oo 0% UX\}uxe2(Tq,M0~{!ɔN$wv@(>&iiVl6-0Xh{Jf". u$nL[L<Qނg$%> ~"Zw8Ijj'LLa20[zzH%\F[Ge7 !ٮ&Bp)kENS, l 3Ca㈐%swߦ*"?:snb|ؚ Byɣg5񓓉_d:Mic ȵH} z\S-! g}(%M zMW N:s/QIZ}lK;S7jX-ʡ/w :&(Si( 5ħL]a$O#Gl  W_2ZyN`b$vYTK IZh"Eky1ԯX}fQzݣ& t5osީ:<9K(K)2}j01ܬ.Sy P7<'qtFs:: T𤋮2&8{~d^Aʇ35_7%sQܯװjA"%Q#%B CE;ǙпN Њ޵hapKDZꋞ KLN%FΞcdm*G\)9+/A )'9! LPXRDJD9hR.մh%,o)`ESYYW8qOq챟XؕnW$S<)VBk]xuAy4u LdE3lA9|3Ƀ:lqD;zH,^kUon>j5dLVz+—+ǠQ(To:z tGKN GG3I50J*Ot]Y\P şdx66`v≕&φV`%Kqu۽ec'k mm٢n^^ +GL`7 Tc5'Hےe`28gYSZ<;O>*H*~|@o2Z+ܼR߆DDW E{pP]AwZ!AL`QLCQόq2$XicGJ۔C؎Bbl+DNnv0xtnƾ۬_H  D*u"Pc&kf.`~.GaEfF=3iΫ{B @=PҲ=VyR[a9(Y)}&,F:AQ$NwR%5gVwkfZڂ\ie_>N "U1t spzW`SWf|7!#ݙbWtżtwvДߚhwwbEM޶V;E(?\ࡥU6PĕBξȜ:G0[cdݬ>gʫ~X4ua ŲR̐IB/g|fbN@W-Y xn]৊6 163CINk䵀-,6PJolgR?2RW%}g#.Y6p6Dj՘~C%CI a>Z<- tQꉥzlU|R3:b,A w |+|r_Mݚht:~-Vqo?yBD&9tϿp?do{L{MAk_%ۘH>G!L}HXj\Z`?ƭDi 4-݀J/ap 4#!>h}e&aX7*>&$xW![L41g>G 3PCݞL|y92M;cFIc+j2^Q*H3sLա1qEY G=[c'as4}:{ tPgt^+-~Y}F_a0Za_5,tX^W\[ߚ8b"'iK$ rG Ԍ|pR *yo8>`婚1hc[5vz06J&@*ݎQXи<;>*8>_f!u~8"X˚]tZѨ jKBIsLXxWʷHrhKR*}SZaGB;) #/(=]CZF˰}N 6hӖA+ ZiP ͠pOa] .ʩi/ۻi g()ܾ\h#2D?󄘾S0X[ш_ApXi|q5FVȯ>=E{ķ>ޅ%A̔/ \&4Jŧ^2Lw;pC , ;5Fq = *.( Ri#\9O`KL8EՏ#VTjJDC-/3WM]/^G(#yHOa.~~@rk%3GFGod  qSY v4㐇'o&?X8Ѵ_@0AL,8D}[eb"WSxpŗ?J%X.cBg&2{;_`tOo:?M7VA#5kT \AAR uRz*pB7%t:EjFB£D jƴIΞK-_!logXVmrZڭt, YjS^ ֫VSi{T^:`@-]n/,1=`aDr;ptT)a|@1Т`w{0SPZyf;9܍yȵ L^̽']i9yѐe5?Q%<:g7qY~,w(5jJ́XkKQᑀa/}3ZO,/q 6 c9cZXֻ@'_0{"4,̈p%Zqlq 6o 4SB0X7& B'A3v|AQI_(L-jX5dH >g.;-tQџL4>Z5 վ2}5 @y/<$n*I Ĵw[ܒ<",qx|ۚWVOXk\`A䬴bz:*4^wd UoO5L '# S?GᛜZK)UC0GsR [xf!d^bw IrR2M.id30zYn*էȎgϩQ ]DBy2F+ܯȄm/H?Ԧꁝ Wֹ^dm(IIJUв] 'e_ZZ@9Um`e yc:8܃S+Xhچ=maߍin9Sw$i[Vng:NCԶ g#q91OA^4N jڄ\.f[4)ON5̼E(gYYMd8y| iDV!/b {KCCQS 1ꇩ,@!z,n$Obh0:Xz+`SWcz ~^ǂ먬Ӻ"wh"|Zx^p2wẫ6i.~VᖬOv7X~t@7̕ 
o=`,([߸JU}7Θ=}cBPZǦ?Nh:F)"'Y:ؔ١S^w&ʹIα'vY6W<}aE3yn= rYbCbgԂ 6YTy5GnKA G4Uxf{P⿎'0qz50uUaܷ}AZCHxej2DQ㹢0L<ߖצ8G!T oeMVtNmsDݔ iN8KPD 5mNOmehz}XYf;Ut wgyC# ,5X;rn9!VynЙ˷؄>뀣#} BwH%b |%OW g4jd lrBl[ުlfv6/ӞI[˝y=""G>631Y:< -]7s&itWF=41EfN*2ĘERr+ϵAϯm`ƛ8>bQqv~1ؤ5|f)D^@J g]Ufd.M$G={qv9~.qӀ쟇.Z68PCmxRnNXwK\ k?v*CFp2ȑFFՠT"z YU(^Kxog; y Qdsm /#a.tA*sH,BG` 'e GgW>14ˏ EKt).q7"P8b뿓R׮"4Z6nN ۮsC/ka9obT!훿,0+kG7Zb <ؚ-&L9-=cj3 95`r;V\N|NTE9{"8^Zu6o0C+>4q#sl5X$%u5N&\ɽBI4 %KupCO,z[#9 G>'Qw1 Sb« O]Sy| M*oMsθLqеPO/1eZ4DH<1ml, L4 =s)m X~} qL4n@pEN$b@ Siy ӐY/z,Z )u!u͝yuKǓ SѦ)n*F^A8P%M;F벵4Ž֨ | ƖB;bz`y354b.)aw)9i qgڠ]͝U\5Rt{qnOh{{9T:aUUIw XǤy0z*qh_(jBagL_,ׇQF͂xa<&׶v']2VPV\f w;G:D1 Ct}aOYTH۶*55䗄O:8ɪ@!|!1˜eT*EXU9i\/UA\Vm[ʢTpa\>qnρSx&k5+`?#Hu{`|F%Pʱ]lյH q5inznUzg/p=uq L)%͚NwZ"p8jt<7YOu9:K}SMy һNAA'Džj_`;w|2o𛠓]C^c2~JR,vb+-sfu~a $9 9Vұ+D9ݝgF##ELm]Vd c7.% ۇ $MF ƻFC"DN32__#j95qc_,lOo]DM\q`X&T 6iLp]HIK;Sett"WI,`1Ż^K.J}L"1 F }} wy%ly_*RYJuo[d> L6TiG,ۀvm2x^f>%N%m"JidhDS [ԓF0s<^_S1rϹL/G-(ơ^Y;5Sܾ3nnGb3 :oDM\n]'wL."ApӼ(IyP y`ՏON1_$Ocjnͧ;LK_Rg;02M@D8XPQ5a*Vy{lr(I 0?۟wj+ :ĭ;XmՓ2އRͧ!Nq>]R#$0{erLYKگLsfm{ڇi)SYO5;BnwTݖiE[vEL1M [7۝2bYyHXD-L} ` **o4z]#]LG`N~{fcP+N|֤/H7P'GkgHIG6U0+xr5/)O)2w0iF >"^H^w 0GrI[ղ%i?)حBpv? h3=: ձ2\9ckYa= 8wU++6h@'W-?:A;bTV@, Ȁ 32CS 7Fh Rdtg'w٫`1 5Rb>ԦO 0Oe?/U\}Gis)U 8L"ñ=$gQ|z1n~Fyb%C ׋7!r2`AS/G8b}R 4M&QQ VhS 2Ө"n"$o+cvw 7YR#y~ f-a;<,q'O5%1=E>i8k٤~'Nm }-Q'O ]vRIqDqَ0LW'=`Yl^MDL=rXh_CCl.)r^}uԓ78dw_nkϽa2.OQ:PՐ.U`Ka|zcof)3Fcg'ʁN'bLO^쑊F)1vYeRtaEv+"nv(1z xsL$yٟ) ~ tM$];bBs~e)vPʠ`Lu S4wB''<\a4P͚}($М7="s+7&n0cWPBGM {xtݸf23#h̊Ѥ*K:0t<ړ|vCE¡yӀ°,l2܄~8եNd2f>jB6Zr~9qLX6W"_X:^_VY?K5%8%\m1׹hbs{AtTØ<)ȯ՝<gS 's7/6n^ʴF21>)9##olqUy2#Fro j&NU51=}ّiҪ_x2q5}#gܿ ā}}Dž*u T,Da-+]oCc,]@co:5q:RK o0~Cecor0+)Ȏibf҄CgW>$6/<`ULQGtl֍ ~:L]QeGz,ø#>vR48pBٟ[L WЂ,o|fذK1Vh!NCG5N̿vU>= ` Z~d쬈w'բ~֡Ev'. 
_FwBQqBz2|uѨʚaAze;!8#{'PKE5 /Y(8$2쑔qc,2Ȟp$A< -"Lv;]kj߇ KeXx9ғY:Liz7*A`\UQcb8 &RA٪cYa Ln!➓ OAnw"*ݢOa Ѽ؂;9Sc2jSc]1~Y sm%춍YI#@fmY=]L(]}φ+¨iZ"AUcIn_LȺ( 35 h~9ѹr,4mu\ǚ[Pd(翋s\(\M붢m`F()V&RZSEp,jFY nsnxV+~=Yͻ-hmt â,Ɩl!VUsj:!agfWmz԰b{sdZ4S՛.7(j ר ΅nFĪ y 5iM(ݳGf+LWa:uwiJuLZR.SՈ?+sU~rqs. y琟r +WʏJu5|=ixzY3ʽ 4L[睍WlxV.bHA.X}`C04!$GĔհvԂ2s Fa(+JFk%{zibInE)#|^sR,'/zUz@Y mm.4L&dcLw?2^*V[敱ocdն; Ϙ;)OG}#-UGEBpWwOԧ,mj (;e}իh),/ mEVoaeݘUފ)%%Hùpzc0Qn:LȟOF ^[gNjC{ƄȠUdT ިĂL24iM=_Piv~`x`D%BS̩ qdv`2w>mV0S0a8dHۏl 2! ͟:y 5 2|w2>=mk`1V5nS̋NZn}53OwtEss/YEBp?:o ^KhŁS,*p<,Q+$J1)\f;!IqBbhe#) Sp<= ݩPkz8!/ԉEfD]9"|lG#q:wsiֵ)gD\eMuM? }xq4+a>#:-Eqs,3eH|ܸ0]p~ٳ#[Ax~;z¾,/SuvRns㔴~-'zy&ieqIlk quQ9pB:v2\=ۡ.*CGssMZh]e 0 z*$`3fU? Y恟.Gl4nXq:jg?K3̽>VRjUq&ǒ W8Eٵ>ힻVR).QvQ̛lVmT?u*CR eW}Α뼟Vh K5`fX2JMuIbŁIs!ڑsIKu?jFC]ɇ׫k1V2/ҧ+T: 0^bëR:x,KhDa;&ޅ0fu?.\NnKdTM".Q]Eq"bVpP%8}ڐ[͗8)zJO'|?02jo,?^Tm_580Ow81OxU h!xRdPH{CJ)qZؕayz=Nm!ra?M^cS۱m(`6bU-vT8x ,c}ʰoD ~9aqX^j8FT[Lnnj}C=5=m$ӗvuW"O7#j6JvR5A 5fWlA.Eg9f}x|/UFw냿Kz\V=naaϵԙh6Q.}J_" 69 nY{*Ф#fj1-HxpZmڨfQ2 핟 tgndut^ 3R{.{ Eet)ӽnd dP#NbN#RN$2 1^Aiz\LKx cjIu)Qɬʼ g&zq^BH(7T,PқY$մio u*d[;w$̾;V\'# .M7}($#sxʂU$Ђ ey瀌[%p&n2plJU=`i(Hy<wPνyX$B\ |`X> >|A덇GaC\o [_O]c6E -ss7lȎXV+yZmƱ}_yu W:;Y(w qo/fVs漜}7;Viޞy?^;ey\iK4߇C/YvՊ!5.zF+h7EX [:%c_ps?p gDlCKctJOv?Q0H!q/(|ƗxSsOic_kX^7 UX/c=2BFjbUV);l-";! MQ)BٽB-5b A j+swiԡl3vOR&ߚF)*T?Y <7HrãD' l!-q~FӊJ%lVe@{OJX5: ~! 
| "ϴH.=)诳O,ن`ww/]X]V=ə ۱\I;Iy/0:pJĵaeғɜc3 ,S6]e&Տ%~RľF"F 1Yg~l bZ׸C~dl"޸tBk&} MP}WEK<7zæ= [o^\>!3ys$ N[P1nU D3Ĺ IڨpnV@E; 9o8McB*fvwؽ|eȳӽD9[ i#McBѼ=MZCZ XL\@jw@c@:#lL^Z3i4Ē8}9Sa{BSZ߼:'.yW^-݊#= l 9{F4"sN ʰ"MgG%,vKE'L٭lt_gPIOI?n<%_cxj]6+Cش a._ &j[q~/i{ҷ;ū0"^LگiG=UܵeVi$kt1#_{{i mڵP:Q>LMMR3_sèsIi6)_0?WhQ"g0G6;Ot;AW1JL@&dy{y3jO=vS ^Ļl)碟8w6@Y#M{dji~,9&|/!EACEJna\@zWEeVz$*?Zt*PG`B ZC>ڏBrͬKJYBICc7eRф)AFH-EO7;FF5.~ܗ 4lLZl9.ig9ogoB;dx˾%ƮG(57#nvAL̉zޞ/?9tU!\%"clDZG罌eޞYS^O_ zxWd(60s8ݴ.T1*k /|);{r%.TwI/H;Opf-(ȱ_VSv;]B5y7ʸJJp_zrd+O?ؼO_޹zl ’~ sB!i׉a:ی3Wcp{L me5T2#ʖ< ␝p ]`˾Pz`~9BG2'蠾rqOVT1(Sn!i $7 fyncWk^2H眃24 2cy <>ZcC᱉s=@vaE/BAGIF\wdbiBD}$+-4ZAEݧBRKԎׂTG!A2)1tE1L oy|4@64t%]2;2Gj|W|KӎƄGh ]ᒎ_#:VסmeʯA7iA~AB4ekݜJD28(PN8jL3#ϡh;Zdʓ.疗T_6Y69Easg4q޽? g7A:{α܌dL@C[}Ԯ3r۹E xo e.:2OKe7kʂlvW*<ϳs2bk哄&9n}ηǢ֘B^Rtqy7AaʄXQxm^A,gjzRRon6aJ(8?ߝ\(\˃r)bWFIpYuoݗ`gklKVq?QxڢuƊFl/L(Dx.^ؼt+^ً雮 W>_?Q,s1,AD~s & X$)O$6i>>ז nôDWs\b ͞T+2ʑ3)y;c;WP =$8}JA 2.5G1Ov#x H?gO7š:#juIDjmס8{̀M$+h2co67yG6,c8_Bffl)(N2;1P|\ 30|Ga 8CVP$eX.sw߱_V>Qap$ E`>7 W?2Ι Ko켉ܙ9g.hI^fpU=U IvBzl~6CIׁdobu]Z@֙ꊭ!vw0d;R~kS'CC(f ~ZtRos[%.κb'𜹇lcMuLT72\Mn cգ7R?,8??N6X*T˾{Ƅjdov=R0Q; qZ Dr~$T;DKlz{ } ﰇFsMyR| 8; 4Z\ "@\whZ~Cf/2~w]6ZQ(;\ b٩Gx-2֕Xl,ZΛ75gOS-d1`<]o#(:\r=].[0̂P?xc rhgfpݺe6ZYfRu~/?P5%NZ8G F/sh٥1e4w4}a]M AVT"708>_ywnl&ċcbvW-]8b"x <:flcnqvov[z߳_sd~C;ABpF ƕba@5Α$1k-Dܩ&M(}~Q@ Q?w?ˀ*ܳsWw S)vo %Y벣X3 Z]&m~A&Y[pq<}[ṕA Agb1vFc{qh$el𼣔un,}glkz s/"gϋWY"2u ] 鮂0A=3Sg ь? 
M;GiƱ3 e}b[x8G `O2Ђ} -SrS9hpZKaeT鯭']w32 g8MDq~5 2Gj@iFHb*dYqZѡ ζALq]mkFѯXx\c4(oU>2A5xjygx5m ãx@D^':tbI7hCG| o5ktx.Xd8d;>ZGEwsZ Wlk7Dk+v&6{ \.ռWC؇Gx޾PRj]x^&Y*[m{2<9Vi=W_TxK<)h)H$_1UtZ,:5hg݂8lu++‘Cakퟀhut~Ui&ɜwuOi9e9MRN p(H;C^MdZ>8P'nYxЮ0wbeܹ5 Z3pyC"9Gw|VӂW}l"}o2U Sބ{amw@Ivu1,/>8qBU!/.,.5P>24#m#&xFtCWq3E:܀ҙG?ձޤfhUӼf|DXyXyl}ϰ0ElmHbLz_XxMK.hq$|p< aVa3G_&+ȭx Y}=z6?PB+$uiOPPn+*| CہvY/:"l#QJ Za3Н~ ;gE>'~{I^,{)?m>,uO3gqޙ͐8TtɻϑUa $P5iGuJ.c-_8μl4B{ pɱ;KB/ X;NGLS(0p`E=AqwJgAw]QX4EɤYjpbT;hW뒲e|,Fn1GQNҭ_FDwpKM-ޢn  Cބǁ]3ou]dݬ n $]qO]MWF= k?%&/5J_&:1}CmUU^[aH:zxg1Ӳ2plmkebw Tx$aH u-YN+οܣȹ k=mךZ2aht1R(ˮd'*=zaEQ:O VSĶ43XįN9)")~o"m"7Hڐw;z#S=] ^EkQRyJi$̶,(bTqokī ~ z:I]t=O2 (((_T/[pU 0 ^B\RͲ~ "W}{.3A1dC?.Q7_4k*1,daT:5l߁ަW("bxY64ØR+}"; ğY\9X>C:FbgH^yL[B@^8~-B\,3k?]2D sYJem3[vWbgOBٖu W~H\fC6k%ܦaZ3&LWf^pTP)?Sxbˎd> vqktBCaCQ;?w8c:ARl~ߝOei`1-SACFOrjU]ou7<_ʟ+qY,;<*bN*VrbG@4#,0Mymͤ퉋' Zi{ )k)x cmL佑gH:2i$?W|%}N~`干ʔI/nQengGN DnG|yu4OU*Y%2Å urfBG/vWdR,3D![YB20{84IF]^C|", 0͔(Y`n8H@uxxq: :GZ{$?C}wqnQY_JF>{5E]r(J+* 5mmd"8֭.0{̽m3UCXKit~1Xu6T7-Ɂc/)N E,"۹K.eҋR 0gW2r]Ø|IX/iە7V``Ȑ3aZ9+4ҾHZ{(4*NLO#LI{va^DB𴄛E' I}v ey@=Uv PAPFjxvh 2uy~EνHߖ,L 77UA#  =sEݾu†&?;s(y8<620숭=ֶCmM(Iq\_4lOHdJz^+/hu)de:NK7m-KwP+m0]-գC0NY 2zn ;,,lU$& 7 *EwPO5A3X{:Z )1~{tl+&*ߒv9zTWz PO\WpWG{D' ƕnKڧBYf>l;k3 r:o-)/>aodH 7 i`NmtScEZ~{kFn$A_5wk&]]Q` _bhk]ޠWo' +v`RŝmAw0<=d}_~ P"pu-!!<~[._:) yz \ BH[uXډYk҃(iG7efZ`s*os =ǷXcB%3ix7]|S+6({v#_Ǜ'b cƙ3 95-}sٞ_Fc|۝ 3ZUǾt$ﮁ=WD-΋c|r%A!uO5JOJG9N.3敽mO^v/&=!UwʼnMǎjVA:c301\mg#{pd%J uUfmgBYm~=܁xCd]Ah(( P /$u8Ѽ4r3حG5U+0)I2E-M&K|CP֘9ZTv]1K@p8Ws^g) !V1YXJT)hUiGF>LPB0C_Vl)7_?W%ݓ_" AgD9wNXCyNN{9Ԍ^Վ>(#]>el/97ޕXA9iz0EimcX-Hg[cfbylwďjt tfsn~1D7kq:p DN.۲YΚǣy-蝙_գt1wǎt c5OdH7,SrksSɯGx]r}<*6gqG"% ]pҩ2{JsI`Ś!VNlH%IYX 89&M@,{zc(1`t,k%PgHEϦM KVccQ4DiD͜JGcaǃ&0i S*s 'Pvͳ_nd.h'KD:rm1)[ La]Բj-x}&g&nWo9{ivuu+lլu6BD1wH&#)g. 
v m#0z!e-`ZVaM!Zeyo %ýM\'RiO1ӽ$cVJn^&qT" ªnn/Ppݪ}UlA :`cJPHNKFcd~䦋uƒ:6ڶϐ̅|8p!X}5V?&d22˗́W]7e F) AMFF dr H,W{5ѕ Atk^R`8ʍzIiжk]-6ʹIk'kWӼnJ|8 |Y66H&t0OJh9)ײ2]y `ܶ/ ZVCF\h%1,Vg)B݉&曚]nٰEWz#YJG*_Ioq˓!#j WpMK}\|H2a;}U2Z7ƍB[ijD9rzY9L. 9XsʧxfUGmޫ^NXj\nr%FF.QF'k)jWR ]J44LNkPК>+c u\'Ua mXђF̰Y`§D 1&DbFZP!;*{Oŭv&S2&D43.+*1Dxum`?/[ _N9o\;7 ؃:',]$ڨVM,0 ((Ml8nO3cǻ+9ѡ ׈JAcX@d9"Һ˿e~]Ď8OdM$f573@_e=AHAiϖRHU5SJ:ϛ$ zsh'4Wfƞ5\*x|unl ޝS}:rl?]KJVȝ8]S"_/^'eb Vǧц]leLJj¯sweTSг! 孀 jݎZ.PDb AQ:pxEoTۜW}T/)EM[_Om> ƺ@S1-f1y^lM9p>Mbj 79GEe8\gQ;:])к^R @zu Uo ӕNǤLu>GK LC܏߹y%4sv{ecNO AhVT'OD4OZ{(!5nf7U j1wIAi|nfYm\c+~P)w+6VWK)`LᵡV.U1zԗKów=-MٸRb[&ͩx h܈ 9 KJj{e,Gl l b](Zbdp姘)2wُ/`)F]3ĵOvB,iʜj?!K+\$+D}Ndq^yd=itsJx=L+Iat0r!Y&_ؤZh츈p=1ك /[*^Ԁ"%۷OwwG猾l.#e8E状-e?ȫa%m@{"]]m?l&O46 sӂx95V2wGJδ@(<Ѭ঱_Ff K[LJr: XnXyEZ3T$`4in6~K4\U%$K dS+[̵%cjѢp .r$RPTP@}\IkATyz 3"(@ ԑLykp, i8W v{Ig=1d Yrz}sX DLU-x67jEHq_ܹnvsaBPi"޼EB㩲z-lQIHTUKN/1_b&tïqII2j9akw@13ȖHOnep!&fN͠U=2fNӓOyB$%ǘd 3y4 p,:ZpY :;06c=ԱfZ9XQ-~(ɦ>!Ţ@6KfT0s樌;Ԯ=c 5鉇bZq麫jAuс>ŀ aOZ 4#n}(%7 QrkZk2`IPC5Gm{{[23D5x ,* ,*Q,E̥`R%A2ɀN3TĻod 9rS' V2GQŷ﷬m"*q嫠|8 z їw/yG֝tqn_-:ՉuwszHg KVi pQ'%~u![|O_ԮfL9QuJBYCOzneBFÞ7 h .YI-1G$zg瘥/wΥlP!5SU@Y$W&]`= SJS)ծY<'V,#斜jph\؝-b~뉕FrƧ|ڌCo;<$ l)M0{ G~|#y8^cqNj\/T o Qc h5m4|GPm忤M6i=H-7sԹ:#^ )w"p4ELV-,R/j|MɬzmJbnmUn5c]/cD4CHL{'o^ uOlIr1qE~b\əOyW6E_ ZTmLyN2LHFBo '3}krZJ94,W~$ЎaxlodX1%[B!Fp*5v[Dݔdz!H+騸v S_XXkE;l>oIvr/s8^Bdi"oΓD"!Bu`HW.Է&Mҋ9)dT7\cn3eQZLye<~E%3Bo􋂘c]d(ٔY!a1h>toH W-b]Un sңIlz)˹lQc몄d`N9t>HCfʭH3JO,@x¬|#X=daS!騐HgyHImՊXT©&1p{m``/j'+Y F7ᔩ`oZ=W[U`k$ (OYY!砚?PöKiVDJ10 XtcI7&y=PdmGLqno1S{+';o\wbxRi[/$\MnG.3L wXRA:CLv8yrW۟ݞD7ö9[Xxn8h=k~y:=⹧f\jw3[%@HR[Dp?rY۽q /h=5(LZn2)ruJС8ԙ ~9F[ :dJ|ds Lˁ?_m9B?(Bڠ6 A{:CQGnmA<%@tr/( h >NX~ߤ*P.hj uʘ26׹ @R4 80I0JbҤmԷ#NˍOXx 2u{6XbzFc|aw%7 p9#SUlJ g68mdؒ'gx6dr KuXIoӫ"?uxHgA^90Qĉ)JNE9L1؛mU2xY`HM!3L?`46U#厝ñ"`!0  Ʌ""fBMg廀l ͳo^<~w+>UTLDnܕ'h7nȋG+σAjka螜巄m 8)svS6W>VB+LcEq7q+8CC{lΕXC*GŸ:ךg{ T}bfrpI(+JС BVkךE^ g1L8ϡ+oɾ$bC+:1 4b'U2 \wQ zحn$63v3pa.  
omF[iT'"~6ܱNi*Ӡg&ڣٚ}oZJ oL5г'a: }Ok`(n~[z,OY @:K֧u*U(H˴DR:6pKj@d@l&yUy}[bW8~pߎ7`ٓWD!ETrXp6N _LGb bʓI3P4"̍k!W3D3F^ }fsx1^;#'|8FAMlţSB~p (qI3G8Wm&<OBօ/Qʴд;al9CۦTR8 5ESY,DY[獢)B{ Hv:x 'w7຤ciλ\.L,ٌiXouzcմR,թ' zcu:Y-kVh3e!sc/m~0kqI߻`ΉS,P]|011k/w.f9r}ݨ22NE]1j/^ i ma(VY Ou\B5``88\4؆Xմ5eC`lGRH R@]-82,JG\Mps 'Ӄ)Esh׵l# +% 1_(`h()J:^BqFb21aM:{ӫ׎}|Lu#)z`Ykk<];_&$1'h@IgڤC5e^|g  XCK}?֜=nq7뛢o@a`r?iƘg>,} `QB_T&6N B'z!Ax˜ds |yDn+:9~ʩ^}H~s:ńjK=LYv-9ߊcB5|[txj ]e ZG!f-Q>1nۀ9uy>7k06jE4,8lW ֨A>}Uvn`o(񮠍.^QI{28c44W!A2Bj8hKu D > N0̾Eļ7r[LѶ1 Cy V5b{;i_|p`ZGo 4v||r~5YBR F*^%ZgS}urdNsva%¸}KnSuZuOn7kBdO1+$ ؠKff7vpzq,n#J'aYMYmo+k_M 8SfudoGI8?'ϖ&z:M5~(5oTtW7mjo1t.3Y\l=֘rNcէ@⥅$ꗞR[-1Ͷu'ֱNX#~Eٹw#:<3W6/Qde [蘟=_]o݋Qb;@jo;!f`z3jgH/raA,'q0bCG ,J>CG8F W$o0e;/C5Q|e+~L=|am#e&F+@Dro*%or_;|;4& ~<> sGHiLYrҴd9†a⊾#7@؍zqǦ8DT9 e~U&@D`:h-í~$H-;ά=*u^Ƨky (RP.s:箁fra``Q![ԗIs0U8RPe1mb@hfK)9N>,!7;@yC%F ||!3@Y폊^OVR+3cpYeXnU$9jJYsɰeT{-#Hvv`E(saYr¦/v:΄ǔCh7 {Gtr +!?ٗ CR *cN펴g[ȑ "]Msɜ?cِ,A"S{H>91t},B 补?*hoR֍|6Uy\h'vn5A-c|Z%fz61tV`6W:>!nTŨc}g,6s?$ʫdͳӆFE JFZxHܚYxmGnW_!oAՌobF^ir d06ry/F5eX> Rܵ(.r]RaY i v|܉liR^{z:M]9|H{eWE5*%=5ZY`y[9sbp kDdgu d >L3~zLiI/Syjc.Awmzc肘]Oi ;eV_#Z+U氺TphgV L\]e%4Onr#w~x342'xO:9A̹Ȯʱ۸uBWat.j=AGd~4!mV=ϬFA]3`j<@}-8&Vp{؍8PJ_QdJP5|>8E(Ҹu|*ȎpD̜(D^+r7Y\8qVJ<Cx+E4^Ύjݑ/ZYZ`S}%?`ƒY c2i\k7'JNr w/opxeJ NX@ʃ1G-Hilaj0>EAkg2v̑=ZE 1/0&VpۢAt׽n9XT?Jvup t\Pb& SP>8z:8_@eáđAgi3Ri#. 8&U*34X["Bc{;՞lUfg EM*YE `Ǖ ~5BFt?$H ?XkTGUkhx)A^h}VZ'THU46 vPOW)zչG-,H5ٲH$sVzUM]Ԭ(q}wpۊn,R4vI!,Tsj}9b\auO!as(N^ͳNg/~ۑ+IcTI& |e2&:HFաpcߔ"wđ9DYS^Q $zA\.! 
yf%#XfO;h{7T4 dYָ["'UM'{iؘNٽ8S@LOHň/s' i}@Kr=a`NlT"1@Ŝ~kaP]֍Li|ڽA Mf1h}Wlgܶ\_N61ÜY{q dy &L5?6d U.4lϫJ設9\}*A|A}acfXɟ,p`g^"qO]+A+&;%ɨDSH[KwYLa+-M(EmrK9^Df{@Ogcp[~X*bs<pzm@}T[_띹sp1l|;=D%zOVF<-uC`a#{3^s]0hJ a=_zteݳߪ)ej: ~h  Zvmך(q$O֔MO ݒ.:s,HMxFoUMEl bS!9.֗PWhut6~qb(FQ\>D";~woƟ8e$Fbrd|%+:.ib|*7n '&vgVq'\W40L rJ9ȹtHNk;.`W {ϠH4q=k8~G`4fa<{t5$+N63fb㨆eK۲ݓcݫ[uQM"tn|xbeZ/sgztE1E~E3*ݵLب(Wf01l~qI"k!E\*Q06T]bSU"F /qvUvYcXK_ഐO6NCY8/pýFS5}eWdL2;ٞo)Qp;g<\6yWȯs;"e\r<KTjχix)%'lXF0.pjkͩ^?n` 2+Otp3!~!bvD1Q^khY띅a*S"Ȏ֧_k/ T}rc&C0zĨſ1} re%~4Y6<٫Ww'LD(AݛO=g~Wpb3=z"53 w;'N$CO~C44)Oh8w8%4AUv[kxjfNw[G.]MVZ ytKǭY K/&&0b^Vu[t2T4v笂L<eCԉڟSTPOU[CV^^ u2:>X?(oC8kxC6Vy<0xZ'}]D1 k 76߮ɸU".eS Nb+xg:'YM>~P";7\cPa6Iry8;V#ƹDv3#R&i@ʅy*V3g` (0RQ!nٿD@-eZ2&=˯\"ǮS)4CStZѧJfw٥ŢA5H-o}H\׭,ֺ;XʓˢoqGD'hVvpR%,跙c󼬮K;4w|(4Bu рt?'=߰d`$~{lV T3@2o ~KPo FL% &CrZƌ` %B % }MDD+r7*KݐlG?]G۟6J#V5V.jO^0+|ǿ9bpo~PbFVG-Z٣Sl%!#%TuCAnYm{5Dhb+W/(+ 24=O!: VQ;ak~yfyYe|+sbcKrC'ɲ'GCІ¸;idD^cO?oD^ЍG෥1僸L hIҦ~L3)6l*H|>ܩ/,vJ;}{Lg1eWJ<%"]ŘC4-k@ S<EK (f`tivK\,G]v0prI4XpŲ̏?j &x)+; j609H 1}E% oƌ"a^tF!%$҃LAĞ".>k)}4 ]!A]v7q,Fъiih7l;|:SRE HޔpJc1:{uwt3R %Q謁Xj@x5Бb7.ME J1 95x~9cFt5`c UbYJ؍G.f]Ci*m 8 ]{Q355æRdgmZDըB>;;0L`> @q:Sr9hvAn Xӻ7t&*5f DtqH!j&Tg9eY ٝMY+%KѫHIB keC0xXXuFKE(eBH"F|eN^iPuxk2M-'N߶Uvi:BN"f&ӟ}1(N!椺VIUѓޔ{UӞE4ԛ-K4 \[S-Awç@jB50Ñ6xCf=u$ 5}Azeӓ`HS2G5Mŋvy†K[7T) e21Zo싕 Ɇnag>`i2GASPT x;pۚL(=~\uT'H>S)̫K?9l ͠tS eaG º vv3> OZ` X1Ux3;NtE識ʌTaD6i߇+Ҿ͉#& hK`YVq;lgCp#@j$ { C]J&(a9ꝒXf*dgS}ΠzW9& E䤛oB%L17.6Gnq%%dD-Ҟ+qʪ3f MUNrbGNkO%-7H tU KՑ0G@c a9zŷ<ٓAMl{q|ngjc(5r6`Ȗ3Zy;?Rn4ATA :r8p:w2+K3q/,䱈/܇("XA@9Zc*ac}UL4pP0KN6jޅ+J gV hk|n.2moR.~7G`"EdPF9pqȞܫǢgU+R&Ԓ3v$?o挻gnv;*9 LqlH@*Jko*}MH 4VI6 O%#V" ߍQe٠(HIeG-2JъOȸ7L=ĒyI"s*jH2פL-Wfn4b+Ć+r;bTK5ņ5on9, O>w; ?cE>ؙi`[~}}npL~&mYDnCN݃BWx6+UZT& &be ,#KH'BNsX q tA2=sTeҼ~6,$%EvjKA b `Q`[HꞥIkr劯l};+5Yx2\tKS2` '{fd{t,W-[yŹ0Y;)sK\ۚˆ".;1YX<ϯNs7$Gf TKEq~6*#e';3 755;m2/CJ77p2 P=j@!4 ctt|{l_' 3{tW$8J|8聃l:26LJ wmUtZԱ]MiLhIy%~䥅boRW+/C䤨m~vZ&is#qUB ToT(c?t839|9M9rl| Jv/?;8EԳ:ƬM3 VGq <(|"ιU읾+GX\7.k25 qpެPr*D>^2GA$шK'b`j=eAϡĨ Jw8FmYA8<:s:0 
~uD>d1ˍ,+-)_>X`󚚑X$zAj{H+&  < iei|{e|F`)Tоm^)1#uyIoz趑w}sŬaq mЖ餒8ߓad:!G+ zU%ɟ`gOM/PKU= ⪮wf|{Jto&?oB|\Jt㏤i  Q5~?1}_S K^aOws_uƩR Xsp[p/{O|p>chEo7pMP% n,g-"_|gU޿&}HQ<֛E @P(jA2iMbҝ{u$KN&g-qIX_Wo}a\*?x/6Pw2\ԧyv//>͚DuJ߰=ʗ?N~.1OϚq:~:<۪ݱ*"GWiVNO$b;`S*P& b*FX{^~Y|+W; A𴫠C#:bs"($V~ov2m{3[QLmIĥ%ea~n$Sԯh,׾SZo¬=KGFAÈ 5c7E3iolJ#fnFnerx)ܖS]_l\I>E:'pwbFy6ˑ+dZ?¶Z#-&o̖:?K[*1鷷l2UX*{Q6.yh)1oʛ毁Ҁ`+.$`{`,ܝX/4僿0Lnk1+bZ$|Ipu5d0 \MXXN[|*ݱ;\!7`nKr5T} 2qRuwL7aﳿD@Ϛ=395%cݳ{EMmYí1yVSt7u KI}м0S'C?#1L3v@NRo &?P,3nd#5$YGNCA/(,jn3EA? ~vGq[qY@fPςAƁÆW{Fs#4v SFp,h Xި09r.5;tN0L*&xXcZGv#ƎJxS27e6ħEqcsh4%J"9%;ԯrg*%Zz`螌T9e⿦qlum.O|a=%Gtg_MmIS2~ oភjid3z^mCrWQ5l1CE$1=HKSp`4jG> `5 AyоYwehlAw<@HD6~`@; _ [bW 6L^mN-m6Tl {4zl;,D0GƓ!%=Y S =$sf?kUFaT{'Ť0jHĚ0)ػ2БsSH$B3ՕNsgn E)ՆY\E*1y&*FxrܨY '0)=^2'D.7ٴ1gHþ[NXK$sJD}fi>[XǸL EdzJӬ,\xrUZ> sPN&f'e5GGŘz_f|U]7J3`v*]}9RoEoh)#׹q]RNŠc\It@GrcA~a#xc}b?F^=9"rZpR I ;Ur͌wLκi^/i5`u֓&ij*H(7ΰl*TIW FE6%ljmW)@4/Tu[~9BUoGQɖ]v_M7I[TZ Ӧ+~g-& {:E;|nh:DԿH.L '9S;X@H7F_ܗ343gT ͭlQ$F30n0~ZBL߽}o ʈm|_bv億 ]B^^t&gӋgJa _0x/V|ż.?^0VW*Qv,!79\#xR^vTg~a'I03 j!W>\Όa+ bIe"9{ !6 O/o$(V8+8Vz*%_`{,XJ2'r|yIz-{88J!~QaB籊Hw{5>֕.5~R1= ];*&H>Ȉ ,裲#Q}.LY yx^j}]Ѫ&Oi1y{W'ު~2\zfw`=m22ʢkzYӰ|i%:ۿM6L60,֖6؎gs"oO2qFШ]gg P|BH*¢L[ q]ruk䃿af5hSO[:5q+޿j3V7UϸӉ@58zޝ%H\U[-ev3k_ZV^'љ~raru "3;])uun.Qkeތ W78-$J{ǑPA2&#P`/&wSQ W璘#(мmN"Ǽ=iw\R+}v(m8="Q9Uti;p5)po>isa:)^i",;=~~ޚЅ +4 CE/)>Z@Fmhppv)2f(<Ŕ=-5}{Ց"ZNq\Ay+hsτȩGvh.x? _ړ5ѥ>Z?>޴Qؾ2n"E6 i46I\nr(9nz^75 .1s~WHk8⹉!6|4Dfg,0ۂ6L}Ȭo׺pͦF)|52/aΪ1yn"u/\ ¢v8&Ke39b 3.O#o^dt^f$tpEE; G/|9XKO!.Hjx1ܒ^ (0gĻ. blU:};ش9 FYbGн\B#xɧ_Vwۏ3`Ku"_cգrv9d2\dOj~r)iX3(}{⳰QK.є\ZFA/]k1V"HO2#AۺD3 c.3;,"1`nb?ޢ@RjPCY}/$\r*!nCj9ݔ,d~.lfc6Ҙ•}憎|Ey̭#?&pڮ1Pb¿f+r^9=[J!Fb֙О07/JQ)"ȧ O.(=NԘR|ڛޡ~AFhhNF\?J^# yo,=T4},X8,=Eyc?m:)~^:v~d! `}8I_Uպz Xɜ0UK uj}~d䷺LT̬o袮{[ MՊ! 
Esc:"|eL_}=/ /,Dڛ=Tn\cn,qtraݨToO;q\ W֊L[P0 5;VMFrCYATɘo{h-`u';|]6tF0N wɃap2Mԙ.FO 35BE[Tmw_\;Zp"v.\'Ŗw(C+6qCq88.հRmr!:.>;|FXaݓ x/ˠiNԎA4r7"[Ti^+P~0]j/$gޅ,1k=\9B./Yx}ѣ&…{- 0OEu{DQb< >gߐ<"v$gl(AT=Hsdؑ}7AX /:Z6`&}h7~ks”h"X ZIʱs&}fj-&6 /rRٶn ?{G ^?ʋWs!7aa *2 qibX2~51VO RPq٪i_k&bPӺI L?=Tx`6qm/7f@#$@d*>Vr'UϹsE ;0-] !O;XW~L5ZKuIed9sB><&[ˋt(,@qWdۻh2 PTA`|,hH`eh*sv|۟f+J l )Dx?#br\7sdW \ޫW#y/fla^ƫ^7-o;eFAŰ OZ@WD_Bp0D(3UH<c2l/;ZT )i`C0JBzCך6Rp,员i"Tlyxz&Neٓ#LT4oG&TDf? \Н0{_ ym f`!L+R5$핏\EҲ;zͽ~cO1=X󿖳rp^yųHTKD|%5{6(*sgCp(2Ns8,iPWά>W̛ۭߤ?d b]h}pjwFz2a*?U3o-;38vr7e* 7ܝ;gyEjo֤3C&`oBHdd8iSX9B TI9 DWLTT JT|T+ d2TyU03:S9K;Tn&<;A<8A2ux5 gTLm292N2dKҜ(Yp>`hm{׹fhZ@z)kՊ0QT U1#u4[)/n.I>㭦|z> :D+AYXqt0 l^Z+~_/"~R~#IG;>@~tZ@_RL! α&ͅ@')hDr6t Q!$`na\ \uC\iB* V8oM>TҚ(ď7sP4hXJ4Gį7޺2 ݶV]\?/YV\ ܴT~Ī*׃+Y1Kz1 zhw}P7"F|)Ke_ 9C 3%ݸwt=aCB83ʩRFxX`U㤵\;醝OGreIOJa&SQq$q(VBJqV25Ⱦ.LH(޹zׇhKb8M wmk("MI5]1kf;>2c Oݎc7F:ULo~]ƣ$}I!/^cH޳ .iW%#X pnh=gZk!l:,R yVAG9Gb>N/0ߕN*ż0AgS^[l=r|w2`nK#.^?l+^]Zk'ڣYR"0h;ęN¿–&& kođ)lv:1Q=a}#DzZԟҊ$k+IMLhL%tnDAW=}aӗԧE*C KZ4$^=D)[smt&{Pd5g•ԾwƊ-|fќY7#!ǞjWS'>ؼ~ mD wp"T9l#wP[P50aFWk&xRR-fU,Qh.' T,<AJY C 3/shCVDÿNTiCqBX:B̝v&Y-X~j}L؂D ʵ/W#}5g&\~26v@w3K4|^TGH?"Tyo޼eEİ{DТ3f1 Zr8v@9 css]e}(Rѭ7l3w:'I AjY˄N9fPde bZ}GY}ffI:C|v|huMQb@R+8F3>!d91qQ!(C1&j`ti6ݴQ bLwoӾ1fV]po櫍hݸ ۠`vt.Zf}o ] }Ӥy:3wO1:Xd\w~}k~QXg(7a(gl {;R)Muޡ@u|S҇.L|g\.GA-00lDçՁ\Œ|el9{͖1DP~ʴ5Dy]Z u1vmRh|8:Yd $ /=41^)ah6_:>̗L]Sc~[( 0)T` M!6R`s6o '\{4L* SsO.F9m(2Yܱ2j6vRfwP+g0,/6A !K~^$ &V{`emQHu {!Ѣ"~y`6Z/.n'fW\ }hW^ęYt:Z|p "h{@DᬱllXP._<&hi[[ei^"֋y@l:/H푭 4>w -{6ofl#?EĈM*1K`]GM ,듅)ϻdDžҌVcq wz#СE;4hX/xxu0w21ЗI"Si0 (;$ڈK@2Qnx4(Y|Hgk1>~G U!3b6 ,Tc-%#'~<'n#:sGJ9hLB-"TKi($w?0 ;ȫHpb*%sb2YxtUL~!E?\hqcZJ_1i)Qn؉soϜO\G&'n 'Hd$qهF4w͂$¸˛S"~:=62Fl&b)g@j$U^Co[+ ^q r"#lWbʺ_<0gxC,e#ݺ\ 滇~*ץy yTkDNr[!<k wۂ`Kp. 
[t(2VWE@^7>Ѥhxݎi6)Z zg^qU+7俯ȒfNLTҺxCb]7bRAPI`̴b\O=!zҧlN>4_;WEn0W_Oi0z Ÿo;TheX9HH>YU`HDeIhƮGلTt4gUGD Z<=#Z e8X7_uapuƷQ,dA&G{ i Pʻ%( &\;bሹu;ր%0t!1Nw"S>Rp*z4I߄R I+g^>5<^'Pa KoZ<+*,ޡCoӹrCxɊX}!& /U="^g5`"?)>>Hqj%¯o ytЗB´v6@ 1"Ea4{IUC='hl`@x+4ċs (.ď(<4Iy=RҶol-=(3\59ý6NslD\)6U*61mH3[ؑkspw_Q"("ݚA7P8LA0bk)[/L/GL{dmmbi84J$mX:#l ?Kt쿶ȝjR)Z: ,O*VQY-I@[}V NΊFn; q^5qNjH(c`،HMZ9<(RG/d&#].3\n T}T*CHHF< ]u貦*9Sq d 9Cd?ui[[PwZGȔ>a c=RƣяP*һ)my1 vhhi9~;GJ"?` #)#t^j:6H[n9Hi=7ؔu# 6s11Btdɢ-5IͶl '62%>X͡n'z9^n:w_[Ab{lVqpM|6 3ɩSެn\Ȯy`%>oΊ@$ ,Ѧ|,"0(>G m;ĆWZ# ͖,8i`MQw%): KЦpzi;?Q[)J /ay3d%K[gA+M]d,V1)EZ xZr?RZaǕv>딌VgJvABJ$P9(25sD=?wr5kv 5[Rae?-GRDU|LWTm-_LlgcP^kK]ݤ`J>3:8gbUKZH"](EJRn17cOD?@T5gdhք*g@?dێ&K?y$ @ӑvYb<'"`ZMo*tDzVk+/yufZ]L_gdJ4 by$M$M^?/s sXi81: ǂY~r?U_Mf;m@9_qs%/{x$[̜טyNoV%cÀDzN0֓y3*.?øIZ7tGhxwGÿo˪JNkJg;;'I/o~07@D\?Z htIz樂b>0V0ir0* G8aWmKTsDHbR% 2U["G 1Ah-ǣw КS]RDUFP{`qY;üF Jȷ tu> `ǭqĀ-$8.~6s-1-Biou@2=E2%@;sۭ auS=°8ؐ K9sV 3mKm$H.l< >&L1#@o3  l厖RSkk` n.%?gyZ zj*s*}>mRrt->霎g)eO):t[2tSfwWH(w͡,x!F~GTLe}ou )h`ЇI{ ҞbVb9 χ6䍉VwMƀ#:I+Ua{Ŭr\-GU:7a()611 h7쯦`׀VIshB;>mU., Sa8K,MD]R91$ KDSnxSC#$̠NXt[6i"OăybeU-d 3ȒRl2,`Z=0}bph0GM%GBG^XG.T੽Jؗd{@NJ&8\YI¹ 'nw *(˽t|ٗh]մP SLnC ͪ"-Л[X4]2 WY8 "Nv'j "2;c9slZh*,ANX=ިrBY5ol5z+jm?B(ue*+'pT/!P׽WNJxPh\qgvh[_Ʉƾ C}QVF"$or"jW(*s^ '*Ü8Ē S6ȪM H AGN+q5{) xvuKeOwR>.PXB3ԋϋ2)*JW |`~<4Y0J fSśJ`vzN{=Tfu[-UQWb〞㻫滩]Ƅ#ȇ/gku[ӏ?td7r̝vEl85cO4ukN9.u^@0k@@:F+^`ua,4b. 驪-MVak[cJٖ,iקmwtE]U#\ƐG~Yg9QǮz &С'VUE=V/S)xフfJJJ \\B#bV9|ƯNֺ3?Ӽ'k0d&F{ jߟL6-h؄cSp{΍In1_1 ĹVGx5٪,QPF!a;,?_pۏ"}y뭔^9^ k3d׹.foR(prJBu NLJ]| g!>.An ,iY´0ƬHvd*,:z`/N&es";UZi^򮏍*,cs! {ܝYM; 5w[Kx:`</d): jto}N!0. 
!0*䓟@;  1-z["8֑/KھpJAa&$23BD"ј|$xwR^3$ ]'].nWtr#\b@O,c62;oZ: kzoe3:伭u~6ͫw}a}1z؋XXV5ǚ5n+a|Iv{zc+G7PҠ5/_+xh #E[H㺗 JLV"bN1'YD4=?gN"(SCczc|5D@||q0(hk| % !V~z5!\ iu&-;ZGR8℺8MpQI2dpE^犟PG̢7ouTHp :%j-f@:0gbKFBXf ulT$*+R&8,,{jzgp'C" BfTS3I:гJV\Dd$*[恾>} em'#΢NUh.NJv(p1bnO""̎TfRMsOP~FM8;Z(9+Fe^SȤ8.Q\]A]LKI6eEkP%x{]9sG+G@C1ߊ-4b,;}~V 6$JGcUݰuƥ8h mMbb% ^E|w4+5PQnnM*#@WT"$l,=X5x AU{e-ִm}4mU]d!'_vrkU:FjW!-( 0SbUD| >뇹nnRrM6fPEnW|şnS /\'(I5y>~lD9罈XK~t怴.ZjҷL4Tf{H1y9㱎CCfVg4?pjēZwf,E }y [Vf; %7f9h:1Qf;̈́wxv&#.##R2HC-!V+Ľm5(rK.0/g=T`fxs0MD,a~biJk>Ggm*bri|#FbRR<6ߩ!`~wUinc%G+Kjm a;Յp׫Myfdʷdi2=^sz/(f8ϯ}u3ک1k$qխV 4غ>ø)NEg) `joL؃|wՄ|D$i`-auZ5 O_<8SNhsܺ QShg$Ic@. i&Xa>;!RxHI0zRC/3P8G":n3! Rҳv_\b[Gd8EphWat]5)-ՠ C۞CF/3k@9+M[PAq4rr%'Ǖ&Kc(3Yb ۝1Ӎ x'yL{ ׈(zT!ХU}NR)sKە6pbڄ_b%qWfƷ|W 04S 7h A^ 8ryKD$afkA糈ҞsgeZ+ߚ#2rv~%vb\]›l*s6Smf:Ie_rX,[av{4"."*] M$A|@k eXMQi' ,Sh1$ZkbI]Z.$jHEN/3UʪbNnS)-b?d /d V.(ޔ0K%믱ǻ,Q)K-z^hՠ\'>LM!E`է 4l mP8'5{ pghw>!nۿ/{/>}y6/s 3嵲&`u\GIsCq2U+mEAspc~M JӬd?љ|fLc1_|:&&Ee3`;JWz3mTskk쎷&3.]Ύ~ck*cn*+WlIn)oC:$@pJ_kPX v.9GP WxvPO>hY@ xIБ:qX4tR&gR;:!6;EFŘӊ}eSHjMG4=j&@>]|7C)5 ΕSڄwx67qzHҍ.Kk2Ҋs^OlF?{M-B/h?Cъ_dޢ)Og#&2kCY돂"͐,_C}ZGtY[GS~A_1d"t305Jac1ߐD4[B[[ vh@? Ȗhwė<>-$Mx*ʗEw|A$U`٪47IDlCܝ5Y K:.( Ȯ&ſl%'iyUl#ٯ v9`Ut@]r] ~<9PTyAp_zW(?y4Lk7 m[+/arx8͠0`)JS\N7zeƎ:fիeHwTR'M 2HMcU{7f4ɪO_Ǧ(sue.poV[t9-w&BXi^~9(yS-#nDrw2m MPXgDlcC^Y\V z9wk6V_~ =&Ahy ڕ(<5 М"tUpvۥbYk}$ {ԻM (E{K2ysێ*AZ+uQw޹ z#3ɬU= IMYq:Bnv`bNH$Jh;6OoE .w.׌O-VS'ތ̏*.PѦ9OAPhYRΓHi?04@*w'cHxM/Uwߌ9 ,4:Ā̯͠ 5@sGQIw3KIO~RvI0F"jΏ?zDBsx'Q@pU,Cp ;=}0o)_Ӷ1eh|BPL#i.YNѶ3dM OQܷV\2IE.BB{{0T ` t"Ɍln%ؕ [QAE_&Y49%P8-Q hzУd-h :9⨄ d7FX^e2í8pA]JqLNHfӌ!J/$'b$Zwn՟6`-%/>I ٸ<;F!Id@m -3l"ȌU2ϩ/;6T(\'+epW?XWl0laZ^h%:ؾH%יO`N 'Tj鴹8UULfPp쟩֝ylXs:v5}iSB4'$:b~Zͦp{XL3tܶ"ўEt(ؠa+wa},ay[%+q@E<v eOqѹFk.lҢE88&LbD4~vcד:Q+ƦA}S,Z#z\PV+LɡA[F$E=EQi _@}!m­m2{Y/fP^ke1jštV28ӵ*RL/Lt">@SeG'|Dr6>xsuv`{6n4߀6l0u#nź`30䇺C. 
7)"!܇?yk$rCAϲJm(v(-rof/yU:4 Tc*?]^ %yްu/W Xt2 HM ȜkRD1vT?m^q$Klw쨴u<8\NٹF6hNQCU2*0ir[(R9:L+6>hޥ-3dyOtvB@S ZO9%%Tڱ!,J͂@nSN)օ)ACLXk€W[7qI=}y%!ivz"PscYsՏNq/ p e >=FMŽq {N-3|+|Q8{ h[d扅WdP tNzeJ%kua/ V!!UG5+:L8r]XٿgGXb3?Bd!ܡ4Gzgsk Yg3@z AWQ ~ԍ əgퟏ0gʨz_27mDJ+OڻJ삧rNHt}[t?cW`Zk #1Ld&Fdd0)Y_` B@w g;ƵZh ̍"-&)nDx*[`kJ_pP]"?[ྉgv Nsa<)E/7"Ck T֎4!'Nv۸p!OeV7NUmFtuq%ŔNHBIP|;vܳ"!lE e^,s͎E |T_J$O9Fb莢O.S& vv|u%țHw`H'{OS{pj-d.jH֕7IщVp۟G¿OVEcI0ۓD8_zS:]@rnz>$Z' DW<3ޘ*ު&%2肾a?zVHXM,^դGDSKS) W:0XU{UgTq!}Vmr(Oʟ&I)*: p)ccy0`ćq*!{ejiREBWU/$עV}!S~-K76' 2 A' &6!V3%/}evHwSy;{Fb' 1QJ^93Jel6sB!EnAhP50d%Â>:2Kv: @X?*ҟy?B y:@ mb7nŒIcMs49V dOQ^(m7V%6̼U1dsIl*@ au" hU;zskH~ -ۂAE$ښVoz^}{RpJy-A eQHړx-,J@ؾ"%^k|G:1ohis]P;B2Jkc>? P$<#Nn_:{REpjDPHH9P" cAa@{MsM|Mu`M[˵LT89$\rqƜv)UeV>cqxܗ;{ jH*f 9!X2l^UXT>x 0f1ps>D*iOg/%@%/)3y[JŌÄg50/j [u]T}*OA 9 ?<Tխ;K1u<.Gѣ9pct[o'A O /g i,RSo@#PhX\(MW2H]AD7h)+Z!/.;WF ea_/ꦢVH쏴˙ -O!0:}J'| u[?Ft/+lBk2M0ukk\u %ƲB??΃jrVrH7Z#:w60-9M].- S'7TL&N*#B?JGh'ʪqįg S}Ս&q,ϻCQgqPF?Nc1Lzf{f)TYPa?쏡PG&6'AW^ _4ЙSTh|Pͻڥ\>2O =[Cm1P`^2H<_**Ј65s+h7r܇1aڅL;5p֌uNyXd)jasM5W}`!Z,ݧk+^fǨZɣW$ǗZn~5{bIeꅏlA7BR&CB#U lWqP IIO]K+zDK /(^ا^*r ;6rʧ>yη3ptA Ks'[='.Q;4J ]`q!HdUc -]ĉbVT )˓`me2#>}of-g617 njWTO+b"=͓OzT6ۛt,Bʁp;.M%TR+;8̶CoyMpf );?0V'j\ZeSQ:ogkw|NQ(_>7`mzWs#Z2y !6 %29ӣoWe8\O]p&D|gluC9PrY.oLcwuZ=Ӽ0;ػ #{Mp?3/K~eo̳K])f Պ5 *u.w3s  %Pѿ2keq3L(ݗcqRwQUǪF(·6 ZamWIWϴmfBgD^4puV_W8z=Bj5hG(ucm63 f*Ӿ^0 |.Fa-Ѭҕ[Qyb/ȉ>4f=#EҋE<#!F|AC-ȶ(Zug93vd^ iT8tIQTj7hc#s=AW6MCu A:Q,AuHȉdEkAerSU%`e< =O{ O5R:a'_e&ʳ[Z unVsV*SfSZqꓢ U_i} /gZz%tQ. mu# {yƞ]9N8豂*rfurx@O'~gqPqMJ5SwrQ%S]/_s TY(Y,O(&Q©(!a<6?$U&)u*rClQTAz,tL>>k4WqEi;8遫??*p߂}G)RJ.c5ʠ&J:#=$.4:Ɵ:! s TC˵&ȷ FMss&ɂ0I Ix|E =xORZ2 j3 Z8m?Hs^%azcZ.ˊ9|0_"q9힇%F̗#[v]rf ^ģ_! 
nI#==`C*GYdG8)qE0?+ì)"Nmk[xnI*2[=2ò1 ̩6I31 x(Hlx^*Gˇ;xdX'z悞i تa  @:r#p-6 ޹ɋ͖^L޵Th{uP=Ocy=7]\|@iJ,Cj``0\$tGE%&jfsWхOLP[|F뎹}#-ٰ\'- !df爞oȟVz!f^+h'OYLӫ&ٌO*3gi^O̺fޮ B`hb3d+:cBq-=kǎbGk$y':r$ {+?l/[H onfŔ4#Zy =\9G!W1 S \c Ps a⨏jX(mJ< ˇj Lfd;ظaA- S>$t2XMC'8=F 7V鋮#impl鶜!sJǂ;~ 2JP8ߖl7Y=>.1ܦK]r}֝~fp2 w%U|`hnbLXW&*BTůo&)k<Ԑ/V=d.Y{B&02bn+ْT"+PoUErWD,0n -5L37U,#Ә&__dJ._?j@kֻC,*'ssKex.#4XԭhRԅZ* DgT^T/X{lBŢҔ&Ww'2m~v# BW P].ȌSqG*Jźn^ {C; )Z2fDә K<-*R .BvRG9Ȧ"굲!̨z8hqx@gmSn_g6le>^ ̷H7"Έ5AjGoNu= QD%Qإ‡±] R$Ю1֠O{{)!x8í? M_i2EdD^å_S%<Pi7ڜiѽĖ#_M<|D;+M'^atYPvwiҩ7;Le񻯛"l30>6§2e#pjAp @T߸O2>20(5`"~}rO{<;ս+xoK}gpR˜h`AJ\ƻz+awF[Ou@ ~Zae__lt_6bue#TXAdYG$⹘eDO][ Ђ7R l3`qRZ?~G(nn'fNgS%$wh5z̚(vӝ*kiߣ 'c6`mq76}nS^Be`Y1`6ol0,*}䵩B̷M8fgJݷ!, /a1.1~NQiZ4_/*@" $ sgTJ.W1gl@9LF##SG}lVS^>lD1(`mǹDIwaN^>`PZ!?Ns51HwWĩwe9eۦcClyeփDQ")l-aIR x{ ?؏PUwG KM #IJ3;UxҬU.8ݎQ>?O5 o_kK5K>M\sFWxPQ$:H!UfZ;ȧ v@˓} @\Q xPZ8/g~_],>~U 6Ճ&iNCOr97\QUk#1m5B[hdJۇz;ھD$WcXՑ%Z/_lÔfiJH`Ț2G 8@Mۅ+Y{ ~p ead褩MVW8م~#CӋOWЬ? !/M^tW|=<"xW{T1:^g@.{T`5̽ЛPg$ :ݤSzz,/-,}2c.ޗ=b23͊~엒F-0jQl4ht5٠Pi ~Ҳ$=틔Gs@E?_wrfBØLS<ߥ soO1 cSs*l #p٨H-;kJ贘'("T0Ľ Lwz<ĮqazKk]2>δ]ϯJAz K2yf 44ΥF#n8(DmY{cGUgjt^!$R;fgIyI(xUSRsh->($ebVSf`"-cG|hAa*ɦЌ!*lئ,%E#?\w)M6! p`MхD^*@.k#!D'HQ/i%0^oI\<[]=1:W» )SW:"O7N zװ-^6cqAF?RX-jgQ?O'ZU˱ $mBFv@`=\z[MN oKIpϘb8pȞPBpJ+Y̛P kY4!wZ,j 2%}w91JXz*|m"Z99Ԕ }e-&=F$-ErȭQh_ _(c~cl5zh-?v!Uү}ԯIk~8Yq^/kpVtYVЦD($<Xf#ÔOLE8{$M2Z|}.++N:kHT1I·# j{2Dt }xQ`xz{X)mer2XվAt>9d_s) rOz]Z SI yݒhK׊><^/FҦ"ap$OF֕%zwТfa{O=x*^ܟj5 Mff{Tt#Ysҥ߆h~H\p˃/ޒY?{gƻKj3jԁSi >vlfQNFB}9tD3i)azcPgp2_s)V+#|e mDX\:a,Koc V\Z{WHZ9 EBaԗ;1n+RN"Gld%ME )I15% 'xk  eXJ5rIYth_3 oҴjޕNz}^C8e |5K*NY Ytû4wECH=FwLM\LNFP@XX'z]Q[+wLW",1otCHz4f,E2! #5%%CtcYVyA8!ifsẌ́D UU5vh>ٻyb,k}]N SV ?ΖSUS=hƚ>-I[zgF,t]'⛑AxK qWiۥ,QZ"#ڤEHz@Y}M\Nbr CĨP fvʮq]z 4bUץƢz6 D +]raG&9I!T 5=ɕP}8f jgXjdrgbJZM-=Bs)?=|hyz1ǿo ݭCp.t_T+7eڨJ}\ 2&!')`mD"Uwooju74Mlڦ߈mEŹ,:ZL&bbvfhMCsd-qvґ^ %J Y}c g}jQQC~_RA G&ex0,Yq_+NOޚQ6B׋~QR:_fjbz! 
cQ"̿?1B*)FJDHS7)-Tsʓ]sTPCaAɴkya,4<ЦsTxbMb"؟;%|s6/ڛ%CaC' f (%|S cLǩ:K s1t i\|r{<W4ա@nmbA(c'7kN Wz~4JbIM{''Oϰ 8(if/ҶRbzŇz3cp9ux$p"J9w_=S0C?)B%5N>)A ٳK}dp]@fZXd"2V: 43ҶfOݝUlX:;Dr*Ťއ^F&e)7nsF =lW%SUD&QU'^ݢ?V]R0d4W%NVٟ K YQ\*@!  мh{˩xt /`r1>XQTBkZH0]kx+y~÷}t:|~Yi!z'԰˟>wdlOk8C/3WF-TO=FڐgөC)2G4_q #H)iر ,2_BC{#L46yOYƄ&8uA!p^S$r,Tpe>0)1#:y.lϠl*-Y}f20:kBvc N{U Y#9eUD"u"i UU}>{>s&sи~AO% kcHMx}̛mGҾ6$qv 8quenL 5ZxYzşm"y.^a&"o.G&,lt719$jO *ըrsfV+oaVe[|l`YJlR/aH{m-cD<N1N7NkiDdd0uW;v*k *{W4f``=.9lhzĮRN20Xgyqpd͸ia0pމ2j4d6ȰePQk՞NaT>cpE *|5E\Őo*ZRF]Qu 7೩ J '擦OfpVu'{e}ɱ\1r(l$`jWe&f/,_C1@jX!|^;BF+9xs3;N2GhC~Q>܊^8C.CLN7;HCu"Ӧ;BEHǣ̼qَ$X`v` cK瑌&[}Ѽ Ob l֑NpqQ1u^|᝝"5&L"jV9ٟ "]L3O|as 0"~0:Kűגn<>^*;iuwv&Kaj_W,\aRNY}Hz!>0=:Pw2&J.ًk$yIo+/SS}ߞTJ=-ј fgъt'=3Z\~$DsIF$Y:1EtE;OD<)'|DikyHTO8`o9A'O baU 9Iz:+h Xr&`=2 Q(H mzԞ~c D4PzY?"@fEjmaUVm7!ղqhyﮏSOV тU>FE!!UFtd384R6A: d+Ykff4?R2 \l~i'^ ]ek*SAp<}!!|OAshj+DΜz"gdlA±mM5^5kCH@PbQkJZˀ9isD#2I>n֣3N7tф5T s˲`jnE]GiϠMu}bxcX"tQ4YWG? (*E'ܩo3'mã ;䇃Jy9TGxUխg4JROjT+ެC,NLKtܯIVݶ0L|>$ch-arR sQ-RL '].?/X~&PpBA?JI$/᩶ <ㅥy 6eU~p)JՃOK\ \$+hw31>K5^č5"N3;kN!ņbq Dd:M䭨 l˲NU 0:<zT?b 5NX>d4|tiR 팞3po8q2 =a^lbdžruu} ǥ[*g(V@>g(1L |pShoL6Lz8PYU~ As)t -!umUzN [oVq.QX6~Ci~M6>IՀa ڳ|8L,/_rH.w\ +/MuilFXH,{RÖH˨vD@+ IpA!p3[B~Ck9D+}'"5e#Osu ED. XO ! oK+F= xKh loP;St.f ~BgY~Pjd$'b5ï 4.&1mڳwy,©}Φ_0FZuMSrXOfTM XO|nch98%)vPb"ơwe^ZL\b($u[fڈ*a6U.~ }+f+XO7hoXAI~PN qRշ6#y0f&K. !"sy69zՑlQY5Ep'hIGn2`6(Dw"}30i{OWd91?5^Pt#,Q8%u}E7f2SfT -$F%P6zȪ']HW?~n!BijNi7Ay3o0A`/2Orl;Aeǽ8Jz%2b!tFw~UsgQ٧3~}Gئwv дP#K-hsUr;hW28a 8.Pvg ECir($Oo-n@o? `W8 YK N:(؈||jJb܈Wy ϝЋb֔]sƎc:ب_mS 5P^Ә=6dT(D:钔$NOT1gPºAW gFi~S<z?B֕UBC_,&v;_<1\jBwO[g0 aq!10'dGBƐdF>)autd~(^Rn:oK5܋Esx,Kf)ء}k8-r+q`e>Bb8AĶox`$v} WK_Bi} 5P\ꚱت!&Sv)Si|TM:$gpjHŕ݄#կBb$1gB@J;sK<\qI:g!2VM(lL +Ŧz4=UBZxاKI& ߽yUʘuUU!P`N2?xne='J" 5"1JGD1.c!y焾7S"}@l>%֑-&;ع&_N(R`n_&d=~(R{. PMp1ԉ醶1V2%Glxv_0BtO{g} mē(YI^A512:/ y3+<#V;QyUY}O2(EꐰOɏqNٕrM$._LΡטDzO}anr$bA!;R7JCOod]2 #zQ3bɳY8$ i0aͫ̚ئsY2V^Sf'6#M:0>:1CLQ zHA7Dک?OV ^*/ I! 
"10a7wtﴸ )&b34`,k,4R](@:m1ܷP-+{ of)Ze2Bt3 7V V-(-0xZSK?+&S]{ޱao= ;˩ݗɪM\}: & ꣀS |ʳ2XA 7~вa v+8Ֆ*Yf0CcMk8'Y֭h 7(;L@|dbE{+~¶x'|jx _\FN>V!fo0٘]8W@ %aUVO-_b ᫃gKi]fbu&&I`4lmip.MՄ*)g4@~EJAF|ؙXΌwT# 6E{Bz#aW&U]4ՙ`eRׄwśaOP{9m.L?DHһ̟.tx4jE[qu+Y~M$g !ݯJ~VE^5AD&n}Kێ#4p]*]VHKAaYEK照U˰&A=3U LvM9;++++*XrD_c(|I:qF.`QȷU}'?6 zKN̸"OYHGbl,Z窱HptWA`p!طˀehYUPY(Uuy"Xd=|'r*3p6Q ڬZ[y&f0A4o^(NQ05̜P[ k4 /dLϐI݀<;#\V- > (LgG?F57%#a }Sɰ}N&;R٢?w'm"hy^`u3vrΚ^X~%GMO #w ӏUZb{|NVwXK+kؘNFhz.q< 4 TLfv,l 8BlDL2cF5w$TdFуKC71̜qUN GN #77YkWvyBe $ҁulRrJz+lgNSUrR-%e:f'q$M.OНٯ,1CD͈Yw!Jw7?%,6if%u}q/!OZ4C7GNz)ߖF/%!_*拨>ܪYp]?/cmiw]9*s䉝H '%ҏ&Z;n v`G&GU ])MuYt\^a4q!M O!:zgw9v||sYbI,ț')vSY|i5+O^mm[Cr9(Qq)&;RXh`{x%R({LflD*95J8 5fYC%!nj %ʯ."Ņ^hcS D\1vKylt4l%[ S?RftJZ6"%Z|!R_!T7rVCj kY)&!7 #z'a^CPIˬ}8J}){7=9SQI + ˱Q/h9;c?l xl͔z#L?UN p1y݊\47L~q!E[vJ4Oky1+! ۮ+GΉa W37 v\lr'p1c8. .jDg(CVjGD#!eX7w?o=ߵla!!`ݛ4(Q@ؕ,vU4[ d7=|0L-/Rqt5B1 7HbS',T۴IYك!0%pUd!w,#nkAd϶vE|*v{}=Nd*|EF&-rp°'P({1<ZRHµ rr+"a91k7Ɛ!Yx½\LqY.iuuY.S̵pƌuT^} l1pnO!m:vhJ;nUu,5x:yѼq8=_ AS䮤QTҝv(sH-;i-VI^ew)nu@>M+iE|4śNݿ~T ' ?_3guS>C(fnrx[<񌂔+"Y>f |8HCA*Os!9Gʦ ]N4o!w8&/e0 Ts7<'16R0`qݜmd8RaϺ@I}˚>F{mo=DCs>T R%SZ#_4@R*9P̢jw%6*[,vl!~)({oϊQ]im(1 By;L+ϤځG5׵q8nZe7>/< Pv픽}cmS'wa5ucԟ1^"9Ϯ7R4Żl7֦/IdAtux-i,&-> Am8Td8Rr^>`|~$ Hn}*uU|D;>VB|1&,׊̐nr0B%ZŒR*X/003\KfP4X #|)C"bP5W~ZV6 m9 (dWgRRak.P4! 
~(I6᧰M, M[gغifjǤ:k􀰄v 90A%yVG~酊)߂C+<[nߓ,덳?]zx$b ffEE1۫Sl$\YvF8yyfyj|enG}||ۋJWhNs)6 Z: .#գOw+v!x ogtuT9X璁U_9fl$p_"SƦt GkYD~(Nxhv7T֋oN-4C\ƻamb)$ăӛ4_ee#!S(/n0] 8m^[|Ciq!Q ݙxRByy VYGF(!2 .]#oVhK"> ڶ487xVʛ=g^6x;Oٿ1l/p?w.CcC#'Piٕj"\Ah<)BiOsx$jWz<5|h~ǴC1P]  ZMAd"znI+a΂`nOx F6>BYbfr@m 4a ˩t-mzZhؒ@z& M?|YP$} W&K:=Q؎ mgmpΜ]Pŋ2Pl4eBϗzEV@;rݴ쑵"Som: ZgtJlO`F2['S8 -λ-AFCR9٭ߥ *.̶r^@muI!A{&f$';bHhʰgYosEAb*;@NRP~%/\*:7OsPҡ|y0x82Ǐ^.J,_ @5rdST4 'k, N1AW˻16+ѣT3zc lXldt9Ϭ (jȁpCo/[G/c/|}v>" _/!|sMU( Z=btDO4zU_E/mT)Z6.:_4=$sS]I~NxKM.v/fJ@b!4^$.Ζ~\X&/}0˺ >gC}MWO''y}%n!Q1%5{w^tQcHb !0nc7SX T}Ẇ+bvC9 OSlnE*>&Yţ<;ז:y瘔u!H2fLOrc$_4 :U{$Ej̺҃'a w ggiy Z+ 39ׅ*Hlл|sroUƌ/" q/nNUݷ & ̩ғ)#.2m@CT5m2AN;pi7_)^va_?;Gga$c8iKIuq Cqil`3{tp!o4k. .SaDZC0ʄxmu`;/D + ?r T'NX,s|LE3JCjM1ld Mvl|Xś A״:A"Z\؊yL /#IWHx̰\di$4{@w~*8#/ysa 9Gʮjt7P.+V _غ۩PQ!+Dm!ɨ-.)w7aY׭/|)2V=f7#a9N4q 6^mœ}I(ot؁瀸\Ӄ(iN$꽒^Ct["q?lݫkMhk&Bj8uP[=1k ͻg_Hw&gYg͍H7E5Sa1DcwZ,7jYyǐc0CrNV~mhs<`Sj-VqBk)E}T+EڻwR]GLTGq}2ٺ&&d1샦'NX̧ƎEpx͔ZqeMRDrhJ9:P$AT,ȱ17ē)BEa;"<0 4ϓI>mOc&{} Ч/bp%)Va+Q%fB%zmd7/eWk̷xlk?O0tV,lF$1kMoc8UlW@]k?&z֒]VI2&Kvo@$F 6<U#~ N WQ̀TK=bF*tpiV7HUe vl4B3Q+L1rጨD>z--} }#@޲a1kG<-=s&a#Y #+6*ꢗ!` ΩR;̹P eh]_-5svkJ"1bIu9fOĤ) r܄lm5Kء>o\5j^u wu{4W)jW4/xBCtSM?N6=p5C/. 
N{RelA%68K!B 5_᧶ oٖ\?kXbO5kn=i=uF[N' 2}jњ'D6y>'{ti(5?aOʻ0ka'|ԾFGjJa> j'J(rwklc(ɉiᚙ@V5؏K:]깝EB+^A?xvk&)e е(b8q.Z);h_gM5[nŸ@7<&sZurFErD]W~Јwa37 qTW君8 n`wR6hΪS@#\ݚ2gw ?OfACx_z񛍼XI)x _ MI`0 :%z6]ՙQ*nlcY3ɵ kbYǎyAMj0wq/l~!@=Zsk<,MOX5.%SJ﬋y@ vmƦm谳a0H͍RJbPGپ-D7Txq*k޲f%pQ}f'u-lؼ†ҙP6?L7ZFi>vD-{n^"zPs)ócj^^Fm)hDe ਗ਼Qq mZuU7pH^5)$48Zbw2.>/Ct(/ &?kyQ[ʚ 2ǗOӒ۬Tn5 9`1r3͍ ԩMjt.X&tA ].(rR&xj :RB!bxœm& Ni(T2`&ỎH׾gKp>UIG3`Q ؆ 1VGV0Ѐ{7 \wY2QDb}UK[sKklj0^aVMCs$9fؖMZ2~^-OEW') ^'h$Ms>L.!AJOJOhȲr"jJ/5 [\>]fщ=y&#)g3&W$- $1뿩\P/$?~E s.8{;ͼ*kgq.!7 Ϲ_6`3-3 :\h\P22ay5~0%U&MOp7Alv>w~QY=1kMi2ub#o3)Ue DCZ26Ӧy5ȿYӺ[BTe@s+LњI%vKܛJ}NXo Ѓ)3~W`65zɅf3낂pʊ۷&Hm m9",]I\Da5NkZۏE2ts}\}&R 358'uUTWkF}\.h@UDH}_p^YOBly lrJ]>|'̖4H 67Ve M:Y-`774LJߩ.;167U(ԖNY2UL R8h 2]2JV‘jRrӞy:WZBEYYB HKYi[(9+{x]PñZ*R]:aP5d*OԠHC/V ҇HEor+t{nͽS۾Rw׏Whj^u,HƎ1VXQ `0 8C5p VUXcykp?T΂cÐ 0s;TRL&$p3m(}D]M]e^'%d%0ĦKȝh{ EĬ /Xl_1 Ǖ?u_!4"p8꾈Gs;ʏC\b/XXiO֥Uw:AY^"IC,w:?B"wk7AE+Ah(ND9@,Vxgrl~5i?EQ[}k0Y2~uPyӝ!c NTSB9dٮ}V ]az|`z` U{iApxt=nP>RM^wRՠx{y)_2 {;:>FJތ?f'E*Mf0Wُ#L"-C_kLk49|qk[EP- z;RJaB,ȧ_FT=_9L,]6$?DakUEL]HzwmDPa>taFgQjq?Ԍdg/]8E2rt%8էvgXC#hcxMA'NX!|. L*'WjruQ}2j| A*S,N6i״o^ 'ZSD̼"4QK|@a>Jo$RWdzluwʯhHTabT^[ ߶U:GcXmĜМ&90z&BUWW=* KY,0J["i FWT_1mE$ L6y^Hkmbi=C~\.ʦfy5$I{ HY䑌5ѱT ⧢W`- vf jSG"#i\g)Cq+kOޢa RQd"5:hXoD(*xfݝS.͢Fǡn<>ޚisqDʶx\Ŀi;uE41k55h8mL%Z2|S^8(K|'% -n #,2PXLjPéҁcXTvi\N=ކAqΟ*5!m9&)CR4= ݖhAm /VƩ8z~8r&r,}**\EnTkܺF i85]i@uP$ ʔt& HX䢛Wǃ՞_p@f89ziUx'u2jJ֟X>S 3>$bEsy",NfAokԷُ`3ðҹMJYr+h΋), ?™kKj=MgՏ7_}>>q }ۏc'Sr%dGxei \;@Z{ik&` #^"(R@؋tD:CX/Za ӫpl9ǹТj;| (?g zgq1 o'rCZՖfYh#+.`METYM(70 " bRn(7ww2F"XY2 nw:6L`$X4$3r'A@Nyԑ^8B9eẐ@eP¦wlh ?+O@#! 
JXt1VlC:׏T/ՀAe,h5!,|utR$i =MXZ~vP'G`_ b  p`'Ġbً<,Ⱦ-r|u4M.v6]V3mk49i5Q6]e\u:fn҂'v+S>3Fڳh}^pU 0tAW2=`pԦQ^H@Ε@*r>?0| u&]ramHC ]"9Q>n +IQKЌ|Vn@$yILޮf[qݡ(VUq $Hg<3;lTz1/CΰUNc`3E/%Wx4uaE.ۄhw|îhI>Pp wi"a?UpLZ"s:_ $΄,g88v`/m4PR|YP*vo2uBe ~q?n&?#Wy]ꈣ f24ax,p"E?A"Oج\|ኘfy16X,ső+zxNx { ]M2B(.);&C5$dws/GB;lvPL;",߉}OM* kY #jTwfq#/KEѧ5P*TR47e%y)a&=)4*DkqF~B8" v6þ~㜏Azj*gjrȹ̵֣}56\tӇKY8H!IJѮ`Ɩv+]a۾>яr2w`JOG,o(yV Ї(avJgR`ߜӳrI/}//j6 ʥuaHȺ-Yůֹ0خcR:ŠS뉰eK"@F &UPMCi?q_}9ڄR)D0Xͽg4Y!qo tNc~z`I?XMJ͘Cw,,+Ga&;I\Nn"sE9.k@9m7^kѝaڂh^~k`\"űcT12wFՑ#c/FSơ"B& Q6a;)Gx?OVAs؛ώ-cF\c,c€݌ .v0_k,P>ntFsX10E2z͵)0EWuKϢ"~rB7ik3HSºG2\SM~=zO= u . h^5u貝~c ȑa}\ت%2/ҽznOx>j??&G.cY􄵫gp*C&Z2/Hq[/_XyFnUOД5G̫&s2\4Y=䣕b=&ֲ;j;"Vp3$ roB.%\ $ך R5ՁZP#ϳ+rE[cE 6mrDNҢX0˵vO"8C3Qy%I ښ{洹 m;BZ/A&BYFJ%U] i9`$>(^Jn˜%Xl5ƃ`(5tYxgPqT=IJ(A7?'Z&']9^ek}yKNp5oW )A:R&9|m5e  ^YHa  <i/san_|imp؏[Էh+Z poS6Ŏ#Iq`{WG@eAgp>#B+>8\YAi"_^Adn@\}.݊ΐZ鮨u'dBjNc5rGg6#~6񐫳5-gs/HF%6L-vF׉cƈ|!8]i hj{5Yo^Q~}5luF L zK_Q" S>{gbvQW2a8V>j(X'Ft'j XغnR? Al,NdoǍS(nQڜġ&]]+C`OCU'""%QJf?"' b [mֲ Z![p5;8Pih6ÒF=3uiw>$}Z`(V&za_β(8yX>GZg ?V6_iBvD">ܢ,3BT=l碪As6h_'wE٘T噵uU(ݤ:7;Ś*Ksѳc4wߑֿPƗrT;=Pi"B~̝wr+DEg)Ij_;jdRJ$-eJ++n=`ՠ Gu S.,er#r3pqy);%bwo9q2 զ˴KW8vbX:G "()J{nOV$BxēAvDvGWaQK: !R^GĦ3<6fS;1+6%rT?m @': e] hIMi?VCJ(\er"Uefm?",̵%1tNg`;C6Ihڛ{/_ }bdՙ,Ukfǎ@ւe%oB Lת'Җ7&uh`Zo􆠼rÙh܍xĦ0z_g mV´8*ws8A킦O@S 0֬LO8hdGbD4&=v)@>Ȱ\+olcjpc7 ~ }C}N\ {\:?ɫ32֬)0WW.tJV8v*·U_OkdFxV&>6(/Jh7x,{VUb8NJͳ\zio`KTŧ;yHl#wLJY>v +F@|=26StK)xIq̼GצQs€ej`քS/s zRKM$ JŸly_*v#U{x=DzQ5;,%N{ڏr;Hȼ}"!"@=42ǻ{UQ(%0 e5p՛-E!oL$:4l@C<92>|eg=Q+b"h1- yUw!Ok 0hVd+FhFN&׻axUkc}l4jhq:al2ѵ(xZS zr@Y6Z%ψP=,栏H{1qhZY|J5*dB I1(<^Ȱȼ--u#uI+)1 6cݶmR2{Kⶲ=t vVh%E9)LXGvMNa-بo goOf+A^ƌ̗`P̱ֆ~|l<zJg44IK.^/&τ]=lLIЪjS{`gʔ~u<&XO L7 NS'̇szgPTK[5GA<8LyKzHN:HS[mqe&6]l"R`. 
spgvaJ H(=O&!\GFad K x" }C񤰈{JX=pgiXPnMR0ďm晴!+| ḇ1YH`M!#eFZe#\,| eB aFtGQ _u%ZS>+!l 5 0ʑ3f7D+oQ-bjMg8jg<;ztSUU$h3M=>oxn~>k{ڛ✎v{>zYuA]@<&b[#)}5{ zVVu~4Envq!EZD>B"HYz02;["}>s(U#QyD<.ifo4]`(HȡJ7avEyʽ+8',79@{_Rt*A9uySe n7fzA8g^G /C5(ȇc}jqGy/ ~_"NƒPz̀Zu>!@~ƵGKvл>ZΚ|'Yr{h f'<) q],Zn|caqӰ0 [0Ps77+n@&'Zz٠O!Lrb 0HN~K.sǣk :q< oy7"Js4!@ V#XBU*V#fMRU;2m`RaΑ$3hWD0 Z+nh 3fXCOúT: 52o^uq9O]_ ,~fɋil `n^r5+cߩԪR<\H=_Wfǭ X*$Pq~$wm ӀoH%íü+#.~%LF*qcɞ\Ez3~rh 5vY>u.sĈG rmpEsl)an'L3*44'y%{_-oMJF2(N0[bxv*v7K @0@30$_QiE֖6P irU)ґD [}.'Q4:S6m ؖI|eJޅ[0JҊ@=0bRTFJc#~3F,u^pe~hH:w^BOoz  F I|a޿VJ0("bvp-Mov41vP%õȆ%e{rػe{turb?+PmR􌲯 njo3)A\J#Z×fzuCI(q𑹼]lv٢͝[wj&SnO&no@wnqڇ8Ce~ɕ09ǹM 咷nSOSPOG~|3hrT [ (G#v,.8+g1^RY !/IJ{LՏ #ߥTB]dF^ffQmm2A!j=dM!| k$nlW?z$H5k%5گ XJ,uDip̕bPI2_<7u-[0'g?poAxϱkƽ,nb׫+ cX2SQ\*ohsؔH &lq!bׯ޲&|czF]|5C>~mcz+Z+'guߘ5M8*x-㭔r97o4U\{bd;\ȕ)K/V *zKɑclA &eC[nHœOA+߫޿!m.+@Hdm= 9+Sa'n%#)apJ&@/G#R OuwFs˦K_Yf ,0xa`͏6liMB}qVme@n㌚-Iu\;: >ǹ'ravxT0.xB2A|wnGMŨL S݇&Kd~h8g D\s-N$*q `{OSa]/mB;#;jGQpzQoMVKZqOy MybұC̋4vH]"XW;c?՚O Նu5>i4NeàB̿hTה+l/J&jh (zLʭT CGwGw"(HٮIO68DoGщȮJ-:0nE$ \V '3^,&fXk=F2,2~X34Ԓ}%9%iӹXB B(4 Af)*gtuQM{JjpEAhʪ~'N:-~!XRwDv1!A itoV<1al楿pͿ)~јEK:Z̽HAp!2z4jR]cKh qQΜNnX :&牪rrl+G H5&rpN q1X2d̝ٱI1EsHo )x4j-eLx֙_*\l H^"H7s93o)rEmXFFUR AeV `򓰱%,ڗ-a;M:lu 1>If #kf a5$GS,]N\2$"4A% z~t-c0.30LA) Ê^w7&ċ>Ey/EZG/p4GY%n$*Hb?Oc (gK.T7GAƺ [bD܅Upe&}i.Bsw\L]ȑ1;8XFҧ"U IEw UF]·ت .&5Kl$UQv"VstynʀU>LxPwfw8<oNr 'm l X~oݡBs2? 
] ZitL\2JFfmi:!HNO6rdꢬ`VdI剠ޒ˸qRjkv;yCK^]0W\h(j^jfָ\e3^%g~U;LLJm\5r2Mf6%[֫}%c;l;:h ]݉YjF>4Ec*2k#!%W %Ÿ!f&.VWm[{<>DVOWz?ubFpo)Hkz9Ok^RPe1t5ظcg~'x۵al 6sl<ۉlX|BO b/0o7_.r6 (3XvS|QbDje*LE111[@t"#c5M;3oZӬn0ܣoJJ0v1'Za_1OO:gkq:ƂY$w-pH!}9RqꉽVSPKj$띘.C۠m2k;AX.jB2=Tw!KR>ـr i󁗒⢪\ w]8 S|4 t>Dw(-;s-]Vjo.#SE?xtV2xXLOPqu ߐ*Fلqn[T1`>l.Icn_If _'Lfɮ&J(Pu{=vBJx HUN-B>[5U>D+M*GaЛ HHF, Z -4UI9C4^C(&Q2Rzx:I>JZFOhB/#PHASZ(߅L>uSMudouh۱:A9=s E.t'qY(3p.Wkv!y|ܧ.٣X2cl 0{mTc-zV~+k Y9Ȕ1ve"(&?uBLn# x=r:Qt3%h 5Ey Wǜ]C3D~jJJ v:R  |>Eܴ 92]ius9^%N*@Kp!E۾{Zk/J^vUtRsYQ PBѷyIVM#+)>~J Pg BAiC Ea&ŧT!QN ]ǞNsNkN>a&'sfbVɕ*'*1r܂ԮyƨQSUҁA6 !$ ٣J#wKw'W}`f>ītBp$B(FH<}I3Y]X!^)R1Eh/=y<M?fo *SZ(I_4%xک$; N (`E94a" ,s17Z#eGJɉU:Ӧ&I5; O-5ګ($ҷvIF!n0x!;s) ^!=3=ٔߕM|è%J8Se}sV L1c{⯄`af:T:,hdIƠE>U=bxa9_ZRt׻|rkHƽ%7f1qgOIyhdxueO hEyrHbZ}6>&5Kݰt bbjv}MUhE &1q|U.3?þvp5Z2-eBk* C 0`[zVE}H()2m^hFgGo[eZ풐D: ItŌG$Hy/b`yX[NDC9o Uq_l2eI :L}@7LH_EU\NT((=z*O -iaK>N-JqvB6ﱪGh9:U|#{sn7y Ԓ غ2{x˷ Vwdܑ uY~}|kL̼j eqT;bx4xܟH]Dp9%Ϻ-ٖ Yb YpW :!e~Wz}X_:$Bc*u dܖnbF=./@ òEއв öiP6IjCy 츻8hGXpk\3;H,o:|F`2JUL$>OH2G"_dȀP+T'IXs)?4E[ :*MEO|p'W&gIu:^ -&{u#EhC:~GtqFؗ`ڻPT5G%=X-(qR&g6cH&fb'Vп65(8=1w^ 6"܀I1o61k z6wK& KPN F)y{QHp4ߥYN#`n_xPzT3PdE.>10**. >w㏺ɷ5Y8V,&4 Io7]m܉ºw\kc~KY B]s * {IZiS: `A'cjlMh 2Tfk9l#^4W6ڣJ ^+{M7a7)yBP_z~Mc,'C\d.a#oE/1 5rf{R7Ӝ>|#c62}ly捖4y*LiAZ< J 76i# · Wda(‰v39kIP.$gcIp"tLO5Nv C8Ծތt_u?~PKTUw_N~C7(2VU4>"pr3KTj{""8(Ax3kx;vW&>oM@g0ѩc9XJx!e'hW`vС;⥯E#\Z͍m\B\smSD3![D~ i_6V-/La ;1~8X\/7$8tQA[˖ynO2F*ɧ/D@lcf;s%N9Z8q\!63A/#/N]x]Ȧ>P%rGbDU ke2#B{Jf%@UJ~!,Ymn,E91u_ _%.d5jfYF&Sq/LCr-Lp.ri]1B{$(X2 Ox G߃Kfs3$ gPI 3GNX;H%/wL8TƈHffq_fc9rJX Wj/51IER}4luB,\5 /I2z, su۵elGqER( /ZV$ieH5~U9M^Nڬ=`~,#ci+M4GMM'V(z!GiBUeB b("ke~i/\8 H:X gdn @vCjK|g;@<}8'[S%8ǔ˸C+Ycj%cL Oyrͨg[u3#:N3xڙC-)+ KWp a*-^]&^uQvD*Na&@MNSI+ZFr2#[4eaL0-%fx9W.-Dm8u.ELfu>qdaBHًY? 
AQ"E3aWggxAY J؝k`yQ&nL,x^p_ v!y83ҖXb;gķU#h[@$vaw{uCpَ>%wmN.&w4e\oܠ-4V7R V Ew-Rf%2rr 4}4}d҆z_X})ݺj ZSYndh[]#|Z-=vr2xڋ۵OÞb/y7~ ŧMYFPN/d!3a%x(ҥc0CwR[10QE1J7YJG0dFxdB!J_vAz?p>?YUk3פ wƸmR]x|xnDQLSp$ARWM[ g6caY)K9m| v2 -or#AʉŪ|c9/X5*Kv9i\= z|EX Lo{<|'ԞjeT8QCp d(V;OpMȸ@V~e1H|yfE$K~!2oi 'dz]}4*U(b )NlJVF1MeMF/9 k_MzNz2]ԯKTyG#_ zpTOA"tل4ԳN@ ݮ`Qd,4 OCw,xq%̞h)PѢ )ڗh|Zrwʹ a[ϊ Ɉ )#ͷ͆M~m7SXڬٗV>EfcCR75ά>`nI.lj~Ek5aFUǹ0+ lx,dvZU:j4ЈwF.x3'a1B g!B(H%O7p %!-A]0t(z$| &l*D)RRWCh mR䋌7YzYͅo#b<`Yz:n~J zg55:`ޜ|~no!%Gz55G=WgH=>X/^2i3\tz$1:EXHhCI)gdj ~zKR&ł\1( 5S$n021<Ʒ d4̡o-0}sdO2.YUw I6'  rнe/q)ҳ @[=Ը)ltn⸠s6o1w P8y?޶[%c\s]q4dKL̠SzC)Ro"Mt}yvT ()cQߠ cƘ.:<B5kPwuFiSE%R˝ ߲Z5h O_nrH5f\,UNt&ML0== "Q*Z6gn +҅ C(&ީ?*2`6S(9u9`4 >%kad&H(y@ʗ;Xı9dAt` n++%i@vx~RQG.s[vK ='*z9$ƛD l~ًv͌#X(֔FŒk:{t vj/muhp"3ysVRX=g,ptR񭼔5`ykOdA[x}qӫSɞ@Ga/>q ptI@<}?;!*T>(3W4 צeI::.0nϟ#TK뎭bbG#~5ؒMYOgP<, +Te|:E"v}`I?Wދ/y:K4N;^qxA([<g"k8S%T}5VQiƽf18PbGy\Ƅ$'/Vgx:C}ݝU+ӘickmA![xXwȧ'QGj:JV| 8L$K-ϩ/_8˷{L6eӠ*=CO"#$2ƙN5z]ZA#JuӆΝ2/mO^֤դRT ^+qD{8Fڧ@?$H5;/2Mj/:s%gi n|vK:8dt*y>gG:ʘ9]J7$tU{wGl{2_tU'2?s,2)z&aL*ϭ9qz >svQ#Kb~h" 蚖_N.lb;&iRJh?7|?PdIrG z,,m32C_|ꬎ#98E> Xɞ)^@5Ar*1<'k ͰҹBe*yǐ)LR+e&K#J#M6s*1EB> \El~z 5Uwx˜D=c1fVˍ\[JNaIvoڢf،_Sq? h+;m](Mok=o=(l흭&f6C&)Z\q޵~O?0ur{Y?Ewd@vQǸv2ocox 3ɗԿ+zДG=*|Nѯzr3>9%Y,ATcxj;dI3MuMvzh'vMW7v3OQ6hRnsf6a=QΫu4"^C䗉K @pcHO~'Zm57J,Aޘ/4/r*w?{HDVZ:ʟ:7g0}~k\zGn(=XQwIy7KNЮpq`dm41:|w﹂:(D! "AJFceՈAsj fAd* D# 6(=K Nyx P)f #HI#]վ/O^Yky/~ٻ{ۂ= y'1Ul$ԟ\v"sH?y^1`vgLzر(oѭkK56I{gc*8FsĪⲦk3 מ7\E=:vWE:gI"oB`FJa}p =I"JyM(oGЪ.!3Mт1EGKG?,®&: Vwz ,)iVaSo;ƭ}vvEǓ"7e:w ĿּPݻ e^@\kw12nF:+H\/b:+Gu{ J>]pYJ> ':_b⽩$ U $x̄fi]2JD?]BݳeFD _x^Iݰ*isJ!Xk2B:L% tjk:e9}֨aci Wmڢ~%M Et=f~TmQzq``mx) p`J3:Ude #/U? 
"r o%r)_(6Ҙ}|$-ȓhfS5\RиZJ8rvВeװ7OmR2X_݌)&*a(![n:omŹbf!h.#%uP W֍:!BPȼbdAy;4^i˽(%|.)15>K$s'(PiԈlb* Em-w@_F몽;^{Uҗ`Dp2pBnw>.Y(W@ X+[FFp./<T]#KRxQ侈ŚvBR~CYLF̪,,Ɋjҳzo[%J!v.R̓BM)QVd}Eu#KƄf:epU/`.6T/ }W~J|J~w|.GPL0m3⿌K7" ߘ<8am*p[T0ں/KD-r0ҒCMm${ؘe8h~&P.m*Z;#6uKA$ ]O?.#hohIP]iPy+i-HEl!Ļ u~oJjA8 wF+Hb8x5#x&pLe=U ]܀Z~bc­K8#REjž:ջaG+OUN5Aom/{X\5κ *$@[ 0x0X$ZH护+b贇@uxl콰[+MᄁS S`dxQU>/y Kג.Ɗ%8x;\.m&!\*&n]ǿ9u<0wd SVf6$ےCE}ZK8 !U DJ+PY``]oI-pz|v{anlډF/e:o^?E}h:=i1`ֶ2N5;Kiٿ,\-&]&82\fY  b:meU{[M5>qviCFͽSS J'rNݫ Q9"4Y.hTےԀ/Egl-!PSw0%BG_vkhV/wJS"!Y'E ԭH@Gɟy=IWZ:~X ,2d:sM y#?aXZڤ2IpZWRo&(6yɛu,#x!N\4mgEnY_t,T"Mһ$H#iPE * s^ y.M`+VWVwo1"ٚl#_j8yH${ONMVmin"8 4euU=jXEF%ZX Mpgr6󫤉WoMK`NG2$s;zP!9X?zkŖ3nzSD-Úc(P)~BȵY[C#S`^%Ce7nOAk 0.soT ռJ[4l~p "/M 3{6}^A;$ԲUP 5$0kc Gr#/\MOJ~7ҡz~H$4V-hqUNe\E1 =ɠu[b ϩy2ez 2o]bXaui\$jhX<ɁAA7o(15!U[#JHAHN*(JdOU?>:W썓ِEd1[ŵ\ʼn [^#ç(`F~}=[޹ΘZvUֽ`nc#C Ն&˰xpG㬣J+Mc|ϟ=h')F*%@RK?%O&VWA28P#g.ߌ4fJrF^k ɻRe!Q|`Ũ oD%p\PHu 6$.}혪|ZMq @>԰GgMB6؋/Sm8n$I"_؋>*C`M2x8;v  ӹߨFnHF(j9gJ4F* 9mrHxѥt{=ͫfp0m5Vϻ#N#dڙom5ʶBC,CJWva< ,W>8, $#[oϩ|swOttlX <ψ8-:Bz}zy9kS%9e-N5WAӡQ;r"/՛U?3NK<vw36kg?봖4AmL1Wymab"ko }|I?>\3 ["8:juͦ°jw9Dc4>XbLPWWq$* |A;>R+ 0VT6¯U7Gqxz͵^͢ԛpbCM%|Z4p E-rH[G{n^a0\xvSd7fLi/x;*a6ѱv3g.(6k?@G|v1zhx 9_l3Qbsla89 aPs_}80\gqdl*]iߙhVavPWQAFBcLp@3ɝ?1oXU1;Ȝp{i"kL7W(B>%HG͕Nzq4;ZR١׻WLT{簵}9_q(+. 31knd#=L߾^\`]&2d*G=^QBLRū<@*6M`W6 nv sst7 V컮~; Ӱs2;|Jά_Izw3 A߷UÍ$K@fx})jC51I91#žJЦ޿ !N:t`\&g*o-0Ҩ"E:Gs(xcI(9jɊ%Δَ^$U-k<~0Պ)s0cU$Ϣ@yx6KH(c>GT&<^%Vm^{YB#A S/5vC. P ,<Oտ*id !ԧIƒrYi޼RLN0Էބ(m/zKL{}01D3?6[J)$T[Ii ֘tj L|Xc7kQz3}ȇIٖTgا f )OfZ)#i"' u4k܄XL2>V-2xf^,j QB?!w(>D(%(E4!HFIoq4 8ҧ`@o2qRpnSq1-~wŚk!LqVtϷ.Q()x"-I*aEp)^)o`@!١(kyܴgrt}Ƨ0J/$d"~?C`-j$®IĢvŞyVc:%-A  `A{IUgRԝ9m6e[QI>8 cc5͚˘t芬 'PD;%1 'e׼Z~O7 gV8__e`&ՙXp /=D hVtyn:{YYޣLy  }O"1F֨{\Kq|U6Lpw1Bs #8U,(0KY >HU* #.G8U dwlvא}G"Q!#,^(RmZ[.,ц5_O(جf8[K/u)2`fcTB2xnX/v 7lO%ʂT FJwa FJi;ܘXpG`!a.zB lXu'UI"ۯy+3CA")u 3%Ms-}XvZRt_c6i y)]q\]1)RbFFf9܇"uޓc&A̢[4u@AEjpך&?j@p'~85*^XJ@7O {sGs 2Rss{8X99! 
,SeD/h+xCߓHk7Ax,SE|h0cgT@3,Sg)u]&K ޼ Ws=Ef7e\lҎ )7e}ɡw{^W<8P )rCVo8qMPP= XF~*ߖL@Zq^0R)( l# +BZ̰ܣ;e'yրREze@`S]#ӣk/? +rb*õs:nI2ZMऑ#m(fgbZޣ[C ƔУ>;ŖMp<+nEp6G -J/u~mFZR=f%>,vbDkL` SbX@u"s:Ŏˇ7謾? KCUJeneBѾq SBH|Dgf#}wedr]s-q>d;Oeh&B+/_Ԧz&3>'Ek'di3K,"I&|U n7 ֮+ w]2-toNk"!R`y!t{Պ @E#7NpwEI'a4adI}DIXOXtE6C<%&NmMY0k6h_=}NݚpQ%xk^eY)_b_?$:r V Q+eҬ~e-䴤aL:?_{əgװf:.$kvԛd-9UwMƓw`[OC_>upCu c%|>gdbBXиGJDvG342b}}ažڲ"P/#XFƞ14P`IZCЩ&P$ӃpbUh l+dvЯT:sHc]큶Jɷ!PQM;C `ns 7"j1muk4TtF޴LUzpPf#Q`Vh |B r8䕠Z͸u*]zd}vM&@Їl7E fʘp>'_]p:ʆr̤_>B$AWzhKW6H l p?~AC 2{eRaôg@ +rۻmNUتDgZMIϜp-`=dS <:'AZj({EO*͆DROlS"*<\=JI'px֩+gnN PB( ri夅al>NڋE*x?o K.৯/TĴom\]H&zq7xͺ&GϾEs_İd{#czDSxOk9pvla|e=#pF$vh1掉bZsSz&N,r.1/d gAytK8cfWȚ1S[Rh.7P9KH6ck9\Rh%z[$+Dmf @G 8rwf̸[￈[5Q8 ~GhjgQi8Prlゑ0^5QH ": =ى3AO(GHr}9QS\T۩*jiI&[änܐ#y~y~*ң[NF-?>B阇~ u\r(̮b(;1O1YurS񸲹V9!\=4<D7LmBIp(}}64}˂(6+DCKslV*đ=ブ\;cUH~Q̒{8N+y|9[G|_Ϳ6A luҼn;ǿ\_ԿAC)^X f΁8D_iJq|sFA;gj׾Zy# 5BF@̬z hJF1mN~qL8E _'7Ng7XCĹњK,qX)@S~SM*c8ݟp0> WGx.ډWV@ (R,-_ܓs3ɉz9fZ'bNXZ{ ̟dʹV`h1',ƻ@%Ԏ[0ʗh#@IwyX9>m(c]dcD@'Xx2qjnGgq}9WCGN,}v!m\ޜxLK#66HMCFfܻPL޴@YbUt01e Rw.э`9Bu} jEHs#DVP->*t^*3G-~oTc|=vf?Ps.lm/$ ZFg$KZY@p{A=14x6,T Jz^~T?әQ T`-3o@3|'D4|>bT\YD=-꤈ԑչ.į:;rOZ4OX`lИ$h{T vXGnpDI(Gמ Y4xu[ n`?JH#pd yȎܡݽ+sr@mt%jܳd qχx^lͅ=-= vk));oȲA NP2_S[WS*ʏxicOd@$P0MV ʄ2W dK]N:{Rx:&\p 2~~ D ۢ5^Egi;?LQ/?Z saluc*c\8:N!J+P7niw2l6vD~no~ (șC1t()-'qO#M+)Tx\xCfBZs>Q;qEw❻}Zfmȟ^w_GzϷf@oV0/1lsǫ}%ht^ƥρ]+{-A4oS'tzD`%oL(5 rjꭏ 7+zmu[(K[A6q:j |937p "*s=oMG{ȾI%^Vmj☫Es~v. 
#)Wɾa׋M,HF Gz,TX]u2=FUУܓqSw mFDrCPHmFfdSࢊj9n6]>'q"WF,J<,}DTʎLE[.b'6f"* J@[I8c.XtU27 VZ*֯c+;€.2*ODOϽlA8UIpZFiq3HLxSȹ kS -Bw|p\ga~qx u9 WHsd?Ml Mq-3u gR@y+ˁDv&Ka v.Q7|Zz3'J1XGR_۳_u e4I9n- uV{}٫Krk҃yZ]JQ}$VfZsp5ca0mLT;9,9kdw6$5>Z^ ހ](\ t\\& $:⩤ ,wuC3J9i*yȈ^u2Tҝ>XfY:YWT~ |W(U"u%ְ?JnKzOf.jh-@g߽H@*s5G^&K/02sogg疧%GN:Hʄ1VΆofXxMXRmY> [|KNGX(49zlu+N{W!L{%лfό儵$f="P%>_X?aj/_ 妗٨On4'b{>jd=#jxeuXJ=|zc4j ~!Q;u1{S(Rd҉BieɪG#}@{ îuN9 f?l1 =]oɎy1%@՟-K@.g}pov~k̦0- Q|P<;=`IMҙ n<裰H?H'}`լ\ro ˭Xf!x$GC,ՔO!LN@3}~z\!bQ 4 .L¡D6#HN2G}Ǘ/ x<`K^~u1]aH Q eBhL藔Hr fggMz{Ѫon>8v\9/0c= tIE:Oy}*r8a &RlVPGgZ|պW!cLF-{sShF'`Я/Ji˯6!%Õ =YG h͵X2;=۬zGBHlʇ+91^]Zq5.I.E*/!J{HӜ!B93ҋ4bZʿ&u,/$paY_PJIJ,ȿfѲ784ڬ2۝˔A9`OZAA4bXSc5D YX1 Ltg?!agu .(_Мi_6o-5cX+ (folB mIOdMME?%Ѥ(=9iͺ6}9ekD:@VA)]DZ%w:WzX,<ؐx?Ns*3 :{f9My֞#Jɤ2Sdǭqgy|Y{q0ǟ&AyC"pleu96lLu۝wAw@#`sz9RG6<;dی"qiFګ <\7@(жp"F"| 9>tx6U\Lx%%=6XH-|rZުȬ~}WCq5xOM,0ӇZϛXٯjB7ơEO5ߵC:#{ARTV/OЕNi tR杽:m[eu$CE1++x'χf+6YzݾN ނ- @1,؇YόSCwz~1&|4Fc >r sEc7+h0t*65!FX N9mF4f/?a+V7}5Xǯc`&X@M)! /q *t;n7~ll^| DIz Co w8t\ ~ay֝ʜh4r(r3 c2I򍃃rkT+j҉ƚ*:MKqO0*w9i^hDXok $S]WqQ?04- Y5Wm$#%nPuXtb_Wkʗ>sѭ =$~&t { .9S&J dy߄G :ms<<,S|%EM]|pSL-xXouVgSkqb.c .7WV"˳\ )66 }XėK=цc5l/ih{r[#Cq,/yz; Q(/0e78:3ycD6lp.x ӴO%ue/JrfH^6_@Y9yD?KNy'$;Y#8-l `QޭQee QExU<2_س`Ce1yOAë~v*%v|V,o7g;N55xRՠ֝ٞv`L) r&`Rt7BdOM#󢕜F ([ ov&I48.QU3?᡽GЀ3bT;?=ᨲ^ )|ٲ nM.9_}s EaJ|FLgֈ7O]-(!=/6X$pL '@9Y9:p4^\;Ho"@.c8l-jKr|~.Ļ%9rl|2yemEܲp6{6; [g>8DHpLhWe pƠGnO`>B1 Nڿ@uu6FHK4| ?>4%aXSgM.<xɷ<[rM}_3ϳ>J:I9SNg$bp!B}žK(.ߖy@57hnѫ&"n;1=k7&-ad%(KywR^U&(PqW*P=wA`+6OCfϡ>. mr5| sJ:<ܢ!'tQHGc .Ҵ2S9U/&wKA%@uwmp N ;ۣ xPe՞|E@δ̓]]-9ӝ1b+Ne~%?L0uz%c`ziGc:AqlPPTɔg+~k0$%Z mvV#C?eFb^]ߕ!ؐpI G`d@r#؋ f>P. {7Gj"ӭ}ʧl H{ 6:4Z-~"B[9wsOz t #&_9\[jlGvij+g0&&YI-_̠;yR~N\/ ScѮdFA{݇9Eb %#5]좍f.MFw6Gƣ`(K%-!;;xV\ ǎ,Fr DO/Ax I? 
;%RPu{*)2o"XC8N.FwP|^BmVr ZJGجGt2^RqAQv# ucAc7"tlrhyf|l-T*o_4{}1k<';C:@R)Dd.X_h ``09'k'T+.;EKJY+B{;~Xp[o,rEbn/@dϼ=b'`mi,Da@{5x>GUG]*tu @xr3?GiTe7pY9vo_Y *ǥUjgۋ8jri5y)m "lm٤oR_zvm\D':oln:5%j!3 _ecT"HxG/_4`Ʈ5A#f}8Pב1x{RPDfvm"%wrʄhz-Bjzf[Vyp&0T_ 9[A]V/m?AbcBoOkqxflYVv6)}y5ՀMU^ įŘiԝi푫og -}S2A? Փ6_^ vk4 Je؃6-8&%iKY ĺ<-M^ay2|2طwoRܘvpr9<,UFUvh!?ƙdl6k 5ћD[3N_ Ȱg@'˨Cꭩ)Ik48!jۥS 5mAWE$Ңj)1UjCsU90{.M6V=T}ĐH׷fQ(] :#CIOUŶ2$v# +=o^@;h'0C?Q9fIS?P+qv :$q|xECi4怏9Cw\ B? ʼnE_)d0}֐K[R 7_pԷu+摦"H 2);1$+2#&NuM2s 5"px I+*8ej %۟ippڱRL @ YZ